Last week, a number of Mac users had trouble opening apps — a problem that seemed to be caused by an Apple security protocol responsible for checking that software comes from trusted sources. The slow-down prompted some to criticize Apple for collecting too much information about users’ activities; criticism which the company has now responded to with promises that it will change how these security protocols work in future.
Apple announced the changes via its support pages, adding a new “Privacy protections” section to a page entitled “Safely open apps on your Mac” (as spotted by iPhone in Canada). Apple says a service known as Gatekeeper “performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked.” It goes on to clarify how Apple currently uses the data, and outlines new safeguards that are being introduced over the next year.
Complaints about this verification process focused on a protocol known as the Online Certificate Status Protocol, or OCSP. This security feature checks that an app’s developer certificate hasn’t been revoked before the app is allowed to launch. The outage led to scrutiny of Apple’s practices, most notably by security researcher Jeffrey Paul.
In a blog post titled “Your Computer Isn’t Yours,” Paul claimed that this security process means Apple collects a hash of every program a Mac user runs, along with their IP address, over an unencrypted connection. The end result, wrote Paul, is that anyone using a modern version of macOS can’t do so without “a log of [their] activity being transmitted and stored.”
However, not everybody agreed with Paul’s analysis. One blog post by cybersecurity student Jacopo Jannone notes that the data sent to Apple’s OCSP server contains information that could identify an app’s developer but not the app itself. However, Paul argues that since many developers only publish a single app it wouldn’t be hard to infer which app someone is using from information about its developer.
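To make concrete what the two analyses above disagree about, here is an added example (not code from this article, from Apple, or from either researcher) that builds and decodes a minimal RFC 6960 OCSP request using only Python’s standard library. The issuer name, issuer key bytes and serial number are constructed placeholders rather than real Apple Developer ID certificate data, and real Gatekeeper traffic may carry extensions this example omits; the CertID structure shown is the part of any OCSP request that identifies the certificate being checked.

```python
"""Minimal RFC 6960 OCSP request builder and decoder, standard library only.

It shows what a certificate-status check of the kind Gatekeeper performs
actually carries in the request: a hash of the issuing CA's name, a hash
of the issuing CA's public key, and the serial number of the certificate
being checked. There is no field for a hash of the application binary.
All sample values below are constructed placeholders, not real Apple data.
"""
import hashlib

# OID 1.3.14.3.2.26 (id-sha1), the hash algorithm most OCSP clients use in CertID.
SHA1_OID = bytes.fromhex("2b0e03021a")


def der_len(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading zero byte keeps a high-bit value positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def build_ocsp_request(issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bytes:
    """Encode an unsigned OCSPRequest holding a single CertID (RFC 6960 section 4.1.1)."""
    algorithm = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))  # AlgorithmIdentifier: sha1, NULL
    cert_id = der(0x30, algorithm
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())   # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_public_key).digest())  # issuerKeyHash
                  + der_integer(serial))                                 # serialNumber
    request = der(0x30, cert_id)           # Request, no singleRequestExtensions
    request_list = der(0x30, request)      # SEQUENCE OF Request
    tbs_request = der(0x30, request_list)  # TBSRequest; version omitted means v1
    return der(0x30, tbs_request)          # OCSPRequest without optionalSignature


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_cert_id(ocsp_request: bytes) -> dict:
    """Descend OCSPRequest > TBSRequest > requestList > Request > CertID and return its fields."""
    node = ocsp_request
    for _ in range(5):
        tag, node, _ = _read_tlv(node, 0)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    _, algorithm, pos = _read_tlv(node, 0)
    _, name_hash, pos = _read_tlv(node, pos)
    _, key_hash, pos = _read_tlv(node, pos)
    _, serial, _ = _read_tlv(node, pos)
    _, oid, _ = _read_tlv(algorithm, 0)
    return {
        "hash_algorithm": "sha1" if oid == SHA1_OID else oid.hex(),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": int.from_bytes(serial, "big"),
    }


# Constructed sample issuer: a Name with a single CN, and placeholder public-key bytes.
SAMPLE_ISSUER_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                               + der(0x0C, b"Example Developer ID CA"))))
SAMPLE_ISSUER_KEY = bytes(range(32))
SAMPLE_SERIAL = 0x0123456789ABCDEF

if __name__ == "__main__":
    req = build_ocsp_request(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, SAMPLE_SERIAL)
    print(len(req), "bytes:", req.hex())
    for field, value in parse_cert_id(req).items():
        print(f"{field:18} {value}")
```

Decoding the request shows the point Jannone makes: the only fields are two hashes that identify the issuing CA (the same for every certificate that CA issued) and the serial number of the developer’s certificate. Nothing in the message names or hashes the application binary. Paul’s inference works one step away from the wire: whoever can map a serial number to a developer, and knows that developer ships only one app, can guess the app. When the request travels over plain HTTP, as the article says the certificate checks currently do, the same fields are visible to any network observer, which is why moving the check to an encrypted transport closes that exposure.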
In its updated support document, Apple makes clear that security checks it makes when authenticating software do not include a user’s Apple ID or device identity. The company also says it’s stopped logging IP addresses associated with the Developer ID certificate checks. “We have never combined data from these checks with information about Apple users or their devices,” writes the iPhone-maker. “We do not use data from these checks to learn what individual users are launching or running on their devices.”
However, something about these complaints does seem to have registered with Apple, as the company says it’s changing how it handles these checks in the future. Over the next year the company says it will roll out a new encrypted protocol for developer ID certificate checks while adding “strong protections against server failure” — that is, protections against the issues that stopped apps from opening last week. Finally, users will also be given the option of opting out of these security protections altogether, a change that seems designed to appease complaints like Paul’s.
Correction November 16th, 2:58PM ET: An earlier version of this story conflated Apple’s developer ID certificate check process with Apple’s notarization malware check process. Notarization checks are currently encrypted; certificate checks are not yet encrypted. We regret the error.