Apple Removes Feature That Allowed Its Apps To Bypass macOS Firewalls and VPNs (zdnet.com) 29
Apple has removed a controversial feature from the macOS operating system that allowed 53 of Apple's own apps to bypass third-party firewalls, security tools, and VPN apps installed by users for their protection. From a report: Known as the ContentFilterExclusionList, the list was included in macOS 11, also known as Big Sur. The exclusion list included some of Apple's biggest apps, like the App Store, Maps, and iCloud, and was physically located on disk at: /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist.
Its presence was discovered last October by several security researchers and app makers who realized that their security tools weren't able to filter or inspect traffic for some of Apple's applications. Security researchers such as Patrick Wardle, and others, were quick to point out at the time that this exclusion risk was a security nightmare waiting to happen. They argued that malware could latch on to legitimate Apple apps included on the list and then bypass firewalls and security software.
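Added example, not code from Apple, the ZDNet report or anyone in this thread: a small Python check that parses a NetworkExtension Info.plist and reports whether the ContentFilterExclusionList key is present and which bundle identifiers it lists. Pointed at the path quoted above it tells you whether the list is still on disk after an update; the two plist documents embedded below are constructed for illustration, and the bundle identifiers in them are placeholders, not Apple's actual entries.

```python
"""Check a NetworkExtension.framework Info.plist for ContentFilterExclusionList.

Added example, not Apple's code. The two plist documents below are constructed
samples; their bundle identifiers are placeholders, not the real entries.
"""
from __future__ import annotations

import plistlib
import sys

KEY = "ContentFilterExclusionList"

# Path the report gives for the list on macOS 11 (Big Sur).
DEFAULT_PATH = (
    "/System/Library/Frameworks/NetworkExtension.framework/"
    "Versions/Current/Resources/Info.plist"
)

# Constructed sample: an Info.plist that still carries an exclusion list.
SAMPLE_WITH_LIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.NetworkExtension</string>
    <key>ContentFilterExclusionList</key>
    <array>
        <string>com.example.appstore-placeholder</string>
        <string>com.example.maps-placeholder</string>
    </array>
</dict>
</plist>
"""

# Constructed sample: the same file with the key removed, as after the fix.
SAMPLE_WITHOUT_LIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.NetworkExtension</string>
</dict>
</plist>
"""


def exclusion_list(plist_bytes: bytes) -> list[str]:
    """Return the bundle identifiers under ContentFilterExclusionList, or [] if absent.

    Raises ValueError when the key exists but is not an array of strings, so an
    unexpected value is never silently reported as "list removed".
    """
    data = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    value = data.get(KEY)
    if value is None:
        return []
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"{KEY} present but not an array of strings: {value!r}")
    return list(value)


def check_file(path: str) -> list[str]:
    """Read a plist from disk and return its exclusion list (empty if absent)."""
    with open(path, "rb") as fh:
        return exclusion_list(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    try:
        entries = check_file(target)
    except FileNotFoundError:
        sys.exit(f"{target}: not found")
    if entries:
        print(f"{KEY} present in {target} with {len(entries)} entries:")
        for bundle_id in entries:
            print("  ", bundle_id)
        sys.exit(1)  # non-zero so the check fails in a script
    print(f"{KEY} absent from {target}")
```

Exit status 1 when the list is present makes the check usable from a deployment or compliance script; note that an absent key only shows the list is gone from the plist, not what the NetworkExtension framework does with a filter at runtime.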
Re: (Score:3, Funny)
Libertarian_Geek, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
Re:Alternative headline (Score:5, Insightful)
Re:Alternative headline (Score:5, Funny)
I acquiesce to your gracious acceptance of my admittedly juvenile trolling in response to your comment.
Re:Alternative headline (Score:5, Insightful)
Re: (Score:2)
No, they should get a room.
Re: (Score:1)
You two should run for office. This is how shit is supposed to go down.
No, they should get a room.
Ask Fang Fang; getting a room is how politics do.
Re: Alternative headline (Score:3)
Re:Alternative headline (Score:5, Informative)
the apple phones and tablets that you own.
Hehe, "own". Good one.
BTW, the article is about a macOS feature, not iOS.
Re:Alternative headline (Score:5, Informative)
Umm, this gives you back control. The filter exclusion list in place meant there was nothing you could do about Apple knowing exactly where you were and collecting all kinds of telemetry about your system unless you blocked it with some external device.
If you took your laptop somewhere and, say, ran a VPN with the intent to tunnel everything back through your filtering device, Apple's stuff would go out the local connection anyway. So it made it virtually impossible for laptops on the go to enjoy any privacy.
Now they are giving you back the ability to tunnel and filter everything if that is what you want to do. This is a good thing. If you want to criticize Apple, it should be for thinking the 'content filter exclusion list' was ever a good or acceptable idea in the first place. That would be very fair criticism.
Re:Alternative headline (Score:5, Interesting)
It's difficult for beta testers to test things that interact in the background over the internet when a content blocker or VPN is blocking or rerouting the traffic.
But that being said, Apple has been doing this for a while now with iTunes, because people were using it to analyze and reverse-engineer the traffic with the App Store and make tools that stripped the DRM off music and movies. So they may have had other, more "user-centric" reasons for doing it, but this has been a "known agenda" for some time now. Those efforts were largely ineffective though, since the users doing that reverse-engineering were just using their own compiled versions of the tools they needed (like tcpdump) instead of using the bundled ones that had been modified to ignore traffic from iTunes.
That plist was probably just a convenience for Apple developers and testers, to be able to turn on/off the blocking and rerouting on the fly while they test, rather than needing engineering to recompile tcpdump etc. every time they wanted to tweak the routing and see if their apps (like Find My Mac) were working as intended. ("Does Find My Mac still hang the process and chew up CPU if the network connection is working but it can't contact the servers, or is that fixed now?")
Speaking as a developer, I'll tell you that global "debug switches" are extremely handy to have, and I often add them to a Debug menu in my apps during testing. This is just a variation of Hanlon's Razor [wikipedia.org], substituting "utility" for "stupidity". You can take off your tinfoil hat now.
Re: (Score:2)
iTunes music downloads haven't had DRM in them since 2009. Movies I'm not sure about.
"macOS operating system" (Score:1)
LCD display
PIN number
what other RAP phrases can you come up with?
Chattiness (Score:3)
macOS is more chatty with each new version, it has literally dozens of processes/daemons that periodically call the mothership. I filter those I could identify as non-essential for 'normal' functionality I require, but there are still a large number of others that periodically execute calls to Apple's servers, some by IP.
It seems to be the industry standard now. It is similar to how Google, Microsoft, etc. operate, with a large number of calls going out to seemingly unrelated domains. Like why does the browser make a call to youtube when I'm loading goog maps? I understand that complex systems are intertwined and cross-referenced as to, at the very least, avoid functionality duplication, but this methodology seems to keep sprawling beyond reason. While I haven't tracked it that deep, I suspect cookies are set/read across all of these domains. The hunger for data appears to be growing quite fast.
Re:Chattiness (Score:4, Insightful)
Like why does the browser make a call to youtube when I'm loading goog maps?
If I had to guess, and let me make it clear that I am doing so, it's that there's some kind of video-of-places-related functionality in maps which is based on embedding videos from youtube.
That sort of thing is understandable. What is "not" is that your PC should be calling home for anything other than updates, or for that matter, for anything without your permission. Yes, I can understand that they are trying to monetize you by collecting your data, but it should be considered wholly unacceptable. As in, there ought to be a law prohibiting it.
(Yes, HAHAHAHAHA etc. Governments love your metadata, they're not going to stop corporations from collecting it.)
Re:Chattiness (Score:4, Informative)
Not sure if it's still the case, but at one point authentication for Google appeared to be going through YouTube (so to log into Gmail it was talking to YouTube auth servers). Not sure if that is still the case, but it would explain that.
Aaron Z
Re: (Score:2)
Same with others like Windows, Linux, third-party software, etc. I have to use a firewall to check and block unwanted connections. What are the good ones for iOS, macOS, and Linux?
Bypass Apple's Bypass (Score:2)
Re: (Score:2)
I'm not sure disabling SIP is enough. This is on a read-only partition, and I'm not sure it's possible to force-mount it RW. Maybe in single-user mode, but I think I heard rumblings that Macs with T2 chips no longer allow single user mode.
I'd really love to revert to the pre-Big Sur Finder sounds, but in the end it just seemed like less of a PITA than just learning to accept them.
Re: (Score:2)
That does not solve the problem of malware using this mechanism to bypass the firewall. Better remove this unwanted "feature" completely.
Level playing feiod (Score:2)
Re: (Score:1)
What??
I think you have some typos sir.
such as feiod, for starters.
Re: (Score:2)
Despite the negative post covefe, feiod is a perfectly cromulent word.
Holy crap. Apple's spell checker didn't flag "cromulent" as a misspelling. :-D
A Path (Score:3)
Hurray (Score:2)
So glad to hear it. I really wanted to buy a new Macbook Air, but this was honestly the main reason to hold off on that purchase.
I currently use Little Snitch to also limit what Apple apps phone home. I don't have any comparison to other OS's on this front, but MacOS is pretty chatty.
Re: (Score:2)
Yeah, I'm really surprised Apple didn't double-down on this, but simply removed it completely. I mean, it was enabled for a reason so you'd expect it to stay.
I wonder if someone had a burst of inspiration that it simply was too big an attack surface - or the granularity was too big because many of those apps took plugins and that means it's way too easy to hitch a ride.
Removed the feature, or just the list? (Score:2)
So, the plist is gone, but has it been verified that the underlying bypass functionality has ALSO been removed?