Clicky

With Mac’s latest OS, Apple’s exclusion list makes it possible for its own apps to bypass VPNs and firewalls

Another possible privacy-unfriendly move.

If you’re tired of censorship and surveillance, subscribe to Reclaim The Net.

The latest version of Apple’s macOS, Big Sur, looks like a “gift that keeps on giving” – at least where controversies linked to users’ privacy and security are concerned.

After researchers found that users can no longer rely on programs that prevent the operating system from sending telemetric data on what apps they run, and when, Apple’s claim to privacy and security took another blow when it was discovered that Big Sur contains an “exclusion list” that allows apps to ignore firewalls, making traffic that takes place over these apps invisible to them.

Many have hoped that this was a bug in the beta released last month; however, the final version of Big Sur came out with this feature. The list contains over 50 of Apple’s own apps and hides their traffic from firewalls, potentially opening the system up to malicious software.

As ProtonVPN said in a blog post this bypassing that jeopardizes security can also affect VPNs. ProtonVPN is the VPN service of the end-to-end encrypted email provider ProtonMail, and the post looks into if, and how its customers who use macOS devices are affected by the change.

ProtonVPN criticizes what it calls Apple’s unannounced and undocumented decisions implemented in the new macOS release as detrimental to users’ security, but also to the tech giant’s own image as a privacy-minded company.

The Swiss-based email and VPN provider said it condemned the move, adding, “this secret exclusion list (…) makes it harder for users to control or even be aware of how their data is being collected.”

The report explained that Apple now allows apps to circumvent those VPNs that work “per-app” – but that its own VPN service’s firewall is not affected because ProtonVPN’s macOS app functions system-wide. However, the company advises users to enable Kill Switch to make sure that no traffic is left out of its encrypted VPN tunnel, including that happening via the apps Apple has put on its “exclusion list.”

As a system level app, ProtonVPN does not need NEFilterDataProvider or NEAppProxyProvider – from which Apple is now hiding its apps – to implement control of network connections in the VPN tunnel. But the blog post also notes that application-level firewalls for macOS, like Little Snitch do – and are consequently affected by the change.

If you’re tired of censorship and surveillance, subscribe to Reclaim The Net.

Read more

Share this post

Reclaim The Net Logo

Join the pushback against online censorship, cancel culture, and surveillance.

Already a member? Login.