
Privacy concerns with macOS Big Sur

Maximilian Holm, about Online Privacy

Two issues following the Big Sur update for macOS have been revealed. The first issue revolves around Apple notarization for apps, a security feature used by Apple to verify that apps aren't harmful and haven't been modified. The second issue is that apps created by Apple typically bypass VPN connections.

TLDR: After extensive research and testing, the OVPN client does not leak data from native Apple apps when the killswitch is enabled as the killswitch uses the Packet Filter (PF) firewall. All traffic originating from your macOS computer is sent over the VPN connection.

What happened?

If you tried to open any applications on your Mac around November 12th, you may have noticed that the applications either failed to launch, or took a very long time to launch.

This is because modern versions of macOS send a hash to Apple every time you launch a program, and (possibly due to the Big Sur update) the Apple servers became really slow. So slow, in fact, that the request carrying the hash to Apple failed without triggering the offline fallback code. This, in turn, caused all non-Apple apps to fail to launch.

Whenever you launch an application on your macOS computer, the computer sends a message to ocsp.apple.com which contains the following information:

Date, Time, Computer, ISP, City, State, Application Hash

As with any server you communicate with, the server can also see your IP address. This opens a potential issue on all modern macOS computers: Apple can associate both your normal IP address and your VPN IP address with you. When you start a VPN application, the aforementioned information is sent to Apple's servers using your ISP IP address. After you've connected and started any other application, a new call is made to Apple's servers with your VPN IP address, meaning your VPN IP address could potentially be tied back to you using the information Apple has stored about you.

What's worse, the information doesn't only stay with Apple: the requests your computer sends are unencrypted, meaning your ISP or anyone else on the same network as you can see them, as can anyone who may have tapped their cables. They're also sent to a server run by a separate company — Akamai — which would also have access to them. In addition to Apple and Akamai, Apple has been a partner of the US military intelligence PRISM program since October 2012, which can access all of this data at any time without a warrant. And boy do they. In fact, they did so more than 35000 times during 2019.

Before the Big Sur update, all of this could be blocked using Little Snitch, LuLu or other firewall applications, but that's no longer possible as of macOS 11.0, due to some new APIs that prevent firewalls from blocking these requests. Little Snitch recently released an updated version, Little Snitch 5, that does solve this issue, which you can upgrade to for free if you purchased Little Snitch 4 after November 1st 2019.

While this has been standard even in previous versions of macOS, this is the first time that Apple actively prevents people from blocking these requests. Beyond the obvious privacy issues, this opens up a lot of new problems, such as Apple being able to control which apps are allowed to launch on your computer, opening doors for authoritarian regimes such as China to coerce Apple into censoring which applications Chinese users can access, something they've already done in the past on the App Store. This could also potentially open up new doors for governments such as the United States to install backdoors directly into Apple's devices — something they introduced a bill for as recently as this year.

How can this be prevented?

Currently, there is no easy way to prevent this on your Apple device without third-party apps, since the daemon responsible for these requests (trustd) is on the new ContentFilterExclusionList, meaning its traffic bypasses any user-controlled firewalls built on that filtering layer. In fact, all Apple-developed apps seem to ignore most VPN and firewall rules completely. After extensive research and testing, the OVPN client does not leak data from native Apple apps with the killswitch enabled. Other apps such as Tunnelblick, WireGuard and Viscosity do, though.
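To show why a killswitch built on the Packet Filter (PF) firewall catches traffic that the exempted Apple daemons would otherwise send outside the tunnel, here is an added example of a minimal PF ruleset; it is not OVPN's own killswitch code. The tunnel interface utun0, physical interface en0, the placeholder VPN endpoint 203.0.113.10 and UDP port 1194 are assumptions to adjust for your own setup.

```shell
#!/bin/sh
# Added example (not OVPN's code): a PF ruleset that only lets the VPN tunnel
# itself leave the physical interface, so every other packet, including the
# unencrypted lookups trustd sends to ocsp.apple.com, must use the tunnel.
# Assumed values: tunnel utun0, physical link en0, VPN endpoint 203.0.113.10
# (documentation address used as a placeholder) on UDP 1194.

killswitch_rules() {
    tun_if="$1"; phys_if="$2"; vpn_host="$3"; vpn_port="$4"
    cat <<EOF
# drop silently; do not answer with RST/ICMP
set block-policy drop
set skip on lo0
block drop all

# keep DHCP working on the physical link so the lease can be renewed
pass out quick on $phys_if proto udp from any port 68 to any port 67 keep state
pass in quick on $phys_if proto udp from any port 67 to any port 68

# the only traffic allowed to leave the physical interface: the VPN tunnel
# (use the server's IP here: DNS itself is blocked outside the tunnel)
pass out quick on $phys_if proto udp from any to $vpn_host port $vpn_port keep state

# everything else (DNS, HTTP to ocsp.apple.com, ...) has to go through the tunnel
pass out quick on $tun_if all keep state
EOF
}

# Writes the ruleset and loads it into PF. Needs root; replaces the active
# ruleset, so Apple's default anchors are not loaded while it is in effect.
# "pfctl -d" turns the killswitch off again.
apply_killswitch() {
    conf="${5:-/etc/pf.killswitch.conf}"
    killswitch_rules "$1" "$2" "$3" "$4" > "$conf"
    pfctl -f "$conf"
    pfctl -e 2>/dev/null || true   # "already enabled" is not an error here
}

# Usage: sudo sh killswitch.sh apply utun0 en0 203.0.113.10 1194
#        sh killswitch.sh show utun0 en0 203.0.113.10 1194   (print only)
case "${1:-}" in
    apply) shift; apply_killswitch "$@" ;;
    show)  shift; killswitch_rules "$@" ;;
esac
```

Run the show form first and read the generated rules before applying them, and verify afterwards with `pfctl -s rules` that only the tunnel rule passes traffic on the physical interface.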

Since the lookups are done unencrypted towards ocsp.apple.com, you could potentially filter them directly on a hardware firewall as well, such as your router. You can also install third-party firewall applications such as Little Snitch 5 to block these requests.

Do note that blocking ocsp.apple.com can lead to issues with app certificates, since Apple does use it to authenticate apps.

Apple's response

Apple has since responded to the critique by outlining exactly what the Gatekeeper security feature does.

Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices. - Apple

They also state that since the critique, they have stopped logging Apple IDs, IP addresses, or the identity of each device, and they've also stopped logging IP addresses associated with ID checks done by Gatekeeper, and will ensure that any IP addresses collected in the past are removed from their logs.

They've also committed to making some improvements over the next year by introducing several changes to their security checks:

  • A new encrypted protocol for Developer ID certificate revocation checks
  • Strong protections against server failure
  • A new preference for users to opt out of these security protections

While it is not possible to opt out of these security checks at the moment, it is nonetheless good that Apple is transparent about the issue and is working to resolve it by allowing users to opt out.

Maximilian Holm