Apple started hiding the traffic of its own Mac apps

David Dudok de Wit
Published in TripMode
Oct 20, 2020
* Except if you use Apple apps. Source: Apple Privacy Control page title

Update 14 January 2021: Apple fixed the issue in macOS Big Sur 11.2 and higher. TripMode 3 is now able to detect and block Apple traffic that used to be hidden, without requiring an update. This is great news: everything now works as expected, as long as you upgrade to the latest version of macOS Big Sur. Learn more.

In macOS Big Sur, Apple started enforcing an “exclusion list” of 56 Apple apps and processes that lets them bypass oversight and control by application-level firewalls. This list, which has not been announced or documented by Apple, appeared in macOS Catalina.

Was it even noticed when it came out earlier this year in Catalina? It actually wasn’t a big deal, as it was technically not enforceable: Catalina supported apps with Network Kernel Extensions (“NKEs”, used by TripMode, Little Snitch, and many other apps for years), allowing full system-level network traffic oversight.

With macOS Big Sur, however, that changed: application-level firewalls now need to use the new NetworkExtension APIs, such as NEFilterDataProvider or NEAppProxyProvider, to offer a level of functionality similar to that of previous macOS releases.

The List

You can check the ContentFilterExclusionList in the Info.plist, which resides in the Resources folder of /System/Library/Frameworks/NetworkExtension.framework. This list can be seen on macOS Catalina and Big Sur, but not modified, due to System Integrity Protection.

It includes 56 Apple apps and processes at the time of writing, including recognisable names such as:

com.apple.facetime

Software Update.app

MacOS/App Store

ApplePushService.framework

MusicLibrary.framework
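An added example, not part of the original article or TripMode's code: a Python script that reads the ContentFilterExclusionList key from the Info.plist named above and flags which observed process paths fall on it. The sample plist entries, the array-of-strings layout and the path-suffix matching rule are assumptions made for illustration; how macOS itself matches entries is not documented.

```python
import plistlib
from pathlib import Path

# Location given in the article (read-only under System Integrity Protection).
PLIST = Path("/System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist")
KEY = "ContentFilterExclusionList"

# Constructed sample so the script runs on any machine; these entries are
# made up and are not Apple's real list.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>ContentFilterExclusionList</key>
  <array>
    <string>/Example/Updater.app/Contents/MacOS/updaterd</string>
    <string>/Example/Push.framework/pushd</string>
  </array>
</dict></plist>"""


def load_exclusions(raw: bytes) -> list:
    """Return the exclusion entries, or [] when the key is absent."""
    value = plistlib.loads(raw).get(KEY, [])
    if not isinstance(value, list):  # assumption: the key holds an array of strings
        raise ValueError(f"{KEY} is {type(value).__name__}, expected array")
    return [str(v) for v in value]


def blind_spots(observed: list, exclusions: list) -> list:
    """Observed process paths that a content filter may never be shown.

    Path-suffix matching is an audit heuristic assumed for this example,
    not Apple's documented matching behaviour.
    """
    return sorted(p for p in observed if any(p.endswith(e) for e in exclusions))


if __name__ == "__main__":
    # Use the real plist when present (macOS), else the constructed sample.
    raw = PLIST.read_bytes() if PLIST.exists() else SAMPLE
    entries = load_exclusions(raw)
    print(f"{len(entries)} excluded entries")
    for entry in entries:
        print("  ", entry)
```

Feeding `blind_spots` the process paths your firewall has logged shows which ones it would have no visibility into on an affected macOS version.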

What it means for everyday macOS users

Starting with macOS Big Sur, users can’t:

  1. View a full, uncensored list of apps trying to access the Internet on their Mac — as Apple is hiding 56 of its own apps.
  2. Know how much data these Apple apps upload or download.
  3. Know which domains or IP addresses these Apple apps interact with.
  4. Block or allow traffic from these Apple apps.

Why we care — and why you should, too.

When we introduced TripMode back in 2015, one of its most popular use cases was to pause any iCloud background traffic when using a hotspot. This is still one of its most popular use cases today. It helped prevent nasty data bills, ISP throttling, or getting unusable Internet access on slow public Wi-Fi. And now, we can’t guarantee that to our users anymore, unless Apple decides to change its policy.

Unlimited data is still far from a reality for many users around the world, as we keep hearing from our ever-growing TripMode user base. And that’s just one use case: there are many reasons (security, privacy, or IT policy, to name a few) why one would want to control system-level traffic.

The whole point of an app like TripMode is to guarantee that no data leaks happen between the cracks. And Apple just created a hole in the dam — without telling anyone.

What you can do

We encourage you to report that those system-imposed limitations are not ok, using this feedback form from Apple or their Feedback Assistant if you have a registered Apple developer / beta account. If you do so, make sure to add a reference to FB8808172, our original report. The more reports Apple gets, the more likely this will get the right level of attention. You may even copy and paste parts or all of our original bug report description.

To limit the risk of excessive background traffic from Apple apps, follow these steps:
1. Disable automatic software updates, by following the steps from this support article: https://support.apple.com/en-us/HT207251
2. Disable automatic App Store updates, by launching the Mac App Store, clicking on App Store in the menubar, then Preferences, and unchecking Automatic updates.

What Apple could do

  1. Allow third party apps to measure the volume of traffic of any app on the Mac without exception, and report it to the user. In the context of TripMode, measuring the volume of traffic is key for limited data plans.
  2. Allow third party apps to see which domains or IP addresses any system app interacts with. This is key for transparency and trust: we believe users have a right to know where their data is going, and where they get data from.
  3. Allow the user to make block/allow decisions on any system traffic — especially, in the case of TripMode, on anything that has a significant data download/upload potential.

It’s understandable that Apple would want to put some safeguards in place and prevent just any app from manipulating system traffic. Here, many paths can be explored. One of them could be to open a special entitlement application process for developers wanting to include block/allow functionality on system apps (a process similar to what Apple did in the past with developers asking for the right to use NKEs). We don’t really see a reason to prevent 3rd party apps from doing the first two points. Security by obscurity is not a thing, never has been.

What’s next?

By posting this article, we hope that it will bring some additional attention to the issues introduced by Apple’s unilateral policy, and encourage them to revise it or engage with us, for the benefit of all.

Last but not least: we just introduced TripMode 3, the leading data saving app for the Mac. You should check it out. Test it and get a copy if you like it. Your support makes a difference.
