iOS + VPN: Data leaks, misconfigurations and what comes next?

VPN software and the data leaks one security researcher detected have kicked off media coverage relating to Apple’s security stance and how VPN software is handled in iOS. Are VPNs in iOS broken, or is this simply another nail in legacy VPN’s coffin in light of more secure technologies, like ZTNA, that better address the challenges of the current threat landscape and modern computing needs?

August 26 2022 by Jesus Vigo

Say what you will about technology and security in particular, but it’s never dull. Sure, there are downtimes, but it seems that the lulls are simply a prelude to something coming down the pike, as evidenced by the recent media coverage claiming that “VPNs on iOS are broken”, at least according to one security researcher.

Though the news has been making the rounds recently, historical evidence shows that it was an issue raised as early as 2020, when a provider of consumer VPN software submitted a bug report, claiming that they observed their VPN software making connections to Apple-owned domains, bypassing VPN security altogether while other non-Apple traffic remained confined to the VPN tunnel.

For the record, Apple traffic is routed directly to the Internet, as it is exempt from VPN tunneling. This ensures that Apple-related services, such as Push Notifications, are not disrupted and that the user experience is not impacted in any negative way.

The Story

That was then, however. The current evolution of the VPN security story rekindled interest when Michael Horowitz, a security researcher, detected a data leak during testing with consumer-level, third-party VPN software on his iPad running iPadOS 15.6.

The leak Michael detected is classified as a data leak, not a DNS leak. DNS leaks are the kind commonly associated with legacy VPN software and are sometimes used to unmask VPN users and obtain their real IP addresses when the software contains that vulnerability.

After performing several tests with multiple VPN apps, Michael contacted Apple to inform them of the bug he’d found and that’s where things get contentious.

“The behavior you are seeing is expected.”

That’s the start of the response received from Apple. While that may not seem comforting at face value, luckily there is additional color that adds greater context to the statement.

The way in which legacy VPN software works on iOS is that once enabled, existing connections to services that are already open do not always immediately get routed through the recently established VPN tunnel. In fact, it can sometimes take a few minutes to several hours before an existing connection will reconnect through the VPN tunnel.

Which apps reconnect immediately and which take some time to do so is not documented anywhere, so it is difficult to know for sure. Adding to the confusion, this behavior could well depend on the resources available to your iOS-based device at the time the VPN is enabled; the combination of variables could reasonably affect how and when a connection becomes tunneled.

While it isn’t the point of this blog to excuse or condemn this behavior, the fact that Apple considers it expected by design may mean VPN developers shoulder the responsibility of ensuring that their app works as their customers expect it to.

To their credit, Apple has built certain technologies into iOS that legacy VPN developers can leverage to offer greater protection while ensuring that user data is always secured. (More on that in the next section.)

Further securing data with legacy VPN

As touched upon in the previous section, the way iOS handles VPN connections – whether you agree with it or not – is what it is at this current point in time. To that end, Apple has maintained a few features, some introduced as far back as iOS 14, to minimize some of the shortcomings of legacy VPN services and shore up data security.

On the developer side, a killswitch can be created by using:

includeAllNetworks: A key in Apple’s iOS developer documentation that indicates whether the system sends all network traffic over the tunnel. By including this in their app, VPN developers give users assurance that, if the value is ‘true’ (or the feature is enabled) and the VPN tunnel is unavailable, the iOS-based device drops all network traffic.

In lay terms, it ensures that all data, regardless of network connection (Wi-Fi or cellular), is routed through a VPN tunnel. If a tunnel is unavailable due to a service disruption, for example, no network traffic will be permitted until the VPN tunnel reestablishes a connection.

While the decision to include a killswitch is strictly up to the developer of the VPN app, Apple does include the technology to provide this feature, and some VPN providers are known to include it in their offerings as an added protection for the consumer.
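The following is an added example, not code from the Jamf post or from any VPN vendor, showing what the developer-side killswitch looks like in Apple’s NetworkExtension framework: a personal IKEv2 VPN configuration with includeAllNetworks set, plus an on-demand rule so the tunnel is requested as soon as any interface comes up. The server name, local identifier, certificate issuer name and keychain reference are placeholders, and the code assumes an iOS 14.2 or later deployment target.

```swift
// Added example (not from the original post): a minimal NetworkExtension
// personal-VPN setup that enables the includeAllNetworks killswitch.
import Foundation
import NetworkExtension

/// Builds an IKEv2 protocol configuration with the killswitch enabled.
/// `includeAllNetworks` (iOS 14+) tells the system that every packet must
/// travel through the tunnel; while the tunnel is down, traffic is dropped
/// instead of being sent in the clear.
func makeKillSwitchProtocol(server: String,
                            username: String,
                            passwordReference: Data) -> NEVPNProtocolIKEv2 {
    let proto = NEVPNProtocolIKEv2()
    proto.serverAddress = server                       // placeholder: vpn.example.com
    proto.remoteIdentifier = server
    proto.localIdentifier = "ios-client"               // placeholder identity
    proto.authenticationMethod = .none                 // server cert + EAP user auth
    proto.useExtendedAuthentication = true
    proto.username = username
    proto.passwordReference = passwordReference        // persistent keychain ref, never the raw password
    proto.serverCertificateIssuerCommonName = "Example VPN CA"  // placeholder issuer
    proto.disconnectOnSleep = false

    // The killswitch: all traffic over the tunnel, dropped when it is unavailable.
    proto.includeAllNetworks = true
    // With includeAllNetworks set, LAN traffic (printers, AirPlay) is also cut
    // off unless explicitly excluded. Leave it blocked unless the threat model
    // accepts local-network exposure. (excludeLocalNetworks: iOS 14.2+)
    proto.excludeLocalNetworks = false
    return proto
}

/// Installs the configuration and asks the system to start the tunnel whenever
/// Wi-Fi or cellular becomes available, narrowing the window in which the
/// device is online without the tunnel.
func installVPN(proto: NEVPNProtocolIKEv2,
                completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        manager.localizedDescription = "Example Killswitch VPN"
        manager.protocolConfiguration = proto

        // On-demand rule: connect on any interface type.
        let connectRule = NEOnDemandRuleConnect()
        connectRule.interfaceTypeMatch = .any
        manager.onDemandRules = [connectRule]
        manager.isOnDemandEnabled = true
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            completion(saveError)
        }
    }
}

// Usage (placeholder values): the keychain reference would come from a
// SecItemCopyMatching query with kSecReturnPersistentRef set.
// let proto = makeKillSwitchProtocol(server: "vpn.example.com",
//                                    username: "user@example.com",
//                                    passwordReference: keychainRef)
// installVPN(proto: proto) { error in print(error ?? "VPN configuration saved") }
```

The design point worth noting is that includeAllNetworks alone does not start the tunnel; it only guarantees that nothing bypasses it once the configuration is active. Pairing it with an on-demand connect rule is what turns it into the “no tunnel, no traffic” behavior the post describes, and the app still needs the Personal VPN entitlement for NEVPNManager to save the configuration.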

For organizations managing iOS-based devices, legacy VPN can be activated automatically by using the:

Always On VPN Configuration Profile: According to Apple, the “Always On VPN” is a setting that may be configured using a configuration profile as part of your mobile device management (MDM) solution. When enabled, it “gives your organization full control over iOS and iPadOS traffic by tunneling all IP traffic back to the organization” and secures transmissions with always-on data encryption.

Activating this feature requires device supervision to install the profile on the target device. Any required VPN configuration settings are also included within the profile, ensuring that once installed, Always On VPN automatically activates without user interaction and remains active – even across system reboots.

Additionally, this configuration provides per-interface tunnels, meaning that if your device includes Wi-Fi and Cellular network capabilities, an active tunnel is created for each so your network traffic is always routed through an encrypted tunnel. Lastly, should any of these tunnels become unavailable, all IP traffic is dropped until the tunnels are re-established.
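The following is an added example, not a profile from the Jamf post or from Apple, of what the Always On VPN configuration profile described above looks like when written by hand for an MDM: one IKEv2 tunnel per interface (cellular and Wi-Fi), the user toggle locked, and per-service exceptions for traffic that must keep working outside the tunnel. The key names follow Apple’s configuration profile reference as the editor recalls them and should be checked against the current Device Management documentation; the server name, identifiers and UUIDs are placeholders, and the certificate payload referenced by PayloadCertificateUUID is assumed to be delivered in the same profile.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Added example profile (not from the original post). Requires a supervised device. -->
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.alwayson</string>
      <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string> <!-- placeholder -->
      <key>PayloadDisplayName</key><string>Always On VPN (example)</string>
      <key>UserDefinedName</key><string>Corporate Always On VPN</string>
      <key>VPNType</key><string>AlwaysOn</string>
      <key>AlwaysOn</key>
      <dict>
        <!-- Users cannot switch the VPN off from Settings. -->
        <key>UIToggleEnabled</key><false/>
        <!-- Allow the captive-portal sheet so hotel/airport Wi-Fi can still be joined. -->
        <key>AllowCaptiveWebSheet</key><true/>
        <key>AllowAllCaptiveNetworkPlugins</key><false/>
        <!-- One tunnel per interface: traffic is dropped while its tunnel is down. -->
        <key>TunnelConfigurations</key>
        <array>
          <dict>
            <key>Interfaces</key><array><string>Cellular</string></array>
            <key>ProtocolType</key><string>IKEv2</string>
            <key>RemoteAddress</key><string>vpn.example.com</string>      <!-- placeholder -->
            <key>RemoteIdentifier</key><string>vpn.example.com</string>   <!-- placeholder -->
            <key>LocalIdentifier</key><string>device.example.com</string> <!-- placeholder -->
            <key>AuthenticationMethod</key><string>Certificate</string>
            <key>PayloadCertificateUUID</key><string>22222222-2222-2222-2222-222222222222</string> <!-- placeholder -->
            <key>ExtendedAuthEnabled</key><false/>
          </dict>
          <dict>
            <key>Interfaces</key><array><string>WiFi</string></array>
            <key>ProtocolType</key><string>IKEv2</string>
            <key>RemoteAddress</key><string>vpn.example.com</string>      <!-- placeholder -->
            <key>RemoteIdentifier</key><string>vpn.example.com</string>   <!-- placeholder -->
            <key>LocalIdentifier</key><string>device.example.com</string> <!-- placeholder -->
            <key>AuthenticationMethod</key><string>Certificate</string>
            <key>PayloadCertificateUUID</key><string>22222222-2222-2222-2222-222222222222</string> <!-- placeholder -->
            <key>ExtendedAuthEnabled</key><false/>
          </dict>
        </array>
        <!-- Explicit decisions for services that would otherwise break when everything is tunneled. -->
        <key>ServiceExceptions</key>
        <array>
          <dict>
            <key>ServiceName</key><string>VoiceMail</string>
            <key>Action</key><string>Allow</string>
          </dict>
          <dict>
            <key>ServiceName</key><string>AirPrint</string>
            <key>Action</key><string>Drop</string>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.profile.alwayson</string>
  <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string> <!-- placeholder -->
  <key>PayloadDisplayName</key><string>Always On VPN Profile (example)</string>
</dict>
</plist>
```

Two things an administrator should check before deploying a profile like this: that the certificate payload the tunnels reference is device-scoped (Always On VPN authenticates the device, not the user, so it must work before anyone unlocks it), and that every ServiceExceptions entry is a deliberate choice, because each Allow is traffic that leaves the device outside the tunnel.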

An elegant solution for a more modernized computing landscape

Legacy VPN solutions have long been the only real choice for protecting data over remote connections, because they secure connections made over untrusted networks, like public Wi-Fi hotspots or the Internet at large – basically, anything outside the corporate perimeter maintained behind the company firewalls.

The problem with this thinking is that due to a combination of factors, like:

  • Mobile transformation
  • Remote and hybrid work environments
  • Evolving security threats

enterprise VPN no longer provides the level of protection for corporate resources, or of secured access to sensitive data, that it once did. For starters, the explosive growth of mobile devices has changed the way in which IT and Security teams approach management and security. Next, the rise in organizations migrating to fully remote or hybrid work has eroded the network perimeter, requiring a rethinking of how best to protect resources while permitting employees to remain as productive as possible from the devices they choose, over any connection, at any time and from anywhere. Third, as technology has evolved, so too have bad actors and the tactics they use to attack devices and users in order to compromise data.

The need for a modern approach to securing apps and data, including mobile computing protections, has given rise to Zero Trust Network Access, or ZTNA for short. The security model gets its name from the principle of “zero trust”, defined as never trusting devices or users, instead always verifying that access to protected resources is permitted.

It achieves this by decoupling the implicit security authorization from a “trusted” device or user’s credentials, instead securing the resources and data themselves. It provides multiple layers of security (also known as defense in depth) in which a user and their mobile device are required to verify that they’re eligible to access a requested resource prior to gaining authorization, through constant device health compliance checks and consistent policy-based enforcement of identity-centric authentication.

Unlike VPN, where access grants the user access to the entire network, ZTNA utilizes microtunnels to connect users to only the resource they’re authorized to access, enforcing least privilege and preventing lateral network access. Going a step beyond, should a user or device fail any of the checks at any time and thus be potentially compromised, ZTNA blocks access only to the affected resources. Unaffected resources remain available, ensuring users stay productive until the issue is remediated.

As for the user experience, ZTNA preserves user privacy, compared to legacy VPN, through the use of split tunneling. For those unfamiliar with split tunneling, it is a technology that ensures business connections are secured while routing non-business application traffic directly to the Internet. Also, ZTNA automatically connects when needed, reconnecting if there is a disruption, while utilizing minimal system resources, for an uncompromised user experience that is lightweight, fast and efficient.

Lastly, leveraging cloud-based infrastructure means that there is zero hardware to manage, no need for complex software configurations, no expensive support contracts to maintain and scalability grows as your needs do. It also means integration with modern, cloud-based Identity Providers (IdP) extends security and flexibility across your infrastructure – spanning on-premises, public and private clouds and hosted SaaS solutions while eliminating the need to manage certificates as you take advantage of Single Sign-On (SSO) and Multifactor Authentication (MFA).

Key Takeaways:

  • Legacy VPN solutions for iOS may not provide the level of security that users and organizations are expecting.
  • Apple-provided security features can help to further secure legacy VPN connections but must be implemented by the developer.
  • IT and Security teams can manage legacy VPN configurations through their preferred MDM solution to enable Always On VPN data security.
  • ZTNA is an enterprise endpoint security solution developed to address the shortcomings of legacy VPN solutions against the evolving threat landscape.
  • Zero trust was designed to support modern computing initiatives, like remote/hybrid work environments, mobile transformation and varying ownership models (BYOD).
  • Enhanced security while preserving user privacy is baked into ZTNA while integrating protections across your entire infrastructure.
  • Minimal impact on system resources means ZTNA performs faster and more efficiently than legacy VPN.
  • Due to its cloud-based nature, ZTNA doesn’t incur the financial cost, impact on network performance, security limitations or require the administrative overhead of legacy VPN.
  • Integration with third-party technologies extends security features, such as native support for IdP and MFA.
  • ZTNA protection is always automatically enabled by default. No user intervention is required, so data is always secured across all networks, on all modern devices connecting from anywhere.

How does your legacy VPN solution stack up to the challenges of securing your mobile Apple fleet?

If it’s not enhancing your security, it could be working against it. Learn more about how ZTNA can protect your fleet from modern mobile threats.
