
Apple drops 'exclusion list' which allowed its own apps to bypass firewalls

Apple's Mac apps have been able to bypass firewalls to access the internet


The latest beta of macOS Big Sur has reportedly removed the contentious ability for Apple's own apps to bypass firewalls, and hide their network use.

Apple's release of the macOS Big Sur 11.2 beta appears to show that the company is dropping a controversial network feature. In the current public version of Big Sur, 56 of Apple's own apps and system processes can use the internet even when a user has blocked all access with a firewall.

Adding to the controversy, when those apps do access the internet, they do so without the user, or any network-monitoring app, being able to see or report the traffic. Apple did this in part because of its Gatekeeper security system.

When a user opens an app, macOS "calls home" to check that the app is still as it was when the developer submitted it to Apple for authorization. The idea is that if any malware has been added since, Gatekeeper can detect the change and stop the app from launching.

However, this has led to issues such as the severe problems users had when macOS Big Sur was first released. Since the Big Sur release caused server problems at Apple, even users not upgrading were finding that Gatekeeper wasn't responding.

So users still on macOS Catalina were being prevented from working, and apps were crashing on launch, all because their Macs weren't getting the confirmation that the apps were genuine.

Apple introduced the notarization process to developers in 2018

Central to this feature was what Apple calls the "ContentFilterExclusionList." Any app on that list could circumvent firewalls and not be monitored. Unfortunately, it appears that rogue agents have been able to use this feature to get their own apps excluded.
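One way an administrator can verify whether the exclusion list is still present on a given Mac is to read the plist that carried it. The script below is an added example, not code from the article, from Apple or from Wardle's post: it parses a NetworkExtension framework Info.plist with Python's standard plistlib and reports the ContentFilterExclusionList entries, if any. The framework path is an assumption based on public write-ups, and the embedded sample plists use placeholder bundle identifiers so the check can be exercised offline.

```python
"""Audit check for the macOS ContentFilterExclusionList.

Added example (not from the article, Apple or Patrick Wardle): reads the
Info.plist of the NetworkExtension framework and reports whether the
ContentFilterExclusionList key is present and which bundle identifiers it
names. On a macOS 11.2 beta 2 system the key is expected to be absent.
"""
import plistlib
from pathlib import Path

# ASSUMPTION: location of the plist that carried the exclusion list on Big Sur.
NE_INFO_PLIST = Path(
    "/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist"
)
EXCLUSION_KEY = "ContentFilterExclusionList"


def exclusion_entries(plist_bytes: bytes) -> list[str]:
    """Return the exclusion list entries in a plist, or [] if the key is absent."""
    data = plistlib.loads(plist_bytes)
    entries = data.get(EXCLUSION_KEY, [])
    # Entries are expected to be bundle identifier strings; skip anything else.
    return [e for e in entries if isinstance(e, str)]


def audit(path: Path = NE_INFO_PLIST) -> dict:
    """Summarise the state of the exclusion list in the plist at `path`."""
    if not path.exists():
        return {"present": False, "count": 0, "entries": [], "note": "plist not found"}
    entries = exclusion_entries(path.read_bytes())
    return {"present": bool(entries), "count": len(entries), "entries": entries, "note": ""}


# Constructed sample plists for offline use; the bundle IDs are placeholders, not real ones.
SAMPLE_WITH_LIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.framework</string>
    <key>ContentFilterExclusionList</key>
    <array>
        <string>com.example.placeholder-one</string>
        <string>com.example.placeholder-two</string>
    </array>
</dict>
</plist>
"""

SAMPLE_WITHOUT_LIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.framework</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then the live system plist.
    print("sample with list:", exclusion_entries(SAMPLE_WITH_LIST))
    print("sample without list:", exclusion_entries(SAMPLE_WITHOUT_LIST))
    print("this machine:", audit())
```

Run on a Big Sur system, `audit()` reports how many identifiers the list names; an empty result with `note == ""` means the plist exists but no longer carries the key, which is the state Wardle describes for the 11.2 beta.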

"It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic," writes security expert Patrick Wardle in a blog post.

"Well, after lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed," continues Wardle. "The ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2)."

It's not clear yet how Gatekeeper security will work if the Mac is blocked by a firewall. Also, the presence or absence of a feature in a beta is not a guarantee that it will be the same when the macOS update is released publicly.

Apple has not commented on the change.



7 Comments

saarek 16 Years · 1586 comments

Good, they should never have done this in the first place. Glad to see them quickly reverse the decision.

xyzzy-xxx 6 Years · 201 comments

Great move!
If Apple now would also enable target disk mode for Apple Silicon Macs...

theotherguy 3 Years · 2 comments

> It's not clear yet how Gatekeeper security will work if the Mac is blocked by a firewall. 
Feel free to try by adding this to /etc/hosts:

0.0.0.0 ocsp.apple.com

Macocalypse 3 Years · 18 comments

xyzzy-xxx said:
Great move!
If Apple now would also enable target disk mode for Apple Silicon Macs...

Transfer files between a Mac with Apple silicon and another Mac

https://support.apple.com/guide/mac-help/transfer-files-a-mac-apple-silicon-mchlb37e8ca7/mac

elijahg 18 Years · 2845 comments

xyzzy-xxx said:
Great move!
If Apple now would also enable target disk mode for Apple Silicon Macs...

Transfer files between a Mac with Apple silicon and another Mac

https://support.apple.com/guide/mac-help/transfer-files-a-mac-apple-silicon-mchlb37e8ca7/mac

That's not even remotely the same as target disk mode.