Apple apps on Big Sur bypass firewalls and VPNs — this is terrible

Don't worry though, Apple really, really, really cares about your privacy

For all of Apple’s talk of being privacy-first, often its marketing speak doesn’t match up with what it’s actually doing. And the latest example? Well, it’s Apple apps on Big Sur bypassing firewalls and VPNs.

I don’t need to tell you just how worrying this is.

The issue was first spotted in the macOS Big Sur beta by Twitter user @mxswd all the way back in October. They had this to say:

This was confirmed and expanded upon by Patrick Wardle, a security researcher at Jamf.

Effectively, Wardle says that previous versions of macOS allowed a firewall or VPN to be set up using the Network Kernel Extension. But this isn’t the case in Big Sur.

What Wardle found is that the Mac App Store on the latest macOS bypasses any firewall. For all intents and purposes, its traffic is invisible to firewalls. What’s happening is that Apple apps on Big Sur are beginning to operate outside the user’s control. Which is terrible news.

This story was brought to light on Apple Term, but many assumed it would be fixed when Big Sur was released to the general public. This hasn’t happened.

The question you might be asking next is: so what? What’s the issue here?

Well, aside from control over your own system, Apple apps on Big Sur being able to bypass firewalls and VPNs is a huge privacy and security issue. Wardle showed on Twitter how easy it is for malware to exploit this gap:

What this amounts to is that bad actors could exploit this hole in Apple apps on Big Sur to send out your personal data to remote servers. This should worry everyone.

The big question though is why the company’s doing this. So far, it hasn’t said why Apple apps on Big Sur are exempt from firewalls and VPNs, but there are some theories.

One school of thought is that this makes it harder for users to pretend they’re in different countries, meaning it can be stricter on licensing issues. Another is that Apple wants to keep its apps’ data and traffic out of VPN servers.

Whatever the reason, I severely doubt it’s good enough to excuse Apple’s actions here.

If you want to understand further what this sort of activity does, I’d recommend you go and read this piece from Jeffrey Paul about why your computer isn’t yours. It’s a sobering look at the world we’re living in, where

So much for Apple being privacy-first, hey?

Published November 16, 2020 — 09:11 UTC