Security Issue Allows Apps to Bypass VPN Connections on iOS and macOS

Symantec has identified a security issue with both iOS and macOS that could result in network traffic circumventing VPN tunnels. This issue allows third-party developers to develop applications that could bypass the VPN client set-up, resulting in any traffic or data originating from the application intentionally or unintentionally being sent across unsecure channels.

Apple VPN Client Setup

The Apple SDK provides a NetworkExtension API to set up VPN clients on Apple operating systems such as iOS and macOS that "protects their Internet browsing activity on insecure networks such as public Wi-Fi networks." According to Apple, the VPN client will route traffic based on destination IP address. This means that the API can dictate which destination IP addresses will be routed to the virtual interfaces and therefore directed through the secure channel which the VPN client provides.

In a typical VPN client implementation the system should route any traffic according to the route table provided by the VPN client, regardless of where and how the traffic originated. A third-party user application that attempts to change or disable these routes requires both special developer permissions granted by Apple and then user permission at the time the routes are changed. A third-party application should not be able to bypass or alter this routing method once it has been set up in the system without the user’s knowledge.

Unexpected behavior

Symantec researchers found that third-party applications on both iOS and macOS can evade this routing method by explicitly binding a network socket to the IP address of a physical network interface leading to insecure internet browsing activity.

If an application binds a socket to a specified IP address, any traffic that is sent to this socket is sent out directly through the physical network interface. This means that it isn’t tunneled through the VPN client’s virtual interface, regardless of whether the traffic is included in the VPN route table.

Symantec has found multiple applications that establish VPN tunnels in such a manner.

Symantec tested the behavior of other operating systems such as Android version 4.4, Windows 10, Ubuntu Linux (version 17.04), and FreeBSD (release 11.1) and found that these operating systems behaved as expected and traffic was correctly routed through the VPN tunnel regardless of how the network socket was established.

It should be noted that this issue applies only to the NetworkExtension API, which is used by many third-party VPN applications. The Always-On VPN functionality, which applies VPN configuration natively in supervised mode using a configuration profile, cannot be circumvented in this way.

Privacy and security implications

This unexpected behavior on iOS and macOS presents some privacy and security concerns as third-party applications may intentionally or unintentionally evade VPN tunnels.

In some situations this may mean that applications which rely on VPN tunnels will simply fail to work correctly. However of more concern is that this behavior will result in sensitive information being transmitted in clear text.

Many organizations use VPN tunnels to ensure that communications or data sent across networks is encrypted. However this behavior presents scenarios where sensitive data could be leaked and potentially intercepted by malicious attackers.

Additionally many organizations also use VPNs to provide control over devices. They can use VPN connections to perform administrative activities such as scanning traffic, recording and auditing activity, and blocking access. By evading the VPN connection an application is also effectively evading these controls.

Mitigation

Symantec reported its findings with Apple and was advised that this behavior doesn’t constitute a security vulnerability, and that the NetworkExtension framework feature makes no guarantees about where traffic will flow. Apple recommends using the Always-On VPN functionality instead. However, given the NetworkExtension framework documentation does not specify such limitations, Symantec believes this approach puts users at risk as many VPN applications and developers are utilizing the NetworkExtension framework to provide secure VPN capabilities. Apple noted they will look into updating the NetworkExtension framework documentation accordingly.

Symantec recommends that application developers review their usage of NetworkExtension APIs to establish VPN tunnels.

Organizations should ensure third-party VPN applications are not vulnerable or utilize Always-On VPN functionality, which Apple documentation states “gives your organization full control over device traffic.”

Symantec also recommends that organizations and users only install applications from known and trusted publishers who are more likely to adopt secure development practices.