VPN On Demand Rules are sometimes mis-evaluated

Originator: davepeck
Number: rdar://23186904
Date Originated: 20-Oct-2015 11:29 AM
Status: Closed
Resolved: Fixed
Product: iOS 9
Product Version: iOS 9.0.2 (13A452)
Classification: Security
Reproducible: Sometimes
 
Summary:

It is possible to construct a very simple VPN configuration profile that contains a handful of On Demand Rules that, given enough time, will be mis-evaluated, resulting in the VPN turning on (or off) when it shouldn't. This appears to be a regression starting with iOS 9; while this is an intermittent issue, we have yet to see it reproduce on an iOS 8 device.

Steps to Reproduce:

1. Create a VPN configuration profile with OnDemand enabled, and with the following rules, replacing "Trusted SSID" with the SSID for your favorite trusted network:

<key>OnDemandRules</key>
<array>
	<dict>
		<key>InterfaceTypeMatch</key>
		<string>WiFi</string>
		<key>SSIDMatch</key>
		<array>
			<string>Trusted SSID</string>
		</array>
		<key>Action</key>
		<string>Disconnect</string>
	</dict>

	<dict>
		<key>InterfaceTypeMatch</key>
		<string>Cellular</string>
		<key>Action</key>
		<string>Disconnect</string>
	</dict>

	<dict>
		<key>InterfaceTypeMatch</key>
		<string>WiFi</string>
		<key>Action</key>
		<string>Connect</string>
	</dict>

	<dict>
		<key>Action</key>
		<string>Ignore</string>
	</dict>
</array>

2. Install the profile

3. Wait until you see an unexpected activation of the VPN when connected to the trusted network. As we mentioned, this is an intermittent issue; you may be waiting a few hours... or a week. (We have a huge number of customers, and a large number of test devices in-house, and we see the bug happen quite often.)

Expected Results:

Expected: the VPN is always disconnected on the "Trusted SSID" Wi-Fi network, and is always connected on *all other networks*

Actual Results:

Actual: on occasion, the VPN is enabled even on the "Trusted SSID" Wi-Fi network.

Notes:

- This bug exists in the iOS 9.1 beta series, too.

- The bug does not exist in iOS 8, at least as far as we can tell.

- We've noticed that this bug seems to happen _more_ often when your device is either locked on your trusted network and then later unlocked, or when your device is locked and transitions either from cellular or another Wi-Fi network to your trusted network. But because of the intermittent nature of this bug, it's hard to say for sure whether this is actually related.

- It sure feels like a race condition of some kind.

- It's probably impacting Apple's enterprise customers to some degree. The specific configuration profile included in this report is effectively a whitelist, so perhaps it's not the end of the world as a bug. 

However, if you flipped the sense of the rules around, you've got a potentially quite serious bug.
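
Added example (not part of the original report, and not Apple's code): a reference evaluator for the rules above, using the documented On Demand semantics in which rules are checked in order and the first match decides the action. It can serve as an oracle when reviewing field observations for mis-evaluations; the observation tuples and function names are hypothetical, and only the two match criteria used in this profile are modelled.

```python
import plistlib

# The report's rules, wrapped in a plist so plistlib can parse the fragment.
PROFILE_RULES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>OnDemandRules</key><array>
<dict><key>InterfaceTypeMatch</key><string>WiFi</string>
  <key>SSIDMatch</key><array><string>Trusted SSID</string></array>
  <key>Action</key><string>Disconnect</string></dict>
<dict><key>InterfaceTypeMatch</key><string>Cellular</string>
  <key>Action</key><string>Disconnect</string></dict>
<dict><key>InterfaceTypeMatch</key><string>WiFi</string>
  <key>Action</key><string>Connect</string></dict>
<dict><key>Action</key><string>Ignore</string></dict>
</array></dict></plist>"""
RULES = plistlib.loads(PROFILE_RULES)["OnDemandRules"]


def rule_matches(rule, interface, ssid=None):
    """A rule matches only if every criterion it lists is satisfied."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != interface:
        return False
    if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
        return False
    return True  # a rule with no criteria (the final Ignore) matches anything


def expected_action(rules, interface, ssid=None):
    """Return (index, action) of the first matching rule, or (None, None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, interface, ssid):
            return index, rule["Action"]
    return None, None


def find_misevaluations(rules, observations):
    """Flag (interface, ssid, vpn_connected) tuples that contradict the rules."""
    wanted = {"Connect": True, "Disconnect": False}
    flagged = []
    for interface, ssid, vpn_connected in observations:
        _, action = expected_action(rules, interface, ssid)
        if action in wanted and wanted[action] != vpn_connected:
            flagged.append((interface, ssid, vpn_connected, action))
    return flagged


# Constructed observations; the second one is the symptom this report describes.
OBSERVED = [("WiFi", "Trusted SSID", False), ("WiFi", "Trusted SSID", True),
            ("WiFi", "CoffeeShop", True), ("Cellular", None, False)]
```

Calling find_misevaluations(RULES, OBSERVED) returns only the observation where the VPN was up on "Trusted SSID" although the first rule says Disconnect.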

Comments

Apple Closed the bug!

From Dave Peck

Hi,

Thank you for the update on this bug. We've been testing this behavior on iOS 10 beta 1 ever since it was released (and since we saw your update to this bug).

So far the signs are encouraging: we believe this bug is fixed! Thank you very much. :-)

Because of the intermittent nature of this bug, we intend to continue testing for now; we'll let you know if the situation changes.

From Apple Developer Relations

Please verify this issue with the latest iOS 10 beta build and update your bug report at https://bugreport.apple.com/ with your results.

iOS 10 beta (Build: 14A5261v) https://developer.apple.com/download/ Posted Date: Jun 13th, 2016

