Apple accused of new user surveillance after the Big Sur update

Last week, many Mac users had trouble opening applications. The cause appears to lie in Apple's security checks, which are responsible for verifying that software comes from a trusted source. The Mac slowdown prompted new criticism of Apple, this time for collecting too much information about user activity. Apple has responded to this criticism with a promise of changes, while keeping these security checks in place. So how much information does Apple actually receive from users? And why are some experts convinced that the macOS Big Sur update has radically changed the privacy picture?

Where did it all begin?

This story began on November 12, when a large number of Mac users reported failures when opening third-party applications. The problem extended to Apple's own services, such as iMessage and Apple Pay, which behaved erratically for a short time. It turned out that the cause was Gatekeeper, a security feature Apple introduced back in Mountain Lion, the ninth version of OS X, Apple's operating system for personal computers and servers.

In practice, if your Mac is connected to the Internet, Gatekeeper checks whether it is safe to run a given piece of software. Say you launch Photoshop: your computer contacts an Apple server to confirm that Adobe still holds a valid developer certificate. This process is normally fast and invisible to users. But the huge number of people updating to macOS Big Sur overloaded the system and slowed it down.

Researchers curious about the cause of the slowdown began analyzing the data their computers were sending to Apple's servers. They claimed that the operating system was sending Apple detailed information, in plain text, about what you used, when, and how. This, naturally, caused panic among users.

“Your computer is no longer yours”

In a blog post entitled “Your computer is not yours,” security researcher Jeffrey Paul wrote that Apple collects a hash (a unique identifier) of every program a Mac user runs, together with their IP address, over an unencrypted connection. The upshot, Paul wrote, is that anyone using the current version of macOS cannot do anything without “transmitting and storing a log of their activity”.

“In modern versions of macOS, you simply cannot turn on your computer, launch a text editor or an e-book reader, or write or read messages without a log of your actions being transmitted and stored,” said Jeffrey Paul.

Because macOS performs these checks over the network, the server necessarily sees your IP address and knows what time the request arrived, the security researcher points out.

“Apple knows when you're home, when you're at work, which applications you open and how often. They know when you open Premiere at a friend's house over their Wi-Fi, and they know when you open the Tor Browser at a hotel while traveling to another city.”

And it's not just about Apple. The information travels further, the researcher stresses, and that is the real problem. Here is why.

- OCSP requests are transmitted unencrypted.

- Since October 2012, Apple has been a partner in the U.S. military intelligence PRISM spying program, which gives U.S. federal police and military forces unhindered, warrantless access to this data when they ask for it. In the first half of 2019 this happened more than 18,000 times, and in the second half of 2019 another 17,500 times.

- These data add up to a vast amount of information about your life and habits, and allow whoever holds them to identify your movements and activity patterns. For some people this can even be a physical danger.

As Jeffrey Paul notes, until last week it was possible to block this data collection on a Mac with a program called Little Snitch. The released version of macOS 11.0, known as Big Sur, has new APIs that stop Little Snitch from working properly, namely from inspecting or blocking OS-level processes. In addition, the new rules in macOS 11 make it harder for VPNs to work, so that Apple's own applications simply bypass them.

Is it not that bad?

However, not everyone agreed with Jeffrey Paul's analysis. A blog post by Jacopo Yannone, a cyber security student, notes that the data sent to Apple's OCSP server contains information about the application's developer, not about the application itself. He adds that Apple's Gatekeeper service can send a hash of an executable, but does so separately from OCSP and over an encrypted connection. Apple's own support page notes that Gatekeeper uses an “encrypted connection resistant to server failures”.

How did Apple respond?

Apple was compelled to clarify how its Gatekeeper anti-malware platform works after security researchers suggested that the system compromises user privacy.

An Apple representative told the iPhone in Canada Blog that the company has updated its support documentation. The aim is to explain that the system does not track what its users do. At the same time, Apple said it will change how Gatekeeper works in the future to “minimize future risks”.

“Gatekeeper performs online checks to see whether an application contains known malware and whether the developer's signing certificate has been revoked,” Apple explains. “We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices,” the company said.

In addition, Apple states that “over the next year, we will introduce several changes to our security checks,” namely:

- a new encrypted protocol for Developer ID certificate revocation checks;
- strong protection against server failures;
- a new preference for users to opt out of these security protections.

Apple also gave the iPhone in Canada Blog additional technical details about the situation. Certificate revocation checks ensure that the Developer ID certificate used to sign an application has not been revoked by the company. This step is crucial for security: if a developer suspects that their certificate has been compromised by a third party or used to sign malicious applications, it can be revoked.

macOS uses the industry-standard Online Certificate Status Protocol (OCSP) to check that the Developer ID code-signing certificate issued to an application's developer has not been revoked. This OCSP request does not include the user's Apple ID and does not disclose the device or the application being launched.

The Online Certificate Status Protocol is an Internet protocol used to obtain the revocation status of an X.509 digital certificate. The protocol is specified in RFC 6960 and is one of the “Internet standards”.
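To make concrete what an OCSP request as described above actually carries, here is an added example (not code from the article, from Apple, or from either researcher) that builds and decodes a minimal unsigned OCSP request following RFC 6960 section 4.1.1 using only the Python standard library. The issuer name, issuer key and serial number are constructed placeholders, not Apple's Developer ID CA values, and SHA-1 as the CertID hash algorithm is an assumption.

```python
import hashlib

# Constructed placeholder issuer data: NOT Apple's real Developer ID CA name or key.
ISSUER_NAME = b"constructed-issuer-name-der"
ISSUER_KEY = b"constructed-issuer-subjectpublickeyinfo-der"
SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1 (1.3.14.3.2.26), assumed CertID hash

def _tlv(tag, body):
    """DER tag-length-value; short-form length below 128 bytes, long form otherwise."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(value):
    """Non-negative INTEGER; the spare byte keeps a set high bit from reading as a sign."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name, issuer_pubkey, serial):
    """CertID = hashAlgorithm + hash(issuer Name) + hash(issuer public key) + leaf serial.
    Nothing about the executable, the user or the device appears in the request."""
    alg = _tlv(0x30, _tlv(0x06, SHA1_OID) + _tlv(0x05, b""))      # AlgorithmIdentifier
    cert_id = _tlv(0x30, alg + _tlv(0x04, hashlib.sha1(issuer_name).digest())
                   + _tlv(0x04, hashlib.sha1(issuer_pubkey).digest()) + _der_int(serial))
    request_list = _tlv(0x30, _tlv(0x30, cert_id))   # SEQUENCE OF Request { reqCert }
    return _tlv(0x30, _tlv(0x30, request_list))      # OCSPRequest { TBSRequest { requestList } }

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_ocsp_request(der):
    """Decode the fields an on-path observer can read from the plaintext request
    (assumes no optional version/requestorName fields, as build_ocsp_request emits)."""
    body = der
    for _ in range(5):  # OCSPRequest > TBSRequest > requestList > Request > CertID
        _, body, _ = _read_tlv(body, 0)
    _, alg, p = _read_tlv(body, 0)
    _, name_hash, p = _read_tlv(body, p)
    _, key_hash, p = _read_tlv(body, p)
    _, serial, _ = _read_tlv(body, p)
    return {"hash_alg_oid": _read_tlv(alg, 0)[1].hex(), "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(), "serial": int.from_bytes(serial, "big")}

if __name__ == "__main__":
    print(parse_ocsp_request(build_ocsp_request(ISSUER_NAME, ISSUER_KEY, 0x1234567890)))
```

The decoded fields identify the issuing CA and the serial number of the developer's certificate, which is the basis for the distinction between "developer" and "application" drawn earlier on this page.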

Apple pointed out that, because OCSP is also used to check other certificates, including those that protect encrypted web connections, these requests are sent over plain HTTP, which is the “industry standard”.

HTTP is used to avoid a situation in which validating the certificate that protects the connection to the OCSP server would itself depend on a response from that same OCSP server. That would create a loop in which the request could never be resolved.

Apple states that in macOS Catalina and later, by default, every application that runs has been notarized by the company, meaning Apple has scanned it for known malware. When an application is launched, macOS checks whether Apple has flagged it as malicious since it was first notarized. These checks are made over an encrypted connection and are resilient to server failures. This is the check that was in the spotlight the other day, when users noticed their applications hanging and taking forever to launch.

What caused the problem with the OCSP server?

Apple says it was caused by a server-side misconfiguration that specifically prevented macOS from caching OCSP responses for Developer ID certificate checks. Combined with a misconfiguration of an unrelated Content Delivery Network (CDN), this is what caused the poor application launch performance.

Apple explained that it had already resolved this performance problem with a server-side update; macOS users do not need to do anything to benefit from it.

Notarization checks confirm that applications running on macOS have not been deemed malicious by Apple since they were first notarized. The company says these checks are made over an encrypted connection and are resilient to server failures. They were not affected by the server-side problem that caused OCSP requests to fail.
