Security warning: Macs ‘call home’ unencrypted to notarise apps
Apple has notarised all apps since macOS Catalina. This means the company checks that the app isn’t executing any malicious code. It’s an important process, but can sometimes cause problems.
On Friday night, some servers at Apple went on strike and made the update to macOS Big Sur difficult. The OCSP server in particular caused problems – that’s the one responsible for the Online Certificate Stature Protocol, which notarises apps and thus establishes their legitimacy. As a result, some applications would no longer start while the Mac was connected to the internet.
The security researcher Jeffrey Paul took this as an opportunity to point out that the Mac sometimes “calls home” unencrypted, meaning providers and even the military could read the traffic between the notarisation office and the Mac.
The unencrypted logs that a computer sends to the notarisation server include the date and time of the connection, the IP address, the type of device and a hash (checksum) of the apps checked. Even this rudimentary data, when combined, allows all kinds of conclusions to be drawn about the individual user and his or her habits.
With the IP address, for example, you can more or less precisely guess the location; with the checksums of the programs you can determine with a little effort what exactly the user is opening on his Mac.
Jeffrey Paul’s claim that Apple sends app hashes to its own servers, however, provoked a response from the University of Milan’s Jacopo Jannone, who commented in his blog that Paul’s analysis “isn’t quite accurate”. He intercepted the data on the OCSP server when Firefox was started using Little Snitch and took a closer look at it: although hash information is transmitted, it cannot be used to identify the app, but rather the developer certificates that belong to the app. These certificates do not always indicate a specific app in use; a developer can use the certificate multiple times.
In its support document Safely open apps on your Mac, Apple has now made it clear that the Apple ID or the identity of the device would never have been transferred. However, the company has now stopped logging the IP addresses belonging to the developer certificates; as old logs, this data will now also be deleted.
Apple also promises that in the future the apps will be checked against the notarisation server in encrypted form and that such a connection will be secured against server failures. In the future, Apple also wants to offer users an option in the system settings to deactivate notarisation check completely.
Read our Mac security tips for more general advice.
This article originally appeared on Macwelt. Translation by David Price.