What you need to know
- A big server outage rendered many Macs unusable earlier this week.
- A new report says that the problem has raised big privacy concerns regarding macOS.
- A new article from Jeffrey Paul has highlighted concern about unique identifiers used when running apps.
Update, November 16 (5:45 am ET): Apple has issued an update on these concerns, and promised a new encrypted protocol next year.
An Apple server outage earlier this week has raised big privacy questions about macOS, according to a new report.
Jeffrey Paul, writing Thursday, notes:
On modern versions of macOS, you simply can't power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.
It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run when you run it. Lots of people didn't realize this, because it's silent and invisible and it fails instantly and gracefully when you're offline, but today the server got really slow and it didn't hit the fail-fast code path, and everyone's apps failed to open if they were connected to the internet.
Paul claims that because these identifiers use the internet, the server can see your IP address, as well as the time the request came in:
An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings:
Date, Time, Computer, ISP, City, State, Application Hash
The upshot of this, Paul says, is that Apple knows quite a lot about you:
This means that Apple knows when you're at home. When you're at work. What apps you open there, and how often. They know when you open Premiere over at a friend's house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.
Paul also claims that the requests are transmitted unencrypted, meaning "everyone who can see the network can see these", including ISPs.
Paul further notes that the issue is more problematic with the release of macOS Big Sur, which prevents workaround apps like Little Snitch from blocking these processes. Paul did suggest that it might be possible to modify Apple silicon Macs to prevent this, but that he would need to test it out in person.
In an FAQ update to the piece, Paul stated the problem had nothing to do with Apple's analytics and was more to do with Apple's anti-malware/piracy efforts, and that there was "no user setting in the OS to disable this behaviour."
Paul also claims the problem has been "happening silently" for at least a year, since macOS Catalina in October 2019.
Update, November 16 (5:45 am ET) — Apple has addressed concerns raised.
Regarding concerns raised in the initial report, Apple has confirmed to iMore that the certificate revocation checks used in this system are important for security, as a certificate can be revoked if a developer thinks it has been compromised or used to sign potentially harmful software.
Apple states that the Online Certificate Status Protocol (OCSP) is an industry standard and that it doesn't contain either your Apple ID, the identity of your device, or the app being launched, putting to bed claims that the issue meant Apple could see who you were and what apps you were opening at any given time.
Apple says that OCSP is also used to check other certificates like those used to encrypt web connections, so they are done over HTTP to prevent an infinite loop (no pun intended) where checking if a certificate is valid might depend on the result of a request to the same server, which it wouldn't be able to resolve.
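As an added illustration (not from Apple, Jeffrey Paul, or the original article): RFC 6960 defines an OCSP request as carrying a CertID, which is a hash algorithm, hashes of the issuer's name and key, and the certificate's serial number. The Python sketch below builds such a request from constructed sample values and decodes it, including the base64 path form used for HTTP GET, to show which fields are readable when the check travels over plain HTTP. All function names and sample values are assumptions made for the example.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")  # SEQUENCE { OID sha1, NULL }

def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80  # short-form DER length only; enough for this sample
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER element; return (tag, body, next_pos)."""
    tag, length = buf[pos:pos + 2]  # ValueError if fewer than two bytes remain
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def build_request(issuer_name: bytes, issuer_key: bytes, serial: int) -> bytes:
    """Minimal OCSPRequest: one CertID, no version, requestor or extensions."""
    cert_id = tlv(0x30, SHA1_ALGID
                  + tlv(0x04, hashlib.sha1(issuer_name).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big")))
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))

def parse_request(der: bytes) -> dict:
    """Return the CertID fields of the first Request in an OCSPRequest."""
    _, tbs, _ = read_tlv(read_tlv(der)[1])
    tag, req_list, pos = read_tlv(tbs)
    while tag in (0xA0, 0xA1):  # skip optional version / requestorName
        tag, req_list, pos = read_tlv(tbs, pos)
    _, cert_id, _ = read_tlv(read_tlv(req_list)[1])
    _, alg, p = read_tlv(cert_id)
    _, name_hash, p = read_tlv(cert_id, p)
    _, key_hash, p = read_tlv(cert_id, p)
    _, serial, _ = read_tlv(cert_id, p)
    return {"hash_alg_oid": read_tlv(alg)[1].hex(), "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(), "serial": int.from_bytes(serial, "big")}

def parse_get_segment(segment: str) -> dict:
    """Decode the URL-escaped base64 path segment of an HTTP GET OCSP request."""
    return parse_request(base64.b64decode(unquote(segment)))

# Constructed sample values, not taken from any real certificate.
SAMPLE = build_request(b"constructed issuer DN", b"constructed issuer key", 0x0A1B2C3D4E5F)
SEGMENT = quote(base64.b64encode(SAMPLE).decode(), safe="")
```

The decoded fields identify a certificate and its issuer; the request structure built here has no field for a user account or device identifier.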
Separately, all apps running on macOS Catalina and later are notarized by Apple to confirm they don't contain malicious software when they're created, and the app is checked again each time it is opened to confirm that this hasn't changed in the meantime. Apple says these checks are encrypted, and not vulnerable to server failures.
Regarding last week's specific outage, it appears this was caused by a server-side issue preventing macOS from being able to cache the response to the OCSP checks, combined with an unrelated CDN issue, which was causing the slow performance and hangs many users saw last week. Apple says this has been fixed, and that users don't need to make any changes at their end. App notarization checks (the encrypted kind mentioned above) were not affected by the outage last week.
Regardless, Apple will introduce a new encrypted protocol for the former Developer ID checks in the next year, as well as increasing server resiliency and, finally, adding an opt-out option for users.