Update: Apple has listened to its users, and no longer exempts its own apps from any firewall interfaces in macOS. The information in this article is therefore of purely historical interest only.
The new macOS release, Big Sur, has made headlines due to Apple’s decision to place 56 of its own apps, including FaceTime, Apple Maps, and Apple Music Library, on an undocumented, unannounced “exclusion list.” This means these apps can bypass firewalls and, potentially, VPNs that function on a per-app basis without the users’ knowledge or consent, undermining macOS devices’ security and privacy.
Given the potential impact this could have on our users’ privacy, we immediately examined the Proton VPN app’s performance on macOS. We found that Proton VPN’s network control is not impacted by Big Sur. Our macOS app works on a system level and prevents these Apple apps from bypassing our VPN’s firewall. However, we advise everyone using our macOS app to enable Kill Switch to maintain optimal security.
What Big Sur does
Back in October, when Big Sur, the latest version of macOS, was still in beta, IT security analysts discovered that Apple made dozens of its services and apps unavailable to NEFilterDataProvider and NEAppProxyProvider. Application-level firewalls like Little Snitch use NEFilterDataProvider to implement content-based firewall rules (i.e., firewall rules based on the actual program that is performing the network requests). Essentially, Apple made those apps’ traffic invisible to firewalls and the user.
When Big Sur was released on Nov. 12, 2020, analysts found that Apple had not resolved this issue, leaving macOS devices less secure.
Because Apple has excluded its apps’ traffic from NEAppProxyProvider, firewalls are no longer able to intercept and filter network traffic originating from these Apple services. Additionally, these Apple apps can bypass per-app VPNs that rely on NEAppProxyProvider.
Why Proton VPN is not affected
Similar to other system-wide VPNs, Proton VPN does not rely on NEFilterDataProvider or NEAppProxyProvider to control network connections in the VPN tunnel. Our macOS app uses the Packet Filter (PF) mechanism to enable our Kill Switch feature. PF controls a networking layer that is lower in the network stack than those controlled by NEFilterDataProvider or NEAppProxyProvider and, thus, is not affected by this particular issue. If Kill Switch is enabled, it prevents your device from establishing any connections outside the VPN tunnel, including the Apple apps on the exclusion list.
We ran tests that proved no traffic is excluded from our app’s encrypted VPN tunnel when Kill Switch is enabled.
If Kill Switch is disabled, some TCP requests that were initiated before the VPN tunnel was established will continue outside the VPN tunnel (similar to the previously noted bug afflicting iOS). For this reason, we advise you to enable Kill Switch for optimal security.
This is a concerning development from Apple, a company trying to claim that privacy is its most important product. While claiming to be modernizing macOS with Big Sur, Apple is actually preventing networking app developers from creating extensions that allow them to manipulate the network at the kernel level (the foundations) of its operating system, making it difficult for users to have comprehensive oversight and control of their device’s traffic.
We condemn this secret exclusion list on the grounds that it makes it harder for users to control or even be aware of how their data is being collected.
We really need a phone OS that is secure. even if it’s more expensive as long as it is secure.
This has since been removed, all Mac apps are subject to the same firewall and restrictions as the rest of the third party apps. This blog post is now spreading false information unless for some reason you’ve upgraded to Big Sur but stayed on an early update.
Hi Johnny. You are correct, and and we have now posted an update to the post to this effect.
I discover this incredibile security fault reading posts on internet, and looking some videos on yt that analysed this security issue.
What I wonder is if Apple really thought that no one would have noticed this security problem they created with this ‘exclusion list’?!?!?
I’ve just activated kill switch!!
After Apple announced they were doing that “contact tracing” API with Google, NOTHING they do that compromises users surprises me. I’ve not updated past a pre-contact-tracing version of iOS13 for this very reason. They’ve lost my trust. I hope Verizion eventually has a Linux phone or at least allows one on their network. (And by “Linux,” I mean doesn’t rely on one line of Google code. That’s a deal-breaker for me.)
i would also be researching this kinda stuff if i would have a good reputation…
ps: thx for storing my data…i was thinking that the timestamp is enough to track my modem down…but this time also you store encryption keys?? mhmmm…proton proton…
Thank you for this research and advice.
ProtonVPN its NOT working i test and still Big Sur bypass the ProtonVPN.
im wondering why apple is doing that for
This is an extremely helpful piece of information! Sharing this on Twitter and FB! Thank you!
This is totally unaccepted! – THIS IS WRONG!
EVERYONE should know about this and Apple should correct this ASAP!
Are you kidding me? In today era, of work from home, ciber attacks, state privacy invading – this is unbelievable!
Best regards to Proton Team.
Apple is a phone company these days. Mac OS is turning into iOS.