The two security holes most people don't know they have
Last month a user messaged me: 'I thought I was using a VPN. Turns out my DNS was leaking to my ISP the whole time.' That conversation stuck with me. Because it's not uncommon. Most people install a VPN app, assume they're protected, and move on. They never check whether their DNS queries are actually routed through the VPN tunnel or leaking past it to their ISP or a third party. The second hole is even quieter. It's the apps that claim to support two-factor authentication but don't, or the accounts you set up 2FA for years ago and have since forgotten about. One scan reveals both problems.
Why DNS leaks happen even when you think you're protected
DNS is the phone book of the internet. When you visit a website, your phone asks a DNS resolver 'where is example.com?' and that resolver tells it. If you're using a VPN, that query should go through the VPN tunnel so the VPN provider sees it, not your ISP. But there are gaps.
Android devices sometimes route certain DNS queries outside the VPN tunnel when the tunnel drops, even momentarily. iOS devices can leak DNS queries if an app is configured to bypass the VPN entirely. Or a user switches networks and the DNS settings don't update cleanly. Most people never know it's happening.
When we were building the DNS leak test for ARK, we wanted it to do what the big privacy-focused tools do, but on your device itself. It sends a series of queries to a test domain and checks whether those queries came from the IP address your VPN says you're using, or from somewhere else. If they're leaking, ARK shows you exactly what's leaking and from which app or system process. Then a single tap takes you to the settings page where you can actually fix it.
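The comparison described above, as an added example (not ARK's code): the client resolves unique random names under a test zone, and the zone's authoritative server logs which resolver IP asked for each one. Assumptions: the zone name `leaktest.example`, the log format, the list of networks the VPN is expected to use, the owner labels, and the sample data, which is constructed from documentation-range addresses.

```python
import ipaddress
import secrets
from collections import defaultdict

TEST_ZONE = "leaktest.example"  # hypothetical test zone, not ARK's

def make_probes(count=5):
    # Random labels are never cached, so each lookup must reach the authoritative server.
    session = secrets.token_hex(4)
    return session, [f"{secrets.token_hex(6)}.{session}.{TEST_ZONE}" for _ in range(count)]

def parse_auth_log(lines, session):
    """Probe name -> resolver IPs seen. Assumed format: '<time> <resolver-ip> <qname>'."""
    seen, suffix = defaultdict(set), f".{session}.{TEST_ZONE}"
    for line in lines:
        try:
            _, src, qname = line.split()
            src = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed line or address
        qname = qname.rstrip(".").lower()  # resolvers may randomise letter case
        if qname.endswith(suffix):
            seen[qname].add(src)
    return seen

def assess(probes, seen, vpn_networks, owners):
    """Flag every resolver outside the networks the VPN is expected to use."""
    vpn = [ipaddress.ip_network(n) for n in vpn_networks]
    known = [(ipaddress.ip_network(n), name) for n, name in owners.items()]
    leaks = defaultdict(set)
    for probe in probes:
        for ip in seen.get(probe, ()):
            if not any(ip in net for net in vpn):
                owner = next((o for net, o in known if ip in net), "unknown network")
                leaks[owner].add(str(ip))
    unanswered = [p for p in probes if p not in seen]
    # A probe that never arrived proves nothing, so it is never reported as clean.
    verdict = "leak" if leaks else "inconclusive" if unanswered else "ok"
    return {"verdict": verdict, "unanswered": unanswered,
            "leaks": {o: sorted(v) for o, v in leaks.items()}}

# Constructed sample: fixed session id "ab12cd34", documentation-range addresses.
SAMPLE_PROBES = [f"p{i}.ab12cd34.{TEST_ZONE}" for i in range(3)]
SAMPLE_LOG = ["2024-01-01T10:00:00Z 203.0.113.10 p0.ab12cd34.leaktest.example.",
              "2024-01-01T10:00:01Z 198.51.100.53 p1.ab12cd34.leaktest.example."]
SAMPLE_RESULT = assess(SAMPLE_PROBES, parse_auth_log(SAMPLE_LOG, "ab12cd34"),
                       ["203.0.113.0/24"], {"198.51.100.0/24": "ISP"})
```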
2FA: the audit nobody runs until it's too late
Two-factor authentication is table-stakes security. But most people set it up once, on five or six accounts, and forget about it. Years pass. They create new accounts, some without 2FA. They delete old accounts and the 2FA is still sitting in their authenticator, taking up space and mental load.
More importantly, they have no overview. I spoke to a small business owner who discovered she had 2FA enabled on her banking app but not on her company email. Her team had the opposite problem. Without an audit, that stays hidden until the moment you don't want it to be.
ARK's 2FA audit scans the apps you have installed and checks their app configuration for 2FA support. It doesn't hack into your accounts or try to log in. It simply flags 'you have this app, it supports 2FA, and our database shows you haven't enabled it yet'. You get a prioritised list. High-value targets like email, banking, and password managers float to the top. Lower-risk apps sit below. The remediation link takes you directly to that app's security settings, usually just three taps to enable 2FA.
What we found in beta was that most users saw between 5 and 12 apps they could enable 2FA on but hadn't. A few had it enabled nowhere. Those numbers change behaviour.
They're Shield features because they're network and account level
We kept the core security score and breach check free because they're the foundation: local to your device. Everything that lives on your device without needing external infrastructure stays in the free tier.
DNS leak testing and 2FA auditing live in Shield because they're checking network behaviour and account configuration. The DNS test connects to our test infrastructure to verify whether queries are leaking. The 2FA audit doesn't store your authentication secrets, but it does cross-reference your installed apps against our configuration database to know what each app supports. Both require updates and maintenance that cost us money to run. Shield also includes dark web monitoring (which requires breach feeds), our QR and URL phishing scanner, the Wi-Fi analyser, and password health checking. It's £2.99 a month or £29.99 a year.
Some users only care about DNS leaks. Some only want a 2FA audit. We resisted splitting them because most people who need one benefit from the other. A user with DNS leaks is usually someone who cares about network privacy, which means they probably care about account security too.
What you actually see when you run both scans
Let me walk through a real scenario. You open ARK, hit 'Run Scan'. The app measures your security score across four vectors: device security (OS updates, screen lock, etc.), network exposure (this is where the DNS leak test sits), app permissions (what you've granted to which apps), and breach exposure (whether your credentials have appeared in known breaches). The score updates in real time as each sub-scan completes.
The DNS leak test takes about 30 seconds. It queries our test infrastructure and watches where the requests come from. If anything's leaking, it shows you: 'DNS leaking to ISP' or 'DNS leaking to Cloudflare' or 'DNS leaking to your home router'. Then a 'Fix this' button opens your DNS settings.
The 2FA audit is instant. It scans your installed apps, cross-references them against our database of which apps support two-factor authentication, and compares that to what's enabled on your device. You see: 'Gmail supports 2FA. You haven't enabled it.' Tap once, and it opens Gmail's security settings page.
Both scans feed into your overall score. A DNS leak might drop your score by 8 points. Missing 2FA on high-value accounts might drop it by 10 to 15. That numerical feedback matters more than you'd think. Users actually respond to it. They fix the things because they want to see the score move.
The gaps this catches that most people live with
What strikes me most is how hidden these problems are. Users get a VPN app, see the 'VPN is active' notification, and assume they're done. They enable 2FA on three important accounts and assume they've done the rest. Neither is true, but there's nowhere to verify it until something goes wrong.
We've had users find DNS leaks on devices they thought were locked down. We've had parents discover their kids' phones had zero 2FA enabled anywhere. We've had small business owners realise half their team's accounts weren't protected. None of them knew until they ran the scan.
The thing that keeps me coming back to this problem is that it's so common and so fixable. It's not a vulnerability that requires a patch. It's a configuration oversight that takes minutes to remedy once you see it. ARK's job is to be that mirror. To show you what's actually happening on your network, and what's still missing on your accounts, so you can make the choice to fix it.
If you've set up a VPN or enabled 2FA, you probably think you're covered. Are you certain? Have you actually verified that your DNS isn't leaking, or that 2FA is on everywhere you need it?