A security researcher back in August found a significant flaw in iOS VPN apps, and a second researcher has now demonstrated another major issue.

The first problem was that opening a VPN app should close all existing connections, but didn’t. The second is that many Apple apps send private data outside the VPN tunnel, including Health (above) and Wallet …

Normally, when you connect to a website or other server, your data is first sent to your ISP or mobile data carrier. They then forward it to the remote server. That means that your ISP can see who you are and which sites and services you are accessing – and also puts you at risk from fake Wi-Fi hotspots.

A VPN instead sends your data in encrypted form to a secure server. Your data is protected from an ISP, carrier, or hotspot operator. All they can see is that you are using a VPN. The usual analogy is it’s like using a secret tunnel from your device to the VPN server. Similarly, the websites and servers you are accessing don’t get access to your IP address, location, or other identifying data – your traffic appears instead to be originating from the VPN server.

Flaw 1: Failing to close existing connections

As soon as you activate a VPN app, it should immediately close down all existing (non-secure) data connections, and then reopen them inside the secure “tunnel.” This is an absolutely standard feature of any VPN service. However, Michael Horowitz found that not only did this not reliably happen, but that iOS doesn’t allow VPN apps to close all existing non-secure connections.

Flaw 2: Many Apple apps are excluded

Developer and security researcher Tommy Mysk read our coverage and was intrigued. He ran his own tests, looking at which IP addresses were being accessed when a VPN was active, and found that many stock Apple apps ignored the VPN tunnel and instead communicated directly with Apple servers.

We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. #Apple services that escape the VPN connection include Health, Maps, Wallet.

This means that all the data sent to and from these servers is at risk from snooping by ISPs or hackers operating man-in-the-middle attacks, using easy-to-create fake Wi-Fi hotspots.

Clearly most or all of the data handled by these apps could include extremely private information, ranging from health conditions to payment cards.

You can watch his test with Wireshark capturing the IP addresses accessed by the iPhone:

Details in the video: #CyberSecurity #Privacy

Mysk found that Android behaves in the same way with Google services.

I know what you’re asking yourself and the answer is YES. Android communicates with Google services outside an active VPN connection, even with the options “Always-on” and “Block Connections without VPN.” I used a Pixel phone running Android 13.

I asked Mysk whether he thought both companies were doing this intentionally, perhaps to prevent an app from redirecting traffic, or for performance reasons?

There are services on the iPhone that require frequent contact with Apple servers, such as Find My and Push Notifications. But the amount of traffic we saw was much more than expected. However, I don’t see an issue of tunneling this traffic in the VPN connection.

If Apple has security concerns about VPN apps, he says that is easily addressable.

I think VPN apps should be treated as browsers and require a special approval and entitlement from Apple.