Security Bits Logo no alpha channel

# Security Bits — 27 August 2022

Feedback & Followups

Deep Dive 1 — Are VPNs on iOS Broken?

Important Disclaimer/Context the only thing I’m certain of about this story is that it’s really not clear what exactly is going on, and that’s despite spending hours trying to get to the bottom of it!

A security researcher released a very snarky report that shows traffic not being routed through a VPN connection on iOS. The researcher didn’t try to figure out exactly when it does and doesn’t happen, or what, because he felt that was Apple’s job.

Apple say they provide appropriate APIs to allow VPN vendors to configure their services securely on iOS, but the vendors disagree.

I also have a very distinct memory of a kerfuffle some years ago when Apple point blank said they intentionally do not allow VPNs to route certain important Apple traffic through them, because doing so would be a security risk. I remember talking to Allison about it on this segment, and I remember agreeing with Apple but understanding the counterargument. It wasn’t silly, I just didn’t agree. But, searching for security bits apple vpn didn’t find that discussion and none of my searches on the general internet turned up anything more useful either — searches like Apple VPN bypass are just too common 🙁

The bottom line is that at least some VPNs on iOS do not cause all existing connections to close and re-open when they’re enabled, so as long as those connections stay active they remain outside the VPN, only when they’re re-negotiated do they get routed through the tunnel.

As best as I can tell Apple have provided reasonable APIs, but the industry don’t like them, so they’re not using them, and continuing to misclassify reasonable decisions as bugs. If I’m correct in that educated guess then the security researcher is reporting accurate findings, and Apple are correct when they say he’s seeing expected behaviour.

Again, as best as I can tell, VPNs that use Apple’s API only ‘leak’ the connections Apple intentionally routes around the VPN, and those are properly secured by Apple, and it would actually be less secure to allow a third-party app to interfere with those connections.

Basically, I don’t think there’s a there here. I’m certainly not lighting my hair on fire 🙂

As a quick aside, remember that it is not just tolerable, but often desirable, to have some connections go through a VPN and others not — it’s referred to as a split tunnel and is completely normal and very common. The two most common reasons for split tunnelling are:

  1. Allowing LAN access while routing internet access through the VPN.
  2. Routing only corporate traffic through the VPN, leaving all LAN and internet traffic to take its usual course. (Do you really want your Netflix, Wordle, and Call of Duty traffic routed through your corporate network just because you need to connect to Exchange?)


Deep Dive 2 — Do Google Really Track Most and Apple least?

A report on what companies track by is getting a lot of media attention, but I’m sorry to say it’s not at all earned.

The concept was interesting — the report didn’t try to measure the volume of data collected by the big five tech companies, but at the number of distinct data points each collects. The more data points, the broader the profile of each user.

The report gives us those data point counts, and all the headlines are focusing on the two extremes in the data set — Google collect by far the most distinct types of data with 39 data points, and Apple the least with just 12. The first thing that struck me when I dived deeper was actually the companies in between. Twitter and Amazon land about in the middle with 23 and 24 data points respectively, but Facebook’s number is utterly unexpected, right down near Apple with just 14 data points.

Is Google really over three times as creepy as Apple? And is Facebook really almost as privacy-conscious as Apple?

While all the headlines line up perfectly with our expectations, don’t be too quick to retweet this story, it might be meaningful and accurate, but we actually can’t tell!

The reason I dug deeper is that I am working hard to train myself to cast a skeptical eye over any story that lines up too perfectly with my existing beliefs, because there’s a really good chance I’m being manipulated. Like deals that look too good to be true almost always are, stories that look too good to be true often prove misleading or downright wrong on closer inspection.

I’m really glad I took the time to peek under the covers here because this story absolutely does not deserve the headlines its getting — when I read the original report (linked below), it turns out it’s nothing more than his is nothing more than an unsubstantiated press release! 🙁

Not only do they not explain their methodology, but they also don’t even show their data! I’m serious, they don’t even list the data points, and the only information provided is the totals!

Only giving the totals implies that data is data is data, and that 12 must be a little better than 14 and 14 a lot better than 39. Is that a valid assumption? Heck no! Knowing your name is very different to tracking your location every 2 minutes, but both are single data points from this report’s POV.

We also don’t know what their rules were for considering a data point personal, nor how they even managed to count them! Depending on what you count and how you seek you could end up with very different totals.

This ambiguity might explain the most unexpected number in the report, Facebook’s 14 data points. There are three possible interpretations:

  1. All our information about Facebook to date is wrong
  2. The problem is in the what
  3. The problem is how the counting was done

Could we really be totally wrong about Facebook, is it possible they’re not actually a freepie company that make their money by leeching off users’ privacy, and every other report and analysis we’ve seen for years has been all wrong? Clearly, that would be an extraordinary claim, and hence, would require extraordinary evidence, and this report is absolutely not that!

OK, so maybe Facebook really only have 14 personal data points, but maybe they’re much more invasive than the 12 Apple collect. We know Apple need to have payment details, but Facebook don’t, so it’s definitely not the case that Facebook collect just two additional things to what Apple collect. Without seeing the actual 14 data points we simply can’t know how relieved we should be by the unexpectedly low number.

But what if they just didn’t count most of Facebook’s data points at all? Their definition of private could be way off base, or, maybe they only count data directly collected by the company. This one sentence about Google suggests an interesting, IMO even a likely explanation (emphasis mine):

Google collects more different types of information for individual users. The firm relies on this data for targeted advertising rather than relying on third-party trackers.

If Google do their own tracking, but Facebook out-source it to subsidiaries and third parties, and if this report only counts things directly collected, then Facebook’s effective number could be the same as Google’s, with the difference simply being in who does the tracking, and whether or not it gets counted in this report. Because the authors don’t share their methodology, we just can’t know.

OK, with all that said, let’s assume the methodology is fine and the data is accurate, what does the report conclude?

Firstly, Apple get the cleanest bill of health imaginable:

It is the most privacy-conscious firm out there. Apple only stores the information that is necessary to maintain users’ accounts

And as you’d expect, Google get the heaviest criticism:

Google takes the cake when it comes to tracking most of your data. This should not surprise, given that their entire business model relies on data.

In fact, the title of the report is ‘Google Tracks 39 Types of Private Data, the Highest Among Big Tech Companies’, so criticising Google seems to be what this report is primarily about, the rest is almost an afterthought.

This is clear from how little the report says about the other companies:

Twitter and Facebook both save more information than they need to. However, with Facebook, most of the data they store is information users enter.

An Amazon doesn’t even get one sentence in the report, they just get a quick mention in a sentence about Apple:

Apple is in a league above Amazon in protecting user privacy.

So, while at first glance this is an instant-retweet kinda story, it really should have been utterly panned for being useless, and shouldn’t have gotten any of the hype and buzz it did. IMO, this story is worse than useless — at best, it’s noise, and depending on the nature of the things they’re not telling us, it could easily be mis- or even dis-information 😡


❗ Action Alerts

Worthy Warnings

Notable News

  • Twitter’s recently fired security chief and storied hacker/researcher mudge has filed a formal whistleblower disclosure in the US. Public details are sparse, and the whistleblower legislation limits how much can be shared publicly, but it sounds damning. As expected, Twitter completely dispute the criticisms —…

Top Tips

Excellent Explainers

Just Because it’s Cool 😎

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top