See the section "Always On VPN": https://support.apple.com/guide/deployment/vpn-overview-depa...
Is it dubious that Apple doesn't let VPN apps do this as well? Maybe. But this is known and documented.
If this was working as it arguably should and could be done easily without MDM provisioning, it would remove a genuinely useful avenue for law enforcement and add more fuel to the the FBI's dislike for Apple's security features.
That would then mean the app maker can effectively steal control of the phone from Apple.
"VPN overview for Apple device deployment."
It further states "Secure access to private corporate networks is available in iOS ..."
An individual iPhone user who is not using a company issued device would not be beholden to MDM restrictions or profiles. Nor would access to "private corporate networks" be necessarily relevant.
">Always On VPN activation requires device supervision."
Supervision denotes a managed device"
"Supervision generally denotes that the device is owned by the organization, which provides additional control over its configuration and restrictions."[1]
No regular non-corporate iOS device user is ever likely to be downloading manually distributed mobile profiles.
[1] https://support.apple.com/guide/deployment/about-device-supe...
Apple could fix that with proper UI though.
One reason is that GPS doesn't work well (or at all) indoors, through cell-tower geolocation should work well enough for that case.
I don't think contactless Apple Pay actually uses device geo[1] for authorization, but it's still worth noting that iOS devices without cell connectivity (ie WiFi-only iPads) don't have GPS anyway.
You can use Apple Pay on websites in Safari, though, which IIRC doesn't require location permissions to work.
1. You have to be able to use it in the same places you'd use a normal card, which means you can't rely on network connectivity of any kind.
Back in the university days, we (me + a few friends) used to get some radios and antennas to create a signal stronger than the one coming from satellites. It was always fun when the semester started and all freshmen were using Google Maps to navigate through the campus, but the map always showed their location in North Korea. Good ol' times.
* first, a purchase shouldn't require an internet connection. Humans have been doing commerce for millennia without it, and we have sophisticated pub/priv key schemes to figure this all out.
* second, it's a security hole. It's either a VPN or it's not.
While on IOS any system app doesn't use the VPN or DNS requests.
VPNs are useless on iOS, and its made to be this way, again the "privacy OS" isn't privacy focused at all.
There appear to be several easy-to-use MDM solutions that cater to small businesses that would also work fine for families. Apple even has one, Apple Business Essentials.
"We’ve raised this issue with Apple multiple times. Unfortunately, its fixes have been problematic. Apple has stated that their traffic being VPN-exempt is “expected”, and that “Always On VPN is only available on supervised devices enrolled in a mobile device management (MDM) solution”. We call on Apple to make a fully secure online experience accessible to everyone, not just those who enroll in a proprietary remote device management framework designed for enterprises."
https://protonvpn.com/blog/apple-ios-vulnerability-disclosur...
The great thing: even if the VPN connection drops, it doesn't leak your real/naked IP, and also /all/ traffic on an iOS device has to pass through the VPN. No special exceptions for Apple traffic.
The only caveat is you have to carry this when traveling, which means if you're traveling light, carrying this around could be burdensome. If you are at home most of the time though, such a router is invaluable.
[0] https://www.amazon.co.uk/GL-iNet-GL-MT300N-V2-Converter-Pre-...
But over the LTE connection, which is far harder to sniff without very expensive equipment, it could be doing almost anything. And you can't even check what it's doing.
Our tech overlords are not immune to pressures if we teach them how it is abused.
While your phone is in Airplane mode and regular (but your router’s) WiFi only network
PiHole arguably is getting less effective with each passing year as alternate DNS resolution methods like DNS over HTTPS etc gain traction, and defeating DNS over HTTPS is s a whack-a-mole game today, all you can really do is try to blacklist known DNS over HTTPS server IPs, which is a running battle.
My assumption is all ad driven applications who depend on resolving advert domains correctly to serve the ad content will one day all utilise methods like DNS over HTTPS to stop products like PiHole reducing revenue.
Aren't blocking ads another whack-a-mole? So it seems like more of the same.
Also, aren't there proxies that you can setup that can inspect HTTPS connections (so long as you install the proxy's cert on your machine). I suppose the whack-a-mole might be more practical if a few people used those regularly along with some kind of automated scanning for DNS over HTTPS.
For PiHole today, most everything comes over port 53, and thus easy to track, monitor and block as required.
Tomorrow, DNS requests can be on any port, to any server, on any protocol. This makes trying to use a single point of control like the PiHole so much harder than it was in the past. Who is to say next week its HTTPS as the encrypted transport for DNS? Use whatever bizarre encryption scheme you like. It's your app... The app can just ignore whatever DNS server you suggested via DHCP or whatever and go back to its homebrew domain name resolution system.
It's common for apps to prevent this with certificate pinning. They'll ignore the certs you've installed manually and will only connect to servers with certs signed by their in-house certificate authority.
Yes, but the mole-whacker is whoever controls the software doing the rendering. So on a personal computer, the ads are the moles. But on a locked down "phone", the user is the mole.
80 and 443 are only used by convention for HTTP/HTTPS - you can use whatever the hell you like. There's also the option to not use HTTP(S) or DNS at all to obtain addresses, the list of ways you can avoid traditional methods is endless. Finally, you can just serve your DNS on same IP as back end of the app - block the IP and the app dies completely, meaning a simple IP block will not work etc etc. It's super easy to write some code that combines tens of methods, ensuring you get that DNS record no matter how hard the user tried to stop you.
FWIW people (including me) already do this, but its a blunt tool and not all that effective in many cases: https://gist.github.com/ckuethe/f71185f604be9cde370e702aa179...
The way to solve it and still continue to use iOS is to implement your VPN at the network layer. e.g. use one of those wifi routers with a VPN client built in.
That's a little impractical for a phone. You'd have to lug around some kind of VPN-enabled mobile hotspot, plus batteries to power it.
