
X--X

Suspended
Original poster
Jun 11, 2015
367
1,213
Since this is a Big Sur topic it should be mentioned here.

Apple has made a strange choice in macOS 11 that poses risks to both security and privacy - and protecting yourself is not easy. Programs like Little Snitch and Tripmode must now use what Apple calls the Network Extension API, a programming interface that provides access to most of the features that previously existed in the corresponding kernel extension. But what Apple has failed to mention to anyone is that there is a system with exceptions, which means that these programs can no longer filter all network connections.


Apple is actively hiding some of their connections from users.

Statement from Little Snitch: https://blog.obdev.at
 

Puonti

macrumors 68000
Mar 14, 2011
1,567
1,187

sashavegas

macrumors regular
Jul 11, 2018
122
86
from terminal
mkdir mnt
sudo mount -o nobrowse -t apfs /dev/disk1s5 mnt/
(change disk if different)
sudo nano mnt/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist

Remove anything between <array>, under ContentFilterExclusionList.
save
sudo bless --folder mnt/System/Library/CoreServices --bootefi --create-snapshot && sudo reboot

Once done, Little Snitch sees everything as usual.
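An added example, not part of the original post: a read-only audit of the ContentFilterExclusionList key that the post edits. It lists what a copy of the Info.plist exempts and diffs two copies, so a list that an OS update has put back is noticed. The sample plists, their placeholder entries and the function names are constructed for illustration.

```python
import plistlib
import sys

KEY = "ContentFilterExclusionList"  # key name as given in the post above

# Constructed sample data: placeholder entries, not Apple's real list.
SAMPLE_STOCK = plistlib.dumps({
    "CFBundleIdentifier": "com.example.placeholder",
    KEY: ["/placeholder/libexec/daemon-a",
          "/placeholder/Apps/Store.app/Contents/MacOS/Store"],
})
SAMPLE_EDITED = plistlib.dumps(
    {"CFBundleIdentifier": "com.example.placeholder", KEY: []})


def exclusion_entries(plist_bytes):
    """Return the exclusion list as sorted strings, or None if the key is absent.

    An absent key and an emptied array are different states, so they are
    reported differently instead of both reading as "nothing excluded".
    """
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    if KEY not in info:
        return None
    value = info[KEY]
    if not isinstance(value, list):
        raise ValueError(f"{KEY} is {type(value).__name__}, expected an array")
    return sorted(str(item) for item in value)


def compare(baseline_bytes, current_bytes):
    """Diff a saved copy of the plist against the current one."""
    old = set(exclusion_entries(baseline_bytes) or [])
    new = set(exclusion_entries(current_bytes) or [])
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE_STOCK
    entries = exclusion_entries(data)
    if entries is None:
        print(f"{KEY}: key not present")
    else:
        print(f"{KEY}: {len(entries)} excluded entries")
        for path in entries:
            print("  ", path)
```

Keeping a copy of the plist taken after the edit and running compare against the live file after each system update shows whether the entries have returned.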
 


X--X

Suspended
Original poster
Jun 11, 2015
367
1,213
"Hacking" your own system to be able to see what servers Apple is connecting to is sad. Not to mention any workaround can be blocked or reversed by Apple with every update.

They have not even made a statement about this, even though news outlets asked them and they keep this a secret from users.
 

stevenaaus

macrumors member
Oct 23, 2013
61
41
Maybe I'm dreaming, but perhaps there's a chance they are doing this for US gov snooping, and are required by law to not say anything.

But, regardless, this is another nail in any goodwill and confidence macOS still has left.
 

Mochi_D

macrumors newbie
May 21, 2020
16
14
from terminal
mkdir mnt
sudo mount -o nobrowse -t apfs /dev/disk1s5 mnt/
(change disk if different)
sudo nano mnt/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist

Remove anything between <array>, under ContentFilterExclusionList.
save
sudo bless --folder mnt/System/Library/CoreServices --bootefi --create-snapshot && sudo reboot

Once done, Little Snitch sees everything as usual.
I'm getting a "resource busy" response, is there a specific program I'd need to disable before doing this?
 

Memoraike

macrumors newbie
Oct 25, 2020
7
3
Russia
from terminal
mkdir mnt
sudo mount -o nobrowse -t apfs /dev/disk1s5 mnt/
(change disk if different)
sudo nano mnt/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist

Remove anything between <array>, under ContentFilterExclusionList.
save
sudo bless --folder mnt/System/Library/CoreServices --bootefi --create-snapshot && sudo reboot

Once done, Little Snitch sees everything as usual.
Yoooho, works for me ^-^ Thanks <3
 

0279317

Cancelled
Jan 2, 2020
113
100
Thanks for the Proton link, Puonti: This statement from Proton says it all.

"This is a concerning development from Apple, a company trying to claim that privacy is its most important product. While claiming to be modernizing macOS with Big Sur, Apple is actually preventing networking app developers from creating extensions that allow them to manipulate the network at the kernel level (the foundations) of its operating system, making it difficult for users to have comprehensive oversight and control of their device’s traffic.

We condemn this secret exclusion list on the grounds that it makes it harder for users to control or even be aware of how their data is being collected."
 

Puonti

macrumors 68000
Mar 14, 2011
1,567
1,187
@Benjamin Disapfectation You're welcome! You might remember Proton as one of the companies that joined the Coalition for App Fairness alongside Epic Games despite not agreeing with Epic on everything. They aren't shy about voicing their opinion and standing behind it.
 

0279317

Cancelled
Jan 2, 2020
113
100
@Benjamin Disapfectation You're welcome! You might remember Proton as one of the companies that joined the Coalition for App Fairness alongside Epic Games despite not agreeing with Epic on everything. They aren't shy about voicing their opinion and standing behind it.
I didn't know that. I'm liking Proton even more now.

I just tried their temp trial with the upgraded VPN and it worked just fine.
 

Puonti

macrumors 68000
Mar 14, 2011
1,567
1,187
I didn't know that. I'm liking Proton even more now.

I just tried their temp trial with the upgraded VPN and it worked just fine.
I've been quite happy with them, for what it's worth. Just like Apple they don't have to be perfect, as long as they're better than my other options.
 

steve62388

macrumors 68040
Apr 23, 2013
3,100
1,962
Since there's a possibility for misunderstandings, this is not a problem for packet filtering VPNs like ProtonVPN.


Yep, absolutely. It depends on what method your VPN provider uses. Mullvad is another that works fine.

 

TurangaLeela

macrumors newbie
Nov 24, 2020
8
2
Since there's a possibility for misunderstandings, this is not a problem for packet filtering VPNs like ProtonVPN.


I often read articles and blog posts saying that Apple bypasses VPNs. Glad that ProtonVPN and Mullvad debunked this.
But what concerns me is that Apple services are actually bypassing firewalls like Little Snitch. It's too bad that this issue doesn't get as much attention as the OCSP story.

It is an absolute no-go that Apple decides to hide traffic from its users and bypass legitimate software. The devs of Little Snitch already confirmed that they are working on this issue. But I would like to know what Apple has to say about this issue and its implications for privacy and security.

If there won't be any change coming, I am thinking about canceling my MacBook order.

Anyway thanks for bringing this up. :)
 

junkw

macrumors 6502a
Jun 25, 2010
545
458
Haifa, Israel
ProtonMail does not allow confirming an account by using captcha when using Tor, proof that it's in bed with the intel agencies. I would not rely on their sister tool ProtonVPN for anything that needs serious anon
 

Puonti

macrumors 68000
Mar 14, 2011
1,567
1,187
ProtonMail does not allow confirming an account by using captcha when using Tor, proof that it's in bed with the intel agencies. I would not rely on their sister tool ProtonVPN for anything that needs serious anon
Unfortunately for conspiracy theorists everywhere I don't just blindly accept hot takes spread by random user accounts on the internet. If this is actually happening, better proof will be presented by better sources.

It wouldn't be the first time Proton's business was targeted by FUD spewed by parties with ulterior motives, though it's much more likely this is just random internet nonsense.
 

junkw

macrumors 6502a
Jun 25, 2010
545
458
Haifa, Israel
Unfortunately for conspiracy theorists everywhere I don't just blindly accept hot takes spread by random user accounts on the internet. If this is actually happening, better proof will be presented by better sources.

It wouldn't be the first time Proton's business was targeted by FUD spewed by parties with ulterior motives, though it's much more likely this is just random internet nonsense.
Conspiracy Denial is as harmful as Conspiracy Theory
 

vetoes

macrumors regular
Oct 16, 2017
142
36
I'm a Little Snitch and ProtonVPN user and upgraded to Bug Sur yesterday and didn't notice any issue. Everything works like it did on Catalina. I have options to block all the stuff that I did before, but I could be fooled since I'm no expert. Regardless, I have no reason to doubt anything as of yet.
 

TurangaLeela

macrumors newbie
Nov 24, 2020
8
2
I'm a Little Snitch and ProtonVPN user and upgraded to Bug Sur yesterday and didn't notice any issue. Everything works like it did on Catalina. I have options to block all the stuff that I did before, but I could be fooled since I'm no expert. Regardless, I have no reason to doubt anything as of yet.
There should be services that are completely invisible to Little Snitch. For example: You block all outgoing traffic with Little Snitch, but these services still work, because you cannot block them at all.
 

vetoes

macrumors regular
Oct 16, 2017
142
36
I don't want or plan to block Apple services. If I didn't trust Apple enough I wouldn't run their OS, and the day I stop trusting that my safety and privacy is Apple's and my aligned interest I will stop being an Apple user.

I bought Little Snitch for informational purposes (to educate myself) and to block third-party apps' connections if I need to install something for business purposes. That probably explains why I didn't notice anything.
 

TurangaLeela

macrumors newbie
Nov 24, 2020
8
2
I don't want or plan to block Apple services. If I didn't trust Apple enough I wouldn't run their OS, and the day I stop trusting that my safety and privacy is Apple's and my aligned interest I will stop being an Apple user.

I bought Little Snitch for informational purposes (to educate myself) and to block third-party apps' connections if I need to install something for business purposes. That probably explains why I didn't notice anything.
You are totally right. If you don't trust Apple in the first place you shouldn't use their products at all.

But I find it kind of shady to simply hide these processes and I clearly see one major problem. You don't have any control and can't see what is going on anymore, if you want to. And as Patrick Wardle (Security Researcher) demonstrated on Twitter this lack of control can easily be exploited.
 