Security & privacy

Mullvad VPN adds iOS master switch to block data leaks from LocalNet attacks

SiliconFeed Editorial
Mullvad VPNiOS securityLocalNet attacksVPN leaksincludeAllNetworks

Sections and tags — in the Topics menu Search the feed

At a glance:

  • Mullvad VPN is rolling out an iOS setting that enforces includeAllNetworks to close leak paths that can expose traffic during LocalNet attacks on public Wi-Fi.
  • The feature is optional and ships with a safeguard that warns users to disable the VPN or toggle includeAllNetworks off during iOS updates to avoid bricking loops.
  • Mullvad recommends users report update-related freezes or bricks to Apple while noting the workaround isn’t perfect, even as the service also touts post-quantum encryption and AI-guided traffic-analysis defenses from $5 per month.

Mullvad confronts iOS leak and LocalNet risks with an optional master switch

Apple iOS presents unique problems for VPNs, including potential data leaks from certain kinds of traffic that can escape the tunnel before the VPN fully asserts control. Mullvad VPN, long regarded as a privacy-first choice among independent reviews, has addressed this class of vulnerability by implementing a new fix that places control in users’ hands rather than imposing it by default. The change targets LocalNet attacks, in which cybercriminals impersonate nearby friendly Wi-Fi networks — such as a common cafe hotspot — to intercept or manipulate unencrypted or partially encrypted traffic before the VPN tunnel is established.

To neutralize this vector, Mullvad is offering a configuration that forces all iOS app data through the VPN by enabling includeAllNetworks. This method is effective at closing the window in which device traffic might bypass the encrypted tunnel, but it collides with iOS update behavior in ways that can destabilize the device. Mullvad has been aware of this tension for some time and has previously held back from shipping the setting because Apple’s update routines do not gracefully accommodate VPN configurations that lock down network access so comprehensively.

Bricking loops and update headaches shape a cautious rollout

The core risk lies in a loop where iOS attempts to update Mullvad’s VPN app, encounters the restrictive includeAllNetworks state, and then fails in ways that can brick the iPhone, force a reboot, and retry the update cycle repeatedly. This behavior has made Mullvad reluctant to enable the setting automatically, since doing so would shift the management burden to users who might not understand why their device suddenly becomes unresponsive during routine maintenance windows. By keeping the feature optional, Mullvad avoids imposing that friction on every install base while still providing a path to stronger protection for users who need it.

To mitigate the bricking scenario, Mullvad has built a safeguard that surfaces a notification when an iOS update arrives. The warning advises users to either turn off the VPN during the update or disable the includeAllNetworks setting temporarily to avoid problems. This introduces a manual step into the update workflow, but it preserves device operability and reduces the likelihood of a stuck update loop that could otherwise require recovery or restore procedures.

Trade-offs, timelines, and the limits of a VPN-side workaround

Mullvad has not specified exactly how or when the new iOS feature is rolling out, stating only that it is coming soon. The company also warns users that its workaround is not perfect and cannot eliminate every edge case where iOS and VPN policy collide. As a result, Mullvad encourages people on iOS to report update-related freezes or bricks directly to Apple, framing the issue as one that ultimately requires platform-level attention rather than a VPN-only fix.

Beyond the immediate iOS leak fix, Mullvad continues to invest in forward-looking privacy measures that aim to harden the service against emerging threats. These include post-quantum encryption to future-proof its VPN against ultra-fast quantum hacking, as well as protocols designed to protect against AI-guided traffic analysis. Pricing starts at $5 per month, positioning Mullvad as a budget-conscious option that nevertheless prioritizes cutting-edge cryptographic hygiene and granular control over network exposure.

Editorial SiliconFeed is an automated feed: facts are checked against sources; copy is normalized and lightly edited for readers.

FAQ

What problem does Mullvad’s iOS master switch address?
The setting addresses data leaks on Apple iOS that can occur before a VPN tunnel is fully active, particularly during LocalNet attacks in which nearby Wi-Fi networks are mimicked to intercept traffic. By enforcing includeAllNetworks, Mullvad forces all app data through the VPN, closing the window in which traffic might bypass encryption. This reduces the risk of exposure on public or hostile networks but requires careful handling during iOS updates.
Why is the includeAllNetworks feature optional and what safeguard does Mullvad provide?
The feature is optional because Apple iOS updates can conflict with restrictive VPN configurations and trigger bricking loops that force repeated failed update attempts. Mullvad’s safeguard displays a notification when an update arrives, warning users to turn off the VPN or disable includeAllNetworks temporarily to avoid device instability. This balances stronger leak protection with practical device management during updates.
How should users handle update-related freezes or bricks, and what other protections does Mullvad offer?
Mullvad advises users to report update-related freezes or bricks to Apple, since the underlying conflict involves iOS update behavior that a VPN-side workaround cannot fully resolve. Beyond the iOS setting, Mullvad also implements post-quantum encryption to defend against future quantum-enabled attacks and protocols to resist AI-guided traffic analysis, with pricing starting at $5 per month.

More in the feed

Prepared by the editorial stack from public data and external sources.

Original article