Proton VPN prevents Apple apps on Big Sur exclusion list from bypassing firewall

Update: Apple has listened to its users, and no longer exempts its own apps from any firewall interfaces in macOS. The information in this article is therefore of purely historical interest only.

The new macOS release, Big Sur, has made headlines due to Apple’s decision to place 56 of its own apps, including FaceTime, Apple Maps, and Apple Music Library, on an undocumented, unannounced “exclusion list.” This means these apps can bypass firewalls and, potentially, VPNs that function on a per-app basis without the users’ knowledge or consent, undermining macOS devices’ security and privacy.

Given the potential impact this could have on our users’ privacy, we immediately examined the Proton VPN app’s performance on macOS. We found that Proton VPN’s network control is not impacted by Big Sur. Our macOS app works on a system level and prevents these Apple apps from bypassing our VPN’s firewall. However, we advise everyone using our macOS app to enable Kill Switch to maintain optimal security.

What Big Sur does

Back in October, when Big Sur, the latest version of macOS, was still in beta, IT security analysts discovered that Apple made dozens of its services and apps unavailable to NEFilterDataProvider and NEAppProxyProvider. Application-level firewalls like Little Snitch use NEFilterDataProvider to implement content-based firewall rules (i.e., firewall rules based on the actual program that is performing the network requests). Essentially, Apple made those apps’ traffic invisible(new window) to firewalls and the user.

https://twitter.com/mxswd/status/1318305284524183552

When Big Sur was released on Nov. 12, 2020, analysts found that Apple had not resolved this issue, leaving macOS devices less secure.

Because Apple has excluded its apps’ traffic from NEAppProxyProvider, firewalls are no longer able to intercept and filter network traffic originating from these Apple services. Additionally, these Apple apps can bypass per-app VPNs that rely on NEAppProxyProvider.

Why Proton VPN is not affected

Similar to other system-wide VPNs, Proton VPN does not rely on NEFilterDataProvider or NEAppProxyProvider to control network connections in the VPN tunnel. Our macOS app uses the Packet Filter (PF) mechanism to enable our Kill Switch feature. PF controls a networking layer that is lower in the network stack than those controlled by NEFilterDataProvider or NEAppProxyProvider and, thus, is not affected by this particular issue. If Kill Switch is enabled, it prevents your device from establishing any connections outside the VPN tunnel, including the Apple apps on the exclusion list.

We ran tests that proved no traffic is excluded from our app’s encrypted VPN tunnel when Kill Switch is enabled.

If Kill Switch is disabled, some TCP requests that were initiated before the VPN tunnel was established will continue outside the VPN tunnel (similar to the previously noted bug afflicting iOS(new window)). For this reason, we advise you to enable Kill Switch for optimal security.

This is a concerning development from Apple, a company trying to claim that privacy is its most important product. While claiming to be modernizing macOS with Big Sur, Apple is actually preventing networking app developers from creating extensions that allow them to manipulate the network at the kernel level (the foundations) of its operating system, making it difficult for users to have comprehensive oversight and control of their device’s traffic.

We condemn this secret exclusion list on the grounds that it makes it harder for users to control or even be aware of how their data is being collected.

Related articles

Illustrated laptop devices representing a network with a shield and a lock in the center of the screen
Cybercriminals will take any opportunity to gain unauthorized access to your servers. Learn how you can stop them.
Proton for Business now offers MDM support, more dedicated servers, and gateway monitoring.
Proton for Business now offers MDM support, more dedicated servers, and gateway monitoring.
How to disable browser extensions
How safe a browser extension is depends almost entirely on how trustworthy its developer is. We take a deep dive.
Apps like discord
  • Privacy deep dives
Here's why you might want to consider a Discord alternative — and the pros and cons of seven other apps like Discord that you may want to switch to instead.
Computer screen showing the World Series 2024 logo
Find out where to watch the World Series, when it starts, and how to securely stream it online with Proton VPN.
Computer screen with a shield that has a lock on it, demonstrating secure network access via a dedicated IP address
Learn what network access control is and how a business VPN can help keep your business data safe against hackers.