All iOS VPNs are worthless and Apple knows it, claims researcher

Comments

  • Reply 21 of 43
    DAalseth Posts: 3,058 member
    Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
    What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
    Ok, but for most of us we use a VPN to keep snoopers from picking up something while we’re in a coffee shop. I’m not worried about warrants and governments. My worry is about the local card scraper, and for that VPNs work very well. If your security requirements are higher, then fine, but for most of us, it’s not that life and death. Oh and the other thing I use them for is virtually shifting my location. Crunchyroll demands a premium account for everything when you’re in Canada. I just found out that if I let it think I’m in the US most stuff is open if you have the free account.

    So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
    edited August 2022
  • Reply 22 of 43
    danox Posts: 3,429 member
    Apple cares more about adding moronic effects to Messages for children & older people who still behave like children than they do about providing a secure platform. They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and stop being morally bankrupt.
    A Geek's lament, VPN, and Little Snitch programs will always be on the outside looking in what did you expect with Apple being involved in content creation and massive distribution, torrent programs never and programs that convert different audio and video formats? barely with their nose in the air….

    Apple creating content isn’t necessarily a plus, for most users not if it means Apple limits itself from developing or allowing a wider range of programs and hardware within iOS or Mac OS.
  • Reply 23 of 43
    anonymouse Posts: 6,976 member
    Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
    What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
    I have to agree with this. All a traditional "consumer" VPN will do is hide your traffic from the ISP, but it doesn't hide it from the VPN provider. Hopefully your traffic is also encrypted end-to-end, but if it isn't, the VPN provider can read the content as well as the source and destination IPs and protocols. I mean, choose your poison I guess, but someone can see your traffic, and I'm not sure it's better for that to be a VPN provider than an ISP.
  • Reply 24 of 43
    Marvin Posts: 15,493 moderator
    DAalseth said:
    Let me know if I’m understanding this right;
    I’m on my iPad using Safari. Nothing is encrypted.
    I start a VPN. Then I start Firefox.
    It sounds like the Firefox connection is encrypted, but Safari isn't?
    Or is there data leakage between Firefox and Safari?
    If I quit Safari and restart it, then it would be encrypted?
    (By implication might there be leakage between what is running through the tunnel, and any app that isn’t, Mail, iMessage, etc.)
    According to the ProtonVPN site linked in the article, it affects persistent connections. Some of these are connections to Apple's servers from iOS like for push notifications. They suggest an easy workaround by turning airplane mode on/off after connecting to a VPN. This forces every active connection to disconnect and reconnect through the VPN.

    https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/

    It seems like a simple enough fix that Apple could do it. They must have reasons for not fixing it. At the very least the developer should be allowed to ask the user if they want to restart active network connections. They might not want to if they are in the middle of a Zoom/Teams call and trying to access a corporate network.
    edited August 2022
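Added example, not part of the post above or of the ProtonVPN write-up it links: a router-side check that separates the two leak cases discussed in this thread, connections opened before the VPN came up that keep flowing outside it, and new connections that bypass it. The log format, the addresses (RFC 5737 documentation ranges), the VPN endpoint and the function names are all constructed for illustration.

```python
from datetime import datetime
from typing import NamedTuple

# Constructed sample: packet records as an upstream router could log them,
# one per line: "ISO-timestamp src_ip dst_ip:dport proto".
SAMPLE_LOG = """\
2022-08-18T10:00:01 192.0.2.10 198.51.100.7:5223 tcp
2022-08-18T10:01:30 192.0.2.10 198.51.100.20:443 tcp
2022-08-18T10:05:00 192.0.2.10 203.0.113.50:1194 udp
2022-08-18T10:05:40 192.0.2.10 203.0.113.50:1194 udp
2022-08-18T10:06:10 192.0.2.10 198.51.100.7:5223 tcp
2022-08-18T10:07:02 192.0.2.10 198.51.100.53:53 udp
2022-08-18T10:07:30 192.0.2.99 198.51.100.80:443 tcp
2022-08-18T10:09:45 192.0.2.10 198.51.100.7:5223 tcp
"""

DEVICE = "192.0.2.10"                          # assumed address of the phone/tablet
VPN_ENDPOINT = ("203.0.113.50", 1194, "udp")   # assumed VPN server (host, port, proto)
TUNNEL_UP = datetime.fromisoformat("2022-08-18T10:05:00")


class Leak(NamedTuple):
    dst: str
    port: int
    proto: str
    kind: str              # "pre-existing" or "new"
    first_seen: datetime
    packets_after_up: int


def parse_line(line):
    """Split one record into (timestamp, src, dst_host, dst_port, proto)."""
    ts, src, dst, proto = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host.strip("[]"), int(port), proto.lower()


def find_leaks(log, device, vpn_endpoint, tunnel_up):
    """Return flows from `device` still seen outside the tunnel after it came up.

    Once the VPN is up, the only traffic an upstream observer should see from
    the device is the encrypted tunnel to the VPN endpoint. Anything else is a
    leak: "pre-existing" if the flow was first seen before the tunnel came up
    (a persistent connection that was never re-established), "new" otherwise.
    """
    first_seen = {}
    after_up = {}
    for raw in log.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, host, port, proto = parse_line(raw)
        if src != device:
            continue                      # another host on the LAN
        key = (host, port, proto)
        first_seen[key] = min(first_seen.get(key, ts), ts)
        if ts >= tunnel_up and key != vpn_endpoint:
            after_up[key] = after_up.get(key, 0) + 1

    leaks = [
        Leak(*key, "pre-existing" if first_seen[key] < tunnel_up else "new",
             first_seen[key], count)
        for key, count in after_up.items()
    ]
    return sorted(leaks, key=lambda leak: leak.first_seen)


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, DEVICE, VPN_ENDPOINT, TUNNEL_UP):
        print(f"{leak.kind:12} {leak.dst}:{leak.port}/{leak.proto} "
              f"first seen {leak.first_seen.time()} "
              f"packets after tunnel up: {leak.packets_after_up}")
```

The flow to 198.51.100.20:443 is not reported because it has no packets after the tunnel came up; after the airplane-mode toggle described above, the "pre-existing" entries should disappear from a fresh capture.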
  • Reply 25 of 43
    Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside iOS ecosystem, such as Windows and macOS...

    Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!

    The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!

    Basically split-tunneling where you might want only certain Apps to go through the VPN while other Apps/services continue as they were.

    Seems like he’s expecting a specific behavior, and since he doesn’t get it he screams “Apple has a severe security flaw”. 
  • Reply 26 of 43
    22july2013 Posts: 3,735 member
    DAalseth said:
    Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
    What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
    So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
    You are misusing the "eggs in one basket" metaphor. By using a VPN you are putting all your trust in a single company, the VPN company, which can see all your traffic. But if you use Apple Private Relay, no single company, not even Apple, gets to see all your traffic.

    So indeed any VPN user is "putting all their eggs in one basket", while any user of Apple Private Relay is making sure that no single company can read all your data.

    Also, you called it "a service from Apple." I think you don't understand how Apple Private Relay works. There's a different company involved which Apple does not control, and that company may be different depending on where you live. It's a service provided by two separate companies.
  • Reply 27 of 43
    DAalseth Posts: 3,058 member
    DAalseth said:
    Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
    What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
    So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
    You are misusing the "eggs in one basket" metaphor. By using a VPN you are putting all your trust in a single company, the VPN company, which can see all your traffic. But if you use Apple Private Relay, no single company, not even Apple, gets to see all your traffic.

    So indeed any VPN user is "putting all their eggs in one basket", while any user of Apple Private Relay is making sure that no single company can read all your data.

    Also, you called it "a service from Apple." I think you don't understand how Apple Private Relay works. There's a different company involved which Apple does not control, and that company may be different depending on where you live. It's a service provided by two separate companies.
    Nowhere could I find a reference to it being a separate company from Apple. Got a citation?
    It only works with Safari. I like to use DuckDuckGo’s browser. APR does nothing to protect that data.
    It does not let you select a country to route through. Subverting geofencing aside, I prefer to not go through FiveEyes countries. That isn’t possible with APR.
    It is built into iCloud, which is fine, but that gets back to the eggs in one basket thing. It’s an Apple service, running on Apple iCloud, on an Apple device, that only works with Apple’s browser. 
    I might enable APR for general use. But I’m going to keep my VPN around as well. One based outside the US.

    EDIT: I just looked and on my iPad which just got the latest iPadOS update today it is STILL listed as BETA software. I’m not going to trust it with anything until it’s out of BETA.
    edited August 2022
  • Reply 28 of 43
    hmlongco said:
    They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and stop being morally bankrupt.
    Developers need to realize that Apple provides a service, platform, and store on which they can sell their wares to over a billion people. They need to grow up and stop expecting something for nothing.
    You have to realize that statement is completely bananas, and several governments and experts feel the same way. They’ve outlined exactly why they think so in comprehensive reports, and they hold much more weight than your opinion which provides no real arguments or insights and lacks any form of expert knowledge.

    Also the above has nothing to do with the article, which is about a huge bug in VPN that affects people all around the world who feel safe but aren’t.
    As you can clearly see from the quotes, in this particular context I was directly responding to BeDifferent's comment about "fleecing" developers. My comment is as germane to the article as his.

    Second, just because others may feel otherwise doesn't mean that they're correct. Especially since many of those hired "experts" happen to be providing opinions (excuse me, "comprehensive reports") which coincidentally support companies like, say, Epic, who has a vested interest in NOT paying for access to Apple's platform and customers. 

    Third, and as you so aptly point out, the comments in this thread are primarily focused on the VPN, so forgive me for not providing a doctoral dissertation on the matter in order to support my thesis.

    Fourth, while I may not be a lawyer or other "expert" in your eyes, I do in fact happen to be an iOS developer, so... yeah. I do have some skin in the game and some opinions on the matter.

    And finally, I responded directly to the alleged VPN issue in another comment, where I mention how the VPN works for me and my use case. Not being a communications engineer (are you?), I'm not sure I'm qualified to discuss the full ramifications of forcing every existing communications link for every app in the system to drop. Especially if said apps are in the process of downloading updates or other critical information. 
  • Reply 29 of 43
    genovelle Posts: 1,481 member
    neoncat said:
    Apple Defense Force™ is flexing its muscles in this thread! God bless.
    It’s sad that they have to because a lot of BS floaters show up to peddle their fecal matter and need to be called out.
  • Reply 30 of 43
    y2an Posts: 231 member
    So why didn’t the author raise a CVE? This is after all the established way of reporting and gaining traction on vulnerabilities. 
  • Reply 31 of 43
    elijahg Posts: 2,854 member
    Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside iOS ecosystem, such as Windows and macOS...

    Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!

    The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
    Except it doesn’t, due to this bug. Which shows you don’t actually have any idea whether your OpenVPN tunnel really does tunnel all data or not. 
    edited August 2022
  • Reply 32 of 43
    bobolicious Posts: 1,175 member
    Apple takes privacy seriously
    What exactly does this mean anyway...?  Does that exclude customer IP...?

    For some is it anonymizing the ad targeting, which is apparently somewhat moot, or perhaps for others is it collecting customer IP (CoreML?) or other collection for future AI offerings...?

    As well for consideration: www.theatlantic.com/technology/archive/2019/01/apples-hypocritical-defense-data-privacy/581680/
  • Reply 33 of 43
    zimmie Posts: 651 member
    DAalseth said:
    DAalseth said:
    Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
    What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
    So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
    You are misusing the "eggs in one basket" metaphor. By using a VPN you are putting all your trust in a single company, the VPN company, which can see all your traffic. But if you use Apple Private Relay, no single company, not even Apple, gets to see all your traffic.

    So indeed any VPN user is "putting all their eggs in one basket", while any user of Apple Private Relay is making sure that no single company can read all your data.

    Also, you called it "a service from Apple." I think you don't understand how Apple Private Relay works. There's a different company involved which Apple does not control, and that company may be different depending on where you live. It's a service provided by two separate companies.
    Nowhere could I find a reference to it being a separate company from Apple. Got a citation?
    It only works with Safari. I like to use DuckDuckGo’s browser. APR does nothing to protect that data.
    It does not let you select a country to route through. Subverting geofencing aside, I prefer to not go through FiveEyes countries. That isn’t possible with APR.
    It is built into iCloud, which is fine, but that gets back to the eggs in one basket thing. It’s an Apple service, running on Apple iCloud, on an Apple device, that only works with Apple’s browser. 
    I might enable APR for general use. But I’m going to keep my VPN around as well. One based outside the US.

    EDIT: I just looked and on my iPad which just got the latest iPadOS update today it is STILL listed as BETA software. I’m not going to trust it with anything until it’s out of BETA.
    The document explaining iCloud Private Relay is only 11 pages, most of which are under half text.
     
    Private Relay has two layers. The first is run by Apple everywhere. It handles making sure the user is authorized, but has no way to see where the user is going. The second layer is run by several "third-party partners" in each facility. It can see where the traffic is going, but it has no ability to see the user's Apple ID, source IP, or other identifying information. The phone does client-anonymous QUIC to the second layer, then sends that inside client-authenticated QUIC to the Apple layer.

    It covers all DNS requests made through the system DNS resolver, as well as all HTTP traffic made through system APIs. All browsers on iOS are Safari skins, so all HTTP traffic from any browser on iOS can be covered by Private Relay. It doesn't do anything with HTTPS traffic currently.
    edited August 2022
  • Reply 34 of 43
    Apple cares more about adding moronic effects to Messages for children & older people who still behave like children than they do about providing a secure platform. They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and stop being morally bankrupt.
    I agree with the first sentence at least. Sick of seeing some trumpeted upgrade where the main change is some dumbass emoticon.
  • Reply 35 of 43
    magman1979 Posts: 1,301 member
    Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside iOS ecosystem, such as Windows and macOS...

    Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!

    The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
    Split tunnel exceptions are just for VPNs (like Cisco AnyConnect or OpenVPN) that connect you to a home or work network. Consumer VPNs used for privacy should be sending all traffic. They should certainly be sending Gmail and DNS traffic which the author mentioned was bypassing the VPN for new connections.
    Well DUH, why do you think they aren't?! They are getting MONETIZATION FUNDS from those companies! Look at the App Privacy Report for those apps and you'll quickly see the app internally communicates with MANY of those providers' API domains! Again, this isn't a flaw in iOS, this is a legitimate API / exemption capability that's required, being exploited by morally bankrupt and financially-incentivized capitalists to turn us (yet again) into the PRODUCT.

    The ONLY individuals / organizations to blame here are the unscrupulous VPN providers, NOT Apple!
  • Reply 36 of 43
    magman1979 Posts: 1,301 member
    Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside iOS ecosystem, such as Windows and macOS...

    Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!

    The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!

    Basically split-tunneling where you might want only certain Apps to go through the VPN while other Apps/services continue as they were.

    Seems like he’s expecting a specific behavior, and since he doesn’t get it he screams “Apple has a severe security flaw”. 
    That, and also because these apps have integrated APIs that call home to their CnC servers, and you can bet your bottom dollar that these "private" VPNs are getting monetization dollars from places like Google, FB and others under condition traffic to their resources aren't filtered and/or hidden which would impede their marketing revenues and kickbacks to the VPN providers.

    We are all the product, even with PAID PRODUCTS / SERVICES, which most people cannot seem to grasp.
  • Reply 37 of 43
    magman1979 Posts: 1,301 member
    elijahg said:
    Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside iOS ecosystem, such as Windows and macOS...

    Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!

    The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
    Except it doesn’t, due to this bug. Which shows you don’t actually have any idea whether your OpenVPN tunnel really does tunnel all data or not. 
    Uh, yeah I do; I run my OpenVPN server on a Ubiquiti EdgeOS router, and I have DPI enabled, and can instantly see when a device connected to it is routing all data via the tunnel, or directly outside the tunnel.

    Nice try, this isn't a bug, but a legit feature being exploited against its true intent in order to turn a profit. Remember, WE ARE THE PRODUCTS for these capitalists, not the other way around.
  • Reply 38 of 43
    No surprise, just leaving a few backdoors for NSA surveillance operations. Hush, hush boys!
  • Reply 39 of 43
    Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside iOS ecosystem, such as Windows and macOS...

    Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!

    The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!

    Basically split-tunneling where you might want only certain Apps to go through the VPN while other Apps/services continue as they were.

    Seems like he’s expecting a specific behavior, and since he doesn’t get it he screams “Apple has a severe security flaw”. 
    Because it IS a security flaw. Either VPN should work 100% correctly, or it doesn’t - in which case it is a security flaw, especially for people relying on absolute privacy.
    Apple suggests to the end-user that it is all working - there is no front-end feedback that displays what is happening ‘underwater’. Using VPN on macOS clearly gives a false sense of security, and the end-user has no way of seeing what is truly going on when it comes to network traffic.
    Spin it ‘pro-Apple’ whatever you like - but it is a security bug, it’s the very definition of it. And it’s a severe one too.
    edited August 2022
  • Reply 40 of 43
    22july2013 Posts: 3,735 member
    DAalseth said:
    DAalseth said:
    Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
    What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
    So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
    You are misusing the "eggs in one basket" metaphor. By using a VPN you are putting all your trust in a single company, the VPN company, which can see all your traffic. But if you use Apple Private Relay, no single company, not even Apple, gets to see all your traffic.

    So indeed any VPN user is "putting all their eggs in one basket", while any user of Apple Private Relay is making sure that no single company can read all your data.

    Also, you called it "a service from Apple." I think you don't understand how Apple Private Relay works. There's a different company involved which Apple does not control, and that company may be different depending on where you live. It's a service provided by two separate companies.
    Nowhere could I find a reference to it being a separate company from Apple. Got a citation?
    It only works with Safari. I like to use DuckDuckGo’s browser. APR does nothing to protect that data.
    It does not let you select a country to route through. Subverting geofencing aside, I prefer to not go through FiveEyes countries. That isn’t possible with APR.
    It is built into iCloud, which is fine, but that gets back to the eggs in one basket thing. It’s an Apple service, running on Apple iCloud, on an Apple device, that only works with Apple’s browser. 
    I might enable APR for general use. But I’m going to keep my VPN around as well. One based outside the US.

    EDIT: I just looked and on my iPad which just got the latest iPadOS update today it is STILL listed as BETA software. I’m not going to trust it with anything until it’s out of BETA.
    I presume Zimmie's citation is a sufficient citation for you. He provided a document link to an Apple document that explains how the "separate company from Apple" works. Apple refers to these other companies as "third party partners." Apple does not indicate in that document the name of the other companies. The names may differ for different people depending on what country they live in.

    Your point about BETA is valid, however. You don't have to trust it if you don't want to.

    Your point about it working only with Safari isn't very accurate. Apple's document says "As a result, Private Relay protects all web browsing in Safari and unencrypted activity in apps, adding both privacy and security benefits." Is that more clear?