Proton VPN prevents Apple apps on Big Sur exclusion list from bypassing firewall

Update: Apple has listened to its users, and no longer exempts its own apps from any firewall interfaces in macOS. The information in this article is therefore of purely historical interest only.

The new macOS release, Big Sur, has made headlines due to Apple’s decision to place 56 of its own apps, including FaceTime, Apple Maps, and Apple Music Library, on an undocumented, unannounced “exclusion list.” This means these apps can bypass firewalls and, potentially, VPNs that function on a per-app basis without the users’ knowledge or consent, undermining macOS devices’ security and privacy.

Given the potential impact this could have on our users’ privacy, we immediately examined the Proton VPN app’s performance on macOS. We found that Proton VPN’s network control is not impacted by Big Sur. Our macOS app works on a system level and prevents these Apple apps from bypassing our VPN’s firewall. However, we advise everyone using our macOS app to enable Kill Switch to maintain optimal security.

What Big Sur does

Back in October, when Big Sur, the latest version of macOS, was still in beta, IT security analysts discovered that Apple made dozens of its services and apps unavailable to NEFilterDataProvider and NEAppProxyProvider. Application-level firewalls like Little Snitch use NEFilterDataProvider to implement content-based firewall rules (i.e., firewall rules based on the actual program that is performing the network requests). Essentially, Apple made those apps’ traffic invisible(new window) to firewalls and the user.

https://twitter.com/mxswd/status/1318305284524183552

When Big Sur was released on Nov. 12, 2020, analysts found that Apple had not resolved this issue, leaving macOS devices less secure.

Because Apple has excluded its apps’ traffic from NEAppProxyProvider, firewalls are no longer able to intercept and filter network traffic originating from these Apple services. Additionally, these Apple apps can bypass per-app VPNs that rely on NEAppProxyProvider.

Why Proton VPN is not affected

Similar to other system-wide VPNs, Proton VPN does not rely on NEFilterDataProvider or NEAppProxyProvider to control network connections in the VPN tunnel. Our macOS app uses the Packet Filter (PF) mechanism to enable our Kill Switch feature. PF controls a networking layer that is lower in the network stack than those controlled by NEFilterDataProvider or NEAppProxyProvider and, thus, is not affected by this particular issue. If Kill Switch is enabled, it prevents your device from establishing any connections outside the VPN tunnel, including the Apple apps on the exclusion list.

We ran tests that proved no traffic is excluded from our app’s encrypted VPN tunnel when Kill Switch is enabled.

If Kill Switch is disabled, some TCP requests that were initiated before the VPN tunnel was established will continue outside the VPN tunnel (similar to the previously noted bug afflicting iOS(new window)). For this reason, we advise you to enable Kill Switch for optimal security.

This is a concerning development from Apple, a company trying to claim that privacy is its most important product. While claiming to be modernizing macOS with Big Sur, Apple is actually preventing networking app developers from creating extensions that allow them to manipulate the network at the kernel level (the foundations) of its operating system, making it difficult for users to have comprehensive oversight and control of their device’s traffic.

We condemn this secret exclusion list on the grounds that it makes it harder for users to control or even be aware of how their data is being collected.

Protect your privacy and security online
Get Proton VPN free

Related articles

Paris Olympics
The 2024 Summer Olympics in Paris begins this July. While you’ve likely already missed your chance to get a ticket and witness the best athletes from around the world in person, there are plenty of ways to enjoy the games from the comfort of your hom
Where to watch euros
Every four years, the entire continent of Europe turns its eyes to see who will be crowned as the continent’s champion of football (or soccer for the Americans).  This is the 17th edition of the UEFA European Football Championship, in which 24 natio
How to enable location services
Location services refer to a combination of technologies used in devices like smartphones and computers that use data from your device’s GPS, WiFi, mobile (cellular networks), and sometimes even Bluetooth connections to determine and track your geogr
What is AirTag stalking?
In an era of “smart devices” that often double as spy devices, AirTags are tracking tools that are open about their function and can be vital in helping locate lost items (as anyone who has lost their car keys can attest to). However, as a recent cla
How to fix a "Your connection is not safe" error
As you surf the web using your browser, you’ll no doubt encounter websites that your browser will refuse to load, instead showing some variation of an error message, such as Your connection is not private or Warning: Potential Security Risk Ahead. 
Your search history is a window into your inner life. Anyone with access to it knows what your hobbies and interests are, your sexual orientation and preferences, the things that worry you (for example your medical concerns), your political affiliati