
Benz63amg

macrumors 601
Original poster
Oct 17, 2010
4,377
912
I just went ahead and disabled Gatekeeper entirely on macOS Catalina by running sudo spctl --master-disable in Terminal after reading yesterday's terrible news about how Apple tracks every single app that is launched at any given time and transmits data without the user's knowledge. Is disabling Gatekeeper with the Terminal command I mentioned above enough to stop this data collection from Apple happening on my Mac, or do I still need to add some sort of entry to the hosts file as well?

Also, in the firewall settings on the Mac, there are several Apple processes that I have allowed incoming connections for ever since I've been using my MacBook Pro. The processes are: sharingd, rapportd, netbiosd, mediasharingd, gamed, avconferenced. Should all of these have their incoming connections BLOCKED in the Apple firewall, or be left in the Allow list?

This is the article for anyone that missed it: https://9to5mac.com/2020/11/13/apple-server-outage-reveals-mac-privacy-concerns/
 

Consultant

macrumors G5
Jun 27, 2007
13,314
36
The article did not mention anything about Gatekeeper. Even the original article did not mention anything about Gatekeeper.

The article did say you can block the connections using Little Snitch with macOS before Big Sur. The Big Sur 11.0 release doesn't work with Little Snitch at this time.

But given Apple's better privacy record than competitors, Apple will likely do / say something about this issue.

EDIT: A developer at Panic mentioned it's a Gatekeeper issue, but resolved.

EDIT 2: Article with Apple response https://arstechnica.com/gadgets/202...ck-stokes-fears-apple-logs-every-app-you-run/
 


Benz63amg

macrumors 601
Original poster
Oct 17, 2010
4,377
912
Did you read the article from 9to5Mac? It says it's a Gatekeeper issue.
So you’re saying the only way to stop this privacy issue is to block the ocsp.apple.com address in the hosts file? Is there a logical reason for Apple to be receiving the data that it collects from every single app that is open?
 

IowaLynn

macrumors 68020
Feb 22, 2015
2,145
589
I'm thinking time to add a rule to router firewall.

I was disheartened, to say the least. Even a VPN is no help, Apple can bypass those as well... whatever did we get into here? Is this a "backdoor compromise" solution?

My first thought when I read how extensive the impact was and how many services were down was that it wasn't a server overload due to the Big Sur rollout - but apparently some requests were timing out and the default was draconian.

Not a few people. Given how widespread it is and the habit of updating and staying current, I can imagine enterprise users are affected - unless they have different rule sets or are locally controlled (Lockheed, NASA etc). Packets sent in the clear? Ouch.
 

theluggage

macrumors G3
Jul 29, 2011
8,011
8,444
I think that this is one of those cases where, if you have a bank account, use a credit card, browse the web or, heaven forfend, use a mobile phone then you have far more serious potential privacy breaches to worry about and should just stick your head back into the warm, comforting sand.

What is happening is that, when you open a "notarised" application (i.e. one that has been checked for malware by Apple) Gatekeeper sends a code identifying that certificate to an Apple server and receives a response as to whether that certificate is still valid (the "good" reason for which would be that the app had been found to contain malware).

As with any internet transaction* (unless you're paranoid and do everything through a VPN or similar) that means that the Apple server receives your IP address (which is potentially traceable). They also get the code identifying the app you are using. The 9to5 article then speculates that Apple could log all that info to a big database and do scary things with it. Which is true - but they don't have to store or process that info (and if they do then they're in danger of getting roasted by the EU and other non-US bits of the world where that would definitely need informed consent).

It's also true that your ISP or any black hat snooping on your connection could potentially intercept that connection. Just bear in mind that the same is true of every single website that you visit (even with HTTPS your ISP knows the IP address of you and the web server you are calling) - along with most "subscription" software (which will periodically check to see if you've paid) or many other copy-protection schemes.

...also, if Apple are using the basic OCSP protocol then an eavesdropper would also know which applications you were running - but it would be very easy for Apple to encrypt that ID (HTTPS would be over-kill). Unfortunately, it is clear from the sensationalist, click-baity nature of the article that the author isn't going to look too closely at anything that doesn't fit the story.

This isn't a non-issue: if nothing else, my Mac ground to a halt, with no explanation, when Apple had their server problems and I wasted an hour or so doing disc checks and scanning for malware. (That's a 2017 iMac running Mojave - the only Apple Silicon connection is that some of the tools used to block Gatekeeper won't work on Big Sur).

Apple need to release a statement, confirm whether the application IDs are sent unencrypted and confirm that they're not permanently logging these transactions. They also need to fix the timeout issues so that the next time their server goes slow it doesn't gum up everybody's Mac. However, it's worth getting it into perspective - and if you haven't previously been running Little Snitch or similar, nothing much has changed. Apple have already said that you'll be able to run macOS on ASi with the new kernel protections turned off - but the security risks of that probably outweigh the risk of using Gatekeeper (which is, above all else, a guard against malware).

If you're that seriously worried about privacy, you should probably be using a privacy-hardened Linux like Tails - not even one of the mainstream distros - rather than anything from Apple, Google or Microsoft.

(* If you run your own website with Apache etc. then by default it will log the IP address of every request it receives - when GDPR came in I had to go through every website I operate and explicitly turn that off).
 
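theluggage's description of Gatekeeper sending "a code identifying that certificate" matches the CertID structure of a standard OCSP request (RFC 6960). As an added illustration, not code from this thread or from Apple, here is a minimal encoder/decoder for that request body showing exactly which fields travel on the wire: a hash of the issuer's name, a hash of the issuer's public key, and the signing certificate's serial number. The issuer byte strings are constructed stand-ins for the real DER values.

```python
"""Minimal RFC 6960 OCSP request encoder/decoder (DER), using only hashlib."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # OID 1.3.14.3.2.26 (id-sha1)

def _len(n):
    # DER length: short form below 128, else 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(n):
    # Non-negative INTEGER; an extra 0x00 byte is added when the top bit is set
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def cert_id(issuer_name_der, issuer_key_der, serial):
    """CertID: hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber."""
    alg = _tlv(0x30, _tlv(0x06, SHA1_OID) + b"\x05\x00")  # sha1 with NULL params
    name_hash = hashlib.sha1(issuer_name_der).digest()
    key_hash = hashlib.sha1(issuer_key_der).digest()
    return _tlv(0x30, alg + _tlv(0x04, name_hash) + _tlv(0x04, key_hash) + _int(serial))

def ocsp_request(cid):
    """OCSPRequest -> TBSRequest -> requestList -> Request -> CertID (all SEQUENCEs)."""
    return _tlv(0x30, _tlv(0x30, _tlv(0x30, _tlv(0x30, cid))))

def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def parse_request(body):
    """Return what an on-path observer can read from an unencrypted request."""
    for _ in range(4):  # unwrap OCSPRequest, TBSRequest, requestList, Request
        _, body, _ = _read_tlv(body)
    _, cid, _ = _read_tlv(body)  # CertID contents
    fields, pos = [], 0
    while pos < len(cid):
        _, val, pos = _read_tlv(cid, pos)
        fields.append(val)
    return {"issuer_name_hash": fields[1].hex(), "issuer_key_hash": fields[2].hex(),
            "serial": int.from_bytes(fields[3], "big")}
```

Nothing in this structure names the application or its path; what a passive observer of plaintext OCSP learns is which signing certificate is in use, which is why the transport, not Gatekeeper's local policy check, is the privacy-relevant part.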

Benz63amg

macrumors 601
Original poster
Oct 17, 2010
4,377
912
Is Gatekeeper still fully functional if a connection to ocsp.apple.com is blocked in the hosts file? (Blocked for the sake of avoiding the issue of the Mac slowing down, just as happened on Thursday with Big Sur's release, and the "potential" unnecessary data collection.)
 

theluggage

macrumors G3
Jul 29, 2011
8,011
8,444

I'm just guessing (pending someone knowledgeable writing a non-sensationalised account) but I think that if Gatekeeper can't contact the server then the app opens as normal (if it's been signed by Apple or the user has allowed it) - this isn't about checking that the app has been notarised, it's an extra check that the notarisation hasn't been revoked. The problem on Thursday seemed to be that the server was visible & responding, but very, very slowly.

I'm not 100% sure about the "checking every time" thing, either: in my case, the whole mess started when I opened Logic for the first time in a week or so and it decided to re-validate all of the audio units (and also announced that new sounds were available). I think Apple just updated too much in one go and triggered a cascade of apps phoning home...
 

Benz63amg

macrumors 601
Original poster
Oct 17, 2010
4,377
912
There are several processes in the built-in firewall that are supposedly Apple processes that macOS uses to function properly, and they are the following:

netbiosd
rapportd
gamed
avconferenced
mediasharingd
sharingd

Do you guys ALLOW or DENY incoming connections to these processes within the built-in firewall in macOS?
 