- Proton VPN uniquely blocks IP tunnel fingerprinting on iOS, researchers say
- Mullvad is among other providers that remain vulnerable to the breach
- The problem is with the behavior of the iOS network
Proton VPN is the only VPN that successfully avoids internal tunnel IP fingerprinting on iOS, according to recent testing by security researchers at Mysk.
Internal tunnel IP fingerprinting is the ability to correlate a VPN session using the “fingerprints” left by a recurring private IP address assigned inside a VPN tunnel.
A lot of The best VPNs assign a static, unique IP address per session or device, leaving these traces behind.
The problem is that in the iOS ecosystem, apps can freely read the internal IP address of the VPN tunnel, which means it can be used as an additional tracking signal between apps.
Instead, Proton VPN assigns the same reserved local internal IP address – specifically 10.2.0.2 – to all users, removing individual fingerprints left by your own online activity.
What the researchers discovered
Imagine you are a member of a private club and when touring the building you leave your fingerprints everywhere.
Even if no one can identify who they belong to, the fact that they are on specific objects can give an idea of what a particular person did.
This is indeed the problem with iOS. When you have a stable internal IP address assigned by WireGuard – in any VPN – it acts as a digital fingerprint and iOS allows any app to read it. This, in turn, can be used as a shared identifier, making it easier for these apps to infer that they are running on the same device and within the same VPN session.
Proton VPN has chosen to tackle this problem head on. Thanks to a new approach, users are assigned the exact same internal IP address. This appears identical to all other users connecting to the service via the WireGuard protocol.
Using Loupe, we discovered that Proton VPN is the only VPN that prevents internal tunnel IP fingerprinting by assigning 10.2.0.2 to all users. Other VPNs, like Mullvad, assign a static, unique IP address per session. This allows iOS apps to track user sessions between apps. pic.twitter.com/zOyR8lZBWQJune 15, 2026
This week, Mysk security researchers used software they developed to definitively illustrate the problem. Using Loupe, they discovered that their iOS app reads a unique fingerprint when using Mullvad VPN, for example, but only reads a generic fingerprint when connected to Proton VPN.
Although TechRadar confirms the findings regarding Proton, the team could not independently verify whether all other VPN services are affected.
However, Mullvad has previously highlighted the issues with having a static IP address and how it could lead to privacy issues.
In January, the VPN provider, popular for its rigid privacy stance and no-logging policy, already noted that maintaining a static IP address for each device could be leaked through technologies like WebRTC and help identify and track user activity.
In his blog, Mullvad noted that he plans to introduce dynamic workgroup assignment to address this issue. In May, the vendor announced plans to address another IP fingerprinting issue after researchers raised the issue.
An iOS problem
Researchers appear to confirm that the problem is at the platform level, suggesting that Apple’s operating system needs updates to its VPN handling rather than the other way around.
It’s not yet clear whether Apple is actually addressing these issues.
This isn’t the first time Apple’s platforms have come into conflict with VPNs, either. The two security researchers at Mysk and Mullvad also publicly complained about another iOS behavior that could leak traffic during app updates.
In April, Mullvad decided to roll out an update to make its iOS app more secure, taking advantage of an iOS configuration option called includeAll networks to act as a hermetic circuit breaker.
“We decided that we weren’t going to wait any longer and would like to offer our users the best privacy and security possible, even if it comes with major UX limitations,” Mullvad said in his blog, while admitting that traffic would continue to leak during the update process.
However, Apple doesn’t seem to have any plans to fix this problem. Even in the latest beta version of iOS and iPad OS, Mysk found that the real IP address of the device continues to leak when updating a VPN app while it is active.
At least for this “leak”, Mullvad users will now receive advance notification so they can choose the safest time to update. When it comes to IP fingerprinting, non-Proton users may have to wait much longer for a fix.
