Thursday, October 22, 2020

Apple Apps Exempt From Network Filters and VPNs

Maxwell Swadling:

Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running 😒

The new beta for @littlesnitch seems to use an NEFilterDataProvider instead of kext, I don’t think they will be able to block Maps from tile loading...

Patrick Wardle (Hacker News):

Previously, a comprehensive macOS firewall could be implemented via a Network Kernel Extension (kext).

Apple deprecated kexts, giving us Network Extensions... but apparently (many of) their apps / daemons bypass this filtering mechanism.


NEXTs = obviously more complexity than KEXTs = bigger attack surface… and all you need is a “NEXT exempt exploit” (which will definitely happen at some point), and LuLu, @littlesnitch etc. won’t be able to intercept malware traffic.

Jeff Johnson:

Getting rid of kernel extensions “for our security”? DIRTY FUCKING LIE! Now you can’t stop Apple from phoning home.


That totally breaks my use case for Little Snitch: working tethered. When I tether my laptop it thinks it has free rein with the bandwidth and all of the little background processes can kill my data in a few minutes. With a firewall, I can grant access to only the processes that I need to get my work done.

Now, I guess I have to run some external firewall between my laptop and my phone. ... or better yet, abandon Apple.

David Dudok de Wit (developer of TripMode, tweet, Radar):

With macOS Big Sur however, that changed, as application-level firewalls now need to use the new NetworkExtensions APIs, such as NEFilterDataProvider or NEAppProxyProvider, to offer a similar level of functionality as in previous macOS releases.


Starting with macOS Big Sur, users can’t:

  1. View a full, uncensored list of apps trying to access the Internet on their Mac — as Apple is hiding 56 of its own apps.
  2. Know how much data these Apple apps upload or download.
  3. Know which domains or IP addresses these Apple apps interact with.
  4. Block or allow traffic from these Apple apps.

Adam Engst:

I don’t believe this move shows any grand conspiracy to undermine TripMode or Little Snitch. I suspect it’s just another change that Apple has made—perhaps in the name of overall security, perhaps merely with no thought to what developers and users want—that has an unintended and undesirable consequence. It’s reminiscent of when Apple quietly prevented apps like BusyContacts and HoudahSpot from indexing Mail’s email archive in Catalina, regardless of how you set your permissions. Nevertheless, it’s disappointing, and if you’re bothered by the move, let Apple know via its Feedback Assistant.

Miles Wolbe:

Deleting those entries [from /System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist] under Big Sur turned out to be rather involved; in fact, one could be forgiven for coming away with the vague suspicion that Apple would prefer them not to be disturbed[…]


Little Snitch 5 and TripMode 3 had no problem blocking the previously-cloaked processes afterwards[…]

But it causes problems for the IMTransferAgent process.
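As an added, read-only example that is not from this post or from any of the tools it mentions: a Python script that lists which bundle identifiers a NetworkExtension Info.plist (the file quoted above) marks as exempt from content filters, and cross-checks them against your own firewall rules so the filter's blind spots are explicit. The page does not name the plist key (on the Big Sur betas it was, from my recollection rather than from this post, called ContentFilterExclusionList), so the script is key-agnostic and reports every array of bundle-identifier-looking strings. The embedded sample plist and the `rules` format are constructed for offline runs and are not Apple's, Little Snitch's or TripMode's.

```python
"""Read-only audit of a NetworkExtension Info.plist: report which bundle
identifiers it marks as exempt from content filters, and which of your own
firewall 'deny' rules those exemptions silently defeat. Nothing here
modifies the plist."""
import plistlib
import re
import sys
from pathlib import Path
from typing import Dict, List

# Path quoted in the post. The script only reads it.
DEFAULT_PLIST = Path(
    "/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist"
)

# Loose reverse-DNS shape with at least three components (com.apple.Maps).
# Heuristic, so the audit does not depend on knowing the plist key name.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(\.[A-Za-z0-9-]+){2,}$")


def find_exemption_lists(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Return {key_path: sorted bundle ids} for every array in the plist
    whose entries all look like bundle identifiers."""
    data = plistlib.loads(plist_bytes)
    found: Dict[str, List[str]] = {}

    def visit(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                visit(value, f"{path}/{key}" if path else str(key))
        elif isinstance(node, list):
            if node and all(isinstance(x, str) and BUNDLE_ID_RE.match(x) for x in node):
                found[path] = sorted(node)
            else:
                for i, value in enumerate(node):
                    visit(value, f"{path}[{i}]")

    visit(data, "")
    return found


def blind_spots(exemptions: Dict[str, List[str]], rules: Dict[str, str]) -> List[str]:
    """Bundle ids that your filter denies but the OS exempts anyway.
    `rules` maps bundle id -> 'allow' or 'deny' (a constructed rule format,
    not Little Snitch's or TripMode's)."""
    exempt = {b for ids in exemptions.values() for b in ids}
    return sorted(b for b, action in rules.items() if action == "deny" and b in exempt)


# Constructed sample plist for offline runs; NOT Apple's real file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.NetworkExtension</string>
  <key>CFBundleShortVersionString</key>
  <string>1.0</string>
  <key>ExampleExclusionList</key>
  <array>
    <string>com.apple.Maps</string>
    <string>com.apple.Music</string>
  </array>
</dict>
</plist>
"""


def main(argv: List[str]) -> int:
    path = Path(argv[1]) if len(argv) > 1 else DEFAULT_PLIST
    try:
        raw = path.read_bytes()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; using constructed sample", file=sys.stderr)
        raw = SAMPLE_PLIST
    exemptions = find_exemption_lists(raw)
    if not exemptions:
        print("no exemption-style lists found")
        return 0
    for key, ids in exemptions.items():
        print(f"{key}: {len(ids)} exempt bundle ids")
        for bundle in ids:
            print(f"  {bundle}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on a Big Sur machine to read the real plist, or pass a path to a copied plist; on any other system it falls back to the constructed sample. The useful output is the `blind_spots` list: anything your filter denies that also appears in the exemption list is traffic your filter will never see, so it belongs in a separate control (an upstream firewall on the tethering device, for instance) rather than in the on-host ruleset.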


13 Comments

Not a sane/fair behaviour! Because of this, I will definitively move to Linux!

Regarding the “tethered mode” argument, last year Apple introduced 2 flags on the network: “constrained” (the Low Data Mode toggle) and “expensive” (most cellular and personal hotspots). These are intended to let the app make intelligent decisions about what network requests to do. For example, “expensive” networks should disable background or speculative fetches and only fetch what the user asked for.

Presumably Apple apps that bypass the network filter are making use of these flags already, to avoid unnecessary network traffic.

@Lily That may work for tethering, but there are plenty of cases where there is Wi-Fi that just isn’t very good, and so you might want to limit the traffic.

Bugs have been getting worse and worse, including "Mail opens itself at completely random times since around 10.12"

10.15 made me give up all my 32-bit games

10.16 means giving up extremely useful tools like Little Snitch and Chatology (which seems to have already stopped working in 10.15). For more round-icon applications that half-ass the Mac side like the Podcasts app (which has no context controls in the dock icon like iTunes did, etc.)

The tiny details are really losing hard in ways.


@Lily: "These are intended to let the app make intelligent decisions"

This is why Miles's post was titled "Whose computer is it?". They're taking control away from the user, and giving it to the app developer, and in a very non-transparent way.

This is the opposite trend from iOS 14, where the new entitlements and notifications help give the user more control over their apps.

I don’t believe this move shows any grand conspiracy to undermine TripMode or Little Snitch. I suspect it’s just another change that Apple has made—perhaps in the name of overall security, perhaps merely with no thought to what developers and users want—that has an unintended and undesirable consequence.

I can see this for some system stuff, like updating XProtect. Even stuff like Find My Device I can partially understand, as the support volume of people who configure a filter, then complain that the filter does what it’s supposed to is likely non-trivial.

But… Maps? Music? Just show a banner that they can’t connect.

I don’t think it’s about Apple trying to ensure that any of their apps can always connect. The security angle would be that nothing can interfere with where traffic from their apps goes (e.g. it can’t be redirected to a malicious server). Blocking and redirecting traffic would use the same mechanism. That’s a reasonable security goal, but as the author of TripMode says in their blog post, this could be addressed by granting special entitlements to specific apps that have been vetted not to be malicious (e.g. TripMode, Little Snitch, etc).

Anyone who is unhappy with this change should absolutely submit feedback as detailed in the TripMode blog post. There’s a good chance this is an oversight and making enough noise will wake Apple up.

By suggesting that "this is an oversight", one is suggesting serious dysfunction inside Apple: a world in which each engineering team is doing whatever it wants, and no one is paying attention to how the whole hangs together... which was supposed to be what Apple was good at.

More charitably I would suggest that yes, this is about Apple ensuring their apps always work. They killed haxies for the same reason: it's all about catering to the computer illiterate who have most of the money, not to the literate. Same with how they are making it difficult to write to the root drive, in case someone deletes the wrong file and bricks their machine.

Another Old Unix Geek

This is the sort of thing that makes me want to take another look at using one of the BSDs as a daily driver OS.

Hey, you kids! Get off my lawn!

Seriously, I really am wondering where I will go when Mojave is no longer supported.

This seems problematic for a number of obvious reasons. Maybe MacOS needs an optional 'expert mode' option for select user accounts that doesn't have this type of stuff?

"Maybe MacOS needs an optional 'expert mode' option...?"

That would be great. But Apple won't do that, because it would cost money to develop and maintain, and maybe even more for related tech support. Techies like us don't (directly) generate a big enough chunk of their profit for them to care.

"Techies like us don't (directly) generate a big enough chunk of their profit for them to care."

Maybe, but Apple certainly knows that they need developers to use macOS to develop the software for all of their platforms. If developers don't like to use Macs anymore and only do so for the development of Apple software, they are much more likely to start developing for other platforms.
I think it is fine to make this the default behaviour because many macOS users are not experts, but adding a simple command line setting that disables the "whitelist" is not hard to do.

I really hope they are gonna change it in the final release. I don't know what to do otherwise, I generally don't like being on an old OS for too long.

Regardless of their intentions, Apple's executives talk endlessly about "giving users the choice" and "defaulting to opt-in" as it pertains to privacy and security. AFAIK, I haven't been given a choice about allowing Apple apps to transmit unencrypted traffic that ignores both my VPN and my Little Snitch firewall. In fact, I wasn't even notified of this by Apple.

This set of architectural decisions demonstrates incompetence and/or hypocrisy on Apple's part.
