A bug in iOS 13.3.1 or later may prevent iPhone users from connecting properly to a VPN, according to provider ProtonVPN. However, this may only occur for certain Apple traffic and may be completely benign.

The problem appears to occur when an iPhone user connects to a VPN server while already connected to an Internet service or website, as most iPhones typically do.

According to ProtonVPN, even after turning on the VPN service, some existing connections do not switch to using the VPN and continue to use their previous path.

The risk for the user is that the still-live connection allows a third-party monitor to see to which IP address the user's traffic is being sent. VPN connections usually hide this. Data over an unencrypted connection would also be visible to "sniffers" on the network, but as ProtonVPN admits, such is now rare.

"Those most at risk due to this security flaw are those in countries where surveillance and civil rights violations are common," ProtonVPN said in a blog post.

The fix is simple: to work around the issue, ProtonVPN suggests that iPhone users go into Airplane Mode, disconnect from all existing connections, turn on the VPN service, then leave Airplane Mode and resume connection.

We have asked Apple for comment on this issue and will update the article as soon as we hear back.

However, it is also possible that this is a feature rather than a bug; the WireShark screenshot in the ProtonVPN blog post illustrating this phenomenon shows that this issue only affects traffic to and from Apple servers that use the entire 17.0.0.0 IP address range They show that it only affects traffic to and from Apple servers that use the entire 17.0.0.0 IP address range.

Will Strafach, a well-known mobile security expert and creator of the Guardian iOS privacy app, yesterday (March 26) wondered if this behavior was related to the Apple Push Notification Service (APNS) He questioned on Twitter whether this behavior might be related to the Apple Push Notification Service (APNS).

APNS is an Apple-specific protocol used for FaceTime and push notifications, and does not behave exactly like normal Internet traffic -- but uses Apple's IP address range. Apple also seems to go to great lengths to ensure that APNS traffic does not go through a VPN or proxy service.

One person responding to Strafach's tweet quoted OpenVPN's support FAQ, stating: "Many Apple services, such as push notifications and FaceTime, follow Apple policy and do not go through a VPN tunnel. VPN tunnels.

Another tweeter pointed to an Apple document stating that using push notifications and FaceTime "requires a direct, proxy-free connection to the APNS server."

In its blog post, ProtonVPN said that even if this problem occurs with APNS traffic, "this issue could affect any app or service, including instant messaging applications and web beacons."

ProtonVPN's Twitter account also replied to Strafach's Twitter query: "We looked into this hypothesis at the time and determined A) this bug isn't specific to APNS (though that is the most common and easiest to reproduce) B) Notifications are delivered through the VPN tunnel, provided the APNS connection is established once the VPN tunnel is set up."

ProtonVPN Twitter account also replied to Strafach's Twitter query. and that is to use the workaround suggested in our article." ProtonVPN added in a second tweet." Switching Airplane Mode to on and then back to off will disconnect APNS for an extended period of time, but the re-established connection will be in the VPN tunnel."

We responded to ProtonVPN's Twitter post requesting a screenshot of WireShark showing this issue on a non-Apple server. We will update this post as soon as we receive a response.