Apple Addresses Privacy Concerns Surrounding App Authentication in macOS
Following the release of macOS Big Sur on Thursday, Mac users began to experience issues with opening apps while connected to the internet. Apple's system status page attributed the situation to issues with its Developer ID notary service, with developer Jeff Johnson specifying that there were connection issues with Apple's OCSP server.
Shortly after, security researcher Jeffrey Paul shared a blog post titled "Your Computer Isn't Yours," in which he raised privacy and security concerns related to Macs "phoning home" to Apple's OCSP server. In short, Paul said that the OCSP traffic that macOS generates is not encrypted and could potentially be seen by ISPs or even the U.S. military.
Apple has since responded to the matter by updating its "Safely open apps on your Mac" support document with new information, as noted by iPhoneinCanada. Here's the new "Privacy protections" section of the support document in full:
macOS has been designed to keep users and their data safe while respecting their privacy.
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer's signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.
These security checks have never included the user's Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
Apple clarifies that user-specific data is not harvested during the security check and that it plans on removing all IP information from the logs. In addition, it plans on introducing several changes to the system over the next year, including:
- a new encrypted protocol for Developer ID certificate revocation checks
- strong protections against server failure
- a new preference for users to opt out of these security protections
Some users have advocated blocking the traffic to Apple's authentication servers, but it appears that Apple will provide this option to end-users in the future as well.
Related Stories
Apple today seeded the sixth beta of an upcoming macOS Big Sur 11.3 update to developers for testing purposes, with the new beta coming one week after the launch of the fifth beta and more than a month after the release of macOS Big Sur 11.2, a bug fix update.
Developers can download the macOS Big Sur 11.3 beta using the Software Update mechanism in System Preferences after...
Alongside iOS 14.5.1 and watchOS 7.4.1, Apple today also released macOS Big Sur 11.3.1, which the company says "provides important security updates".
According to the full security notes for the release, it addresses a memory corruption issue and an integer overflow in WebKit that could both be exploited using maliciously crafted web content. Apple says it aware of a report that these issues ...
Apple today released macOS Big Sur 11.3, the third major update to the macOS Big Sur operating system that launched in November. macOS Big Sur 11.3 comes two months after the release of macOS Big Sur 11.2, a bug fix update.
The new macOS Big Sur 11.3 update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences.
macOS Big...
Apple today seeded the second beta of an upcoming macOS Big Sur 11.5 update to developers for testing purposes, with the new beta coming two weeks after the release of the first macOS Big Sur 11.5 beta.
Developers can download the macOS Big Sur 11.5 beta using the Software Update mechanism in System Preferences after installing the proper profile from the Apple...
Apple with iOS 14 introduced App Privacy labels for App Store apps, which are designed to let customers know details about the data that an app will collect about them before they make the decision to install an app.
Google is planning to follow in Apple's footsteps with the Play Store, introducing a new feature that will require developers to provide transparency into how apps are using...
Apple today seeded the RC version of an upcoming macOS Big Sur 11.3 update to developers for testing purposes, with the new beta coming one week after the launch of the eighth beta and more than two months after the release of macOS Big Sur 11.2, a bug fix update.
Developers can download the macOS Big Sur 11.3 beta using the Software Update mechanism in System Preferences after...
Apple today released macOS Big Sur 11.4, the fourth major update to the macOS Big Sur operating system that launched in November 2020. macOS Big Sur comes one month after the release of macOS Big Sur 11.3, an update that added M1 optimizations, AirTag integration, and more.
The new macOS Big Sur 11.4 update can be downloaded for free on all eligible Macs using the...
Google will soon make it harder for third-party apps to see what other apps are installed on a user's Android device, a policy change that evokes similar privacy protections Apple introduced in iOS 9, way back in 2015.
According to XDA-Developers, upcoming amendments to Google's Developer Program Policy will limit which apps can access an Android user's full list of installed apps. As noted...
Top Rated Comments
Although this particular traffic is relatively harmless, the very idea that they thought that was a good design decision is disturbing.