Blog

A hole in the wall

Apple on Privacy:

Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.

We could not agree more. That’s why we created Little Snitch in the first place, 18 years ago.

It is your right to know where your computer connects to. To whom it talks. It’s your right to see these connections. It’s your right to allow them. And it’s your right to deny them.

That’s our philosophy. You should always be able to see what’s going on and to make informed decisions.

When we first discovered that Apple’s new Network Extension Framework — that all third party firewalls are now required to use on macOS Big Sur[1] — didn’t report network traffic during some large software update download, we reported this bug to Apple on July 1 (FB7839544), hoping it would be fixed in the final version of Big Sur.

But it came worse. Three months later we realized, that a number of other Apple services like App Store, Maps or FaceTime also showed this strange behavior of acting invisibly, bypassing the new filter API. So we reported our new findings again on October 1 (FB8762834).

As it turned out, this behavior is on purpose. There’s an explicit whitelist that allows certain macOS services to bypass any third party firewalls and to communicate on the Internet without being even noticed by the user. A hole in the wall.

It is understandable, that some network connections are essential for a secure and smooth system operation. It makes sense to check the validity of signing certificates to effectively protect against malware attacks. It makes sense to download critical security updates in a timely fashion to prevent malware from exploiting vulnerabilities that have already been fixed. Blocking such connections would usually cause more harm than good.

But hiding these connections completely from the user makes no sense. It contradicts the idea of a transparent and trustworthy system and undermines the user’s trust in that system.

We’ve been facing similar challenges in Little Snitch as well. If we allow users to block each and every network connection, they might inadvertently render their computer unusable, causing DNS lookups to hang, preventing users from logging into their accounts and more.

How did we solve it? By being transparent and informative. By telling users about the possible consequences that the denial of certain connections might have, and in some cases recommending them not to do so. By providing default firewall rules to allow a few essential connections, but still letting users opt out. By developing the Internet Access Policy that also gives third party developers the possibility to explain, which connections their apps are about to make, and whether it’s OK or not to deny them.

But the final decision whether to accept the possible consequences should always be left to the user, to you.

In the light of the recent public discussions that this topic has triggered we are extremely confident that Apple stands by their word to give users control over their information and will therefore eliminate this kind of whitelisting in a future macOS update.

Just yesterday Apple announced their willingness to address such privacy concerns by improving the way how online certificate checks are performed, and even adding the possibility to completely opt out of these security protections.

Until then we won’t be restless either. We are already working on an alternative technique how to make even those currently hidden connections visible again in Little Snitch in one of our next updates. Looks very promising so far!

So stay tuned and protect your privacy. It’s yours, after all.

Credits: Image by clipground.com licensed under CC BY 4.0


  1. Apple has discontinued the support of Network Kernel Extensions in macOS Big Sur. Developers must therefore rewrite their apps to use Apple’s Network Extension Framework instead. ↩︎

Little Snitch and the Deprecation of Kernel Extensions

You probably came here because your Mac showed a message telling you that software from “Objective Development Software GmbH” (Little Snitch) loaded a system extension that will no longer be compatible with a future version of macOS and that you »

macOS 10.15.1 Update Fixes Kernel Prelinking

The initial release of macOS Catalina caused trouble for a lot of Little Snitch users. Updating an existing version of Little Sntich would almost always lead to a dreaded “Version Mismatch” error being shown after restarting your Mac. We documented »

How Kernel Prelinking Works on macOS Catalina (or not)

Update on October 30, 2019: This issue is fixed in macOS 10.15.1.In this article we’d like to outline some technical details about how the installation of a kernel extension works on macOS Catalina, about potential pitfalls »

The Story Behind CVE-2019-13013

This blog post targets fellow software developers. It’s a story of how it could happen that we shipped a version of Little Snitch with a serious vulnerability and, more importantly, what we can learn from it. It all began »

Archive