ivpn / ios-app

Official IVPN iOS app

Home Page: https://www.ivpn.net/apps-ios

License: GNU General Public License v3.0

Ruby 0.12% Swift 92.08% C 7.28% Go 0.33% Shell 0.18%
ios ivpn privacy security swift vpn vpn-client

Contributors: dependabot[bot], gauravkeshre, jurajhilje, nschonni


ios-app's Issues

iPad - Network Protection dialogue when setting a new trust status is cut off

Description

In the App Store version, as well as in the latest beta 2.1.0 (20), on iPad, when the user changes the trust status, the dialogue asking to reconnect etc. appears cut off. The issue is only present in portrait mode; in landscape the dialogue is fully visible.

Expected result

The Network Protection dialogue when changing the trust status should be fully visible.

Environment

IVPN: 2.0.4 (11), 2.1.0 (20)
Devices: iPad 6 iOS 13.6.1

Steps To Reproduce

  1. Install either App Store version 2.0.4 or latest beta 2.1.0 (20) on an iPad.
  2. Login.
  3. Select OpenVPN or WireGuard.
  4. Change the trust status until the alert is shown.

Show gateways without IPv6 support

Description

This setting should be disabled (or hidden) and on by default.

When the user enables IPv6 for the VPN tunnel, this setting should become visible.

When both "Enable IPv4" and "Show gateways without IPv6 support" are enabled, on the servers list there should be "IPv6" label next to servers that support IPv6.

DNS over HTTPS/TLS inside VPN tunnel

Description

Implement option for secure DNS over HTTPS/TLS inside a VPN tunnel - a new option in existing "Custom DNS" screen.

Notes

  • Only available for iOS 14+ devices

Client connects to OpenVPN server when WireGuard selected

Description

When losing internet connection (or enabling Airplane mode), if the user decides to switch from IKEv2 or OpenVPN to WireGuard, once the device recovers connectivity (or disables Airplane mode), the client will automatically connect to the last OpenVPN or IKEv2 server, even though WireGuard is selected and another server is displayed on screen.

Note:
See attached video for further details.

Actual result:

After internet connection is recovered, the client connects to the last selected server + OpenVPN protocol.

Expected result:

After internet connection is recovered, the client should connect to the current selected server + protocol.

Steps to reproduce:

  1. Install build 1.17.0 (2) or current App Store version.
  2. Login with a paid or trial user.
  3. Select OpenVPN as protocol.
  4. Connect to the faster server.
  5. Enable Airplane mode.
  6. When the VPN is disconnected, select WireGuard as protocol and change the server.
  7. Disable Airplane mode.
  8. Observe that the app shows connected to the WireGuard server, but it's actually connected to the last OpenVPN server.

Environment:

  • Device: iPhone XR
  • OS name and version: iOS 14.3
  • IVPN app version: Beta 2.1.0 (28)

connected to ovpn_wg

IKEv2 selected automatically when closing/reopening the app after installation

Description:

In the current App Store build 2.3.0 (16), IKEv2 is selected automatically after a fresh installation. At first, WireGuard is selected as the default protocol, but when closing/reopening the app, IKEv2 is selected instead.

Actual result:

IKEv2 selected automatically when closing/reopening the app after installation.

Expected result:

WireGuard should always be the default protocol, and no other protocol should be automatically selected.

Steps to reproduce:

  1. Install App Store build 3.2.0(16)
  2. Login
  3. WireGuard is selected
  4. Close app
  5. Reopen app
  6. IKEv2 is selected

Environment:

IVPN: 3.2.0(16)
Devices: iPhone XR iOS 14.4, iPad 6 iOS 13.6.1

Mismatch between the server the app is connected to and the server selected

Description:
Observed with WireGuard: when the app fails to connect to a server, then the user connects successfully to e.g. fastest server and then connects back to the server that failed, the application shows as connected to the server selected, but the geolocation API shows the fastest server.
When looking up the IP address, the app is indeed connected to the fastest server instead of selected one.

Note:
See attached video for further details.

Actual result:
There is a mismatch between the server the app is connected to and the server selected

Expected result:
The app should always connect to the server selected

Steps to reproduce:
Try to mock a disabled gateway

  1. Install e.g. latest beta 2.1.0(26).
  2. Login.
  3. Select WireGuard as protocol.
  4. Attempt connection to the disabled gateway.
  5. Disconnect.
  6. Connect to e.g. fastest server.
  7. Switch to the disabled gateway.
  8. Observe the mismatch.

Extra info:

  • Device: iPhone XR
  • OS name and version: iOS 14.3
  • IVPN app version: Beta 2.1.0 (23)
serve.mismatch_iOS.MP4

Disconnect shortcut not working

Description

In the App Store version, as well as in the latest beta 2.1.0 (20), when the app is closed, but connected, the shortcut "Disconnect" does not work.

Expected result

The shortcuts should always work, regardless if the app is opened or closed.

Environment

IVPN: 2.0.4 (11), 2.1.0 (20)
Devices: iPhone XR iOS 14.3, iPad 6 iOS 13.6.1

Steps To Reproduce

  1. Install either App Store version 2.0.4 or latest beta 2.1.0 (20).
  2. Login.
  3. Connect to any server with any protocol.
  4. Shut the app down (close it)
  5. Open the IVPN shortcuts.
  6. Tap on "Disconnect".
  7. Observe that the app opens, but it doesn't disconnect.

IVPN widget not loading on 2.1.0 (20)

Description

In the latest beta version 2.1.0(20), the IVPN widget is not loaded. The issue is only present on iPhone XR which has an iOS version 14.3.
The issue is NOT present in the App Store version 2.0.4.

Expected result

The IVPN widget should work on all supported devices and iOS versions.

Environment

IVPN: 2.1.0 (20)
Devices: iPhone XR iOS 14.3

Steps To Reproduce

  1. Install IVPN version 2.1.0 (20) on an iPhone, iOS 14.x
  2. Observe that the IVPN widget is unable to load.

Investigate iOS 14 privacy alert - "IVPN would like to find and connect to devices on your local network."

Description

A new iOS 14 privacy alert is presented when newly installed apps require access to, or try to interact with, the local network.
First we need to investigate which part of the app/app's logic triggers this alert, and then resolve the issue in 2 possible ways:

  1. Remove the logic that triggers the privacy alert, if possible
  2. Add a custom description in Info.plist that describes exactly why IVPN app requires access to local network (instead of iOS presenting a default alert text)

More info:
https://developer.apple.com/forums/thread/663858

Incorrect subscription expiration alert

Description:

When the subscription expires "today", but it's still active, the iOS app shows incorrectly the alert "Subscription expired RENEW".

Actual result:

Incorrect subscription expiration alert when the subscription expires "today".

Expected result:

When the subscription expiration date is <=1 day, the app should display an alert such as: "Subscriptions expires today" along with the button "Renew".

Steps to reproduce:

  1. Install version 2.3.0(10).
  2. Login with an account which is going to expire "today".
  3. Observe the incorrect alert in the main screen.

Environment:

  • Device: iPhone XR
  • OS name and version: iOS 14.3
  • IVPN app version: Beta 2.3.0 (10)

Implement Captcha

Description

The main objective of Captcha is to discourage automated brute-forcing of either Account IDs or Email / Password combinations of existing users, or credential stuffing attacks.

Sometimes attackers are sophisticated enough to use a huge number of IP addresses, therefore making regular rate-limiting per IP address useless.

As a solution, we’re counting total requests for the /v4/sessions/new endpoint, and after some threshold is exceeded, Captcha is requested from all clients calling this endpoint for some period of time.

Input validation

Apps need to validate user input - verification code must be 6-digit code.

If input is not valid, app presents an error alert:

Title: “Invalid code”
Text: “Please enter 6-digit verification code”

IKEv2 - Connect to gateway by IP address

Currently, the iOS app uses a DNS hostname to connect to gateway with IKEv2.

Using an IP address has advantages:

  • DNS hosts are blocked for some users
  • Load balancing is achieved by connecting to a location with multiple servers

Add DNS resolver validation error in the UI

When entering hostname for DoH or DoT settings, iOS device resolves IP addresses from hostname, as an array of IP addresses is required to enable custom DNS configuration.
If DNS resolver fails, we want to present an error alert in the UI.

This needs to be implemented for both connected and disconnected custom DNS settings.

Add separate View component for ViewControllers

Description

Some ViewControllers need to have their view logic extracted to separate View component:

TermsOfServiceViewController.swift
WireGuardSettingsViewController.swift
SettingsViewController.swift

Network Protection - App gets stuck on connecting/disconnecting state

Description

While testing network protection on version 2.1.0(27), it was observed that the app was getting stuck in connecting/disconnecting state when changing the default & current network trust status quickly, the issue not only happens with IKEv2 where the app throws endlessly the authentication error, but with OpenVPN as well where the app permanently tries to connect/disconnect.

Note:
See attached video for further details.
Please note that this issue is not observed with WireGuard.

Actual result:

App gets stuck on connecting/disconnecting state when changing the default & current network trust status repeatedly.

Expected result:

The app should never get stuck on connecting/disconnecting state when changing the trust status (even repeatedly).

Steps to reproduce:

  1. Install beta version 2.4.0(10).
  2. Login.
  3. Select e.g. OpenVPN.
  4. Enable network protection.
  5. Change default trust status and make sure you select "Reconnect + don't ask me again"
  6. Change the default and current network trust status several times.
  7. Go back to the main screen and observe the issue.

Environment

Device: iPhone XR
OS name and version: iOS 14.3
IVPN app version: Beta 2.1.0 (27)

File

reconnecting_networj protection

Rewrite Ping Service to not require access to the local network

The current implementation of the Ping Service requires access to the local network because it is implemented using CFSocket (a low level communications channel implemented with a BSD socket) and this is one of the operations which will trigger this access request.

Ideally, we want to implement the Ping Service in a way that does not perform operations that require access to the local network.

Local Network Privacy FAQ:
https://developer.apple.com/forums/thread/663858

What operations require local network access?:
https://developer.apple.com/forums/thread/663874

Crash when trying to restore purchases after a fresh installation

Description:

After fresh installing the App Store build 2.3.0 (16), when the user tries to restore purchases, the app crashes.
This is not observed after updating the IVPN version or when trying to restore purchases after logging out from the app

Actual result:

Crash when trying to restore purchases after a fresh installation.

Expected result:

The app should never crash when trying to restore purchases, if there is a valid subscription, the app should log the user in.

Steps to reproduce:

  1. Fresh install App Store build 3.2.0(16)
  2. Launch the app.
  3. Tap on Restore Purchases (make sure there is a valid subscription)

Environment:

IVPN: 3.2.0(16)
Devices: iPhone XR iOS 14.4

CANNOT COMPILE PROJECT

Bug report

I cannot compile project

Describe your environment

  • Device: MBP15 2017
  • OS name and version: MACOS 10.14.6
  • IVPN app version: 1.18.1
  • GO VERSION 1.12.7

Describe the problem

It says 'Makefile:37: *** This requires go version go1.12.7 darwin/amd64. Stop.
Command ExternalBuildToolExecution failed with a nonzero exit code'
BUT I ALREADY HAVE GO1.12.7 INSTALLED
HOW TO FIX IT?
Full log is here: https://pastebin.com/Gchpe7dj
Screen shot: https://prnt.sc/rg23w2

Steps to reproduce:

  1. CLONE REPO
  2. POD INSTALL
  3. CMD+R

Observed Results:

  • What happened? This could be a description, log output, etc.
    It says 'Makefile:37: *** This requires go version go1.12.7 darwin/amd64. Stop.
    Command ExternalBuildToolExecution failed with a nonzero exit code'
    Full log is here: https://pastebin.com/Gchpe7dj
    Screen shot: https://prnt.sc/rg23w2

Expected Results:

  • What did you expect to happen?
    SUCCESSFUL BUILD

Add support for DoH URL input

Description

In the current app version 2.3.0, for DoH server it is only possible to enter hostname or IP address.
We want to add support for entering a custom DoH server URL, or DoT server name with subdomain.

For example:


DoH: https://dns.nextdns.io/123456
DoT: 123456.dns.nextdns.io

This needs to be implemented for both connected and disconnected custom DNS settings.

Public key pinning of API server certificate

Introduction

Apps don't usually determine which certificates to trust and which not to trust when they try to establish a connection with a server. Rather, they rely entirely on trusted root certificates that are preinstalled with the operating system.

SSL pinning is a technique that helps to prevent MITM or man-in-the-middle attacks.

What is pinning?

Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or ‘pinned’ to the host. (From OWASP, Certificate and Public Key Pinning)

Types of SSL certificate pinning

Pin the certificate: download the server's certificate and bundle it into the app. At runtime, the app compares the server's certificate to the one you've embedded.

Pin the public key: retrieve the certificate's public key and include it in app code as a string. At runtime, the app compares the certificate's public key to the one hard-coded in app code.


IVPN apps will use public key pinning method

App needs to do a verification when performing HTTPS requests to our API server in these steps:

  1. Extracting the public key from the received certificate
  2. Hash it - base64 encoding of a SHA256 hash
  3. Matching it to stored hashes - an array of valid public keys is hardcoded in the app
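
The three verification steps listed in this issue, sketched as a URLSession delegate. This is an added example, not code from the IVPN repository: the class name, the host name and the pin strings are placeholders, and SecTrustCopyKey assumes iOS 14 or later.

```swift
import Foundation
import Security
import CryptoKit

/// Added illustration of public key pinning; names and values are hypothetical.
final class PublicKeyPinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    /// base64(SHA-256(public key bytes)). Ship at least one backup pin so a
    /// key rotation on the server does not lock every installed client out.
    private let pinnedKeyHashes: Set<String>

    init(host: String, pinnedKeyHashes: Set<String>) {
        self.pinnedHost = host
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    /// Steps 1 and 2: export the key bytes and hash them.
    /// SecKeyCopyExternalRepresentation returns PKCS#1 (RSA) or X9.63 (EC)
    /// bytes, not the full SubjectPublicKeyInfo. The stored pins must be
    /// computed over the same representation, otherwise nothing will match.
    static func pin(for key: SecKey) -> String? {
        var error: Unmanaged<CFError>?
        guard let bytes = SecKeyCopyExternalRepresentation(key, &error) as Data? else {
            _ = error?.takeRetainedValue()   // balance the retained CFError
            return nil
        }
        return Data(SHA256.hash(data: bytes)).base64EncodedString()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges for the pinned host are handled here.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Pinning is an extra check on top of normal chain validation:
        // an expired or otherwise untrusted certificate is rejected first.
        var trustError: CFError?
        guard SecTrustEvaluateWithError(trust, &trustError),
              let leafKey = SecTrustCopyKey(trust),        // step 1 (leaf key)
              let pin = Self.pin(for: leafKey),            // step 2
              pinnedKeyHashes.contains(pin) else {         // step 3
            // Fail closed: no fallback to the system trust store on mismatch.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage with placeholder values (constructed for this example):
let pinningDelegate = PublicKeyPinningDelegate(
    host: "api.example.invalid",
    pinnedKeyHashes: ["<base64 SHA-256 of current key>",
                      "<base64 SHA-256 of backup key>"])
let pinnedSession = URLSession(configuration: .ephemeral,
                               delegate: pinningDelegate,
                               delegateQueue: nil)
```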

Implement 2-Factor Authentication

Description

When user enables 2-factor authentication on his account, backend will require additional TOTP token from the client app when creating new session.

Input validation

Apps need to validate user input - verification code must be 6-digit code.

If input is not valid, app presents an error alert:

Title: “Invalid code”
Text: “Please enter 6-digit verification code”

Remove option to send app crash reports

Description

Since users can opt-in to allow Apple to share crash reports with app developers, we do not need the option for users to send the app crash reports directly to IVPN.

Notes

With the removal of this option, we also need to remove dependency:

  • github.com/getsentry/sentry-cocoa

QA notes

Sanity check of IVPN app's settings screen.

Enable iOS filesystem protection

Description

Enable Data Protection capability to protect files and data created by the app by encrypting it on disk.

Data Protection Entitlement:

<key>com.apple.developer.default-data-protection</key>
<string>NSFileProtectionComplete</string>

More info

https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_default-data-protection

OpenVPN - Connect to gateway by IP address

Currently, the iOS app uses a DNS hostname to connect to gateway with OpenVPN.

Using an IP address has advantages:

  • DNS hosts are blocked for some users
  • Load balancing is achieved by connecting to a location with multiple servers

Update country flags icon set

Description

Currently, we use two sets of country flag icons - one (vector format) for countries where IVPN have gateways, and one (PNG format) for all other locations.

We want to have a single vector set for all locations.

Potential flags icon set, with most countries, SVG option and simplified art details that are suitable for displaying icons in small dimensions:
https://github.com/yammadev/flag-icons

QA notes

  • Added new SVG icon set that replaces old PNG set
  • Fixed minor issues with flag icon border (we add subtle border around flag icons, most noticeable in light theme)

Preparing for Strong Customer Authentication transactions in the European Economic Area

Description

Starting December 31, 2020, legislation from the European Union introduces Strong Customer Authentication (SCA) requirements for users in the European Economic Area (EEA) that may impact how they complete online purchases. We need to verify our app’s implementation of StoreKit to ensure purchases are handled correctly.

For in-app purchases that require SCA, the user is prompted to authenticate their credit or debit card. They’re taken out of the purchase flow to the bank or payment service provider’s website or app for authentication, then redirected to the App Store where they’ll see a message letting them know that their purchase is complete. Handling this interrupted transaction is similar to Ask to Buy purchases that need approval from a family approver or when users need to agree to updated App Store terms and conditions before completing a purchase.

More info:
https://developer.apple.com/support/psd2/

Unexpected alert when trying to change protocol

Description:

On version 2.3.0 (10), when the VPN profile dialog shows, if the user selects "Don't allow" and tries to change protocol, the app shows unexpectedly the following alert 'VPN connection is active. Changing protocol will turn off the current VPN connection'.

Furthermore, with IKEv2, the VPN profile dialog is displayed twice if selecting "Don't allow".

Actual result:

Unexpected alert when trying to change protocol after disallowing to set the VPN profile upon connection.

Expected result:

If users select "Don't allow" when the VPN profile dialog appears, afterwards if they change protocol, the connection alert should not be shown.

Steps to reproduce:

  1. Install 2.3.0(10)
  2. Login.
  3. Attempt to connect.
  4. When the VPN profile dialog appears, select "Don't allow".
  5. Try to change protocol.
  6. Observe the alert.

Environment:

  • Device: iPhone XR
  • OS name and version: iOS 14.3
  • IVPN app version: Beta 2.3.0 (10)

Show resolved DNS IP addresses in the UI

When entering hostname for DoH or DoT settings, iOS device resolves IP addresses from hostname, as an array of IP addresses is required to enable custom DNS configuration.
We want to display this list of IP addresses in the UI. So as a user, I can see exactly which DNS server is used for custom DNS configuration.

This needs to be implemented for both connected and disconnected custom DNS settings.
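
One way the custom DNS issues on this page fit together (DoH/DoT settings, DoH URL input, the resolver error and the resolved address list), as an added example that is not code from the IVPN repository. The type and function names are hypothetical, and treating any input without an https:// prefix as a DoT server name is an assumption of this sketch.

```swift
import Foundation
import NetworkExtension

enum SecureDNSError: Error {
    case invalidInput(String)      // surfaced as a validation alert
    case resolutionFailed(String)  // surfaced as the resolver error alert
}

/// Hypothetical model of the "Custom DNS" text field.
enum SecureDNSServer {
    case doh(url: URL, host: String)
    case dot(serverName: String)

    /// "https://dns.nextdns.io/123456" becomes DoH,
    /// "123456.dns.nextdns.io" becomes DoT.
    init(userInput: String) throws {
        let text = userInput.trimmingCharacters(in: .whitespacesAndNewlines)
        if text.lowercased().hasPrefix("https://") {
            guard let url = URL(string: text), let host = url.host, !host.isEmpty else {
                throw SecureDNSError.invalidInput(text)
            }
            self = .doh(url: url, host: host)
            return
        }
        // A DoT server name is a bare host name: no scheme, port or path.
        let allowed = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: ".-"))
        guard !text.isEmpty, text.unicodeScalars.allSatisfy({ allowed.contains($0) }) else {
            throw SecureDNSError.invalidInput(text)
        }
        self = .dot(serverName: text)
    }

    var hostToResolve: String {
        switch self {
        case .doh(_, let host): return host
        case .dot(let serverName): return serverName
        }
    }
}

/// Resolves a host name to numeric IPv4/IPv6 strings with getaddrinfo.
/// This call blocks, so run it off the main thread.
func resolveAddresses(of host: String) throws -> [String] {
    var hints = addrinfo()
    hints.ai_socktype = SOCK_STREAM
    var result: UnsafeMutablePointer<addrinfo>?
    guard getaddrinfo(host, nil, &hints, &result) == 0, result != nil else {
        throw SecureDNSError.resolutionFailed(host)
    }
    defer { freeaddrinfo(result) }

    var addresses: [String] = []
    var cursor = result
    while let info = cursor {
        var buffer = [CChar](repeating: 0, count: Int(NI_MAXHOST))
        if getnameinfo(info.pointee.ai_addr, info.pointee.ai_addrlen,
                       &buffer, socklen_t(buffer.count), nil, 0, NI_NUMERICHOST) == 0 {
            let address = String(cString: buffer)
            if !addresses.contains(address) { addresses.append(address) }
        }
        cursor = info.pointee.ai_next
    }
    guard !addresses.isEmpty else { throw SecureDNSError.resolutionFailed(host) }
    return addresses
}

/// Builds the iOS 14+ DNS settings and returns the resolved addresses
/// alongside them so the UI can display exactly which servers are used.
@available(iOS 14.0, *)
func makeDNSSettings(for server: SecureDNSServer) throws
    -> (settings: NEDNSSettings, addresses: [String]) {
    let addresses = try resolveAddresses(of: server.hostToResolve)
    switch server {
    case .doh(let url, _):
        let settings = NEDNSOverHTTPSSettings(servers: addresses)
        settings.serverURL = url
        return (settings, addresses)
    case .dot(let serverName):
        let settings = NEDNSOverTLSSettings(servers: addresses)
        settings.serverName = serverName
        return (settings, addresses)
    }
}
```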

IPv6 inside WireGuard tunnel

Description

Allow users access to the IPv6 internet after they connect to the WireGuard VPN.

In current clients, WireGuard [Interface] is only configured with an IPv4 address.
By adding an IPv6 address in the client config, the VPN tunnel will have IPv6 traffic as well, when connected to a gateway which supports IPv6.

Example client config:

[Interface]
Address = 192.0.2.0,2001:0db8:0:0::2001:0db8/64
ListenPort = 51820
PrivateKey = <PrivateKey>
DNS = 198.51.100.0

[Peer]
PublicKey = <PublicKey>
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 203.0.113.0:2049
PersistentKeepalive = 25

There should be an option in the app settings that enables IPv6 inside VPN tunnel, which is off by default.

Implement a message that tells the user why the app is requesting access to the local network

Description

The current implementation of the Ping Service requires access to the local network because it is implemented using CFSocket (a low level communications channel implemented with a BSD socket) and this is one of the operations which will trigger this access request.

Until we can implement the Ping Service in a way that does not require access to the local network, we want to describe to users why the app requires this. This is done by adding NSLocalNetworkUsageDescription in the Info.plist.

This issue is relevant only for iOS 14+ devices.

QA notes

Instead of the iOS default alert message, now the alert contains a custom message describing why IVPN app requires access to user's local network - to obtain servers latency.

To get this alert presented by iOS consistently, follow these steps:

  1. Make sure to be connected to WiFi/local network
  2. Delete IVPN app (if installed)
  3. Reboot the device
  4. Install the IVPN app
  5. Launch the app - in most cases at this point the alert should appear
  6. Go to servers screen and refresh servers latency times every 15 seconds, after a couple of times the alert should appear if it didn't at the app launch

UI issue regarding the circles animation when changing networks

Description:
In the App Store build 2.0.4, as well as in the latest beta 2.1.0 (23), there is a UI issue with the connecting circle animation while changing networks and having the following network trust settings (Mobile data: Untrusted, WIFI: Trusted or vice versa).
When changing networks, two circles are observed at the same time, one for the disconnected server and another one for the server connected to.

Note:
See attached video for further details.

Actual Result:
Two connecting circles when changing networks while having different trust status set from every network.

Expected Result:
Only one circle animation should be shown when connecting or disconnecting.

Steps to reproduce:

  1. Over WIFI, install App Store version 2.0.4.
  2. Login.
  3. Select e.g. OpenVPN as protocol and connect to any server.
  4. Enable Network Protection.
  5. Set Mobile Data to Untrusted and WIFI network to Trusted.
  6. Proceed to the main screen.
  7. Change network from WIFI to Mobile Data.
  8. Observe that two circles are displayed when connecting to the server.
  9. Change network from Mobile Data to WIFI.
  10. Observe that two circles are displayed when disconnecting from the server.

Extra Info:

  • Device: iPhone XR
  • OS name and version: iOS 14.3
  • IVPN app version: App Store 2.0.4, Beta 2.1.0 (23)
two.circles_changing.networks.MP4

openssl-apple not installing after pod install

After I do 'pod install' it says this:
Screen Shot 2020-05-10 at 00 07 10

The file mentioned at:
Problem during make - Please check /Users/miladgholamhosseini/Library/Caches/CocoaPods/Pods/Release/OpenSSL-Apple/1.1.0l.4-f3d16/bin/MacOSX10.15.4-x86_64.sdk/build-openssl-1.1.0l.log

says:
Screen Shot 2020-05-10 at 00 08 50

I searched everywhere but no clue what to do, I'd be grateful for your help.
