Security experts have discovered that Apple’s latest iOS version continues to expose users’ actual IP addresses during updates of their VPN apps. The team at Mysk created a test website that logs iPhone IP addresses every second to demonstrate the vulnerability in action.
After starting Mullvad VPN on an iPhone with iOS 26.4.2, the researchers opened their testing website and allowed the VPN app to update in the background. They were able to confirm through their website logs that the iPhone leaked its true IP address during the software update process.
Mullvad acknowledged the iOS vulnerability over a year ago
Mullvad first documented this security flaw in Apple’s NetworkExtension framework more than a year ago. The VPN provider explained that iOS contains bugs preventing VPN apps from achieving maximum security on the platform.
The core issue involves how Apple handles app updates while a VPN connection remains active. When the App Store attempts to update a VPN app, iOS temporarily shuts down the existing VPN tunnel. During this brief window, all device traffic flows outside the encrypted tunnel.
Apple includes a configuration option called “includeAllNetworks” that could fix this leak by forcing every byte of traffic through the VPN. However, enabling this setting creates another serious problem. When an automatic update starts with this setting active, the old VPN connection shuts down and prevents the iOS downloader from fetching the new app version. The device then loses connectivity entirely and enters an infinite update loop.
VPN provider forces users to choose between security and convenience
Mullvad recently decided to stop waiting for Apple to fix the underlying issue. The company announced a new “Force all apps” feature, which activates the ‘includeAllNetworks setting’ to prevent traffic leaks.
This solution comes with significant trade-offs for users. Mullvad admits that traffic will still leak during the update process. The only difference is that users now receive a notification before automatic updates occur, so it allows them to choose a safe moment to disconnect manually.
Users have two options when updating the VPN app: they can either disconnect the VPN during the update and reconnect afterward or temporarily disable the “Force all apps” feature before updating and then re-enable it manually. Neither method prevents traffic leaks during the actual update window.
Mullvad stated that it expects a minority of users who enable this feature will end up with a broken networking stack. The company encourages affected users to report the issue directly to Apple.
To understand whether Mullvad’s privacy protections and transparency outweigh these technical inconveniences for your specific use case, check out our detailed Mullvad VPN review, which breaks down the service’s logging policy, encryption standards, and real-world performance across different platforms.
Apple has not fixed long-standing VPN leak issues
The problem extends beyond just Mullvad. Security researchers have documented similar VPN leak vulnerabilities across multiple iOS versions over several years. Apple’s push notification service maintains a long-running connection between the device and Apple’s servers that can remain open outside the VPN tunnel for minutes or even hours.
Other VPN providers have reported related issues. IVPN documented a DNS leak that occurs when automatically rotating WireGuard keys while the VPN stays connected. During the key rotation process, the VPN tunnel briefly disengages, causing device network traffic to route outside the encrypted VPN channel.
ProtonVPN also previously identified a flaw where iOS fails to close existing internet connections when a user connects to a VPN. This allows long-lasting connections from services like Apple’s push notifications to continue exposing the user’s real IP address rather than the VPN server’s address.
The risks facing VPN users extend beyond technical flaws; a fake Mullvad site discovered recently has been delivering fileless malware to unsuspecting users, demonstrating that cybercriminals use both platform vulnerabilities and social engineering to compromise VPN users’ security.
The Mysk researchers created their test website specifically after reading Mullvad’s recent blog post about the issue. Their demonstration proves that iOS 26.4.2 still contains the same fundamental flaw, which exposes VPN users at the moment they expect maximum protection. Apple has not publicly commented on when or if the company plans to release a permanent fix.
