
planteater

Cancelled
Feb 11, 2020
892
1,681
In any kind of security scheme, there has to be a trusted party. If you care about software security, there has to be an agency that verifies signatures and synchronizes certificates. The question is, do you trust Apple to do this or not? If not, you shouldn’t use Apple products.

Apple is aggressively moving forwards with their security policies. Personally, I don’t have any problem with that. If I wanted to tinker I’d buy a Raspberry Pi.

By the way, I call BS on “every time you open an app macOS calls home”. More likely there is a local database that is checked first and only in some cases does the data get synchronized.
Two points.

Patrick Wardle identified the requests that get sent to Apple. It would be wise to take a moment to understand his credentials before challenging his findings. You might be humbled.

Your point about sending the application hashes is valid, until you consider that the traffic is not encrypted. At that point it falls apart and one has to wonder why it's not.
 

Akulareb

macrumors member
Apr 21, 2020
52
58
Two points.

Patrick Wardle identified the requests that get sent to Apple. It would be wise to take a moment to understand his credentials before challenging his findings. You might be humbled.

Your point about sending the application hashes is valid, until you consider that the traffic is not encrypted. At that point it falls apart and one has to wonder why it's not.
Exactly, why is the traffic not encrypted?

Continuing the conversation, you might not look at or read the whole article, but the core point is: why is all of that logged in the first place? Why is there a need for a handshake between Apple and non-Apple apps?

I love how hardware progresses year by year, but one has to think about how software progressively is crippling your freedom of user experience which ultimately will waste part of this whole technological advancement.
 
  • Like
Reactions: Jimmy James

leman

macrumors Core
Oct 14, 2008
19,521
19,677
Isn't that the whole point of the app store and making people jump through hoops to install apps from outside of it? If I've already got my apps from a supposedly secure source, why does Apple need to regularly reverify it before I can use the same app that was fine the last time they checked, and why do they need to log that information? This isn't me being snarky or facetious, I'm genuinely asking what the possible benefit to me as a user is?

Because this kind of security requires the ability to revoke certificates. A developer can have their certificate stolen, or malicious code injected into their app without their knowledge. These things have happened before. You need to be able to mark a previously trusted application as unsafe or your entire security system becomes a breeding ground for malware.
 

planteater

Cancelled
Feb 11, 2020
892
1,681
Because this kind of security requires the ability to revoke certificates. A developer can have their certificate stolen, or malicious code injected into their app without their knowledge. These things have happened before. You need to be able to mark a previously trusted application as unsafe or your entire security system becomes a breeding ground for malware.
Sure, all valid. BUT... why no encryption? That is the part that causes suspicion.
 

leman

macrumors Core
Oct 14, 2008
19,521
19,677
Patrick Wardle identified the requests that get sent to Apple. It would be wise to take a moment to understand his credentials before challenging his findings. You might be humbled.

I am not challenging the fact that Apple calls back to check certificates. I am questioning the claims that they call back every single time you open an application.

Your point about sending the application hashes is valid, until you consider that the traffic is not encrypted. At that point it falls apart and one has to wonder why it's not.

I have not seen any examples of what data Apple allegedly sends back. If it is just an occasional application hash or data to sync the certificate database, I don’t see a problem. If they are sending your personal information such as your hardware UUID, that’s a different thing.

Can you point me to an article or a source that discusses this in detail? The linked article contains very little factual information and reads to me like a Little Snitch ad.
 

leman

macrumors Core
Oct 14, 2008
19,521
19,677
Sure, all valid. BUT... why no encryption? That is the part that causes suspicion.

How would encryption help? Apple could still store all that data and sell it to the military. I suppose it could prevent a third party from accessing it. How much can a third party extract anyway?
 

venom600

macrumors 65816
Mar 23, 2003
1,310
1,169
Los Angeles, CA
Disgusting, I'm downloading Little Snitch to block this now. I was wondering why my laptop was freaking out yesterday and now I know. Even if I wasn't concerned about privacy, having that affect the user experience is downright annoying.

Did you read the article? Little Snitch can't protect you in Big Sur. By getting rid of Kernel Extensions and forcing them to use an API, they made it so that it can't check or block OS level calls.
 

planteater

Cancelled
Feb 11, 2020
892
1,681
How would encryption help? Apple could still store all that data and sell it to the military. I suppose it could prevent a third party from accessing it. How much can a third party extract anyway?
Yes, snooping by third parties listening on the connection. Apple has a valid use for it. The government has a legal right to access it. But anyone else listening in should not be seeing cleartext.

Perhaps this is getting blown out of proportion. But at the same time, I think Apple needs to do better to protect the communication of this data.
 

kjd2234

macrumors member
Nov 11, 2020
57
19
See my reply from another thread about this:

Checked the article real quick and it's full of lies, you should not take everything you read at face value.
Had a good laugh reading this, can't believe the author calls himself a "hacker and security researcher".

1. All Macs do this. It's not Apple Silicon exclusive.
2. This article makes it sound so dramatic.
3. Basically if you open an Application from the App store, Apple checks if it's signed correctly to see if it's not tampered with.
4. They're not logging Applications, they're sending digital certificates and basically responding with "OK"/"NOT OK".
5. The results get cached so a request is only made every 3 to 7 days per application, not "every time you open an app" like this article claims.
6. OCSP is an industry standard.


That's it, next story please.
Is this issue only for app-store apps?

I.e., apps installed using a .dmg are not tracked in this way?

Thanks!
 

bobmans

macrumors 6502a
Feb 7, 2020
598
1,751
Is this issue only for app-store apps?

I.e., apps installed using a .dmg are not tracked in this way?

Thanks!
Just checked and all applications' certificates are validated.
I tested with a random non-app store application before writing my post and saw that it didn't send a request so I (wrongly) assumed it was App store apps only, but my Mac had already cached the response so it didn't request it again.

This isn't tracking btw, it's validating the application's certificate to be sure it's not tampered with or that the certificate hasn't been revoked. If you're worried about the OCSP protocol then close your browser ASAP and disconnect your PC/Mac from the internet ASAP because the OCSP protocol is used basically everywhere.

I really don't get how someone that writes a whole article full of made up stuff about OCSP and tracking calls himself a "security researcher".
 
  • Like
Reactions: BigMcGuire
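
Much of the thread turns on what an OCSP request carries and what someone watching unencrypted traffic could read from it. The following is an added example, not code from any poster, the linked article or Apple: it builds a minimal RFC 6960 request and parses it the way an on-path observer could. The issuer name, key bytes and serial number are constructed values, and `build_request` and `observe` are hypothetical helper names.

```python
import hashlib

def tlv(tag, body):
    """Encode one DER TLV; short-form length is enough for this sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_request(issuer_name, issuer_key, serial):
    """Build a minimal unsigned OCSPRequest (RFC 6960) for one certificate."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))  # SHA-1 OID
    serial_der = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    cert_id = tlv(0x30, alg + tlv(0x04, hashlib.sha1(issuer_name).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + tlv(0x02, serial_der))
    # CertID -> Request -> requestList -> TBSRequest -> OCSPRequest
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def observe(request):
    """List the fields an on-path observer reads from a cleartext request."""
    tbs = children(read_tlv(request)[1])[0][1]
    # requestList is the first plain SEQUENCE; optional [0]/[1] fields precede it
    req_list = next(v for t, v in children(tbs) if t == 0x30)
    seen = []
    for _, req in children(req_list):
        alg, name_hash, key_hash, serial = children(children(req)[0][1])
        seen.append({"hash_alg_oid": children(alg[1])[0][1].hex(),
                     "issuer_name_hash": name_hash[1].hex(),
                     "issuer_key_hash": key_hash[1].hex(),
                     "serial": int.from_bytes(serial[1], "big")})
    return seen

# Constructed sample: made-up issuer name, key bytes and serial number.
SAMPLE = build_request(b"CN=Constructed Issuer CA", b"constructed-key", 0x1A2B3C4D5E6F7081)
```

The request names one certificate by issuer hashes and serial number; any account of the sender comes from the network connection that carries it, not from these fields.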

zakarhino

Contributor
Sep 13, 2014
2,611
6,963
Do you understand what a warrant is? Because if you do, you realize that what you just said is nonsense.

I don't think you understand what warrant-less surveillance is, or secret courts for that matter which print out bogus warrants without justification.
 

zakarhino

Contributor
Sep 13, 2014
2,611
6,963
ok but I will buy one anyway cause Windows is MUCH worse in terms of privacy and Linux yeah nah.

Windows is disgusting in more ways than just privacy lol. I've been thinking of getting another Windows PC for gaming but I'm gonna make sure to completely nerf all built in spyware beforehand LOL.

Linux is considerably more secure if you know what you're doing and many distributions these days come with easy to use security built right in. I agree Linux is hard to adopt if you're a layman but I guess it's gonna take more people switching and more investment into it for it to become a viable third alternative. I personally don't mind putting in the work to set up a distro I like and I don't mind sharing software I build with others to make it easier for them to do the same.

I think I read something recently that Linux is gaining market share at quite an impressive rate. I think it's currently around 80% Windows, 10% Mac and 5% Linux for desktop/laptop machines.
 

zakarhino

Contributor
Sep 13, 2014
2,611
6,963
also I think you should stop using the internet if u are worried about this

Why? If I know what my computer is doing and I have control over it, why would I be worried?

I wouldn't care as much about this story if:

a) I could turn this off
b) 3rd party firewalls worked the way they're supposed to, i.e., API calls that Apple thinks are important don't bypass the firewall

It's not about the fact that there's some form of certificate validation, it's that I don't have the power to turn it off and control it myself. Therefore, I don't really own my computer as ownership implies complete control in my opinion.
 

zakarhino

Contributor
Sep 13, 2014
2,611
6,963
You are going to keep the current ones though right :rolleyes:

Yes, I have what I consider to be an acceptable amount of control over my current computer and software so I don't have a problem with it. Since all new Macs ship with this software that has no control, I will not be buying new Macs. It's really not hard to understand.
 
  • Like
Reactions: venom600 and junkw

LeeW

macrumors 601
Feb 5, 2017
4,342
9,446
Over here
I have what I consider to be an acceptable amount of control over my current computer and software
You can't be sure of anything, you only know what the computer and software give you the option to control or someone eventually discovers what a piece of software is doing that you don't know about until it's too late.
 
  • Like
Reactions: BigMcGuire

zakarhino

Contributor
Sep 13, 2014
2,611
6,963
You can't be sure of anything, you only know what the computer and software give you the option to control or someone eventually discovers what a piece of software is doing that you don't know about until it's too late.

You're correct, there are unknown unknowns. In that case the choice is between Big Sur which I know for a fact does things that I don't like, my current Mac OS which as far as I know gives me a fair amount of control over everything I want control over, and finally Linux which I know for a fact does only what I tell it to do because almost everything is open source and customizable.

If it's between Big Sur and my current Mac OS, the choice is not hard at all.

My future setup will be a gaming PC with Windows that is stripped of most analytics BS (so long as it can run some games, I'm happy), my current Mac for work related applications that don't run on Linux, and a Linux machine for everything else (personal, work stuff that runs on it, etc.). If the current Mac conks out, I'll get a second hand Apple Silicon one and only use it for Mac specific applications (I won't even be logged into iCloud or anything else on it, it will only be used in exceptions).
 
  • Like
Reactions: w1z and LeeW

Runs For Fun

macrumors 65816
Nov 6, 2017
1,138
2,601
Windows is disgusting in more ways than just privacy lol. I've been thinking of getting another Windows PC for gaming but I'm gonna make sure to completely nerf all built in spyware beforehand LOL.

Linux is considerably more secure if you know what you're doing and many distributions these days come with easy to use security built right in. I agree Linux is hard to adopt if you're a layman but I guess it's gonna take more people switching and more investment into it for it to become a viable third alternative. I personally don't mind putting in the work to set up a distro I like and I don't mind sharing software I build with others to make it easier for them to do the same.

I think I read something recently that Linux is gaining market share at quite an impressive rate. I think it's currently around 80% Windows, 10% Mac and 5% Linux for desktop/laptop machines.
I use Linux as well as MacOS and it’s definitely a viable alternative for the right kind of person but certainly not everyone. I absolutely hate using Windows though.
 

venom600

macrumors 65816
Mar 23, 2003
1,310
1,169
Los Angeles, CA
You can't be sure of anything, you only know what the computer and software give you the option to control or someone eventually discovers what a piece of software is doing that you don't know about until it's too late.

So because you can't be 100% sure you shouldn't do anything? The beauty of Mac OS X was that so much of it was open source and community verified to be secure, and what you didn't like you could change. Apple slowly eroded that over time, but this is one step too far.

I don't trust Apple without verification, and you shouldn't either.
 
  • Like
Reactions: bklement

cosmichobo

macrumors 6502a
May 4, 2006
986
604
Why would Apple fight so hard to allow you to lock your iPhone in such a way that even law enforcement can't (at least, via Apple themselves) unlock it... only to then be this lax with your information? They took the stance on privacy quite hard, so seems odd they would now turn their backs on that?
 