Apple Addresses Privacy Concerns Surrounding App Authentication in macOS

[dracarysar]

This address was more regrading OSCP and servers and IP logging and opting out of such things

Yes, but the very same article that discovered this also pointed out that the OSCP traffic bypasses your firewall and vpn. Apple addressed the specific data that is being sent and was being stored, but did not address the intrusive way it’s being sent

 

[ani4ani]

All u guys that are still unsure about Apples privacy stance, one thing is for sure, the OTHER tech companies collect much more WAY more, if u are worried about this, then the amount of data Google, Microsoft and facebook collect is beyond ur belief.

I don’t believe you

 

[dracarysar]

I agree they are better than advertising companies, but if you haven’t requested the report about what apple collects and stores about you and your Apple ID then you should.

They store a lot more than you would think. They just don’t sell it to anyone who wants to pay.

 

[Puonti]

They likely did it to prevent a vpn or firewall from causing what happened the other day.

Still though, they should at least acknowledge and address it now that it’s been discovered. They didn’t even mention this aspect of the security researcher’s article.

They might see sidestepping VPNs as a different topic and address it separately, or they might fix it and address it with a patch note, depending on how they feel about it.

Or they might never address it publicly in any way because it might play a part in some long-term plan of theirs, the first steps of which are to ensure that their own traffic gets to where its going, uninterrupted short of real issues or some very determined network blocking, and they realize there's really no good explanation (yet) that doesn't involve revealing their long-term plans.

In the meanwhile we have the information we have, do with it what we can, and the rest is speculation.

 

[bobmans]

So they’re replacing an industry standard protocol like OCSP with a fully custom encrypted alternative and all the people who complained about OCSP sending unencrypted developer ID’s will now cheer this on. With OCSP you could literally see what they were sending and it was clear you didn’t need to worry about anything, with a custom alternative you won’t know anything.

At least you’ll be able to disable it I guess, although it’s not like 0.0.0.0 ocsp.apple.com didn’t exist.

 

[Dave-Z]

All u guys that are still unsure about Apples privacy stance, one thing is for sure, the OTHER tech companies collect much more WAY more, if u are worried about this, then the amount of data Google, Microsoft and facebook collect is beyond ur belief.

I took the time to read through Microsoft's documentation on data collection. I did it in several sessions because it was lengthy and boring.

I've also taken the time to read Apple's (equally boring).

I've also taken the time to proxy iPad and Windows to eavesdrop on their network activity.

My take away is as follows:

• Both companies collect a VAST amount of data. Seriously, a LOT.
• Microsoft documents WAY more about what it does than Apple. With some of Apple's products and/or services, I was unable to find any documentation.
• Apple claims to not associate much ("much" being the key word here) of the data with users. In many cases we have to take them at their word. (Keeping in mind (as their statement in this article attests) all network requests have an associated IP address which could easily be linked to one (or a handful) or users.)
• Microsoft confirms it associates data with users.
• Microsoft thoroughly documents how to disable analytics. (They have entire sections of their web site for this express purpose.) It is tedious, but doable.
• Apple only lets you disable some of the analytics. The rest you have to trust they're not associating with you.

At the end of the day, I trust absolutely no one. But using the Internet is already a compromise of one's privacy so you sort of just have to accept that. I think it's best if people have a balanced perspective and recognize that data is being collected by these companies and if you value privacy you need to do a lot of reading to understand what settings to turn on or off to minimize what data is transmitted.

 

[Krizoitz]

What they should do is more like old AntiVirus where Signatures ( or list ) are updated very frequently instead of having macOS phoning home on every App opening.

It doesn’t phone home on every App opening. It literally does not do that. If you are going to criticize Apple, fine, but at least be accurate about it.

 

[Kung gu]

I took the time to read through Microsoft's documentation on data collection. I did it in several sessions because it was lengthy and boring.

I've also taken the time to read Apple's (equally boring).

I've also taken the time to proxy iPad and Windows to eavesdrop on their network activity.

My take away is as follows:

• Both companies collect a VAST amount of data. Seriously, a LOT.
• Microsoft documents WAY more about what it does than Apple. With some of Apple's products and/or services, I was unable to find any documentation.
• Apple claims to not associate much ("much" being the key word here) of the data with users. In many cases we have to take them at their word. (Keeping in mind (as their statement in this article attests) all network requests have an associated IP address which could easily be linked to one (or a handful) or users.)
• Microsoft confirms it associates data with users.
• Microsoft thoroughly documents how to disable analytics. (They have entire sections of their web site for this express purpose.) It is tedious, but doable.
• Apple only lets you disable some of the analytics. The rest you have to trust they're not associating with you.

At the end of the day, I trust absolutely no one. But using the Internet is already a compromise of one's privacy so you sort of just have to accept that. I think it's best if people have a balanced perspective and recognize that data is being collected by these companies and if you value privacy you need to do a lot of reading to understand what settings to turn on or off to minimize what data is transmitted.

Windows 10 is much more a data miner, where is that in ur research. Ever wonder why they made windows 10 free.
Now u can use free version of windows 10 without the pc shutting down.

Win 8 and prior, the pc always shut down randomly when using a free trial version

 

[Kung gu]

Yes, but the very same article that discovered this also pointed out that the OSCP traffic bypasses your firewall and vpn. Apple addressed the specific data that is being sent and was being stored, but did not address the intrusive way it’s being sent

thats more of a big sur feature and not relating to OSCP

 

[mcbumbersnazzle]

All u guys that are still unsure about Apples privacy stance, one thing is for sure, the OTHER tech companies collect much more WAY more, if u are worried about this, then the amount of data Google, Microsoft and facebook collect is beyond ur belief.

Their approach can be disabled, have proper, SECURE transmission and reliable server that doesn't crash or hang their apps from opening lmao.

 

[Mr. Dee]

Does the vast majority of Mac users care about this though? Likely not, heck, there are users willing to give away their data to China using TikTok just to get likes. Checking if malware is in your apps and sharing data with your own government (especially if you have nothing to hide) should be the least of your problems.

I remember a cartoon of Angela Merkel being spied on by President Obama and Obama's response when she found out was 'Audacity of hope'. And I'm sure both Apple and President Obama are respected, but they both do/did things we might not agree with.

 

[mcbumbersnazzle]

Shout out to Craig Federighi for removing "Anywhere" option in MacOS Sierra in the first place and ignoring every developer, power users advice that forcing notarization check on all your apps, including your shell script would be a bad idea for it to come to this. You really shows how much you care about the Mac

 

[dracarysar]

They might see sidestepping VPNs as a different topic and address it separately, or they might fix it and address it with a patch note, depending on how they feel about it.
Or they might never address it publicly in any way because it might play a part in some long-term plan of theirs, the first steps of which are to ensure that their own traffic gets to where its going, uninterrupted short of real issues or some very determined network blocking, and they realize there's really no good explanation (yet) that doesn't involve revealing their long-term plans.

In the meanwhile we have the information we have, do with it what we can, and the rest is speculation.

Yeah, I was giving them the benefit of the doubt by speculating. Nonetheless, traffic being sent from your public ip when you are under the impression it’s being hidden is a major issue that needs to be addressed. Especially since you’re actively trying to hide all the traffic from your computer and this is being done without your knowledge or consent.

Giving them a pat on the back for addressing the less intrusive half of the issue is not a good solution. We have the information we have because that’s all they wanted to give us. Regardless of how or why it was implemented the way it was, silently leaking traffic from your public ip is not acceptable. They should be pushed to address this as well. If they plan to then they should tell us.

 

[Bokito]

Apple’s communication to the outside world has never been it’s greatest strength. But if you’re the biggest company in the world at some point you’ll have to learn how to communicate to the outside world about changes that potentially can lead to privacy or safety concerns.

 

[Dave-Z]

Windows 10 is much more a data miner, where is that in ur research.

I mean, it was literally the first bullet point:

Both companies collect a VAST amount of data. Seriously, a LOT.

I'm not going to get into a argument on the forums tonight. You do you and be happy. As I thoroughly said in my post, I took the time to research both iPadOS and Windows and found ways to minimize (not eliminate) data collection on both.

At this current moment in time with my devices, iPadOS reports more to Apple than Windows 10 does to Microsoft. (Because I researched, and took the time to adjust settings.)

Ever wonder why they made windows 10 free.

I never once wondered why. They recognize revenue potential of the future is in services and are pivoting to that (FWIW, Apple is doing this, too). Plus they have ads in the form of Start Menu app suggestions, etc. (which you can disable with a checkbox).

And Windows 10 is technically not free but, yeah, it does let you use it with some limitations without paying.

 

[Bandaman]

I mean, it was literally the first bullet point:



I'm not going to get into a argument on the forums tonight. You do you and be happy. As I thoroughly said in my post, I took the time to research both iPadOS and Windows and found ways to minimize (not eliminate) data collection on both.

At this current moment in time with my devices, iPadOS reports more to Apple than Windows 10 does to Microsoft. (Because I researched, and took the time to adjust settings.)



I never once wondered why. They recognize revenue potential of the future is in services and are pivoting to that (FWIW, Apple is doing this, too). Plus they have ads in the form of Start Menu app suggestions, etc. (which you can disable with a checkbox).

And Windows 10 is technically not free but, yeah, it does let you use it with some limitations without paying.

Windows 10 is absolutely not free, so I don't know why he said that.

 

[ipponrg]

All u guys that are still unsure about Apples privacy stance, one thing is for sure, the OTHER tech companies collect much more WAY more, if u are worried about this, then the amount of data Google, Microsoft and facebook collect is beyond ur belief.

Depends.

When I requested my data from Google and Apple, surprisingly Apple had more stuff on me. I meticulously have gone thru Google’s settings to turn off all sorts of tracking which is really the source of these problems ... user error.

 

[eulslix]

All u guys that are still unsure about Apples privacy stance, one thing is for sure, the OTHER tech companies collect much more WAY more, if u are worried about this, then the amount of data Google, Microsoft and facebook collect is beyond ur belief.

Classic case of whataboutism... that doesn’t make the issue go away, does it?

 

[HiRez]

So they say they "stopped" logging IP addresses, which implies they were logging them. I'm curious when this logging stopped, was it only after Apple got wind of this issue becoming public?

 

[Bandaman]

Depends.

When I requested my data from Google and Apple, surprisingly Apple had more stuff on me. I meticulously have gone thru Google’s settings to turn off all sorts of tracking which is really the source of these problems ... user error.

Google has had many lawsuits against them recently because they completely and utterly ignore any of the settings you choose, especially the ones that are turned "off". Another one they are being sued for is collecting data in Incognito Mode. So no, the source of the problems with Google aren't the settings ... it's Google.

 

[dracarysar]

Windows 10 is much more a data miner, where is that in ur research. Ever wonder why they made windows 10 free.
Now u can use free version of windows 10 without the pc shutting down.

Win 8 and prior, the pc always shut down randomly when using a free trial version

It’s literally right there, in his post you’re replying to, where he says both companies collect a vast amount of data. His point was not about who collects more or less data. His point was that Microsoft is a lot more transparent about what they collect and what they do with it.

Also, macOS used to not be free either. Even if you bought a Mac you had to pay for every new release. So you’re really not making any kind of case here.

You know, it’s ok to really like the products a company makes, but realize they are not your friend and you don’t have to blindly defend them. Every company, no matter how “cool” they are, makes questionable decisions. It’s not about one side vs the other. They are all out to make money, nothing more.

 

[Romey-Rome]

Yea? How about this gem from the same article?

In other news, Apple has quietly backdoored the end-to-end cryptography of iMessage. Presently, modern iOS will prompt you for your Apple ID during setup, and will automatically enable iCloud and iCloud Backup.

iCloud Backup is not end to end encrypted: it encrypts your device backup to Apple keys. Every device with iCloud Backup enabled (it’s on by default) backs up the complete iMessage history to Apple, along with the device’s iMessage secret keys, each night when plugged in. Apple can decrypt and read this information without ever touching the device. Even if you have iCloud and/or iCloud Backup disabled: it’s likely that whoever you’re iMessaging with does not, and that your conversation is being uploaded to Apple (and, via PRISM, freely available to the US military intelligence community, FBI, et al—with no warrant or probable cause).

 

[Dave-Z]

So they say they "stopped" logging IP addresses, which implies they were logging them. I'm curious when this logging stopped, was it only after Apple got wind of this issue becoming public?

I agree with you completely.

Just to provide some insight for people who may not be aware: nearly every web server software (Apache, Nginx, etc.) by default logs every request. Each entry includes date/time, IP address, URL path (everything after the domain name), query string (everything after the ? in the URL path). They also may log referrer (an associated address with the request), how the server handled the request (found, not found, not authorized, etc.), the size of the response, etc.

This is the default behavior. It's typically something a server admin would want because it helps identify problems (failed requests, hacking attempts, etc.). But it could be used to associate information with users.

 

[Serban55]

When this happen on windows side..nobody is saying nothing...

 

[dracarysar]

Yea? How about this gem from the same article?

Don’t bother, all your going to get is a response about how this was addressing OSCP. Everything else in that article is apparently irrelevant either because apple didn’t address it or it isn’t OSCP.