MacOS Big Sur(veillance) bypasses Firewall/VPN to tell Apple what programs you run on your computer

Posted on Nov 20, 2020 by Caleb Chen

Some default Apple apps on MacOS Big Sur bypass any VPN or firewall rules set by the user to send information, such as what programs you run, back to Apple. Namely, the Apple App Store and 50 other Apple apps are allowed to bypass user-based internet routing rules, which means Apple could know your real IP address even when you try to get behind a VPN on MacOS Big Sur. Additionally, this type of exemption can be exploited by malware.

This VPN-ignoring behavior was first discovered in MacOS Big Sur’s beta back in October; however, now that Big Sur has exited beta, the privacy-ignoring “feature” still remains. One of Apple’s programs that is allowed to bypass VPN is cause for major privacy concerns. The program, called Gatekeeper, checks the certificate of any program run on your computer with Apple, and that check carries a timestamp and your IP address – which is enough data to start building a profile on what programs you use and from where.

Apple denies spying with Gatekeeper and Big Sur

On Apple’s end, they explained Gatekeeper this week with an emergency release of a support doc that detailed the security measure. Additionally, Apple has stated that they will stop storing IP addresses with these authentication requests. Some argue that Apple just checks the program’s developer ID certificate for authenticity, and that there is no stored hash of the program’s code for Apple to use to compile lists of programs used by individual Apple customers. Even so, the existing system means Gatekeeper essentially creates a log of programs used by Apple users, sorted by IP address.
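To make concrete what a certificate status check of this kind actually transmits, here is an added example (not from this article, and not Apple's code) that encodes and decodes a minimal RFC 6960 OCSP request using only Python's standard library. The issuer Name, SubjectPublicKeyInfo and serial number are constructed placeholders; the payload identifies only the developer certificate, while the IP address and timestamp the article mentions come from the connection itself, not from the request body.

```python
# Minimal RFC 6960 OCSP request encoder/decoder, standard library only.
import hashlib
SHA1_OID = bytes.fromhex("2b0e03021a")  # OID 1.3.14.3.2.26 (id-sha1), the hash a CertID normally uses

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(value: int) -> bytes:
    """DER INTEGER with the minimal two's-complement body."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def build_ocsp_request(issuer_name_der: bytes, issuer_spki_der: bytes, serial: int) -> bytes:
    """OCSPRequest > TBSRequest > requestList > Request > CertID; no extensions, no requestorName."""
    cert_id = der(0x30,
                  der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))      # hashAlgorithm: sha1, NULL params
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_spki_der).digest())  # issuerKeyHash
                  + der_int(serial))                                   # serialNumber of the developer cert
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))  # Request, requestList, TBSRequest, OCSPRequest

def _tlv(buf: bytes, pos: int = 0):
    """Read the TLV at pos; return (tag, body, offset of the next TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[start:start + n], start + n

def decode_ocsp_request(req: bytes) -> dict:
    """Descend to the single CertID and return everything the payload tells the responder."""
    body = req
    for _ in range(5):                       # OCSPRequest, TBSRequest, requestList, Request, CertID
        _, body, _ = _tlv(body)
    _, _alg, pos = _tlv(body)                # hashAlgorithm, not needed here
    _, name_hash, pos = _tlv(body, pos)
    _, key_hash, pos = _tlv(body, pos)
    _, serial, _ = _tlv(body, pos)
    return {"issuerNameHash": name_hash.hex(), "issuerKeyHash": key_hash.hex(),
            "serialNumber": int.from_bytes(serial, "big", signed=True)}

# Constructed stand-ins for the issuing CA's DER Name and SubjectPublicKeyInfo and a made-up serial.
ISSUER_NAME_DER = b"constructed issuer Name DER"
ISSUER_SPKI_DER = b"constructed issuer SubjectPublicKeyInfo DER"
DEVELOPER_CERT_SERIAL = 0x1A2B3C4D5E
```

Calling `decode_ocsp_request(build_ocsp_request(ISSUER_NAME_DER, ISSUER_SPKI_DER, DEVELOPER_CERT_SERIAL))` shows that no application hash, path or name is present in the payload; whatever a responder logs per client IP is keyed on the developer certificate, not on the binary.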

Apple of course denies that this information is used in that way. They stated:

“Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. […] We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.”

Whether they did or not doesn’t matter: the fact that the information is there means it’s available for a government agency to come in and use. Additionally, the very existence of this type of privacy-invading check opens up functionality issues, which were recently highlighted.

Besides privacy concerns, Gatekeeper even led to usability downtime on Macs around the world

A recent spate of downtime for Apple servers also revealed another weak point with this Gatekeeper model.

Namely, Mac users were unable to execute code or open programs because they would fail the OCSP check with Apple servers. Of course, it is possible to set up a MacBook completely offline and avoid this type of phoning-home activity; however, that’s not how most people want to use their Apple devices. It’s important to note that Apple’s new M1-powered laptops won’t be able to run anything besides MacOS Big Sur. Apple has promised to make this Gatekeeper function better for users by adding encryption as well as a way to opt out.

It’s clear that this is Apple’s ham-fisted way to try and salvage the not-so-true claim that “Macs can’t get viruses.” The truth is much more nuanced than that: Mac devices can get malware, there are always going to be more zero-days found, etc. Apple seems to be doubling down on this specific anti-privacy approach to stop malware – and that deserves all the reproach I can muster.