Having Trouble with Your Mac VPN? Update to Big Sur 11.2

Here’s a case of development time constraints causing a panic among the security community. Before the second beta of Big Sur 11.2 was released, Apple had included a specific feature that would exclude its first party apps from most security checks. This means apps like VPNs, firewalls, anti-malware, and others would no longer function correctly. More details on the feature below.

Apple Apps Bypass VPNs

Pretty straightforward – a macOS component called ContentFilterExclusionList allowed Apple programs to ignore user-specific network settings. As a result, you couldn’t block first-party apps from communicating with Apple servers (with a firewall, for example). Similarly, Apple programs would be ignored by anti-malware scans. Essentially, hackers could stealthily compromise your system by creating malware that specifically targets these apps.

What about VPNs? Well, since they were added to the exclusion list, first-party programs could no longer have their network traffic encrypted. For one, this could this lead to potential data leaks from apps like iCloud (seeing as it bypassed the VPN encrypted tunnel). Furthermore, apps on the list would expose your IP address (and thus your physical location) to Apple, even while using a VPN.

Not all providers were affected, of course. Most top-tier Mac VPNs (such as those found right here) don’t use the new Network Extension Framework that caused the issue in the first place. Some providers, such as Surfshark and CyberGhost VPN continued to investigate the issue.

Others (like ProtonVPN) recommended activating the built-in killswitch, even though their tests concluded the issue did not impact their macOS client.

How Did Such an Issue Slip Past Apple?

Fortunately, after they’ve had their fair share of community backlash, Apple removed the ContentFilterExclusionList entirely by the time the second beta was out. The reason for its inclusion? Time constraints, according to a software engineer working at the company. There simply wasn’t enough time to fix all the bugs that resulted from deprecating network extension kernels (NKEs).
Now that Big Sur 11.2 is fully released, firewalls and other security tools will correctly work with all Apple apps. You don’t need to worry about your VPN leaking data or your IP address to Apple, either. Well, at least if you aren’t using a so-called “free” VPN.

If you haven’t heard, at least 20 million people had their emails, passwords, payment details, and other sensitive info leaked online by several free VPNs. The providers (all based in Hong Kong) specifically had no-logs policies outlined in their terms of service. That means they shouldn’t have been collecting all that data to begin with.

Then again, Apple has had trouble curating VPN providers from its App Store for quite a while now. Studies show that many of the top downloaded free VPNs collect way more user data than they should, in direct violation of the App Store guidelines.

Finally, it’s worth noting that free VPNs can and will sell your browsing activity and location data to ad networks. After all, maintaining such a service costs quite the pretty penny, and user data just happens to be valuable enough to the right people.

Al Hilal:
Related Post