Proton VPN avoids fingerprinting on iOS: what does it mean for your privacy?
A researcher reveals that Proton VPN is the only app that sidesteps an iOS vulnerability that leaks internal IPs, exposing Apple's flaws.
June 24, 2026 · 3 min read

TL;DR: Proton VPN is the only VPN on iOS that avoids internal tunnel fingerprinting, a vulnerability that leaks the user's IP. This exposes flaws in Apple's iOS network design and forces a rethink of mobile privacy.
What happened?
Security researcher Mysk has revealed that Proton VPN is the only VPN application that manages to avoid internal tunnel fingerprinting on iOS. This technique allows attackers to identify users through the VPN tunnel's internal IP, even when the VPN is active. The finding, reported by TechRadar, highlights a vulnerability in iOS's network design that affects most VPNs.
To understand the problem, recall that on iOS, VPNs create a virtual tunnel that encapsulates traffic. However, due to how Apple manages network interfaces, the tunnel's internal IP (e.g., 10.x.x.x) can be exposed through APIs like WebRTC's RTCPeerConnection object. Mysk discovered that Proton VPN assigns internal IP addresses that are not unique per session but are reused among users, preventing a website from associating that IP with a specific individual. Other VPNs, such as NordVPN or ExpressVPN, assign unique IPs per session, enabling tracking.
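The check below is an added example, not code from Mysk's research or from any VPN vendor. It parses the ICE candidate strings that an RTCPeerConnection produces and reports host candidates that carry a literal internal address (such as 10.x.x.x) instead of an mDNS-obfuscated hostname. The candidate strings are constructed sample data and the function names are hypothetical.

```javascript
// Added example. Candidate strings are constructed, not captured from any VPN.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 10.64.0.5 54321 typ host generation 0",
  "candidate:2 1 udp 2113937151 3f1c2a9e-7b44-4d0a-9c1e-5a6b7c8d9e0f.local 54400 typ host",
  "candidate:3 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0",
  "not a candidate line",
];

// Parse the fixed leading fields of an ICE candidate attribute (RFC 8839):
// foundation component transport priority address port "typ" type
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7].toLowerCase() };
}

// Classify what the address field discloses to page script.
function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return "mdns"; // obfuscated hostname, no IP disclosed
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return "other"; // IPv6 or unparsable
  const o = addr.split(".").map(Number);
  if (o.some((n) => n > 255)) return "other";
  if (o[0] === 10) return "private"; // 10.0.0.0/8
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return "private"; // 172.16.0.0/12
  if (o[0] === 192 && o[1] === 168) return "private"; // 192.168.0.0/16
  if (o[0] === 100 && o[1] >= 64 && o[1] <= 127) return "cgnat"; // 100.64.0.0/10
  return "public";
}

// Return host candidates that carry a literal internal address.
function auditCandidates(lines) {
  const exposed = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || c.type !== "host") continue;
    const kind = classifyAddress(c.address);
    if (kind === "private" || kind === "cgnat") exposed.push({ address: c.address, kind });
  }
  return exposed;
}

console.log(auditCandidates(SAMPLE_CANDIDATES));
```

A flagged address shows only that the tunnel address is visible to page script. Whether it can single out one user depends on whether the provider reuses that address across users, which one sample cannot tell you.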
Why is it important?
Internal tunnel fingerprinting allows websites and third-party services to track users even when they use a VPN. This undermines the main purpose of a VPN: protecting privacy. That only Proton VPN avoids it suggests that Apple has not prioritized the security of VPN connections on iOS, leaving a hole that can be exploited. For users, this means that if they use another VPN on iOS, their privacy could be compromised.
This problem is not new. In 2015, it was discovered that WebRTC leaked the real IP even with a VPN active on desktop. Apple introduced improvements in iOS 14.5 to mitigate WebRTC leaks, but the internal tunnel remains a vector. Unlike Android, where VPNs can be configured as system interfaces, iOS limits VPNs to layer 3 tunnels, making the internal IP accessible. This affects millions of users: according to 2023 data, 25% of mobile VPN users use iOS, and the mobile VPN market grows 15% annually. Services like Netflix or banks could use this technique to detect and block VPN connections, or worse, to track users.
What consequences will it have?
This discovery could pressure Apple to patch iOS to close the vulnerability. Historically, Apple has been slow to address VPN-related privacy issues: the WebRTC bug in iOS 12 took over a year to fix. If Apple acts, it could do so in iOS 18, expected in September 2024. It could also lead other VPN providers to implement solutions similar to Proton's, such as assigning non-unique IPs or tunneling all traffic through a local proxy. In the short term, iOS users who prioritize privacy might migrate to Proton VPN. In the long term, it could raise awareness about privacy limitations on mobile devices, driving demand for alternatives such as browsers with a built-in VPN (e.g., Brave) or DNS over HTTPS services.
In the market, Proton VPN could gain share among privacy-conscious users, while other providers like NordVPN or ExpressVPN would have to explain why they don't offer the same protection. However, Proton's solution is not perfect: reusing internal IPs can cause conflicts in corporate networks or reduce connection speed. Moreover, internal tunnel fingerprinting is just one of many tracking techniques; a comprehensive approach is still needed.
What should readers know?
If you use a VPN on iOS, your internal IP may be leaked. Proton VPN offers a solution, but it's not perfect: total privacy requires a comprehensive approach, including secure browsers and mindful browsing habits. Additionally, this finding is based on independent research, and the security community is analyzing its exact scope. Mysk has published a video demonstrating the leak on other VPNs but has not released the full code, so some experts call for independent verification.
To protect themselves, users can: 1) use Proton VPN on iOS; 2) disable WebRTC in Safari (Settings > Safari > Advanced > Experimental > WebRTC); 3) use a browser like Firefox Focus that blocks fingerprinting; 4) combine the VPN with the Tor network (though this slows the connection down). In the long run, the real solution lies with Apple: modifying iOS so that VPNs can hide the internal IP by default. Until then, users must be aware that their VPN is not a total shield.