Apple drops 'exclusion list' which allowed its own apps to bypass firewalls

The latest beta of macOS Big Sur has reportedly removed the contentious ability for Apple’s own apps to bypass firewalls, and hide their network use.

Apple’s release of the macOS Big Sur 11.2 beta appears to show that the company is dropping a controversial network feature. In the current public version of Big Sur, 56 of Apple’s own apps and system processes can use the internet even when a user has blocked all access with a firewall.

Adding to the controversy, when those apps do access the internet, they do so without a user or any network traffic apps being able to monitor or report on them. Apple did this in part because of its Gatekeeper security system.

When a user opens an app, macOS “calls home” to check that this app is as it was authorized when the developer sent it to Apple. The idea is that if any malware has been added, Gatekeeper can detect that and stop the app launching.

However, this has led to issues such as the severe problems users had when macOS Big Sur was first released. Since the Big Sur release caused server problems at Apple, even users not upgrading were finding that Gatekeeper wasn’t responding.

So users still on macOS Catalina were being prevented from working, and apps were crashing on launch. All because their Macs weren’t getting the confirmation that the apps were genuine.

Apple introduced the notarization process to developers in 2018

Apple introduced the notarization process to developers in 2018

Central to this feature was what Apple calls the “ContentFilterExclusionList.” Any app on that list could circumvent firewalls and not be monitored. Unfortunately, it appears that rogue agents have been able to use this feature to get their own apps excluded.

“It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic,” writes security expert Patrick Wardle in a blog post.

“Well, after lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed,” continues Wardle. “The ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2).”

It’s not clear yet how Gatekeeper security will work if the Mac is blocked by a firewall. Also, the presence or absence of a feature in a beta is not a guarantee that it will be the same when the macOS update is released publicly.

Apple has not commented on the change.

Leave a Reply