Devices running iOS 13.3.1 or later have a currently unpatched security flaw that prevents VPNs (virtual private networks) from keeping all traffic encrypted. The information was published in an article by ProtonVPN, which has already reported the case to Apple.
The flaw means that connections already established when a VPN is enabled stay outside the VPN tunnel; only connections made afterwards are unaffected.
These existing connections bypass VPN encryption and can, for example, expose user data or leak the user's IP address and location. The cause is that Apple's operating system does not terminate existing connections. Normally, when a VPN connection is established, the OS closes all existing internet connections and re-establishes them inside the VPN tunnel.
ProtonVPN says that while these connections are automatically reestablished, “some take longer and can stay open from minutes to hours outside the VPN tunnel”.
As an example, the article points to Apple's push notification service, which maintains a long-lived connection between a device and the company's servers. Messaging applications, among others, can also be affected.
“Those most at risk due to this security breach are people from countries where surveillance and civil rights abuses are common,” says ProtonVPN. To date, no VPN service has a definitive solution to this problem.
Besides the traffic between the device's IP and the VPN server, traffic was also observed with an external IP address that belongs not to the VPN but to an Apple server.
The discovery was shared with Apple, which acknowledged the vulnerability and is working on ways to fix it. As a workaround, ProtonVPN found that enabling and then disabling airplane mode can restart all connections inside the VPN tunnel.
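The observation above (traffic to an IP that is not the VPN server) can be checked over a capture taken on the network side of the device, where tunneled traffic should appear only as packets between the device and the VPN server. The following is an added example, not ProtonVPN's code; the record format, addresses and function name are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: "epoch_seconds src dst proto", as seen on the
# Wi-Fi/router side. 198.51.100.7 plays the VPN server, 203.0.113.10 a
# long-lived service connection opened before the VPN was enabled.
SAMPLE = """\
1000 192.168.1.23 203.0.113.10 tcp
1005 192.168.1.23 192.168.1.1 udp
1060 192.168.1.23 198.51.100.7 udp
1061 198.51.100.7 192.168.1.23 udp
1090 192.168.1.23 203.0.113.10 tcp
1400 203.0.113.10 192.168.1.23 tcp
1401 192.168.1.23 198.51.100.7 udp
"""

def find_leaks(capture, device, vpn_server, local_net, vpn_up):
    """Return peers the device still talks to outside the tunnel after vpn_up."""
    device = ipaddress.ip_address(device)
    vpn_server = ipaddress.ip_address(vpn_server)
    local_net = ipaddress.ip_network(local_net)
    seen = defaultdict(list)  # (peer, proto) -> timestamps after tunnel-up
    for line in capture.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        ts = int(fields[0])
        src = ipaddress.ip_address(fields[1])
        dst = ipaddress.ip_address(fields[2])
        if device not in (src, dst):
            continue  # not this device's traffic
        peer = dst if src == device else src
        # Before tunnel-up everything is expected in the clear; afterwards only
        # the VPN server and the local network (gateway, DHCP) are expected.
        if ts < vpn_up or peer == vpn_server or peer in local_net:
            continue
        seen[(str(peer), fields[3])].append(ts)
    leaks = [
        {"peer": peer, "proto": proto, "packets": len(stamps),
         "seconds_outside_tunnel": max(stamps) - vpn_up}
        for (peer, proto), stamps in seen.items()
    ]
    return sorted(leaks, key=lambda leak: leak["peer"])

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE, "192.168.1.23", "198.51.100.7",
                           "192.168.1.0/24", vpn_up=1050):
        print(leak)
```

Running the same check on a capture taken after toggling airplane mode should return an empty list if the workaround moved every connection into the tunnel.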