MacOS Big Sur(veillance) bypasses Firewall/VPN to tell Apple what programs you run on your computer
Some default Apple apps on MacOS Big Sur bypass any VPN or firewall rules set by the user to send information like what programs you run back to Apple. Namely, the Apple App Store and 50 other Apple apps are allowed to bypass user-based internet routing rules, which means Apple could know your real IP address even when you try to get behind a VPN on MacOS Big Sur. Additionally, this type of exemption can be exploited by malware.
In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.)
Q: Could this be (ab)used by malware to also bypass such firewalls?
A: Apparently yes, and trivially so
— patrick wardle (@patrickwardle) November 14, 2020
This VPN-ignoring behavior was first discovered in MacOS Big Sur’s beta back in October; however, now that Big Sur has exited beta, the privacy-ignoring “feature” still remains. One of Apple’s programs that is allowed to bypass the VPN is cause for major privacy concerns. The program, called Gatekeeper, checks the certificate of any program run on your computer against Apple’s servers, and that request carries a timestamp and your IP address – which is enough data to start building a profile on what programs you use and from where.
Apple denies spying with Gatekeeper and Big Sur
On Apple’s end, they explained Gatekeeper with an emergency release of a support doc this week that detailed the security measure. Additionally, Apple has stated that they will stop storing IP addresses with these authentication requests. Some argue that Apple just checks the program’s developer ID certificate for authenticity, and there is no stored hash of the program’s code for Apple to use to compile lists of programs used by individual Apple customers. Even with the existing system, Gatekeeper essentially creates a log of programs used by Apple users sorted by IP address.
An algorithm to guess with overwhelming probability which app someone is using when you observe a Mozilla cert OCSP request from a Mac:
Step 1: guess Firefox.
Step 2: there is no step 2.
— Matthew Green (@matthew_d_green) November 15, 2020
Apple of course denies that this information is used in that way. They stated:
“Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. […] We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.”
Whether they did or not doesn’t matter: the fact that the information is there means it is available for a government agency to come in and use. Additionally, the very existence of this type of privacy-invading check opens up functionality issues, which were recently highlighted.
Besides privacy concerns, Gatekeeper even led to usability downtime on Macs around the world
A recent spate of downtime for Apple servers also revealed another weak point with this Gatekeeper model.
Hey Apple users:
If you're now experiencing hangs launching apps on the Mac, I figured out the problem using Little Snitch.
It's trustd connecting to https://t.co/FzIGwbGRan
Denying that connection fixes it, because OCSP is a soft failure.
(Disconnect internet also fixes.)
— Jeff Johnson (@lapcatsoftware) November 12, 2020
Namely, Mac users were unable to execute code or open programs because the OCSP check with Apple’s servers was failing to complete. Of course, it is possible to set up a MacBook completely offline and avoid this type of phoning-home activity; however, that’s not how most people want to use their Apple devices. It’s important to note that Apple’s new M1-powered laptops won’t be able to run anything besides MacOS Big Sur. Apple has promised to make this Gatekeeper function better for users by adding encryption as well as a way to opt out.
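To show why denying the trustd connection clears the launch hang while an unreachable-but-silent responder does not, here is an added Python model of a soft-failing revocation check; it is not Apple’s or trustd’s code, and the local responder, the request bytes and the port helpers are constructed stand-ins for the real OCSP exchange.

```python
import socket
import threading
import time


def check_revocation_soft_fail(host, port, timeout=2.0):
    """Hypothetical soft-fail revocation check (not trustd's code).
    Returns (decision, reason, elapsed_seconds): the app is allowed unless the
    responder positively says "revoked"; silence also allows it, but only
    after the client has waited out its timeout."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"OCSP-REQUEST\n")  # constructed placeholder, not real DER
            reply = s.recv(64)
    except ConnectionRefusedError:  # firewall DENY: immediate, no launch delay
        return "allow", "soft-fail: connection refused", time.monotonic() - start
    except socket.timeout:  # responder reachable but silent: a visible hang
        return "allow", "soft-fail: responder timed out", time.monotonic() - start
    elapsed = time.monotonic() - start
    if reply.strip() == b"revoked":
        return "deny", "responder says revoked", elapsed
    return "allow", "responder says good", elapsed


def start_fake_responder(reply):
    """Constructed local responder: sends `reply`, or stays silent if None.
    Returns the loopback port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if reply is not None:
            conn.recv(64)
            conn.sendall(reply)
        else:
            time.sleep(5)  # longer than any client timeout used here
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Loopback port with no listener, standing in for a denied connection."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

The refused case returns in milliseconds with the same "allow" decision that the silent case only reaches after the full timeout, which is the difference between a normal launch and the hangs described in the tweet.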
It’s clear that this is Apple’s ham-fisted way to try and salvage the not-so-true claim that “Macs can’t get viruses.” The truth is much more nuanced than that: Mac devices can get malware, there are always going to be more zero-days found, etc. Apple seems to be doubling down on this specific anti-privacy approach to stop malware – and that deserves all the reproach I can muster.