According to a seasoned security researcher, third-party VPNs for iPhones and iPads frequently fail to send all network traffic through a secure tunnel after they are turned on, a problem Apple has been aware of for years (via ArsTechnica). Michael Horowitz, who tests various virtual private network (VPN) software for iOS devices, says that most at first seem to function as intended, giving the device a new public IP address and new DNS servers and transmitting data to the VPN server. Eventually, however, the VPN tunnel leaks data.
Typically, when a user connects to a VPN, the operating system closes all active internet connections and then reopens them through the VPN tunnel.
iOS VPN Apps Are Not Perfectly Safe Says Researcher
That is not what Horowitz has seen in his sophisticated router logging. Contrary to what one would expect, sessions and connections started before the VPN is enabled continue to function and can keep sending data outside the VPN tunnel while it is operational, potentially leaving that data unencrypted and accessible to ISPs and other parties.
Horowitz asserts that his findings are supported by a report released in March 2020 by the privacy firm Proton, which stated that an iOS VPN bypass vulnerability had been discovered in iOS 13.3.1 and persisted through three additional updates to iOS 13. According to Proton, Apple said it would include a Kill Switch feature in a future software update that would enable developers to shut down all active connections in the event that a VPN tunnel is lost.
Proton concedes that Airplane mode is not guaranteed to work against the iOS VPN issue, while Horowitz contends that Airplane mode is unreliable in and of itself and should not be relied upon as a solution.
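The kind of router-side check described above can be sketched as follows. This is an added example, not Horowitz's tooling or code from the article; the log format, IP addresses, timestamps and function name are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical flow-log format (not real router output):
# first_seen last_seen device_ip remote_ip remote_port protocol
SAMPLE_LOG = """\
2024-01-01T10:00:05 2024-01-01T10:09:40 192.168.1.23 203.0.113.10 5223 tcp
2024-01-01T10:01:12 2024-01-01T10:02:30 192.168.1.23 198.51.100.7 443 tcp
2024-01-01T10:05:00 2024-01-01T10:10:00 192.168.1.23 192.0.2.50 51820 udp
2024-01-01T10:06:15 2024-01-01T10:06:50 192.168.1.23 198.51.100.99 443 tcp
2024-01-01T10:03:00 2024-01-01T10:08:00 192.168.1.77 203.0.113.10 443 tcp
"""

def find_outside_tunnel_flows(log_text, device_ip, vpn_server_ip, tunnel_up,
                              grace=timedelta(seconds=30)):
    """Return flows from device_ip that bypassed the VPN server after tunnel_up."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        first, last, src, dst, port, proto = fields
        try:
            first_seen = datetime.fromisoformat(first)
            last_seen = datetime.fromisoformat(last)
        except ValueError:
            continue  # skip records with unparseable timestamps
        if src != device_ip or dst == vpn_server_ip:
            continue  # another device, or the tunnel itself
        if last_seen <= tunnel_up + grace:
            continue  # ended before, or was torn down shortly after, VPN start
        # A flow that began before the tunnel came up is the persisted-session case.
        kind = "pre-existing" if first_seen < tunnel_up else "new"
        findings.append({
            "kind": kind,
            "remote": f"{dst}:{port}/{proto}",
            "seconds_after_tunnel_up": int((last_seen - tunnel_up).total_seconds()),
        })
    return findings

if __name__ == "__main__":
    up = datetime(2024, 1, 1, 10, 5, 0)  # constructed time the VPN was enabled
    for finding in find_outside_tunnel_flows(SAMPLE_LOG, "192.168.1.23", "192.0.2.50", up):
        print(finding)
```

Any record reported as `pre-existing` is a connection opened before the VPN was enabled that was still exchanging traffic directly with its remote host afterwards; the `grace` window avoids flagging flows that were simply being torn down.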