

Following the release of macOS Big Sur on Thursday, Mac users began to experience issues with opening apps while connected to the internet. Apple's system status page attributed the situation to issues with its Developer ID notary service, with developer Jeff Johnson specifying that there were connection issues with Apple's OCSP server.


Shortly after, security researcher Jeffrey Paul shared a blog post titled "Your Computer Isn't Yours," in which he raised privacy and security concerns related to Macs "phoning home" to Apple's OCSP server. In short, Paul said that the OCSP traffic that macOS generates is not encrypted and could potentially be seen by ISPs or even the U.S. military.

Apple has since responded to the matter by updating its "Safely open apps on your Mac" support document with new information, as noted by iPhoneinCanada. Here's the new "Privacy protections" section of the support document in full:

Apple clarifies that user-specific data is not harvested during the security check and that it plans on removing all IP information from the logs. In addition, it plans on introducing several changes to the system over the next year, including:
  • a new encrypted protocol for Developer ID certificate revocation checks
  • strong protections against server failure
  • a new preference for users to opt out of these security protections
Some users have advocated blocking the traffic to Apple's authentication servers, but it appears that Apple will provide this option to end-users in the future as well.

Article Link: Apple Addresses Privacy Concerns Surrounding App Authentication in macOS
Apple. Always doing the right thing.

Except for the times that they don't, and someone discovers it.

Or under penalty of the law.
 
All you guys that are still unsure about Apple's privacy stance, one thing is for sure, the OTHER tech companies collect much more WAY more, if you are worried about this, then the amount of data Google, Microsoft and Facebook collect is beyond your belief.
Yawn. Apple does what they want until they get called out.

Other manufacturers don't advertise their "privacy" as a marketing tool.
 
This release/clarification has prevented me from returning my M1/16GB/1TB 13" MBP when it arrives Thursday. The IP logging was the dealbreaker when Rossman talked about it two days ago.
 
The larger issue here in my opinion is that Apple is bypassing firewalls and vpn apps and exposing your public ip. If you go to the trouble of using a vpn to hide your traffic apple shouldn’t be bypassing those measures and broadcasting unencrypted packets.

Although this particular traffic is relatively harmless, the very idea that they thought that was a good design decision is disturbing.
It depends on the VPN software. Mullvad just confirmed that Apple apps cannot bypass the PF-based firewall that their app uses to prevent leaking. This issue appears to only affect software that uses the content filter provider API.

 
Oh funny how Apple responds to this considering how many people were saying the article wasn’t accurate. Obviously there was some truth to it.
 
If you run Safari in private mode, do you think it’s completely private?
Nothing is completely private. Your reply has nothing to do with the lengths Google goes to mine your data ... including ignoring “privacy” toggles.
 


Honestly, out of every company available. I trust Apple the most. I know a lot about the company as a consumer as well as from a business standpoint. Apple is the only trustworthy company out there. I have faith they’re doing the right thing with our data, and I know how important privacy is. It’s at the “core” of apple.
 
Well.....unless the VPN app ends up being the malware... if malware ended up hijacking your networking and you didn't know, you would want the OS to still have a way to identify the malware. I'm sure that's probably the reason they did it that way.....
That's something that most people don't realise - your VPN receives _all_ the data coming from your computer or being sent to your computer and can decrypt or read all of it. VPN is only as secure as you trust it. So your VPN provider themselves could be crooked, or they could be leaned on or hacked by someone with enough resources.
 
I'm telling you, there are plenty of IP addresses where the distance is a lot more than 2 miles.
About ten percent of US IP addresses all have as their location a place about 100 meters from some farm in Kansas, I believe. Actually, the location is "100 meters from some farm in Kansas, with an error of +/- 3000 miles", but nobody reads the last bit. The owners have lots of fun because 10 percent of all criminals whose IP address is traced by the cops apparently live there, so they get lots of visits from police from all over the USA.
 
The larger issue here in my opinion is that Apple is bypassing firewalls and vpn apps and exposing your public ip. If you go to the trouble of using a vpn to hide your traffic apple shouldn’t be bypassing those measures and broadcasting unencrypted packets.

Although this particular traffic is relatively harmless, the very idea that they thought that was a good design decision is disturbing.

Your public IP address is public.

Firewall can only hide your internal IP address and VPN only encrypts the data not the public IP addressing information used to route the packet.
 
What permission should it ask for? Permission to check the app is signed with a genuine certificate?
An app can be signed to run locally without developer certificate and changing the id. How will they enforce this?
 
Quite frankly, yes.

"Mac OS would like to verify the Application "Little Snitch". To do this, Mac OS will send details of the Application to Apple."

"Cancel" "Verify" "Run without verification"

That wasn't hard. I'm sure the vast majority of people will choose verify.

They probably need to check several times a week. Would you like to get 1000 dialog boxes per year per application you launch regularly?

I would not be surprised I would get 10 000 dialog boxes a year depending on how often they check.
 
I want to thank all engineers and designers at Apple which under Steve Jobs' management are responsible for my exceptionally pleasurable 20+ computing years. For me Apple after Jobs is just a well hidden greed motivated machine. Clearly I don’t consider Apple to be worthy of legacy of their founder. There is no balance anymore. Personally I am not surprised at all. The last true Apple os was Mountain Lion, after which I have not trusted Mac OS X at all and the only reason to continue using it was a program called: Little Snitch. But I want to thank current management for their contribution in forcing me out of platform that has no ethical or business value for me anymore. I cannot trust my computer to work in critical business cases. I have voted with my money year after year, preached to my customers and friends thousands of Apple products and I don't regret it. Apple was exceptionally powerful combination for professional work with unbelievable hardware quality. But the real selling point was the software, the Mac OS X (Objective-C one). Yes, today's world is mobile first and this is normal, but some of us are working with this shiny called computers and idea of merging iOS, iPadOS and MacOS is clearly motivated by vertical business integration not by putting interests of the users first. Thankfully for me there is an alternative – Linux. Finally there is real business reason for companies that make graphic design software to consider Linux as a viable target. So long and thanks for all the fish, Apple :)
 
So what about VPN on iOS devices?! does the iOS bypass the VPN too?!

What certificate are they checking for if we are downloading apps from the internet and open source ones? If they want to check on anything they should check the apps in the App Store. Once it's in the App Store it's in the clean, no need to spy on me.

This is seriously sketchy, looks like what's on your iPhone doesn't stay on your iPhone after all.
 
  • a new preference for users to opt out of these security protection
Ok so I will wait to update until that comes along then.. won't want any hassle with old apps.
 
Sending IP addresses unencrypted? Apple directors need to be forced to take a computer security 101 course.

If that isn't sarcasm, someone else needs to take an IP networking course. ;)

Apple should totally use UDP packets with forged IPs. You know, to ensure privacy. ;)

Firewall can only hide your internal IP address and VPN only encrypts the data not the public IP addressing information used to route the packet.

A properly configured VPN will hide your (for example) home ISP public IP address. The public IP address of the VPN will be visible after packets leave that VPN, yes, but your public IP (from where you are to the VPN) should never be visible. That would sort of defeat one of the purposes of a VPN.
 
Nothing is completely private. Your reply has nothing to do with the lengths Google goes to mine your data ... including ignoring “privacy” toggles.

The main issue is that the privacy toggles are confusing to most people including yourself. If you turn off everything, you'd be OK. Of course Google goes to lengths to mine data. That's what their business revolves around. If you were a search engine and selling ads, you'd do the same thing.

There are certain things that people consider "private" but aren't really private such as your relative location thanks to GPS and IP.
 
The main issue is that the privacy toggles are confusing to most people including yourself. If you turn off everything, you'd be OK. Of course Google goes to lengths to mine data. That's what their business revolves around. If you were a search engine and selling ads, you'd do the same thing.

There are certain things that people consider "private" but aren't really private such as your relative location thanks to GPS and IP.
They're being sued for tracking the things you ask them not to track, such as location history. I understand the toggles perfectly and know what's going on with the privacy issues surrounding big tech. So please spare me.
 