For all of Apple’s talk of being privacy-first, often its marketing speak doesn’t match up with what it’s actually doing. And the latest example? Well, it’s Apple apps on Big Sur bypassing firewalls and VPNs.
I don’t need to tell you just how worrying this is.
The issue was first spotted in the macOS Big Sur beta by Twitter user @mxswd all the way back in October. They had this to say:
Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running 😒
— Maxwell (@mxswd) October 19, 2020
This is true 😭
Previously, a comprehensive macOS firewall could be implemented via a Network Kernel Extension (kext)
Apple deprecated kexts, giving us Network Extensions….but apparently (many of) their apps / daemons bypass this filtering mechanism.
Are we ok with this!? https://t.co/rYkDnuOgLJ
— patrick wardle (@patrickwardle) October 20, 2020
Effectively, Wardle says that previous versions of macOS allowed a firewall or VPN to be set up using the Network Kernel Extension. But this isn’t the case in Big Sur.
What Wardle found is that the Mac App Store on the latest macOS bypasses any firewall. For all intents and purposes, its traffic is invisible to firewalls. What’s happening is that Apple apps on Big Sur are beginning to operate outside the user’s control. Which is terrible news.
This story was brought to light on Apple Term, but many assumed it would be fixed when Big Sur was released to the general public. This hasn’t happened.
The question you might be asking next is so what? What’s the issue here?
Well, aside from control over your own system, Apple apps on Big Sur being able to bypass firewalls and VPNs is a huge privacy and security issue. Wardle showed on Twitter how easy it is for malware to exploit this gap:
In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.) 🧐
Q: Could this be (ab)used by malware to also bypass such firewalls? 🤔
A: Apparently yes, and trivially so 😬😱😭 pic.twitter.com/CCNcnGPFIB
— patrick wardle (@patrickwardle) November 14, 2020
What this amounts to is that bad actors could exploit this hole in Apple apps on Big Sur to send out your personal data to remote servers. This should worry everyone.
The big question though is why the company’s doing this. So far, it hasn’t said why Apple apps on Big Sur are exempt from firewalls and VPNs, but there are some theories.
One school of thought is that this makes it harder for users to pretend they’re in different countries, meaning it can be stricter on licensing issues. Another is that Apple wants to keep its apps’ data and traffic out of VPN servers.
Whatever the reason, I severely doubt its good enough to excuse Apple’s actions here.
If you want to understand further what this sort of activity does, I’d recommend you go and read this piece from Jeffrey Paul about why your computer isn’t yours. It’s a sobering look at the world we’re living in, where
So much for Apple being privacy-first, hey?
Published November 16, 2020 — 09:11 UTC