Since the release of macOS Big Sur on November 12, Apple has received backlash because of its decision to allow default Apple apps to communicate with its servers in a manner that bypasses third-party firewalls and Virtual Private Networks.
macOS is generally thought to be a platform that is better for consumer data privacy and security, so it seems counterproductive that Apple's updated Operating System is sending back invasive telemetry in such a way that it potentially affects VPN users.
The ability for consumers to conceal their location from online services (including Apple's own apps) is important to huge numbers of people who value privacy.
For a VPN to be able to provide this privacy, it is vital that identifiable user data cannot be harvested outside of the VPN tunnel at any stage during networking. Unfortunately, changes rolled out in Big Sur can allow this kind of tracking to occur under certain circumstances – leading to concerns over the use of VPNs on Big Sur.
Big Sur: a problematic update
The problem revolves around Apple's decision to bypass user-defined firewall rules in Big Sur. This results in Apple being able to harvest information from Mac users when they use certain Apple apps.
This is concerning because it theoretically creates a data trail that could be leveraged to figure out what programs were used, when, and where. With this data sitting around on Apple's servers, it could potentially be accessed by the company or even the government using a warrant.
This is exactly the kind of tracking that VPN users seek to prevent and the idea that Big Sur purposefully bypasses the ability to prevent tracking raises serious concerns. Andy Yen, founder and CEO at Proton VPN, explained the situation to ProPrivacy:
Preventing third-party firewalls from blocking Apple's own apps and telemetry in Big Sur is a move that is hostile to users, making it much harder for them to control how their data is collected.
Not all VPN clients affected
The good news is that the updates implemented in Big Sur do not affect all VPN firewalls. Many reliable VPNs implement their Mac VPN apps in such a way that all data passes through the VPN tunnel even when the kill-switch is triggered.
ExpressVPN told ProPrivacy that Mac users do not need to worry about any data being harvested by Apple apps outside of the VPN tunnel:
We've investigated this matter thoroughly and can confirm that Apple apps are not able to bypass the ExpressVPN app for macOS and send data outside of the VPN tunnel. The issue primarily impacts VPN apps that use macOS' certain APIs in its Network Extension Framework, which ExpressVPN does not.
Despite this, ExpressVPN told us that they have very serious concerns over Apple's decision to exempt its own apps from user-defined networking rules:
We share the overall digital security industry's concern that these changes by Apple risk a negative impact on user privacy and safety. When users use VPNs, firewalls, and other similar tools, they have every right to expect that Apple would not privilege their own traffic and sidestep these protections.
Tested
Andy Yen CEO of Proton VPN also informed us that the VPN has thoroughly tested the issue to ensure its Mac client is unaffected, as long as the kill-switch is activated:
When we became aware of the issue we immediately ran a battery of tests on our Mac app, intercepting all connections into and out of a testbed machine for packet-level analysis. After an extensive period of testing, we were satisfied that no packets could enter or leave the testbed machine outside the VPN interface if the kill-switch was enabled.
According to Yen, the Proton VPN app for macOS is not affected by the issue caused by Big Sur because the kill-switch uses the macOS packet filter (PF) to ensure connections are not possible outside the VPN tunnel. Yen explained:
The PF works at a lower level than many application-level firewalls, including those used by Little Snitch and some other VPN apps. These rely on the NEFilterDataProvider and NEAppProxyProvider network extensions to implement their firewall rules, and it is these network extensions that Apple has bypassed in Big Sur to prevent its own services from being blocked.
Swedish VPN provider PrivateVPN also confirmed to us that they are not affected by the changes in Big Sur:
We're using Packet Filter (PFCTL), which is built into the macOS. It means any app packets (traffic) will not be excluded from our firewalling (kill-switch).
The same is true of the US-based provider Private Internet Access, which told us:
The issue only affects VPNs and firewalls using the NetworkExtension APIs on macOS. PIA Desktop uses a utun device and is not affected.
Mullvad also informed ProPivacy that its Mac app has been tested. It uses PF to route all traffic inside of the VPN tunnel successfully:
We connected the macOS device to the internet through another machine where we could monitor all the network traffic to and from the macOS device. Then we made the app secure the device. We started using Apple apps, and we could not observe any network traffic that was not encrypted and heading for our VPN server.
While Mullvad's testing revealed that the VPN app is working as it should, the provider was also quick to point out that:
No one can guarantee 100% security. That is not possible. Yet unknown bugs in the operating system or our VPN software could theoretically show up any time, providing an attack vector or causing a leak. But we do our best to proactively mitigate that from happening by carefully evaluating how we implement our security measures and what operating system APIs to rely on.
Need to know information
Other VPN providers including CyberGhost and Surfshark have informed us that they are aware of the issues resulting from the changes to Big Sur. Those VPN providers are currently investigating to see whether they need to make changes to the implementation of their macOS VPN clients. A spokesperson from Surfshark told us:
Surfshark is currently testing the impact of Apple changes introduced in Big Sur and will make adaptations as needed.
What we know from the tests performed by leading VPN providers, is that the data-leak issue negatively affects macOS VPN clients that use specific macOS APIs. As a result, any VPNs that use NEFilterDataProvider and NEAppProxyProvider network extensions could potentially be affected.
At ProPrivacy we are aware that this raises concerns for VPN users, who are keen to know which VPNs are and aren't affected. This is why we have contacted market-leading VPN providers to find out where they stand. We will update this article as and when those providers provide us with a definitive answer (a list can be found below this article).
Ultimately, the decision to allow the Apple App store and 50 other Apple apps to bypass user-defined internet routing rules amounts to a huge invasion of privacy.
Users have a right to control what data leaves their devices and how, and any attempt to provide privileges for its own apps and telemetry is damning.
Unfortunately for users, Apple has always been of the opinion that unless it can control everything within its walled garden, it can't guarantee the best possible experience for users. Now it would appear that Apple is seeking to extend that ethos from hardware and software to networking – a move that flies in the face of its claims that it is a platform that cares about user privacy.
VPNs currently known to be unaffected by the changes in Big Sur:
- Proton VPN
- ExpressVPN
- PIA
- PrivateVPN
- AirVPN
- Hide.me (3.x version)
- NordVPN
- Mullvad