A test reveals that Apple’s built-in apps in macOS Big Sur do not bypass VPNs. An alleged security and privacy vulnerability in macOS Big Sur was recently in the news: the claim was that Apple allows its native apps to bypass VPNs and firewalls. Following up on that allegation, Redditor @Nyctea_scandiaca tested the software for the alleged vulnerability and did not find it.
“I did some experiments to determine whether macOS Big Sur is able to bypass VPNs as claimed a lot right now. The answer is: It is not. Packets do what the routing table says they should do.”
The possibility that macOS Big Sur lets Apple’s apps bypass firewalls and VPNs immediately attracted a lot of attention, because it would leave the system vulnerable to malicious attacks. Hackers could have used the security vulnerability to gain access to users’ systems and their confidential data. @patrickwardle claimed to have discovered and reported the security lapse to Apple. However, his claims are apparently refuted by this test.
macOS Big Sur apps do not bypass VPNs
Intrigued by the lack of information and evidence on the issue, @Nyctea_scandiaca set up a test of his own and discovered that macOS Big Sur does not allow first-party apps to bypass firewalls as alleged. To check for any drop in packets, he installed Apple’s own apps from the App Store and carried on with his daily work on the MacBook for 48 hours. He connected a 2016 MacBook via Ethernet to another PC with two NICs, running Debian Buster.
“The two NICs were bridged together and the second one was connected to my LAN in such a way that the MB could access the internet (both via IPv4 and IPv6) without any packet being dropped. Wi-Fi and Bluetooth were both switched off.
I ran tcpdump on the bridge and captured every single Ethernet frame that was spit out by the MB. Additionally I ran Wireshark on the MB in order to check whether the kernel might hide some Ethernet frame from Wireshark. Such a frame would still be visible on the bridge.
On my MB I created a VPN tunnel to yet another machine on my LAN and tested all three major VPN implementations: IPsec (Cisco AnyConnect), OpenVPN and WireGuard. All VPNs were first set up to route all traffic through the VPN, and afterwards as a split tunnel, with Apple’s IPs routed through the tunnel.
Furthermore, I separately captured any single Ethernet frame on the bridge which did not use the VPN tunnel.”
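The check described above can be reproduced offline on a capture taken at the bridge. The following is an added example, not the Redditor's own tooling: it reads a classic pcap file (the kind `tcpdump -w` writes), keeps frames sent from the Mac's MAC address, and lists every IP destination that is neither the VPN peer nor a declared local network. It assumes untagged Ethernet frames; the MAC address, IP addresses and sample capture are constructed for illustration.

```python
import ipaddress
import struct

def frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic little-endian pcap capture."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        yield pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len

def destination(frame: bytes):
    """Destination IP of an untagged IPv4/IPv6 frame, or None (ARP etc.)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == 0x0800 and len(frame) >= 34:
        return ipaddress.ip_address(frame[30:34])
    if ethertype == 0x86DD and len(frame) >= 54:
        return ipaddress.ip_address(frame[38:54])
    return None

def outside_tunnel(pcap, mac, vpn_peer, local_nets):
    """Destinations the host at `mac` sent to directly, not via the VPN peer."""
    peer = ipaddress.ip_address(vpn_peer)
    local = [ipaddress.ip_network(n) for n in local_nets]
    leaks = []
    for frame in frames(pcap):
        dst = destination(frame)
        if frame[6:12] != mac or dst is None or dst == peer:
            continue                           # other host, non-IP, or tunnel
        if not any(dst.version == n.version and dst in n for n in local):
            leaks.append(str(dst))
    return leaks

def sample_capture(mac):
    """Constructed capture: tunnel packet, mDNS, and one direct external packet."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst in ("192.168.1.2", "224.0.0.251", "203.0.113.10"):
        ip = bytes(12) + bytes([192, 168, 1, 50]) + ipaddress.ip_address(dst).packed
        frame = b"\xff" * 6 + mac + b"\x08\x00" + ip
        pcap += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return pcap

MAC = bytes.fromhex("020000000001")            # constructed, locally administered
print(outside_tunnel(sample_capture(MAC), MAC, "192.168.1.2",
                     ["192.168.1.0/24", "224.0.0.0/4"]))
```

With a full-tunnel VPN, an empty result on a real capture means every routed packet from the Mac was addressed to the VPN peer; any address listed is traffic that left outside the tunnel.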
The test revealed that all the packets followed the rules in his MacBook’s routing table and did not bypass the VPN tunnel. He explained:
“What actually happened is that Apple changed some API for userspace applications that want to sniff on the network traffic, to be precise: NEFilterDataProvider. Apple’s own services are listed on an exclusion list which prevents third-party apps from tinkering with it.
I don’t say that’s a good move, but this doesn’t mean it bypasses VPNs, like, not at all.”