After more than a year of publicly reporting a constraint in iOS’s NetworkExtension framework, Mullvad has decided to stop waiting. The Swedish app is about to release an optional feature in its iOS application that attempts to plug traffic leaks outside the VPN tunnel, a structural problem in Apple’s operating system that has never been fixed.

The feature is called Force all apps and, when activated, sets the includeAllNetworks option to true on iOS. In practice, the system is forced to route all application traffic through the encrypted tunnel, preventing isolated packets from escaping the VPN under certain conditions.

The known iOS problem

Mullvad had explained a year ago why it avoided enabling that option, even though it would have fixed the leaks. The reason is concrete: enabling it breaks the App Store update mechanism.

The scenario described by the company is a loop: iOS starts the app update, the phone’s network stack freezes, the device loses connection. The user restarts, the network works again, but the App Store retries updating the app and the sequence repeats. A cycle you only escape by intervening manually.

The choice, and its conditions

The news is that Mullvad is now choosing to offer this path to users anyway, aware that many will pay the price in terms of usability. The company has set the feature as explicitly opt-in and hopes that with more users exposed to the problem, the likelihood of Apple fixing it at the source will increase.

To avoid the loop described above, those who enable Force all apps must handle updates manually. There are two possible approaches. The first is to disconnect the VPN before the update, allow the app to update (it won’t reconnect automatically) and then reactivate the connection manually, leaving Force all apps active. The second is to directly disable Force all apps, let everything proceed normally, and re-enable it manually afterward.

In either case, during the update window traffic will exit outside the VPN tunnel. Mullvad states it has found no way to prevent this. And it warns that some users who enable the feature might still end up with a compromised network stack, in which case the only useful thing to do is send a feedback report to Apple. There also remains an unresolved related limitation that forces Mullvad to maintain a technical workaround. Another signal that the entire system doesn’t depend on how the app is written, but on how Apple built iOS.

A consistent choice

Beyond the technical details, the announcement aligns with Mullvad’s long-standing position: accepting uncomfortable compromises on user experience in order to offer greater privacy to those who genuinely seek it. A consistency that has paid off in reputation, but on iOS it collides with the limitations of an operating system where many decisions don’t depend on app developers.