Thursday, January 14, 2021

ContentFilterExclusionList Gone in macOS 11.2 Beta 2

Patrick Wardle (tweet, Hacker News):

Unfortunately, Apple (without telling anybody) decided to “exclude” or exempt over 50 of its own applications (such as the App Store) and daemons from being routed thru the Network Extension Framework.


Due to the ContentFilterExclusionList list any traffic generated from these “excluded” items could not be filtered or blocked by a socket filter firewall (such as LuLu). Many (rightfully) asked, “What good is a firewall if it can’t block all traffic?” I of course also wondered if malware could abuse these “excluded” items to generate network traffic that could surreptitiously bypass any socket filter firewall. Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic[…]


Well, after lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed.
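A quick defender-side check, added here and not taken from Wardle's write-up or from LuLu: it reads the ContentFilterExclusionList key out of the NetworkExtension framework's Info.plist (the path and the assumption that entries are plain strings are mine, not from the post) and reports which identifiers a socket filter firewall would never see; a constructed sample plist lets it run on a non-macOS machine.

```python
import pathlib
import plistlib

# Assumed location of the NetworkExtension framework's Info.plist on macOS
# (an assumption, not stated in the post; verify on your own system).
NE_INFO_PLIST = "/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist"
EXCLUSION_KEY = "ContentFilterExclusionList"


def exempted_identifiers(plist_bytes):
    """Return the identifiers listed under ContentFilterExclusionList.

    An empty list means the key is absent (the macOS 11.2 beta 2 state),
    so a socket filter firewall sees every application's traffic.
    """
    info = plistlib.loads(plist_bytes)
    entries = info.get(EXCLUSION_KEY, [])
    # Entries are assumed to be plain strings; anything else is stringified
    # so it still shows up in the report instead of being silently dropped.
    return [e if isinstance(e, str) else str(e) for e in entries]


def audit_system(path=NE_INFO_PLIST):
    """Audit the installed framework; None when the file is not present."""
    plist = pathlib.Path(path)
    if not plist.exists():
        return None
    return exempted_identifiers(plist.read_bytes())


# Constructed sample plists (not real Apple files) so the check runs offline.
SAMPLE_BEFORE = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.NetworkExtension",
    EXCLUSION_KEY: ["com.apple.AppStore", "com.example.excluded-daemon"],
})
SAMPLE_AFTER = plistlib.dumps({"CFBundleIdentifier": "com.apple.NetworkExtension"})

if __name__ == "__main__":
    found = audit_system()
    if found is None:
        print("NetworkExtension Info.plist not found; using the constructed sample")
        found = exempted_identifiers(SAMPLE_BEFORE)
    if found:
        print(f"{len(found)} item(s) exempt from content filters:")
        for ident in found:
            print("  ", ident)
    else:
        print("No ContentFilterExclusionList: socket filter firewalls see all traffic")
```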

Norbert Heger:

Thanks Apple for listening!


Big Sur on M1 (and possibly on Intel) maintains a persistent, hardware-serial-number linked TLS connection to Apple (for APNS, just like on iOS) at all times when you are logged in, even if you don’t use iCloud, App Store, iMessage, or FaceTime, and have all analytics turned off.

There’s no UI to disable this.

This means that Apple has the coarse location track log (due to GeoIP of the client IP) for every M1 serial number.


This change is essential for blocking such traffic, and I’m glad for it, but there is a long way to go when it comes to pressuring the pro-privacy forces inside of Apple to do more.


Update (2021-02-05): Jeffrey Paul:

There are several privacy/usage leaks remaining in the OS, but now they can be effectively blocked without affecting the overall operation of the device.


Like the translucent menu bar, it'll be back.

I begin to wonder how many "security and privacy conscious" people are actually left. I'm thinking not many; this "Hole in the wall for Apple only" was a bad idea that used to be dismissed. What was the point of changing the network layer away from something that worked?

Perhaps the same as "Notarization"-- something that protects Apple's interests first and then as a side effect also the customer.
