Unable to Properly Secure Apple Watch Communication

Originator: SlaunchaMan
Number: rdar://31663953
Date Originated: 17-Apr-2017 04:16 PM
Status: Open
Resolved:
Product: watchOS + SDK
Product Version: watchOS 3.2 (13V349)
Classification:
Reproducible: Always
 
Summary:
Because Apple Watch can use known wifi networks synced from your iPhone, it’s possible to leak sensitive information when you are relying on a VPN service on iPhone and your iPhone is disconnected from your Watch.

Steps to Reproduce:
1. Use a VPN service on iOS to protect your communication.
2. Connect to a public wifi network (for instance, at a hotel).
3. Disconnect your watch from your phone (for instance, take the watch down to the hotel pool to swim some laps, while leaving your iPhone in your hotel room).
4. Use an app on your Watch (or have background updates run for an app) that downloads sensitive information; for instance, an app that updates its interface with your bank account balance in the background.

Expected Results:
It’s possible to secure the wifi connection your Apple Watch makes with the known wifi network with a VPN.

Observed Results:
There are no VPN configuration APIs available for watchOS.

Notes:
This is typically a problem in a travel scenario. I use two Apple Watches—one for daytime use and one for tracking my sleep. During the day, the latter watch remains in my hotel room on its charger. Any background updates happening at that time (or on any watch in a disconnected scenario) are not protected by my VPN. For my VPN, I use Cloak (https://www.getcloak.com), which automatically connects to a VPN when I’m on an untrusted connection. I’d love to be able to use Cloak on watchOS.

Configuration:
All Apple Watch models.
