Proton VPN prevents Apple apps on Big Sur exclusion list from bypassing firewall

Update: Apple has listened to its users, and no longer exempts its own apps from any firewall interfaces in macOS. The information in this article is therefore of purely historical interest only.

The new macOS release, Big Sur, has made headlines due to Apple’s decision to place 56 of its own apps, including FaceTime, Apple Maps, and Apple Music Library, on an undocumented, unannounced “exclusion list.” This means these apps can bypass firewalls and, potentially, VPNs that function on a per-app basis without the users’ knowledge or consent, undermining macOS devices’ security and privacy.

Given the potential impact this could have on our users’ privacy, we immediately examined the Proton VPN app’s performance on macOS. We found that Proton VPN’s network control is not impacted by Big Sur. Our macOS app works on a system level and prevents these Apple apps from bypassing our VPN’s firewall. However, we advise everyone using our macOS app to enable Kill Switch to maintain optimal security.

What Big Sur does

Back in October, when Big Sur, the latest version of macOS, was still in beta, IT security analysts discovered that Apple made dozens of its services and apps unavailable to NEFilterDataProvider and NEAppProxyProvider. Application-level firewalls like Little Snitch use NEFilterDataProvider to implement content-based firewall rules (i.e., firewall rules based on the actual program that is performing the network requests). Essentially, Apple made those apps’ traffic invisible(new window) to firewalls and the user.

https://twitter.com/mxswd/status/1318305284524183552

When Big Sur was released on Nov. 12, 2020, analysts found that Apple had not resolved this issue, leaving macOS devices less secure.

Because Apple has excluded its apps’ traffic from NEAppProxyProvider, firewalls are no longer able to intercept and filter network traffic originating from these Apple services. Additionally, these Apple apps can bypass per-app VPNs that rely on NEAppProxyProvider.

Why Proton VPN is not affected

Similar to other system-wide VPNs, Proton VPN does not rely on NEFilterDataProvider or NEAppProxyProvider to control network connections in the VPN tunnel. Our macOS app uses the Packet Filter (PF) mechanism to enable our Kill Switch feature. PF controls a networking layer that is lower in the network stack than those controlled by NEFilterDataProvider or NEAppProxyProvider and, thus, is not affected by this particular issue. If Kill Switch is enabled, it prevents your device from establishing any connections outside the VPN tunnel, including the Apple apps on the exclusion list.

We ran tests that proved no traffic is excluded from our app’s encrypted VPN tunnel when Kill Switch is enabled.

If Kill Switch is disabled, some TCP requests that were initiated before the VPN tunnel was established will continue outside the VPN tunnel (similar to the previously noted bug afflicting iOS(new window)). For this reason, we advise you to enable Kill Switch for optimal security.

This is a concerning development from Apple, a company trying to claim that privacy is its most important product. While claiming to be modernizing macOS with Big Sur, Apple is actually preventing networking app developers from creating extensions that allow them to manipulate the network at the kernel level (the foundations) of its operating system, making it difficult for users to have comprehensive oversight and control of their device’s traffic.

We condemn this secret exclusion list on the grounds that it makes it harder for users to control or even be aware of how their data is being collected.

Related articles

Where to watch Macy's Thanksgiving day parade
en
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
en
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
en
  • Proton VPN news
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.
What is doxing and is doxing illegal
en
We look at what doxing is, who does it (and why), and at how to protect yourself from doxing .
Stream securely on tvOS with Proton VPN
en
With the Proton VPN Apple TV app, you can easily and securely watch your favorite content on your big-screen TV no matter where you are.
Illustrated laptop devices representing a network with a shield and a lock in the center of the screen
en
Cybercriminals will take any opportunity to gain unauthorized access to your servers. Learn how you can stop them.