- Proton VPN blocks unique IP tunnel fingerprinting on iOS, researchers say
- Moles are among other porvids that remain vulnerable to the bug
- The issue stems from iOS network behavior
Proton VPN is the only VPN that successfully avoids internal tunnel IP fingerprinting on iOS, according to recent tests conducted by security researchers at Mysk.
Internal tunnel IP fingerprinting is the ability to correlate a VPN session using the ‘fingerprints’ left by a returning private IP address assigned inside a VPN tunnel.
Many of them best VPNs assign a static and unique IP address per session or device and leaves these traces.
The problem is that in the iOS ecosystem, apps can freely read the internal IP address of the VPN tunnel, which means it can be used as an additional tracking signal across apps.
Instead, Proton VPN assigns the same reserved local internal IP address – specifically 10.2.0.2 – to all users by removing the individual fingerprints left by your own online activity.
What the researchers found
Imagine you are a member of a private club and while visiting the building you leave your fingerprints everywhere.
Although no one can identify who they belong to, the fact that they are found on certain objects can give an idea of what a particular person has done.
This is actually the problem with iOS. When you have a stable internal IP address assigned by WireGuard – in any VPN – this acts as a digital fingerprint and iOS allows any app to read it. This in turn can be used as a shared identifier, making it easier for these apps to infer that they are running on the same device and within the same VPN session.
Proton VPN has chosen to address this issue directly. Using a new approach, users are all assigned the exact same internal IP address. This appears to be identical to those for all other users connecting to the service using the WireGuard protocol.
Using Loupe, we found that Proton VPN is the only VPN that prevents internal tunnel IP fingerprinting by assigning 10.2.0.2 to all users. Other VPNs, such as Mullvad, assign a static and unique IP per session. This allows iOS apps to track user sessions across apps. pic.twitter.com/zOyR8lZBWQ15 June 2026
This week, security researchers at Mysk used software they developed to illustrate the problem definitively. Using Loupe, they found that their iOS app reads a unique fingerprint while using Mullvad VPN, for example, but only reads a generic one while connected to Proton VPN.
While TechRadar confirms the findings regarding Proton, the team could not independently verify whether all other VPN services are affected.
However, Mullvad has previously pointed out issues related to having a static IP address and how this could bring privacy issues.
In January, the VPN provider, which is highly regarded for its rigid privacy stance and no-logs policy, already noted that keeping a static IP address for each device could be leaked via technologies like WebRTC and help identify and track user activity.
In its blog, Mullvad announced that it planned to introduce WG dynamic allocation to help with the problem. In May, the provider announced its intention to address another IP fingerprinting issue after researchers raised the issue.
An iOS issue
Researchers seem to confirm that the problem is at the platform level, suggesting that Apple’s operating system needs updates in its VPN handling rather than the other way around.
It is not yet clear whether Apple will actually fix these issues.
It’s also not the first time Apple’s platforms have clashed with VPNs. Both security researchers know Mysk and Mullvad have also publicly complained about another iOS behavior that could lead to a traffic leak during app updates.
In April, Mullvad decided to push an update to make its iOS app more secure by leveraging an iOS configuration option called include All networks to act as an airtight kill switch.
“We’ve decided that we don’t want to wait any longer, and we want to offer our users the best possible privacy and security, even if it comes with major UX limitations,” Mullvad said in his blog post, while admitting that traffic will continue to leak during the update process.
However, Apple does not seem to aim to solve this problem. Even in the latest iOS and iPad OS beta, Mysk found that the device’s real IP still leaks while updating a VPN app while it’s active.
At least for this ‘leak’ though, Mullvad users will now receive a notification in advance so they can choose the safest time to update. While IP fingerprinting is involved, non-Proton users may have a long wait for a fix.
