Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
Ok, but for most of us we use a VPN to keep snoopers from picking up something while we’re in a coffee shop. I’m not worried about warrants and governments. My worry is about the local card scraper, and for that VPNs work very well. If your security requirements are higher, then fine, but for most of us, it’s not that life and death. Oh and the other thing I use them for is virtually shifting my location. Crunchyroll demands a premium account for everything when you’re in Canada. I just found out that if I let it think I’m in the US most stuff is open if you have the free account.
So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
Apple cares more about adding moronic effects to Messages for children & older people who still behave like children than they do about providing a secure platform. They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and stop being morally bankrupt.
A geek's lament: VPN and Little Snitch programs will always be on the outside looking in. What did you expect, with Apple being involved in content creation and massive distribution? Torrent programs? Never. Programs that convert different audio and video formats? Barely, with their nose in the air….
Apple creating content isn’t necessarily a plus for most users, not if it means Apple limits itself from developing or allowing a wider range of programs and hardware within iOS or Mac OS.
> Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
> What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
I have to agree with this. All a traditional "consumer" VPN will do is hide your traffic from the ISP, but it doesn't hide it from the VPN provider. Hopefully your traffic is also encrypted end-to-end, but if it isn't, the VPN provider can read the content as well as the source and destination IPs and protocols. I mean, choose your poison I guess, but someone can see your traffic, and I'm not sure it's better for that to be a VPN provider than an ISP.
Let me know if I’m understanding this right; I’m on my iPad using Safari. Nothing is encrypted. I start a VPN. Then I start Firefox. It sounds like the Firefox connection is encrypted, but Safari isn't? Or is there data leakage between Firefox and Safari? If I quit Safari and restart it, then it would be encrypted? (By implication might there be leakage between what is running through the tunnel, and any app that isn’t, Mail, iMessage, etc.)
According to the ProtonVPN site linked in the article, it affects persistent connections. Some of these are connections to Apple's servers from iOS like for push notifications. They suggest an easy workaround by turning airplane mode on/off after connecting to a VPN. This forces every active connection to disconnect and reconnect through the VPN.
It seems like a simple enough fix that Apple could do it. They must have reasons for not fixing it. At the very least the developer should be allowed to ask the user if they want to restart active network connections. They might not want to if they are in the middle of a Zoom/Teams call and trying to access a corporate network.
Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside the iOS ecosystem, such as Windows and macOS...
Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!
The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
Basically split-tunneling where you might want only certain Apps to go through the VPN while other Apps/services continue as they were.
Seems like he’s expecting a specific behavior, and since he doesn’t get it he screams “Apple has a severe security flaw”.
> Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
> What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
> So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
You are misusing the "eggs in one basket" metaphor. By using a VPN you are putting all your trust in a single company, the VPN company, which can see all your traffic, but if you use Apple Private Relay, no single company, not even Apple, gets to see all your traffic.
So indeed any VPN user is "putting all their eggs in one basket", while any user of Apple Private Relay is making sure that no single company can read all your data.
Also, you called it "a service from Apple." I think you don't understand how Apple Private Relay works. There's a different company involved which Apple does not control, and that company may be different depending on where you live. It's a service provided by two separate companies.
> Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
> What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
> So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
> You are misusing the "eggs in one basket" metaphor. By using a VPN you are putting all your trust in a single company, the VPN company, which can see all your traffic, but if you use Apple Private Relay, no single company, not even Apple, gets to see all your traffic.
> So indeed any VPN user is "putting all their eggs in one basket", while any user of Apple Private Relay is making sure that no single company can read all your data.
> Also, you called it "a service from Apple." I think you don't understand how Apple Private Relay works. There's a different company involved which Apple does not control, and that company may be different depending on where you live. It's a service provided by two separate companies.
Nowhere could I find a reference to it being a separate company from Apple. Got a citation? It only works with Safari. I like to use DuckDuckGo’s browser. APR does nothing to protect that data. It does not let you select a country to route through. Subverting geofencing aside, I prefer to not go through Five Eyes countries. That isn’t possible with APR. It is built into iCloud, which is fine, but that gets back to the eggs in one basket thing. It’s an Apple service, running on Apple iCloud, on an Apple device, that only works with Apple’s browser. I might enable APR for general use. But I’m going to keep my VPN around as well. One based outside the US.
EDIT: I just looked and on my iPad which just got the latest iPadOS update today it is STILL listed as BETA software. I’m not going to trust it with anything until it’s out of BETA.
> They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and stop being morally bankrupt.
Developers need to realize that Apple provides a service, platform, and store on which they can sell their wares to over a billion people. They need to grow up and stop expecting something for nothing.
You have to realize that statement is completely bananas, and several governments and experts feel the same way. They’ve outlined exactly why they think so in comprehensive reports, and they hold much more weight than your opinion which provides no real arguments or insights and lacks any form of expert knowledge.
Also the above has nothing to do with the article, which is about a huge bug in VPN that affects people all around the world who feel safe but aren’t.
As you can clearly see from the quotes, in this particular context I was directly responding to BeDifferent's comment about "fleecing" developers. My comment is as germane to the article as his.
Second, just because others may feel otherwise doesn't mean that they're correct. Especially since many of those hired "experts" happen to be providing opinions (excuse me, "comprehensive reports") which coincidentally support companies like, say, Epic, who has a vested interest in NOT paying for access to Apple's platform and customers.
Third, and as you so aptly point out, the comments in this thread are primarily focused on the VPN, so forgive me for not providing a doctoral dissertation on the matter in order to support my thesis.
Fourth, while I may not be a lawyer or other "expert" in your eyes, I do in fact happen to be an iOS developer, so... yeah. I do have some skin in the game and some opinions on the matter.
And finally, I responded directly to the alleged VPN issue in another comment, where I mention how the VPN works for me and my use case. Not being a communications engineer (are you?), I'm not sure I'm qualified to discuss the full ramifications of forcing every existing communications link for every app in the system to drop. Especially if said apps are in the process of downloading updates or other critical information.
> Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside the iOS ecosystem, such as Windows and macOS...
> Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!
> The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
Except it doesn’t, due to this bug. Which shows you don’t actually have any idea whether your OpenVPN tunnel really does tunnel all data or not.
What exactly does this mean anyway...? Does that exclude customer IP...?
For some is it anonymizing the ad targeting, which is apparently somewhat moot, or perhaps for others is it collecting customer IP (CoreML?) or other collection for future AI offerings...?
As well for consideration: www.theatlantic.com/technology/archive/2019/01/apples-hypocritical-defense-data-privacy/581680/
> Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
> What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
> So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
> You are misusing the "eggs in one basket" metaphor. By using a VPN you are putting all your trust in a single company, the VPN company, which can see all your traffic, but if you use Apple Private Relay, no single company, not even Apple, gets to see all your traffic.
> So indeed any VPN user is "putting all their eggs in one basket", while any user of Apple Private Relay is making sure that no single company can read all your data.
> Also, you called it "a service from Apple." I think you don't understand how Apple Private Relay works. There's a different company involved which Apple does not control, and that company may be different depending on where you live. It's a service provided by two separate companies.
> Nowhere could I find a reference to it being a separate company from Apple. Got a citation? It only works with Safari. I like to use DuckDuckGo’s browser. APR does nothing to protect that data. It does not let you select a country to route through. Subverting geofencing aside, I prefer to not go through Five Eyes countries. That isn’t possible with APR. It is built into iCloud, which is fine, but that gets back to the eggs in one basket thing. It’s an Apple service, running on Apple iCloud, on an Apple device, that only works with Apple’s browser. I might enable APR for general use. But I’m going to keep my VPN around as well. One based outside the US.
> EDIT: I just looked and on my iPad which just got the latest iPadOS update today it is STILL listed as BETA software. I’m not going to trust it with anything until it’s out of BETA.
Private Relay has two layers. The first is run by Apple everywhere. It handles making sure the user is authorized, but has no way to see where the user is going. The second layer is run by several "third-party partners" in each facility. It can see where the traffic is going, but it has no ability to see the user's Apple ID, source IP, or other identifying information. The phone does client-anonymous QUIC to the second layer, then sends that inside client-authenticated QUIC to the Apple layer.
It covers all DNS requests made through the system DNS resolver, as well as all HTTP traffic made through system APIs. All browsers on iOS are Safari skins, so all HTTP traffic from any browser on iOS can be covered by Private Relay. It doesn't do anything with HTTPS traffic currently.
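The two-layer design described in this comment, as an added example that is not Apple's implementation and not code from the thread: a toy model in which the client wraps the destination for the egress (partner) hop, then wraps that opaque blob together with its access token for the ingress (Apple) hop. Each hop holds only its own key, so the ingress hop learns the client's address and token but not the destination, and the egress hop learns the destination but sees only the ingress hop as the sender. The keys, token values and the SHA-256 keystream cipher are demo assumptions standing in for the two QUIC sessions; the cipher has no authentication and is not suitable for anything but this illustration.

```python
"""Toy two-hop relay: what the ingress and egress hops each get to see.

Added example; not Apple's Private Relay code. Keys, tokens, addresses and
the keystream cipher are demo assumptions.
"""
import hashlib
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a demo stream cipher, deliberately minimal.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


# Assumed demo keys: one shared by client and ingress hop, one by client and
# egress hop. Neither hop ever holds the other's key.
INGRESS_KEY = hashlib.sha256(b"demo-ingress-key").digest()
EGRESS_KEY = hashlib.sha256(b"demo-egress-key").digest()


def client_build(token: str, client_ip: str, destination: str) -> dict:
    """Inner layer carries the destination for egress; outer layer carries
    the access token plus the opaque inner blob for ingress."""
    inner = seal(EGRESS_KEY, json.dumps({"dst": destination}).encode())
    outer = seal(INGRESS_KEY, json.dumps({"token": token, "inner": inner.hex()}).encode())
    return {"src_ip": client_ip, "payload": outer}


def ingress_hop(packet: dict, valid_tokens: set) -> tuple:
    """Authorizes the client. Sees its IP and token, forwards the inner blob
    with its own address as the new source."""
    msg = json.loads(unseal(INGRESS_KEY, packet["payload"]))
    if msg["token"] not in valid_tokens:
        raise PermissionError("client not authorized")
    view = {"src_ip": packet["src_ip"], "token": msg["token"]}
    forwarded = {"src_ip": "ingress-hop", "payload": bytes.fromhex(msg["inner"])}
    return view, forwarded


def egress_hop(packet: dict) -> dict:
    """Learns the destination; the only sender it sees is the ingress hop."""
    msg = json.loads(unseal(EGRESS_KEY, packet["payload"]))
    return {"src_ip": packet["src_ip"], "dst": msg["dst"]}


def relay(token: str, client_ip: str, destination: str, valid_tokens: set) -> tuple:
    """Run one request through both hops; return (ingress view, egress view)."""
    packet = client_build(token, client_ip, destination)
    ingress_view, forwarded = ingress_hop(packet, valid_tokens)
    return ingress_view, egress_hop(forwarded)


def rejects_unknown_token(token: str, valid_tokens: set) -> bool:
    try:
        relay(token, "198.51.100.9", "example.com:443", valid_tokens)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    iv, ev = relay("tok-A", "198.51.100.9", "example.com:443", {"tok-A"})
    print("ingress sees:", iv)  # client IP and token, no destination
    print("egress sees: ", ev)  # destination, no client IP or token
```

Run it and compare the two printed views: the property the comment describes is that no single hop has both the client identity and the destination, which here follows directly from each hop holding only one key.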
> Apple cares more about adding moronic effects to Messages for children & older people who still behave like children than they do about providing a secure platform. They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and stop being morally bankrupt.
I agree with the first sentence at least. Sick of seeing some trumpeted upgrade where the main change is some dumbass emoticon.
> Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside the iOS ecosystem, such as Windows and macOS...
> Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!
> The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
Split tunnel exceptions are just for VPNs (like Cisco AnyConnect or OpenVPN) that connect you to a home or work network. Consumer VPNs used for privacy should be sending all traffic. They should certainly be sending Gmail and DNS traffic which the author mentioned was bypassing the VPN for new connections.
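An added example (not code from the thread, ProtonVPN or Apple) that serves two points in this discussion: the ProtonVPN finding that connections established before the VPN came up keep using the physical interface, and the distinction drawn in this comment between a deliberate split-tunnel route and a leak. The script parses a constructed `lsof -nP -i` style connection table and buckets each established connection as tunneled (local address is the tunnel address), an expected exemption (remote host is on an allowlisted network, as with a home or work VPN) or a leak (still bound to the Wi-Fi address). The tunnel address, sample rows and exemption list are assumptions.

```python
"""Classify established connections as tunneled, exempt or leaking.

Added example, not from the thread, ProtonVPN or Apple. Input is a
constructed lsof-style table; tunnel address and exemptions are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample. Documentation address ranges are used for remote hosts.
# The Wi-Fi address is 192.168.1.23, the assumed tunnel address is 10.8.0.6.
# apsd and Mail were established before the VPN came up and still use the
# Wi-Fi address; firefox started afterwards and uses the tunnel; Slack talks
# to a LAN host the user deliberately exempted.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apsd      123 root   12u  IPv4 0x1      0t0  TCP 192.168.1.23:52311->203.0.113.20:5223 (ESTABLISHED)
Mail      456 alice  34u  IPv4 0x2      0t0  TCP 192.168.1.23:52340->198.51.100.44:993 (ESTABLISHED)
sshd      321 root    3u  IPv6 0x5      0t0  TCP *:22 (LISTEN)
firefox   789 alice  55u  IPv4 0x3      0t0  TCP 10.8.0.6:49152->198.51.100.7:443 (ESTABLISHED)
Slack     901 alice  60u  IPv4 0x4      0t0  TCP 192.168.1.23:52400->192.168.1.50:445 (ESTABLISHED)
"""

# Matches rows that have a peer ("local->remote (STATE)"); LISTEN rows do not.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+)->(?P<remote>\S+)\s+\((?P<state>\w+)\)"
)


@dataclass
class Conn:
    command: str
    pid: int
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def _split_addr(addr: str):
    # "host:port" or "[v6-host]:port" -> (host, port); brackets stripped so
    # ipaddress can parse the host.
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_lsof(text: str):
    """One Conn per row with a peer; the header and LISTEN rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lip, lport = _split_addr(m["local"])
        rip, rport = _split_addr(m["remote"])
        conns.append(Conn(m["cmd"], int(m["pid"]), m["proto"], lip, lport, rip, rport, m["state"]))
    return conns


def classify(conns, tunnel_ip: str, exempt_nets=()):
    """Bucket ESTABLISHED connections by whether they use the tunnel address."""
    nets = [ipaddress.ip_network(n) for n in exempt_nets]
    report = {"tunneled": [], "exempt": [], "leak": []}
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        if c.local_ip == tunnel_ip:
            report["tunneled"].append(c)
        elif any(ipaddress.ip_address(c.remote_ip) in n for n in nets):
            report["exempt"].append(c)  # deliberate split-tunnel route
        else:
            report["leak"].append(c)  # still bound to the physical interface
    return report


if __name__ == "__main__":
    report = classify(parse_lsof(SAMPLE_LSOF), "10.8.0.6", ["192.168.1.0/24"])
    for bucket, items in report.items():
        for c in items:
            print(f"{bucket:9} {c.command}[{c.pid}] {c.local_ip}:{c.local_port}"
                  f" -> {c.remote_ip}:{c.remote_port}")
```

On a real machine the table would come from `lsof -nP -i` run after the VPN is up, with the tunnel address read from the utun interface; connections that land in the "leak" bucket are exactly the ones the airplane-mode toggle mentioned earlier forces to reconnect, and an empty exemption list is the right setting for a privacy VPN that is supposed to carry everything.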
Well DUH, why do you think they aren't?! They are getting MONETIZATION FUNDS from those companies! Look at the App Privacy Report for those apps and you'll quickly see the app internally communicates with MANY of those providers' API domains! Again, this isn't a flaw in iOS, this is a legitimate API / exemption capability that's required, being exploited by morally bankrupt and financially-incentivized capitalists to turn us (yet again) into the PRODUCT.
The ONLY individuals / organizations to blame here are the unscrupulous VPN providers, NOT Apple!
> Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside the iOS ecosystem, such as Windows and macOS...
> Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!
> The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
> Basically split-tunneling where you might want only certain Apps to go through the VPN while other Apps/services continue as they were.
> Seems like he’s expecting a specific behavior, and since he doesn’t get it he screams “Apple has a severe security flaw”.
That, and also because these apps have integrated APIs that call home to their CnC servers, and you can bet your bottom dollar that these "private" VPNs are getting monetization dollars from places like Google, FB and others under condition traffic to their resources aren't filtered and/or hidden which would impede their marketing revenues and kickbacks to the VPN providers.
We are all the product, even with PAID PRODUCTS / SERVICES, which most people cannot seem to grasp.
> Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside the iOS ecosystem, such as Windows and macOS...
> Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!
> The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
> Except it doesn’t, due to this bug. Which shows you don’t actually have any idea whether your OpenVPN tunnel really does tunnel all data or not.
Uh, yeah I do; I run my OpenVPN server on a Ubiquiti EdgeOS router, and I have DPI enabled, and can instantly see when a device connected to it is routing all data via the tunnel, or directly outside the tunnel.
Nice try, this isn't a bug, but a legit feature being exploited against its true intent in order to turn a profit. Remember, WE ARE THE PRODUCTS for these capitalists, not the other way around.
> Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside the iOS ecosystem, such as Windows and macOS...
> Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!
> The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!
> Basically split-tunneling where you might want only certain Apps to go through the VPN while other Apps/services continue as they were.
> Seems like he’s expecting a specific behavior, and since he doesn’t get it he screams “Apple has a severe security flaw”.
Because it IS a security flaw. Either the VPN works 100% correctly, or it doesn’t, in which case it is a security flaw, especially for people relying on absolute privacy.
Apple suggests to the end-user that it is all working - there is no front-end feedback that displays what is happening ‘underwater’. Using VPN on macOS clearly gives a false sense of security, and the end-user has no way of seeing what is truly going on when it comes to network traffic. Spin it ‘pro-Apple’ whatever you like - but it is a security bug, it’s the very definition of it. And it’s a severe one too.
> Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
> What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
> So if you don’t trust VPNs that’s fine. Personally I’ll take a VPN with a good reputation, over a service from Apple. Eggs in one basket issue you know. Besides from what I’ve read Apple’s service is a bit limited.
> You are misusing the "eggs in one basket" metaphor. By using a VPN you are putting all your trust in a single company, the VPN company, which can see all your traffic, but if you use Apple Private Relay, no single company, not even Apple, gets to see all your traffic.
> So indeed any VPN user is "putting all their eggs in one basket", while any user of Apple Private Relay is making sure that no single company can read all your data.
> Also, you called it "a service from Apple." I think you don't understand how Apple Private Relay works. There's a different company involved which Apple does not control, and that company may be different depending on where you live. It's a service provided by two separate companies.
> Nowhere could I find a reference to it being a separate company from Apple. Got a citation? It only works with Safari. I like to use DuckDuckGo’s browser. APR does nothing to protect that data. It does not let you select a country to route through. Subverting geofencing aside, I prefer to not go through Five Eyes countries. That isn’t possible with APR. It is built into iCloud, which is fine, but that gets back to the eggs in one basket thing. It’s an Apple service, running on Apple iCloud, on an Apple device, that only works with Apple’s browser. I might enable APR for general use. But I’m going to keep my VPN around as well. One based outside the US.
> EDIT: I just looked and on my iPad which just got the latest iPadOS update today it is STILL listed as BETA software. I’m not going to trust it with anything until it’s out of BETA.
I presume Zimmie's citation is a sufficient citation for you. He provided a document link to an Apple document that explains how the "separate company from Apple" works. Apple refers to these other companies as "third party partners." Apple does not indicate in that document the name of the other companies. The names may differ for different people depending on what country they live in.
Your point about BETA is valid, however. You don't have to trust it if you don't want to.
Your point about it working only with Safari isn't very accurate. Apple's document says "As a result, Private Relay protects all web browsing in Safari and unencrypted activity in apps, adding both privacy and security benefits." Is that more clear?
https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/