Mullvad VPN Enhances iOS App Security with New Traffic Feature
Technical Implementation of Force All Apps on iOS
The latest update to the iOS app introduces a setting called "Force all apps", designed to mitigate TunnelCrack attacks and close traffic leaks. It works by setting the includeAllNetworks option to true on the tunnel's protocol configuration in Apple's NetworkExtension framework. With that flag set, the kill switch covers the whole device: iOS routes every outbound packet through the encrypted tunnel, and when no tunnel is up it drops outbound traffic instead of letting it reach the network and expose the user's real IP address.
This addresses a long-standing iOS weakness in which certain system-level processes could bypass the tunnel. SquirrelVPN users interested in a similar high-security setup should note that the protection comes from this specific iOS configuration option, which ensures that no data escapes the VPN during normal operation.
Network Stack Limitations and the Update Loop
A significant hurdle on iOS is how automatic app updates interact with includeAllNetworks. SquirrelVPN and other providers have long noted that automatic updates briefly drop the VPN connection. With "Force all apps" active, that brief drop turns into a deadlock:
- The App Store attempts to update the VPN application.
- The existing VPN tunnel is shut down so the update can proceed.
- Because includeAllNetworks is active and no tunnel exists, the iOS networking stack blocks all traffic.
- The App Store downloader cannot reach the internet to fetch the update, so the process hangs or fails.
A separate consequence of includeAllNetworks is that the tunnel process itself cannot bind sockets to the tunnel device, a limitation of Apple's networking stack. To work around that, the app now uses userspace networking to generate its own TCP and ICMP traffic internally, so the app keeps functioning under the strict policy. This does not, however, solve the update deadlock above.
Manual Update Procedures and Traffic Leaks
Because there is no workaround that keeps a secure tunnel up while the VPN binary itself is being replaced, users must follow a specific procedure to avoid losing network connectivity. According to the technical blog post, the app notifies users of a new version before the App Store triggers an update.

Users are instructed to either disconnect the VPN or disable "Force all apps" before proceeding with the update. The blog post explicitly acknowledges that traffic will leak during this brief window. This manual step is currently the only way to keep the device from entering a state where it loses all internet access and requires a hard reboot. For those seeking the best VPN experience with advanced security, these trade-offs mark the current limits of Apple's NetworkExtension framework.
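The configuration described under "Technical Implementation of Force All Apps on iOS" and the pre-update step described just above, as an added Swift example that is not Mullvad's or SquirrelVPN's code: it sets includeAllNetworks on a NETunnelProviderProtocol, saves it, and provides helpers that relax the flag and stop the tunnel before an App Store update, then restore it afterwards. The provider bundle identifier, server address and description string are placeholders; the excludeCellularServices and excludeAPNs lines are not part of the change the article describes and are included only to show the other system-level bypass paths the same API controls.

```swift
import NetworkExtension

// Added example, not Mullvad's or SquirrelVPN's code. The bundle ID and server
// address below are placeholders (assumptions), not real identifiers.
let providerBundleID = "com.example.vpn.PacketTunnel"
let serverAddress = "vpn.example.com"

/// Builds a provider protocol with the "force all apps" policy: every packet
/// must go through the tunnel, and with no tunnel up iOS drops outbound
/// traffic rather than sending it in the clear.
func makeForceAllAppsProtocol() -> NETunnelProviderProtocol {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = providerBundleID
    proto.serverAddress = serverAddress
    proto.includeAllNetworks = true     // the setting the article describes
    proto.excludeLocalNetworks = false  // a LAN carve-out would be a leak path
    if #available(iOS 16.4, *) {
        // Newer SDKs expose further system-level bypasses as opt-ins. Keeping
        // them false is the strict choice; set them true only if VoLTE or push
        // notifications must keep working outside the tunnel.
        proto.excludeCellularServices = false
        proto.excludeAPNs = false
    }
    return proto
}

/// Installs the strict configuration on an existing manager.
func enableForceAllApps(on manager: NETunnelProviderManager,
                        completion: @escaping (Error?) -> Void) {
    manager.protocolConfiguration = makeForceAllAppsProtocol()
    manager.localizedDescription = "Example VPN (force all apps)"  // placeholder
    manager.isEnabled = true
    manager.saveToPreferences { error in
        if let error = error { completion(error); return }
        // Reload so the in-memory manager matches what the system stored.
        manager.loadFromPreferences(completionHandler: completion)
    }
}

/// The manual pre-update step: clear includeAllNetworks and stop the tunnel so
/// the App Store download is not blocked once the tunnel goes away. Traffic is
/// unprotected from this point until restoreAfterAppUpdate runs.
func prepareForAppUpdate(manager: NETunnelProviderManager,
                         completion: @escaping (Error?) -> Void) {
    guard let proto = manager.protocolConfiguration as? NETunnelProviderProtocol else {
        completion(nil)   // nothing installed, nothing to relax
        return
    }
    proto.includeAllNetworks = false
    manager.protocolConfiguration = proto
    manager.saveToPreferences { error in
        if let error = error { completion(error); return }
        manager.connection.stopVPNTunnel()
        completion(nil)
    }
}

/// Restores the strict policy after the update and brings the tunnel back up.
func restoreAfterAppUpdate(manager: NETunnelProviderManager,
                           completion: @escaping (Error?) -> Void) {
    enableForceAllApps(on: manager) { error in
        if let error = error { completion(error); return }
        do {
            try manager.connection.startVPNTunnel()
            completion(nil)
        } catch {
            completion(error)
        }
    }
}

// Usage: load the app's existing manager (or create one), then apply the policy.
NETunnelProviderManager.loadAllFromPreferences { managers, error in
    if let error = error { print("load failed: \(error)"); return }
    let manager = managers?.first ?? NETunnelProviderManager()
    enableForceAllApps(on: manager) { error in
        print(error.map { "save failed: \($0)" } ?? "force all apps enabled")
    }
}
```

Changing includeAllNetworks only takes effect when the tunnel is next started, which is why prepareForAppUpdate saves the relaxed configuration and then stops the tunnel explicitly rather than leaving a live session running under stale settings.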
Advanced Obfuscation and Protocol Enhancements
Beyond "Force all apps", recent entries in the iOS CHANGELOG.md list several additions in traffic obfuscation and protocol security. The app now supports Lightweight WireGuard Obfuscation (LWO) and can disguise WireGuard tunnel traffic as the QUIC protocol. These methods help circumvent the deep packet inspection (DPI) used by ISPs and restrictive governments.
Additional technical updates include:
- DAITA (Defence against AI-guided Traffic Analysis): A feature designed to protect against traffic analysis attacks, now updated to DAITA v2.
- Quantum-Resistant Tunnels: A switch from Classic McEliece to HQC for post-quantum key exchange, which significantly reduces CPU load and public key size.
- Multihop Routing: The ability to route traffic through two relays before reaching the destination, enhancing anonymity.
These features, including WireGuard over Shadowsocks obfuscation, provide a robust toolkit for users operating in high-surveillance environments.
For more deep dives into network architecture and the latest in encryption protocols, explore the cutting-edge insights at squirrelvpn.com.