Apple Hides Traffic of Some of Its Own Apps in Big Sur
David Dudok de Wit, co-founder of Alix, makers of the TripMode utility for controlling your Mac’s data usage on slow or expensive networks, has written a post on Medium outlining an Apple change in macOS 11 Big Sur and its consequences. (There’s also a huge Hacker News discussion.) In Big Sur, Apple will start enforcing an exclusion list of more than 50 Apple apps and processes that allows those apps to bypass oversight and control from application-level firewalls. The list first appeared in 10.15 Catalina but wasn’t enforceable for apps with network kernel extensions, as used by apps like TripMode, Little Snitch, and others. Big Sur changes that, essentially requiring such apps to use different APIs that honor Apple’s exclusion list. You can see the list here in Catalina or Big Sur:
I don’t believe this move shows any grand conspiracy to undermine TripMode or Little Snitch. I suspect it’s just another change that Apple has made—perhaps in the name of overall security, perhaps merely with no thought to what developers and users want—that has an unintended and undesirable consequence. It’s reminiscent of when Apple quietly prevented apps like BusyContacts and HoudahSpot from indexing Mail’s email archive in Catalina, regardless of how you set your permissions. Nevertheless, it’s disappointing, and if you’re bothered by the move, let Apple know via its Feedback Assistant.
Apple’s coding and security have slipped enough that this year I ceased recommending Macs to most people and now suggest they should compare Windows and Linux too. If this change goes through, I shall follow my own advice and consider running another system on our computers. It is one thing to forgo basic controls like this on a phone or tablet, but it is quite another on a computer.
The HoudahSpot link should probably be this. (My post on the Mail issue is here. My post on the network filtering issue here.)
That’s better, thank you! I’ll update it…
That’s nothing, Apple put dtrace into Mac OS X since the beginning but hobbled it so it couldn’t be used to debug iTunes DRM.
The dtrace live debugger can examine EVERYTHING at run time. It’s not hobbled on Solaris and other platforms. Just on Apple macOS.
I’m a little confused by the Apple feedback page that I was directed to by your link. It asked me if I want to comment on the beta and another question (cannot recall), which I can’t seem to bypass to simply make a general feedback comment. Sorry to sound like a newbie, but I would like to comment on the issue this thread brings up.
The Apple feedback page that I was directed to by your link was blocked by:
The server certificate is untrusted!
I am running MRT 1.68 and XProtect 2133.
You have to be signed up as a macOS beta tester of some flavor in order to use Feedback Assistant.
Not seeing any certificate issues with that link. That response doesn’t come from either MRT or XProtect. Are you a beta tester?
No, I’m not a beta tester. I am a translator for TidBITS-Japanese, and I was checking the links in the article. I simply clicked the Feedback Assistant link in the ExtraBITS article, and got the error, both from Safari 13.1.2 and iCab 6.0.4.
Interesting. I just visited the link. It asked me to log in with my Apple ID, but I was able to log in. I am in the developer program (free tier), but have never joined any beta program. I found a record of three bug reports I filed over the years via their old “bugreport” site (which appears to be down, probably replaced by the Feedback Assistant).
If you’re seeing a certificate error, then it may be a temporary situation. FWIW, I’m running Firefox 82 on macOS Catalina on a 2018 Mac mini.
I too have been grandfathered into the free developer program from almost twenty years ago, so can use Feedback Assistant. BugReports became Radars then were merged into FA for simplification purposes perhaps a year ago.
Sorry about pointing people to Feedback Assistant without remembering that it required having signed up for a beta test account. You can also submit feedback about macOS via this link:
Patrick Wardle is saying that Apple’s exclusion list could be abused by malware. I won’t pretend to understand how his screenshots illustrate this, but he’s a smart guy and I generally trust what he says.
Happy day—Apple has reversed course on this approach. Patrick Wardle explains in Hooray, no more ContentFilterExclusionList.
Hooray, Little Snitch rules again.