[Warning]: VPN bypass vulnerability in Apple iOS

[Kemarit]

Many of you might be using Apple iOS with VPN like me, so I would like to share this article as it might put you in jeopardy. Initially it says that it only affects those people that are vulnerable for surveillance but there is a possibility that it can be used to steal people's credentials like crypto wallet's password.

How the iOS VPN bypass vulnerability works

A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.) Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.

One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons.

The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.

Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common.

Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.

Source: https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/

[1714036094]

1714036094

[1714036094]

1714036094

[1714036094]

1714036094

[1714036094]

1714036094

[1714036094]

1714036094

[Charles-Tim]

Normally, VPN are not secured, especially if you are using a free VPN. They connect you to third parties to display their ads on your phone screen and this can leak your data to the third party. So, some scammers makes use of this to even try to send malwate to phones. Such phones are not safe. It can also happen to android or any phone.

Paid VPN can be predicted not to be safe too but they are better, and if trusted and have good reputation can still be good. But, know that 🤬VPN connections may not be safe. Not only on IPhone but all phones.

[Peanutswar]

Normally, VPN are not secured, especially if you are using a free VPN. They connect you to third parties to display their ads on your phone screen and this can leak your data to the third party. So, some scammers makes use of this to even try to send malwate to phones. Such phones are not safe. It can also happen to android or any phone.

Paid VPN can be predicted not to be safe too but they are better, and if trusted and have good reputation can still be good. But, know that 🤬VPN connections may not be safe. Not only on IPhone but all phones.

I think you have a mistake about the VPN friend because yes this is a third party software but the ads you are seeing is an adware which is only can get to the website you are surfing or browsing and some of the VPN requires a configuration that you need to download and some of them has phishing or any programming language included to get your information else you get by the hackers from browsing into the unsafe websites because VPN is commonly used for browsing unsecured platform or websites and you can change your ISP (internet service provider) and server for your location.

[jseverson]

It's serious problem for people who still use website which don't support HTTPS or application which don't perform any encryption between the device and server.

True, but if you're sharing sensitive information with an http website in the first place (which shows their neglect to cybersecurity), then a VPN probably won't help you much. The real problem lies on failing to hide users' identity, which could easily be a life or death situation depending on where they're located. There's an easy workaround from OP's link, thankfully, and I might as well post it here to save other people the trouble:

Internet connections established after you connect to VPN are not affected. But connections that are already running when you connect to VPN may continue outside the VPN tunnel indefinitely. There is no way to guarantee that those connections will be closed at the moment you start a VPN connection.

However, we’ve discovered the following technique to be almost as effective:

    Connect to any ProtonVPN server.
    Turn on airplane mode. This will kill all Internet connections and temporarily disconnect ProtonVPN.
    Turn off airplane mode. ProtonVPN will reconnect, and your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%.

One more notable workaround to ensure that everything is working well on all your devices is running the VPN directly on your router, but that obviously won't work when you're out and about.

[hugeblack]

VPN importance lies in overcoming the restrictions that a country or website may impose on accessing, but it will not help you to hide your identity or protect your personal data.
Even placing the airplane mode or turning off personal data will not make you safe.
If you want to protect your data, it is best not to trust any third party to do it and start setting up your connection with the appropriate encryption of your own.

Please tell me which VPN is best for today? To be able to use for free or at least trial versions.

There is no better, but the best of the bad.