Following previous reports that iOS 16 didn’t correctly funnel data through a connected VPN comes the news that IOS 16.1 is somehow worse.
A previous report by security researchers Mysk found that DNS requests were being leaked outside a confirmed VPN connection in iOS 16, but now the same researchers say that iOS 16.1 also now allows push notifications to bypass secure VPN connections, too.
The whole point of connecting to the internet via VPN is to ensure that browsing data and other information is kept private. All data should be routed via that VPN, ensuring nobody outside of it can see what is going on. That wasn’t happening with iOS 16, and the VPN connections weren’t as secure as they should be.
Things are reportedly no better with iOS 16.1, released earlier this week.
“The VPN leaks got worse in #iOS 16.1,” Mysk researchers said via Twitter. “Now push notifications also bypass the VPN in the standard mode. The Lockdown Mode is the same.”
The fact that Lockdown Mode still doesn’t ensure that all data moves through the VPN is troubling, but this cloud has a small silver lining. Musk adds that “it’s only Apple services that bypass the VPN, all other connections are tunneled in the VPN.”
This is all less than ideal, of course, but it now seems to be the case that iOS is behaving as designed. With that in mind, a fix seems unlikely.
Despite all of this, the best iPhone remains secure, and for those who need to keep their connections private, a VPN is still the way to go. Just keep in mind that not all data will pass through it, no matter how much we expect it to.
The iOS 16.2 beta just went out to developers this week; no word yet if this security issue is still prevalent in that version of Apple’s iPhone software.