Archive for August 18, 2022

Thursday, August 18, 2022

iOS VPNs Are Broken

Tim Hardwick (Hacker News):

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

Writing on a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Both Proton and Horowitz say that toggling Airplane Mode does not work around the problem.

Michael Horowitz:

It also seems that Apple has a level of trust that they do not deserve. Back in March 2020, Steve Gibson said “… Apple’s going to fix this. I’m sure it’s already been fixed in-house. They’re probably moments away from pushing out a fix to this because it’s gotten a lot of attention in the industry … I imagine within a few days this’ll be fixed.” A slightly more skeptical John Dunn of Sophos wrote at the time that “A patch might not appear for weeks”. It has been over two years.

I emailed Apple at their special email address for reporting security issues on May 19, 2022 and, for a week, there was no response. On May 26th, I emailed again and, this time, Apple responded the next day.

[…]

To date, roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to re-create the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix.

Still no response or fix for the Mail bug I and others reported nearly 3 years ago, where moving messages between mailboxes instead deletes them, even though it was widely reported.


Update (2022-10-11): Ben Lovejoy:

Proton told me that it was aware of the claimed fix, and had tested it at the time. However, the company found that it was only partially effective. Insecure connections to some Apple services remain in place after a VPN is activated.

[…]

Amplifi responded to a customer query by saying that it had tested the fix, and found it caused reliability problems.

[…]

Horowitz additionally pointed out that even iOS doesn’t seem to know whether or not a VPN service is active.

See also: ArsTechnica (via Hacker News).

Update (2022-10-14): Mysk (via doekezanstra):

We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.

Update (2023-07-26): Mysk:

iOS 16.5.1 still bypasses the VPN. New tests show that Apple Push Notification traffic completely ignores the VPN connection. Apple Maps sends many requests outside the VPN, including unencrypted DNS requests. This also happens in the Lockdown Mode. 🎬
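An added example (not from any of the authors quoted above) of how the leaks reported in this post can be checked from a router-side flow log: anything the device sends that is not addressed to the VPN server left the tunnel. The log format, the device and VPN server addresses, and the sample records are constructed for illustration; 17.0.0.0/8 is Apple's address block and TCP 5223 is the Apple Push Notification port.

```python
import ipaddress

# Assumed values for illustration (RFC 5737 / private ranges, not real endpoints).
VPN_SERVER = ipaddress.ip_address("203.0.113.10")  # the only destination a tunnelled device should reach
DEVICE = ipaddress.ip_address("192.168.1.50")      # LAN address of the iPhone under test
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")     # Apple's public address block

# Constructed router flow log, one record per line: "src dst proto dport"
SAMPLE_LOG = """\
192.168.1.50 203.0.113.10 udp 51820
192.168.1.50 192.168.1.1 udp 53
192.168.1.50 17.57.144.10 tcp 5223
192.168.1.50 17.253.1.20 tcp 443
192.168.1.77 198.51.100.7 tcp 443
192.168.1.50 203.0.113.10 udp 51820
"""

def classify(dst, proto, dport):
    """Label a flow that left the device outside the tunnel."""
    if dport == 53:
        return "dns-leak"                      # plaintext DNS seen on the LAN side
    if dst in APPLE_NET and proto == "tcp" and dport == 5223:
        return "apns-outside-tunnel"           # Apple Push Notification service
    if dst in APPLE_NET:
        return "apple-service-outside-tunnel"
    return "other-leak"

def find_leaks(log, device=DEVICE, vpn_server=VPN_SERVER):
    """Return (dst, proto, dport, label) for every device flow not sent to the VPN server."""
    leaks = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                           # skip malformed records
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        proto, dport = parts[2], int(parts[3])
        if src != device or dst == vpn_server:
            continue                           # other hosts, or traffic inside the tunnel
        leaks.append((str(dst), proto, dport, classify(dst, proto, dport)))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(leak)
```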

macOS 12.5.1

Juli Clover:

According to Apple’s release notes, macOS Monterey 12.5.1 improves the security of macOS and is recommended for all users. The update addresses kernel and WebKit vulnerabilities that could lead to arbitrary code execution. Apple says that it is aware that these vulnerabilities may have been actively exploited in the wild, so it is important to update right away.

You can download the installer and IPSW (via Mr. Macintosh).

Howard Oakley:

Other than expected minor increments in build numbers for parts of WebKit, the only visible change is that Safari is updated from 15.6 (17613.3.9.1.5) to 15.6.1 (17613.3.9.1.16).


Suggested Shortcuts Improvements

Matthew Cassinelli:

Today, Apple released updates to their iWork suite of apps that add actions in Shortcuts for Pages, Numbers, and Keynote on macOS, bringing powerful first-party actions that Mac users can take advantage of to automate their work[…]

[…]

One oddity worth mentioning is that the “Add Row” action requires Numbers to physically open the spreadsheet and insert the data, just like it does on iOS – Apple should make this action work in the background without opening the app, otherwise it creates an inconsistent experience with every other action in Shortcuts that doesn’t require opening the app to insert data.

Matthew Cassinelli:

One piece of low-hanging fruit that Apple could grab onto to improve the onboarding experience is to do an overhaul of the quality of action descriptions in the app.

[…]

Secondly, the flow of information throughout the Shortcuts app is still very confusing and not immediately obvious for new or even intermediate users. […] Apple should implement a step-through mode like the one implemented in their Swift Playgrounds app, which allows users who are learning coding basics to see what’s happening in between each step.

[…]

Many of the categories in the Shortcuts gallery haven’t been curated recently — I literally programmed them myself when I worked at Workflow — and there are many more examples including third-party apps from the App Store that could show people the power of Shortcuts beyond simple use cases.


Gatekeeper Changes in macOS Ventura

Howard Oakley:

In the past, Gatekeeper has primarily been concerned with checking apps and other executable code which have been put in quarantine; once an app has passed those first run checks and its quarantine flag has been cleared, its notarization and signing haven’t been checked again in the same way. Apple has announced that’s changing in Ventura, where Gatekeeper will check that all notarized apps are correctly signed whenever they’re run. This will ensure that no unauthorised modifications can be made to them, without these checks imposing noticeable delays in launching.

Rich Siegel:

Does this mean that if (for example) a user adds or modifies something inside of a notarized application’s package, that macOS will subsequently refuse to launch it and report some helpful error (e.g. “SilverWriter.app appears to have been tampered with”)?

Rosyna Keller:

You get the “this application has been damaged” alert. Of course, like other gatekeeper features, users can disable it.

Guilherme Rambo:

Another change is that apps on macOS may no longer update/modify apps that are not signed by the same development team, unless the other app declares the third-party team ID in its Info.plist. This will lead to some scary dialogs before everyone adapts to this new model.

See also: What’s new in privacy, Phil Stokes (Hacker News).


Update (2022-09-26): Howard Oakley:

Fast forward to Ventura in a few weeks’ time, and not only are there notarization checks, introduced in Catalina, but every time you run that app the same checks on its signature and notarization are made as if it was undergoing first run. If the app doesn’t pass those, you’ll see similar dialogs to those when the problem has occurred on first run, and Gatekeeper will block that app from running on your Mac.

What could possibly go wrong?
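An added example (not code from Apple or from anyone quoted above) that models the update rule Guilherme Rambo describes: a different team's process may modify an app only if the app's Info.plist lists that team. It uses the `NSUpdateSecurityPolicy` / `AllowProcesses` Info.plist key; the bundle identifiers and team IDs are constructed, and the function is a simplified model of the rule as quoted, not macOS's full decision logic (user overrides are not modelled).

```python
import plistlib

# Constructed Info.plist for the app being updated. AllowProcesses maps a
# team ID to the signing identifiers from that team allowed to modify the app.
TARGET_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.SilverWriter</string>
  <key>NSUpdateSecurityPolicy</key>
  <dict>
    <key>AllowProcesses</key>
    <dict>
      <key>UPDATERTM1</key>
      <array>
        <string>com.example.thirdparty.updater</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>"""

def may_modify(info_plist_bytes, target_team, writer_team, writer_signing_id):
    """Simplified model: may a process signed as (writer_team, writer_signing_id)
    modify an app signed by target_team whose Info.plist is info_plist_bytes?"""
    # Same development team: allowed, per the rule as quoted (assumption of this model).
    if writer_team and writer_team == target_team:
        return True
    info = plistlib.loads(info_plist_bytes)
    allowed = info.get("NSUpdateSecurityPolicy", {}).get("AllowProcesses", {})
    # Different team: both the team ID and the signing identifier must be declared.
    return writer_signing_id in allowed.get(writer_team, [])

if __name__ == "__main__":
    cases = [
        ("TARGETTEAM", "com.example.SilverWriter.helper"),  # same team
        ("UPDATERTM1", "com.example.thirdparty.updater"),   # declared third party
        ("UPDATERTM1", "com.example.thirdparty.other"),     # declared team, undeclared binary
        ("UNKNOWNTM9", "com.example.unknown"),              # undeclared team
    ]
    for team, signing_id in cases:
        print(team, signing_id, may_modify(TARGET_INFO_PLIST, "TARGETTEAM", team, signing_id))
```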