Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Regarding the news yesterday that apps on macOS needs to phone home

brianmowrey

brianmowrey

macrumors 6502
Oct 5, 2020
419
133
romanof said:
So, lets say that some troll company decides that Firefox has blatantly used a patent for the movement of a mouse sideways to access the scroll bar and convinces some clueless judge of the horrible damage being caused by the theft. So a DMCA is issued to Apple requiring them to kill all usage of a product they have nothing do do with. See the problem here? Can't do that?
Click to expand...
That would require additional mechanisms besides the current ocsp/trustd. ocsp is only used for apps that Apple considers trusted. Untrusted and unsigned apps don't have to wait for ocsp check before opening.

I'm not sure what it would look like if Apple revoked an app, but I'm imagining you would have to then tell OS X you want to run it anyway, and from thereon, no trustd for that app. Or, you might have to reinstall the app to give it permission.

One day Mac OS might stop allowing unsigned apps, but I doubt it, as Apple has to use their own computers, and likely would not want to bind themselves to having to issue provisional certificates for every one of their in-house Mac apps.

Either way, only Apple-trusted apps live in the penalty box of having to check ocsp.
 
arn

arn

macrumors god
Staff member
Apr 9, 2001
16,391
5,831
Benz63amg

Benz63amg

macrumors 601
Oct 17, 2010
4,370
911
SpiritSoul1008 said:
Until there is more information, it’s probably the best we can do at the moment without introducing pi-holes and router VPNs.
Click to expand...
What would make you reverse the change that we made to the hosts file? would it be Apple coming out publicly addressing and saying that the data they collect from each and every app opened doesn’t contain user information?
 
brianmowrey

brianmowrey

macrumors 6502
Oct 5, 2020
419
133
arn said:
I believe this happened to a developer by mistake

A Day Without Business – Charlie Monroe

blog.charliemonroe.net blog.charliemonroe.net

https://twitter.com/i/web/status/1290570459113824256
Click to expand...
Ah, I forgot that the additional mechanism already exists - Apple's malware blacklist. That would certainly add enough burden to opening a given app that most users would not bother.

Now I kind of want to see the "judge orders Firefox taken down" scenario in real life just to see how Apple would react.
 
  • Like
Reactions: phalseHUD
arn

arn

macrumors god
Staff member
Apr 9, 2001
16,391
5,831
brianmowrey said:
Ah, I forgot that the additional mechanism already exists - Apple's malware blacklist. That would certainly add enough burden to opening a given app that most users would not bother.

Now I kind of want to see the "judge orders Firefox taken down" scenario in real life just to see how Apple would react.
Click to expand...

No it sounds like this was revoking this specific certificate.

Apple wrote this:
Earlier today, we successfully un-revoked your Developer ID certificate. Users who were affected by the initial revocation will have app functionality restored when their OCSP cache refreshes (typically within 2 hours).
Click to expand...

So it's not necessarily every launch. Looks like there's a cache.
 
arn

arn

macrumors god
Staff member
Apr 9, 2001
16,391
5,831
Benz63amg said:
What would make you reverse the change that we made to the hosts file? would it be Apple coming out publicly addressing and saying that the data they collect from each and every app opened doesn’t contain user information?
Click to expand...

What data would make you comfortable? It sounds like, from reports. this is the following information:

- IP Address
- Developer ID / Key (not necessarily app-specific)

arn
 
brianmowrey

brianmowrey

macrumors 6502
Oct 5, 2020
419
133
arn said:
No it sounds like this was revoking this specific certificate.

Apple wrote this:


So it's not necessarily every launch. Looks like there's a cache.
Click to expand...
Hmm, so rather than a blacklist, Mac OS flags as malware anything that claims to be signed but isn't. In that case Firefox or any other app can just release an unsigned version and users would have an easier time figuring out how to allow it in syspref.

As far as "their OCSP cache," I'm interpreting that Apple meant the server cache which will be on a different part of the 2-hour-ish update schedule in different regions.
 
arn

arn

macrumors god
Staff member
Apr 9, 2001
16,391
5,831
brianmowrey said:
Hmm, so rather than a blacklist, Mac OS flags as malware anything that claims to be signed but isn't. In that case Firefox or any other app can just release an unsigned version and users would have an easier time figuring out how to allow it in syspref.
Click to expand...

I mean in this specific case, they revoked a developer's certificate. They may have another blacklist, but the screenshot shows you what happens when a developer's cert doesn't pass validation.
 
  • Like
Reactions: brianmowrey
jido

jido

macrumors 6502
Oct 11, 2010
297
145
arn said:
What data would make you comfortable? It sounds like, from reports. this is the following information:

- IP Address
- Developer ID / Key (not necessarily app-specific)

arn
Click to expand...
The IP address is sent because it's a TCP request, which by (protocol) definition has a source and a destination address.

In other words it's no different from any TCP request you may make from your computer (like loading Google home or checking your e-mail etc).
 
  • Like
Reactions: BigMcGuire and arn
brianmowrey

brianmowrey

macrumors 6502
Oct 5, 2020
419
133
Benz63amg said:
I’m not sure I understand your post, that happened because you blocked the address in the hosts file?
Click to expand...
He was replying to me speculating about Apple revoking trusted apps. Settings on the users' Macs were not involved in any way.
 
  • Like
Reactions: arn
arn

arn

macrumors god
Staff member
Apr 9, 2001
16,391
5,831
jido said:
The IP address is sent because it's a TCP request, which by (protocol) definition has a source and a destination address.

In other words it's no different from any TCP request you may make from your computer (like loading Google home or checking your e-mail etc).
Click to expand...
Yeah I know. Was just being complete. It’s just how the internet works.
 
arn

arn

macrumors god
Staff member
Apr 9, 2001
16,391
5,831

A closer look

TL;DR​

  • No, macOS does not send Apple a hash of your apps each time you run them.
  • You should be aware that macOS might transmit some opaque information about the developer certificate of the apps you run. This information is sent out in clear text on your network.
  • You shouldn’t probably block ocsp.apple.com with Little Snitch or in your hosts file.
Click to expand...
And it does seem to cache it so not every launch.
 
  • Like
Reactions: BigMcGuire
jido

jido

macrumors 6502
Oct 11, 2010
297
145
Mmh, he says that the OCSP messages are not encrypted? Does he mean they are not sent using SSL?
 
Benz63amg

Benz63amg

macrumors 601
Oct 17, 2010
4,370
911
I just read the new FAQ that was added to the original Article by Jeffrey and it confirms that the thing needs to be blocked in the hosts file to prevent this tracking from happening and there is no other way to block that transmission,

It also seems that disabling Gatekeeper completely through Terminal does NOT stop the transmission of this data which is why the addition to the hosts file is the only way to stop it, Gatekeeper should be left fully enabled to keep it fully functional to prevent any potential malware affecting the Mac.

One thing that i dont know about as well is this, There are several Apple processes in the built in firewall that are supposdly Apple processes that MacOS uses to function properly and they are the following processes:

netbiosd,
rapportd,
gamed
avconferenced
mediasharingd
sharingd

Should incoming connections be BLOCKED to these services in the built in firewall in MacOS or is it fine to allow incoming connections to these services?
 
Last edited:
Xanderhoff

Xanderhoff

macrumors member
Apr 30, 2010
74
18
profdraper said:
Apparently no: macos 11 bypasses both VPN & Little snitch, amongst other things, see, eg:
Your Computer Isn't Yours & Developer ID certificate revocation.
Click to expand...
VPN usage in Catalina or previous macOS should still work, right? I am concerned with the unencrypted OCSP traffic being intercepted by third parties.

This should be covered more by the tech media, might force Apple to make a statement.

More discussion here - https://news.ycombinator.com/item?id=25095438
 
Last edited:
Benz63amg

Benz63amg

macrumors 601
Oct 17, 2010
4,370
911
There are several Apple processes in the built in firewall that are supposdly Apple processes that MacOS uses to function properly and they are the following processes:

netbiosd,
rapportd,
gamed
avconferenced
mediasharingd
sharingd

Do you guys ALLOW or DENY incoming connections to these processes within the built in firewall in MacOS?
 
brianmowrey

brianmowrey

macrumors 6502
Oct 5, 2020
419
133
arn said:
And it does seem to cache it so not every launch.
Click to expand...
Haha! This is the most I have over-credited Apple's ability to apply coherent rationality to security in a long time. Why bother introducing a potentially 3P-app-crippling Internet-based security check into OS X if it isn't going to ping the current server cache every open? SAAAAD....
 
tzm41

tzm41

macrumors 6502
Original poster
Jul 11, 2014
336
1,002
Sunnyvale
  • Like
Reactions: BigMcGuire
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom