{"id":30518,"date":"2020-10-22T15:58:41","date_gmt":"2020-10-22T19:58:41","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=30518"},"modified":"2020-10-22T19:50:02","modified_gmt":"2020-10-22T23:50:02","slug":"apple-apps-exempt-from-network-filters-and-vpns","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/10\/22\/apple-apps-exempt-from-network-filters-and-vpns\/","title":{"rendered":"Apple Apps Exempt From Network Filters and VPNs"},"content":{"rendered":"

Maxwell Swadling<\/a>:<\/p>\n

\n

Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running 😒<\/p>\n

The new beta for @littlesnitch seems to use an NEFilterDataProvider instead of kext, I don’t think they will be able to block Maps from tile loading...<\/p>\n<\/blockquote>\n\n

Patrick Wardle<\/a> (Hacker News<\/a>):<\/p>\n

Previously, a comprehensive macOS firewall could be implemented via a Network Kernel Extension (kext)<\/p>\n

Apple deprecated kexts, giving us Network Extensions....but apparently (many of) their apps \/ daemons bypass this filtering mechanism.<\/p><\/blockquote>\n\n

bucky<\/a>:<\/p>\n

NEXTs = obviously more complexity than KEXTs = bigger attack surface… and all you need is a “NEXT exempt exploit” (which will definitely happen at some point), and LuLu, \n@littlesnitch\n etc. won’t be able to intercept malware traffic.<\/p><\/blockquote>\n\n

Jeff Johnson<\/a>:<\/p>\n

Getting rid of kernel extensions “for our security”? DIRTY FUCKING LIE! Now you can’t stop Apple from phoning home.<\/p><\/blockquote>\n\n

joncp<\/a>:<\/p>\n

That totally breaks my use case for Little Snitch: working tethered. When I tether my laptop it thinks it has free reign with the bandwidth and all of the little background processes can kill my data in a few minutes. With a firewall, I can grant access to only the processes that I need to get my work done.<\/p>\n

Now, I guess I have to run some external firewall between my laptop and my phone. ... or better yet, abandon Apple.<\/p><\/blockquote>\n\n

David Dudok de Wit<\/a> (developer of TripMode<\/a>, tweet<\/a>, Radar<\/a>):<\/p>\n

With macOS Big Sur however, that changed<\/a>, as application-level firewalls now need to use the new NetworkExtensions APIs, such as NEFilterDataProvider or NEAppProxyProvider, to offer a similar level of functionality as in previous macOS releases.<\/p>

[…]<\/p>

Starting with macOS Big Sur, users can’t:<\/p>

  1. View a full, uncensored list of apps <\/em>trying to access the Internet on their Mac — as Apple is hiding 56 of its own apps.<\/li>
  2. Know how much data these Apple apps upload or download.<\/li>
  3. Know which domains or IP addresses these Apple apps interact with.<\/li>
  4. Block or allow traffic from these Apple apps.<\/li><\/ol><\/blockquote>\n\n

    Adam Engst<\/a>:<\/p>\n

    I don’t believe this move shows any grand conspiracy to undermine TripMode or Little Snitch. I suspect it’s just another change that Apple has made—perhaps in the name of overall security, perhaps merely with no thought to what developers and users want—that has an unintended and undesirable consequence. It’s reminiscent of when Apple quietly prevented apps like BusyContacts<\/a> and HoudahSpot<\/a> from indexing Mail’s email archive in Catalina, regardless of how you set your permissions. Nevertheless, it’s disappointing, and if you’re bothered by the move, let Apple know via its Feedback Assistant<\/a>.<\/p><\/blockquote>\n\n

    Miles Wolbe<\/a>:<\/p>\n

    Deleting those entries [from \/System\/Library\/Frameworks\/NetworkExtension.framework\/Versions\/A\/Resources\/Info.plist<\/tt>] under Big Sur turned out to be rather involved<\/a>; in fact, one could be forgiven for coming away with the vague suspicion that Apple would prefer them not to be disturbed[…]<\/p>\n

    […]<\/p>\n

    Little Snitch 5 and TripMode 3 had no problem blocking the previously-cloaked processes afterwards[…]<\/p><\/blockquote>\n\n

    But it causes problems for the IMTransferAgent process.<\/p>\n\n

    Previously:<\/p>\n