Apple responds to privacy concerns over Mac software security process



Last week, a number of Mac users had trouble opening apps — a problem that seemed to be caused by an Apple security protocol responsible for checking that software comes from trusted sources. The slow-down prompted some to criticize Apple for collecting too much information about users’ activities; criticism which the company has now responded to with promises that it will change how these security protocols work in future.

Apple announced the changes via its support pages, adding a new “Privacy protections” section to a page entitled “Safely open apps on your Mac” (as spotted by iPhone in Canada). Apple says a service known as Gatekeeper “performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked.” It goes on to clarify how Apple currently uses the data, and outlines new safeguards that are being introduced over the next year.

Complaints about this verification process focused on a protocol known as the online certificate status protocol service, or OCSP. This security feature checks that an app’s developer certificate hasn’t been revoked before it’s allowed to launch. The outage lead to scrutiny of Apple’s practices, most notably by security researcher Jeffrey Paul.

In a blog post titled “Your Computer Isn’t Yours,” Paul claimed that this security process means Apple collects a hash of every program a Mac user runs, along with their IP address, over an unencrypted connection. The end result, wrote Paul, is that anyone use a modern version of macOS can’t do so without “a log of [their] activity being transmitted and stored.”

However, not everybody agreed with Paul’s analysis. One blog post by cybersecurity student Jacopo Jannone notes that the data sent to Apple’s OCSP server contains information that could identify an app’s developer but not the app itself. However, Paul argues that since many developers only publish a single app it wouldn’t be hard to infer which app someone is using from information about its developer.

In its updated support…

Source…