Proton VPN-Startseite
ProtonVPN

Update: Apple has listened to its users, and no longer exempts its own apps from any firewall interfaces in macOS. The information in this article is therefore of purely historical interest only.

The new macOS release, Big Sur, has made headlines due to Apple’s decision to place 56 of its own apps, including FaceTime, Apple Maps, and Apple Music Library, on an undocumented, unannounced “exclusion list.” This means these apps can bypass firewalls and, potentially, VPNs that function on a per-app basis without the users’ knowledge or consent, undermining macOS devices’ security and privacy.

Given the potential impact this could have on our users’ privacy, we immediately examined the Proton VPN app’s performance on macOS. We found that Proton VPN’s network control is not impacted by Big Sur. Our macOS app works on a system level and prevents these Apple apps from bypassing our VPN’s firewall. However, we advise everyone using our macOS app to enable Kill Switch to maintain optimal security.

What Big Sur does

Back in October, when Big Sur, the latest version of macOS, was still in beta, IT security analysts discovered that Apple made dozens of its services and apps unavailable to NEFilterDataProvider and NEAppProxyProvider. Application-level firewalls like Little Snitch use NEFilterDataProvider to implement content-based firewall rules (i.e., firewall rules based on the actual program that is performing the network requests). Essentially, Apple made those apps’ traffic invisible(neues Fenster) to firewalls and the user.

https://twitter.com/mxswd/status/1318305284524183552

When Big Sur was released on Nov. 12, 2020, analysts found that Apple had not resolved this issue, leaving macOS devices less secure.

Because Apple has excluded its apps’ traffic from NEAppProxyProvider, firewalls are no longer able to intercept and filter network traffic originating from these Apple services. Additionally, these Apple apps can bypass per-app VPNs that rely on NEAppProxyProvider.

Why Proton VPN is not affected

Similar to other system-wide VPNs, Proton VPN does not rely on NEFilterDataProvider or NEAppProxyProvider to control network connections in the VPN tunnel. Our macOS app uses the Packet Filter (PF) mechanism to enable our Kill Switch feature. PF controls a networking layer that is lower in the network stack than those controlled by NEFilterDataProvider or NEAppProxyProvider and, thus, is not affected by this particular issue. If Kill Switch is enabled, it prevents your device from establishing any connections outside the VPN tunnel, including the Apple apps on the exclusion list.

We ran tests that proved no traffic is excluded from our app’s encrypted VPN tunnel when Kill Switch is enabled.

If Kill Switch is disabled, some TCP requests that were initiated before the VPN tunnel was established will continue outside the VPN tunnel (similar to the previously noted bug afflicting iOS(neues Fenster)). For this reason, we advise you to enable Kill Switch for optimal security.

This is a concerning development from Apple, a company trying to claim that privacy is its most important product. While claiming to be modernizing macOS with Big Sur, Apple is actually preventing networking app developers from creating extensions that allow them to manipulate the network at the kernel level (the foundations) of its operating system, making it difficult for users to have comprehensive oversight and control of their device’s traffic.

We condemn this secret exclusion list on the grounds that it makes it harder for users to control or even be aware of how their data is being collected.

Verwandte Artikel

en
Watch the Six Nations live safely and securely with Proton VPN. Check the Six Nations schedule and learn how to see every match.
What are active and passive digital footprints?
en
  • Grundlagen der Privatsphäre
Your digital footprint is the trail of information you leave online. We discuss digital footprints and whether you should be worried about yours.
A lock with the colors of the Dutch flag
en
We ran a survey in the Netherlands and found that 51% of Dutch adults are worried about their online privacy. See the rest of the results.
s AliExpress reliable?
en
  • Grundlagen der Privatsphäre
Chinese shopping platform AliExpress is undoubtedly cheap. But is it also safe and reliable, or you are likely to get scammed?
How to fix a 502 error
en
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
en
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.