Little Snitch 4 review: Mac app excels at monitoring and controlling network activity

The Internet is a terrifying place, and Objective Development’s Little Snitch 4 ($45) has tried for many years to help keep your Mac locked down by monitoring connections and letting you control inbound and outbound traffic. Version 4 refines and extends this friendly firewall, and if you’ve used it or looked at it in the past, you’ll find it mostly familiar. But the app has significant updates for visualizing connections and improves how it explains what apps are trying to do.

It’s bizarre that this many decades into the net’s evolution, Apple still doesn’t include strong tools enabled by default that restrict access to your Mac or examine connections from macOS or apps you’re running out to the Internet. The firewall option in the Security & Privacy system preference pane is extremely coarse and lacks necessary features. Enabling it likely causes more problems and confusion for less-experienced users than leaving it off, but a Mac with unfettered bidirectional access isn’t a good thing, either.

That’s why I’ve recommended Little Snitch since version 1, because it lets you keep an active but not irritating eye on what your Mac is doing. It was only in version 3 that it added inbound connection management, too, which made it much more useful against attacks. Version 4 freshens things up.

Little Snitch 4: Watching for chatty apps

As in previous versions, Little Snitch’s most obvious use is in alerting you to the network activity of applications and low-level software. For instance, launch Google Chrome, and Little Snitch warns you that the browser is attempting to connect to www.google.com (to check for updates, ostensibly). Should Little Snitch let it proceed, and, if so, for how long and with what limits?

IDG

For previously unknown connections, Little Snitch presents a dialog box that shows you the requesting app’s icon, its name, and what it’s attempting to do. Using the previous example with a browser that’s not pre-approved, you might see an alert that Google Chrome is trying to connect to google.com. Clicking Allow or Deny adds a rule to Little Snitch’s configuration, bypassing this dialog in the future for varying degrees of specificity and periods of time.

The utility lets you drill down nearly everywhere. The default view offers simple details that shouldn’t frighten someone with no real technical knowledge as long as they get what a domain name represents and what apps are trying to do. Click a button here and there—like a downward-pointing arrow to the left of the Deny button—and you can expand options and limit choices. For instance, you can approve connections to all ports on a domain, or click on the allow/deny dialog to specify a port. (An IP address is a destination, like an apartment building; a port is like a specific apartment within the building.)

Little Snitch comes configured to allow common activities. For example, Safari requests data from port 80 (non-secure Web connections) and port 443 (https connections) to pass through without notice. Many OS X system daemons, autonomous bits of low-level software, also get pre-approved. But even these passes are explicitly allowed via rules that you can view, with descriptions, in the Little Snitch Configuration app.

You can be concerned enough about Internet safety that you changed prefab rules, like requiring individual approval of domain access in Safari, instead of letting it use all those ports. You’ll have to allow sites and items referenced on sites one at a time as you visit, but that offers some people more piece of mind against unwanted Web-based trackers and even malware.

As with similar software requiring training, you’ll go through a bit of annoyance after you install Little Snitch and restart your Mac, and then start running software for the first time with the app installed. But it quickly settles down, even if you use a variety of software. You’ll find many apps make an extraordinary number of different connections, like Adobe’s Creative Cloud manager. Others randomly check for updates, providing a Little Snitch warning when you’re not actively using the app, which can seem alarming.

Malware typically tries to phone home, making a connection back to a command-and-control center. In the event you’re infected by malware, Little Snitch should be an early-warning center, letting you know that a previously unknown app is trying to reach out to an IP address, oddly named domain (these are sometimes randomly generated by malware creators), or an unfamiliar domain.

Little Snitch 4: Digging in

Little Snitch offers information about a connection in a couple of ways. Click the eyeglasses on a prompt, and it brings up descriptive details about the app or service, if they exist. In version 4, Objective Development now lets other developers create bundles of information that Little Snitch can import, providing more detail straight from the horse’s mouth.

If you see a connection you don’t know what it’s about and there’s no information in Little Snitch, this is a likely one to block, and then figure out if your machine has been infected.

You can also hover near the eyeglasses, and click the … button that appears. This reveals highly technical details if you’re of that bent, like the IP address of the connection and whether the app or service involved has a code signature, meaning it’s been released by someone or some organization enrolled in Apple’s developer program.

IDG

Little Snitch also lets you set timing for the rule, which lets you minimize access to apps or services you may not fully trust to have unfettered access. While Forever is the default, holding down Shift toggles the menu choice to Once, and pressing Control toggles it to Until Quit. You can also select intervals from 15 minutes to 2 hours and Until Logout and Until Restart. In practice, I rarely use these options, as I don’t want to grant access at all to something that I don’t trust for more than 15 minutes or during a session. However, there may be software you don’t want to communicate in the foreground or background when it’s not in active use.

In the past, some software, like Microsoft Office, used local network probes to prevent multiple simultaneous copies running with the same license. That was a common use of Little Snitch, but it looks like most copies have switched to cloud-based licensed that requires a check-in to work.

IDG

If you’re interested in highly granular control of inbound and outbound connections, you can use Little Snitch’s Configuration app to create and refine rules. For most people, this will be overkill, but there’s a deep bottom to how much you can learn and tweak. The more particular and secure you want your network profile to be, the more options you can manipulate. This is true in preferences, too, which have a lot of fiddly settings that more advanced or secure users will want to look at.

One that might be useful, and isn’t in the default Deny/Allow popup, is Ask for Connection. There may be some apps or domains for which you don’t want to allow continuous or unmonitored access, but want to approve each time.

You can use the system menu to override global behavior. This includes silently allowing all connections or denying them, or halting Little Snitch’s filtering altogether. You may encounter software or a situation in which the firewall interferes with what you’re trying to do, or you might want to clamp down on all access without disconnecting from a network. The system menu bar icon also doubles as a network activity indicator.

Little Snitch 4: Monitor locally, observe globally

Little Snitch used to have a semi-useful Network Monitor window that operated separately from its configuration app that showed you a chart of inbound and outbound activity, what apps and system tools were in use, and provide some controls. This has been overhauled into something that’s vastly better at visualizing what’s going on and controlling actions. It’s a real control center if you need one.

The centerpiece is a global map, showing you effectively in real time all the recent and active connections from your system to the IP-derived or otherwise guessed locations of the endpoints around the world. It’s a little terrifying, and might cause you to flip some Allow switches to Deny. Don’t take it overseriously, though: many companies maintain data centers worldwide, and the “closest” path for a given resource could be somewhere far from you at any given moment. In other cases, software checks in with global endpoints, without sending substantive data. Skype seems to ping nodes around the world, but send literally on the order of bytes, not even kilobytes.

IDG

Click or select any of the processes in the list at left, and the network activity graph shows just traffic in and out over the last hour, the map shows where connections are or were in that period, and a summary sidebar at right shows all traffic, domains, and other information since Little Snitch was installed. You can reset those counters.

If you’re trying to see what’s happening on your local network, Little Snitch can identify broadcast traffic, which can be useful to track down misbehaving software (or perhaps misbehaving children). It doesn’t snoop on direct connections on the LAN, nor does it sniff within connections.

Bottom line

The latest version makes tracking and visualization easier while increasing the amount of information available about both familiar and unfamiliar network actions that macOS, background software, and apps are trying to take.

Little Snitch is the only security software that I recommend wholeheartedly to an entire range of users, from beginner to super sophisticated. It provides network—and privacy—protection while being easy to use and train, and it’s powerful enough for demanding users. Version 4 continues to build on that strong foundation.