Apps Can Bypass iOS 16's VPN And Communicate With Apple, Researcher Found


Apple has long touted itself as a privacy-conscious company with various privacy-focused products and approaches.

But like any other company, Apple can have flaws. In this case, it failed to route all network traffic through VPNs, and the issue has not been fixed in iOS 16.

Developer and security researcher Tommy Mysk ran some tests and discovered that users' real IP addresses can be accessed even when a VPN is active, when using iOS 16.

In other words, a major release has passed and Apple has not patched the bug.

In addition, Mysk discovered that several stock iOS apps ignore the VPN tunnel and communicate directly with Apple services.

"We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet."

Some Apple apps use end-to-end encryption, and some others rely on security features such as encryption in transit. Other apps also encrypt data when it is sent to Apple servers.

What makes this VPN leak a concern is not how the data is secured, but whether threat actors are able to gather data from incoming traffic that passes through non-VPN sources.

Given how big a security and privacy lapse this could be, it is concerning that Apple, which is aware of the issue, is still doing nothing about it.

Hence, it looks more or less like intended behavior.
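One way to check for this kind of leak from the network side, as an added example that is not from the article or from Mysk's tests: classify flow records captured at the gateway while the VPN is connected. The addresses, the tunnel endpoint and port, and the record layout are constructed assumptions.

```python
import ipaddress

# Constructed setup (assumptions): phone address, home LAN, and the VPN
# server's address/protocol/port. Public addresses are documentation ranges.
PHONE = "192.168.1.50"
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_ENDPOINT = ("203.0.113.10", "udp", 51820)
DNS_PORTS = {53, 853}  # plaintext DNS and DNS-over-TLS

# Constructed flow records seen at the gateway: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("192.168.1.50", "203.0.113.10", "udp", 51820),  # the tunnel itself
    ("192.168.1.50", "198.51.100.7", "tcp", 443),    # TLS outside the tunnel
    ("192.168.1.50", "192.168.1.1", "udp", 53),      # DNS to the LAN resolver
    ("192.168.1.50", "198.51.100.53", "udp", 53),    # DNS to an outside resolver
    ("192.168.1.50", "224.0.0.251", "udp", 5353),    # mDNS, stays on the link
    ("192.168.1.60", "198.51.100.7", "tcp", 443),    # a different device
]

def classify(flow):
    """Return the category of one flow, or None if it is not the phone's."""
    src, dst, proto, port = flow
    if src != PHONE:
        return None
    if (dst, proto, port) == VPN_ENDPOINT:
        return "tunnel"
    # Any DNS seen here is outside the tunnel, even if the resolver is local:
    # the queried names are visible to the LAN and whatever sits behind it.
    if port in DNS_PORTS:
        return "dns_leak"
    ip = ipaddress.ip_address(dst)
    if ip in LAN or ip.is_multicast or ip.is_link_local:
        return "local"  # on-link traffic that a VPN is not expected to carry
    return "leak"       # routed traffic that bypassed the tunnel

def audit(flows):
    """Group the phone's flows by category."""
    report = {"tunnel": [], "dns_leak": [], "leak": [], "local": []}
    for flow in flows:
        kind = classify(flow)
        if kind is not None:
            report[kind].append(flow)
    return report

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_FLOWS).items():
        print(f"{kind:9} {len(hits)} {hits}")
```

Anything in `dns_leak` or `leak` is visible to the local network and upstream provider with the device's real IP address, regardless of whether the payload is encrypted.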

But what makes it even more worrisome is that Apple's Lockdown Mode "leaks more traffic outside the VPN tunnel than the 'normal' mode."

The security feature, first introduced in iOS 16, "offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware," Apple said in the announcement of the feature.

"Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware."

But going by what Mysk is saying, this feature gives only a false sense of security.

Mysk continued to say that the issue isn't isolated to just Apple:

"I know what you’re asking yourself and the answer is YES. Android communicates with Google services outside an active VPN connection, even with the options 'Always-on' and 'Block Connections without VPN.' I used a Pixel phone running Android 13."

This means that VPN apps on Android behave the same way as they do on Apple devices.

On Android, Google services can also communicate outside the intended VPN tunnel when they shouldn't.

Published: 16/10/2022