Apple Addresses Privacy Concerns Surrounding App Authentication in macOS

Following the release of macOS Big Sur on Thursday, Mac users began to experience issues with opening apps while connected to the internet. Apple's system status page attributed the situation to issues with its Developer ID notary service, with developer Jeff Johnson specifying that there were connection issues with Apple's OCSP server.

Shortly after, security researcher Jeffrey Paul shared a blog post titled "Your Computer Isn't Yours," in which he raised privacy and security concerns related to Macs "phoning home" to Apple's OCSP server. In short, Paul said that the OCSP traffic that macOS generates is not encrypted and could potentially be seen by ISPs or even the U.S. military.
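To make the "not encrypted" point concrete, the sketch below is an added example, not code from the article, Paul's post, or Apple. It builds a standard OCSP request (RFC 6960) from constructed values, encodes it the way a plain HTTP GET carries it, and decodes it again with no key material, as any on-path observer could. The host `ocsp.example.test` and every hash and serial value are made up for illustration.

```python
import base64
from urllib.parse import quote, unquote

def tlv(tag, body):
    """Encode one DER element (short-form length is enough for this sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, contents, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def first_sequence(buf):
    """Contents of the first SEQUENCE in buf, skipping optional tagged fields."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag == 0x30:
            return body
    raise ValueError("no SEQUENCE found")

def build_sample_url():
    """Constructed request: every value here is made up for illustration."""
    sha1 = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
    cert_id = tlv(0x30, sha1
                  + tlv(0x04, bytes(range(20)))                    # issuerNameHash
                  + tlv(0x04, bytes(range(20, 40)))                # issuerKeyHash
                  + tlv(0x02, bytes.fromhex("0123456789abcdef")))  # serialNumber
    der = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))
    return "http://ocsp.example.test/" + quote(base64.b64encode(der).decode(), safe="")

def observe(url):
    """Fields any on-path observer can decode from a plaintext OCSP GET URL."""
    body = base64.b64decode(unquote(url.rsplit("/", 1)[1]))
    for _ in range(5):  # OCSPRequest > TBSRequest > requestList > Request > CertID
        body = first_sequence(body)
    pos, fields = 0, []
    for _ in range(4):  # hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber
        _, value, pos = read_tlv(body, pos)
        fields.append(value.hex())
    return dict(zip(("hash_alg", "issuer_name_hash", "issuer_key_hash", "cert_serial"), fields))

if __name__ == "__main__":
    print(observe(build_sample_url()))
```

The decoded fields identify a certificate by its issuer and serial number, which is what a revocation check asks about.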

Apple has since responded to the matter by updating its "Safely open apps on your Mac" support document with new information, as noted by iPhoneinCanada. Here's the new "Privacy protections" section of the support document in full:

macOS has been designed to keep users and their data safe while respecting their privacy.

Gatekeeper performs online checks to verify if an app contains known malware and whether the developer's signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.

Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.

These security checks have never included the user's Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

Apple clarifies that user-specific data is not harvested during the security check and that it plans on removing all IP information from the logs. In addition, it plans on introducing several changes to the system over the next year, including:

  • a new encrypted protocol for Developer ID certificate revocation checks
  • strong protections against server failure
  • a new preference for users to opt out of these security protections

Some users have advocated blocking the traffic to Apple's authentication servers, but it appears that Apple will provide this option to end-users in the future as well.

Top Rated Comments

dracarysar
14 months ago
The larger issue here in my opinion is that Apple is bypassing firewalls and VPN apps and exposing your public IP. If you go to the trouble of using a VPN to hide your traffic, Apple shouldn’t be bypassing those measures and broadcasting unencrypted packets.

Although this particular traffic is relatively harmless, the very idea that they thought that was a good design decision is disturbing.
Score: 70 Votes
Kung gu
14 months ago
Good to see them addressing this and not keeping quiet!!
Score: 57 Votes
jjjlevin
14 months ago
I'm glad Apple is actually responding to this. I half expected them to ignore it.
Score: 45 Votes
DiscoToast
14 months ago
Still hella sketchy. I still trust Apple more than any other big tech company... but honestly not by much.
Score: 33 Votes
dracarysar
14 months ago

They didn't explain or acknowledge this at all.
Exactly, which is arguably worse because they are basically acting like that aspect wasn’t a big deal.
Score: 30 Votes
Bandaman
14 months ago

The larger issue here in my opinion is that Apple is bypassing firewalls and VPN apps and exposing your public IP. If you go to the trouble of using a VPN to hide your traffic, Apple shouldn’t be bypassing those measures and broadcasting unencrypted packets.

Although this particular traffic is relatively harmless, the very idea that they thought that was a good design decision is disturbing.
They didn't explain or acknowledge this at all.
Score: 26 Votes
