A vulnerability that affects iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all traffic. This allows some Internet connections to bypass encryption and potentially disclose users' data and IP addresses.
Details of the vulnerability were shared today by Bleeping Computer after it was discovered by ProtonVPN. The vulnerability occurs because iOS does not terminate all existing connections when a user connects to a VPN, so that after the VPN tunnel is established, the user can reconnect to the target servers.
Connections made after connecting to a VPN on iOS are not affected by this bug, but all connections made beforehand are not secure. As a result, a user who believes they are protected could accidentally disclose an IP address and thus an approximate location.
Apple's push notifications are an example of a process that uses connections to Apple's servers that are not closed automatically when connecting to a VPN. However, the issue can affect any apps or services running on a user's device.
VPNs cannot work around the problem because iOS does not allow VPN apps to terminate existing network connections, so the fix has to be implemented by Apple. Apple is aware of the vulnerability and is considering options to mitigate it.
Until the issue is resolved, VPN users can connect to a VPN server, turn on airplane mode, and then turn off airplane mode to end all existing connections. However, this mitigation is not entirely reliable, so iPhone and iPad owners who rely on VPNs should be careful until Apple releases a solution.