iOS 16 is a buggy mess, with Apple releasing a series of dedicated bug fixes that have barely scratched the surface. And now, new research has discovered that arguably the worst problem in iOS is even worse in iOS 16.
Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry of Mysk reveal that iOS 16 leaks user data when using a VPN. This problem has been ongoing since iOS 13.3.1. What makes it worse is that Apple introduced a new ‘Lockdown Mode’ in iOS 16, but the researchers found it leaks even more data than the standard mode, something which has potentially serious repercussions.
“We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet,” the researchers tweeted along with an explanatory video.
“The Lockdown Mode leaks more traffic outside the VPN tunnel than the ‘normal’ mode,” the researchers added. “It also sends push notification traffic outside the VPN tunnel. This is weird for an extreme protection mode.”
Contrast this with Apple’s description of Lockdown Mode in its support documents:
“Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.”
“When Lockdown Mode is enabled, your device won’t function like it typically does,” Apple continues. “To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all.”
There’s a differentiation to be made here between attacks and data retention. Still, it is reasonable to assume that anyone using Lockdown Mode would not expect more data to leak outside the VPN tunnel with it enabled than without.
I have contacted Apple about these discoveries and will update this article if/when I receive a response.