Follow Mark on LinkedIn Follow @marknca on Twitter Follow marknca on GitHub Follow marknca on YouTube

imgs/hero.jpg

Is Apple Tracking The Apps You Use?

Published 2020-Nov-16 |An icon depicting a retail tag with a heart for 'favourite'PrivacyAppleSecurity

Watch the episode on YouTube

Apple recently launched macOS Big Sur and a security researcher’s post vent viral highlighting a steady stream of communications that “phone home” detailing what apps you’re using on your system. What’s going on here?

Is privacy promoting Apple actually spying on every app running on every macOS system around the world? Or is something much less sinister going on…something that might even help us?

Index

References

Transcript

[00:00:00]: Is Apple spying on you via the brand new macOS Big Sur? Are they tracking every single app that you open? If so, why? How?

[00:00:11]: Last week, Apple released the latest version of macOS Big Sur. This latest update to the operating system brings a number of improvements and changes. And, as always, it's a free update for supported Macs, which basically means anything from late 2013 onward. MacOS updates are typically evolutionary, and not revolutionary. And they're almost always very smooth affairs. Now, Big Sur broke this norm on both fronts. It incorporates a number of visual changes, bringing it much closer to iOS and iPod OS, and it also enables the use of apps from those operating systems via the new Apple M1-based systems. Oh, and the rollout did not at all go smoothly. In fact, the problems associated with the launch rippled out and impacted users of older versions of macOS as well. So, what happened, and why are people up in arms about it?

[00:01:04]: On launch day, beyond the typical slowdown in download speeds from the Apple update servers, we saw a host of outages and slowdowns across multiple Apple services. The update servers themselves, iMessage, Apple Pay, Apple TV, and other services reported issues. Now, thankfully, only for a few minutes, but long enough that a lot of people noticed. And when people notice a major outage with Apple, there's always a few outside of Apple that will dig in to see what's going on. And that brings us to this blog post written by security researcher, Jeffrey Paul, a post that has been discussed and shared a lot on social media and has some people questioning whether or not Apple actually lives by their privacy claims.

[00:01:46]: Now, in their post, Jeffrey breaks down the issue and provides some valuable insights. Unfortunately, it's wrapped in a bunch of very strong opinions that muddle the issue. And it's not even that I necessarily disagree with Jeffrey's opinions, but they definitely aren't helpful when we're trying to figure out what's actually going on.

[00:02:05]: So, what is happening here? Well, the outage and the slowdown for all the services tie back to one service that Apple runs. This is a service that lives at the domain ocsp.apple.com. It's part of a feature in macOS called Gatekeeper. Now, Gatekeeper is designed to help prevent malware from running on your system. It does this by checking to see if every app that you run is signed by a known developer. Gatekeeper isn't new. It's been around for years. You've probably seen that macOS dialogue that pops up and says, "This program can't be opened because it's from an unidentified developer." That's Gatekeeper. And, yes, for the record, you can override its decision to stop that file from running and continue along in your day.

[00:02:51]: But the concept behind Gatekeeper is very simple. When a developer is ready to publish their app, whether that's through the App Store or directly on the web, they go through [00:03:00]: a process called notarization. That creates a ticket that Gatekeeper can use to verify that the application you're trying to run is the one that the developer intended. This is where our story circles back to that mysterious domain, ocsp.apple.com. This is the endpoint that macOS's Gatekeeper and other services use to check these tickets for applications. And the OCSP stands for Online Certificate Status Protocol, which gives us a bit of a hint as to what's going on behind the scenes in the system.

[00:03:30]: Now, when you run an application in macOS, Gatekeeper checks that identifier against a known set of tickets in the central repository. That is simplifying it a lot. There's a huge amount of stuff that's going on behind the scenes to account for different versions, um, patches, and things like that. But at the end of the day, Gatekeeper is basically saying, "Someone's trying to run this. Is it okay?" And then, the central Apple-run service replies, "Yeah, sure," or, "No." Now, that's the simple version. And as we well know by now, nothing is ever just that simple. Wish it was. But for years, Apple has been tightening control over what apps can run where. iOS and iPad OS are platforms where you essentially have to distribute your software through Apple. Technically, you can go around them, but it's really complicated for the developer and absurdly tricky and difficult for the user. It's essentially impossible.

[00:04:22]: Now, the growing concern with macOS is that Apple is tightening control here too, compared to the good old days when you could run whatever you wanted on your system. Now, to be fair, that was amazing in some ways. But also, sticking on the side of fair, those systems of yesteryear were not connected to the internet 24/7, where there's an army of cybercriminals and bots constantly trying to gain access and compromise your system. From that perspective, Gatekeeper as a core system service is a massive step forward [laughs] for security.

[00:04:53]: But what about privacy? If we refer back to Jeffrey's post, there's a direct accusation that this system sends Apple your location and what app you're running. Furthermore, they say that because this is an unencrypted request, they're blasting that information to anyone else on your network, and also to a third-party provider that Apple uses named Akamai. Now, what's actually happening under the covers is that Gatekeeper sends one unencrypted web request to ocsp.apple.com with the signature of the application that you're trying to run as the sole data point. The location and date-time data that Jeffrey refers to is present in any and all internet requests. It's a core part of how commu-, the communication protocol that runs the internet works, and there's no getting around it. There are situations where this itself can be dangerous to you; but if that's the type of threat model you're dealing with, it's probably time to get offline.

[00:05:47]: Now, despite the hyperbole, there is a legitimate question here that Apple should answer. Because taken in the aggregate, you could actually create a picture of someone's computing habits using this small amount of data. The question for Apple is simple, are the requests to ocsp.apple.com logged? And if so, is that information combined with other data? And how long is any of it stored? Now, I searched around for a while and could not find any official statement from Apple on how these logs, if they exist, are handled. Previous requests by others to Apple for their personal data have not shown any indication that this data is stored. Now, that strongly implies that this data is at least not correlated to specific users, as Apple would've been legally required to disclose it, as that's part of the law in some jurisdictions.

[00:06:34]: Now, the logs, again if they exist, could still be stored separately and vulnerable to a legal request based on a target's IP address. But what risk would that pose to your privacy? Well, by default, less exposure is better when it comes to privacy. But if your threat model includes a law enforcement request to Apple, there's significantly more interesting infor-, and revealing data available in your iCloud account. In addition to being an excellent set of services for users, iCloud is actually Apple's compromise for lawful access requests for data. Data on your device is extremely difficult to access without your passcode, touch ID, or face ID. Now, some data in your iCloud account, and there's a lot of it there, is accessible by Apple when legally required. This data poses a much greater risk to your privacy.

[00:07:22]: Now, let's circle back to Gatekeeper and its requests that have raised such a fuss this week. Apple could improve the system by using encrypted requests. This would remove what application you're trying to access from the communications visible over the network, but not remove that data from any logs that Apple retains. This would have an impact on the performance of the Gatekeeper check, but most of that would be on Apple, not on the end user.

[00:07:46]: Now, some more risk-adverse users would also like to be able to block the Gatekeeper checks. In the new version of macOS Big Sur, Apple has actually moved these requests to a list that prevents users from blocking them at all. On the whole though, that's a good security move for the general population of macOS users. Having a strong security feature like Gatekeeper on by default and then making that feature more robust, means that macOS is gonna be harder to attack and less attractive to cybercriminals.

[00:08:17]: Now, don't get me wrong. I totally get the knee-jerk reaction from when this information first came out. For most people, this is the first time they've ever heard of Gatekeeper; and upon hearing that Apple could maybe potentially see every app that you're running, that feels like a huge violation of your privacy. But, you know, as we dug into this issue, we start to see the truth of the matter. Yes, there was a momentary operational issue for Apple last week related to the system; and that's not okay, but it happens. Reality is, Gatekeeper has been running on millions of Macs for years with little to no issues and almost no risk to anyone or their privacy. In my books, that's a fantastic security system that works hard to help keep us all just a little bit safer.