It seems to me that Apple put themselves in the position where they have to respond. Are there any lies, deceptions, exaggerations or misinformation in what you refer to as the "alarmist over the top opinion piece"? If so, set me straight.
For starters:

  • OCSP is only tangentially related to Gatekeeper.
  • An OCSP can, at best, track by developer, not by app. Granted, though, that's often the same (many will only have a single app from certain developers).
  • There is no "application hash".
  • Going from an IP address to "Computer, ISP, City, State" is quite a stretch. ISP, yes, obviously, but anything more fine-grained than that is unreliable.
  • The mention of PRISM is not only a huge stretch; it's also an argument why Apple wouldn't want to do it. Why collect data if they are then obliged to share it with a third party, when they can instead avoid collecting it in the first place?
That's not a response. A press release is a response and I bet you they won't release one so they would not have to go into full damage control mode.

Had we, including the security researchers and forums that brought these issues to light and reported on them, not stirred up the pot we would have had the current status quo 'quietly' imposed on us.
They had a server outage. It would've been nice to acknowledge that and apologize again, but it's more helpful to instead offer concrete mitigation steps for the future.
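The bullets above turn on what an OCSP request carries. As an added example (not part of the original post), this Python sketch builds and parses a minimal RFC 6960 `OCSPRequest` and lists the `CertID` fields it contains; the issuer bytes, the serial number and all helper names are constructed placeholders, not captured traffic.

```python
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # OID 1.3.14.3.2.26 (SHA-1)

def der(tag, body):
    """Encode one DER TLV; the sample only needs short-form lengths."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Decode the TLV at pos and return (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        k = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def build_request(issuer_name, issuer_key, serial):
    """Constructed sample: OCSPRequest > TBSRequest > requestList > Request > CertID."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))
    serial_der = der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    cert_id = der(0x30, alg + der(0x04, hashlib.sha1(issuer_name).digest())
                  + der(0x04, hashlib.sha1(issuer_key).digest()) + serial_der)
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def parse_cert_ids(request):
    """Return the CertID fields of every Request in an OCSPRequest."""
    tbs = children(read_tlv(request)[1])[0][1]
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    ids = []
    for _, single in children(request_list):
        _alg, name_h, key_h, serial = (v for _, v in children(children(single)[0][1]))
        ids.append({"issuerNameHash": name_h.hex(), "issuerKeyHash": key_h.hex(),
                    "serialNumber": int.from_bytes(serial, "big")})
    return ids

SAMPLE = build_request(b"constructed issuer DN", b"constructed issuer key", 0x1234ABCD)
```

The `CertID` is built only from the issuer's name, the issuer's key and the certificate serial number, so two requests about the same certificate are byte-identical regardless of which signed file prompted the check.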
 

(Apple Macs not included)
Tim Cook
 
I wonder why they were collecting and storing IP addresses in the first place, if as it seems this process can function perfectly well without them?
As someone said previously, it is simply the default setting of any Web server (in this case the Web server seems to be Apache).
Requests are logged in the Access Log with information such as source IP address, request parameters and response time. The Access Log is usually deleted after a few days.
 
Maybe we should go back to using computers that are not connected to the internet.

I use one machine that has nothing on it for the web.

The Mac I use to do important projects and work on never connects to the internet.

So no secret ports open that are spying on you or stealing your data.
 
What are they supposed to say? Yes, we’re spying on you?? What do you expect, people? Don’t be naive.
 
For starters:

  • OCSP is only tangentially related to Gatekeeper.
  • An OCSP can, at best, track by developer, not by app. Granted, though, that's often the same (many will only have a single app from certain developers).
  • There is no "application hash".
  • Going from an IP address to "Computer, ISP, City, State" is quite a stretch. ISP, yes, obviously, but anything more fine-grained than that is unreliable.
  • The mention of PRISM is not only a huge stretch; it's also an argument why Apple wouldn't want to do it. Why collect data if they are then obliged to share it with a third party, when they can instead avoid collecting it in the first place?

They had a server outage. It would've been nice to acknowledge that and apologize again, but it's more helpful to instead offer concrete mitigation steps for the future.
Well then, my mind is totally at ease. I guess we can all trust Apple 100%.
 
No, we can't.
That was my point. I don't think Apple's evil but I also don't think they are as open, honest and transparent as they'd like us to believe. Does that article overdo it? Maybe so, I don't have the tech knowledge to assess that. But to think Apple is innocent would be naive.
 
Who’s watching Apple to verify what they're saying is true? Didn’t Google start out saying do no harm etc.? Look where we are now. There must be consequences, immediately shut these companies down worldwide for a month at any privacy breach. It’s nice to hear the words but it would be great if they actually meant something. It’s always next year or next version of software and it never really gets done. How about we shut you down until you fix it? Maybe you won’t be so careless in the future.
 
"We do not use data from these checks to learn what individual users are launching or running on their devices"
Individual users, no, ok. What about anonymized users?
 
As someone said previously, it is simply the default setting of any Web server (in this case the Web server seems to be Apache).
Requests are logged in the Access Log with information such as source IP address, request parameters and response time. The Access Log is usually deleted after a few days.

Going by what they've said, it looks like it was logged in a database, not just general web server logs.

For starters:

  • OCSP is only tangentially related to Gatekeeper.
  • An OCSP can, at best, track by developer, not by app. Granted, though, that's often the same (many will only have a single app from certain developers).
  • There is no "application hash".
  • Going from an IP address to "Computer, ISP, City, State" is quite a stretch. ISP, yes, obviously, but anything more fine-grained than that is unreliable.
  • The mention of PRISM is not only a huge stretch; it's also an argument why Apple wouldn't want to do it. Why collect data if they are then obliged to share it with a third party, when they can instead avoid collecting it in the first place?

They had a server outage. It would've been nice to acknowledge that and apologize again, but it's more helpful to instead offer concrete mitigation steps for the future.

Sorry, but I've got to disagree with you on several of these points:

1. There is no application hash. Of course there is. You can create a hash of any file you like. They are obviously sending some kind of hash to verify the app.

2. Going from an IP address to "Computer, ISP" etc is quite a stretch. Not at all. I ran a free online IP geolocation tool on my IP address. The specified coordinates are about 2 miles from my actual location. That's the city/state nailed. Even suburb is pretty reliable. They can probably (if they wanted to, or if law enforcement needed to) identify this even further by cross-referencing it with, for example, logs from Find My Mac, logs from Apple Maps or external sources. An example: Law enforcement wants to identify someone who ran App.X. Apple logged that App.X was run by a computer on 123.123.123.123 at a particular date and time. Law enforcement then contacts the ISP and asks "who had this IP at this time?".

As far as I'm concerned, this is now blocked at network level here. Apple say that they're privacy oriented, but they're the same as everyone else in reality.
 
The fact of the matter is there was no need for Apple to have such a system in the first place. Stop finding hidden ways to get users' information. There is no need for information to be immediately sent back to Apple's servers when you power on your MacBook. What with the issue of allowing advertisers to track your actions and movements and now this, regardless of the fact that Apple is addressing the issues, it shows that Apple is no different to everyone else: they find hidden ways to track you and get your data whilst flying the flag of 'we respect customers' privacy', yeah right!!
 
There must be consequences, immediately shut these companies down worldwide for a month at any privacy breach.

How would that even work? Co-ordinated legislation would have to be passed by governments around the planet, and even if those laws were somehow passed, those countries would then have to agree that the thresholds have been met in order to trigger enforcement. This would be an alignment effort between nations not seen since the second world war.

Even assuming any of that is possible, how does shutting down these companies work in practice when manufacturing, retail, R&D, HR, and customer support are all strewn across different offices worldwide? Does every country send its police force in to close them down? What happens if they don't close down? Who gets arrested, the local office manager or the CEO of the company?

Think this idea needs refinement.
 
What permission should it ask for? Permission to check the app is signed with a genuine certificate?
Quite frankly, yes.

"Mac OS would like to verify the Application "Little Snitch". To do this, Mac OS will send details of the Application to Apple."

"Cancel" "Verify" "Run without verification"

That wasn't hard. I'm sure the vast majority of people will choose verify.
 
Quite frankly, yes.

"Mac OS would like to verify the Application "Little Snitch". To do this, Mac OS will send details of the Application to Apple."

"Cancel" "Verify" "Run without verification"

That wasn't hard. I'm sure the vast majority of people will choose verify.
Vast majority of people will look for a way to disable the notification, because it will happen regularly (certificate revocation needs to be checked often). Maybe click the "Don't alert me next time" checkbox... Combined with "Run without verification", would ensure the app is not protected from tampering.

I don't read that they are storing IP addresses in any kind of database from their statement. I may be wearing pink-coloured glasses, don't know o_O
 
Has anyone seen any recent comment from the Little Snitch devs on this? Was trying to read about their stance on their app not working as it should (or, maybe it does, it seems like the think piece wasn't sure if the shipping version of Big Sur or an update to Little Snitch wouldn't resolve the "issue".)
 