I’m told by reliable sources here that Apple does not spy on its users.
Ping
Yes - if you check the box that says “send analytics data to Apple” that’s what it does.
I fully switched from Mac to Linux years ago. I also do my freeping and other conservative web activities inside a VM, connected to a VPN.
Because things are starting to get weird.
This is a stupid article. You have to opt-in to send the analytics.
Privacy protections
macOS has been designed to keep users and their data safe while respecting their privacy.
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the next year we will introduce several changes to our security checks:
* A new encrypted protocol for Developer ID certificate revocation checks
* Strong protections against server failure
* A new preference for users to opt out of these security protections
That’s okay, you can use an Android ....
Wait!
Following some blowback, Apple responds...
Second, it’s putting in place new protections to prevent server failure issues. And finally, addressing the overarching concern that Jeffry Paul raised, Apple will release an update to allow users to opt-out of using these macOS security protections.
https://9to5mac.com/2020/11/15/apple-explains-addresses-mac-privacy-concerns/
Any issues with the iPhone recent 14.2 update? I don’t like the new orange or green dot in top right corner near the battery/wifi/cell signal icons, which is supposedly showing apps are using microphone or camera without my consent.
https://9to5mac.com/2020/11/15/apple-explains-addresses-mac-privacy-concerns/
Update 11/15 8:25 pm PT: Apple has updated a Mac security and privacy support document today sharing details about Gatekeeper and the OCSP process. Importantly, Apple highlights it doesn’t mix data from the process of checking apps for malware with any information about Apple users and doesn’t use the app notarization process to know what apps users are running.
The company also details Apple IDs and device identification have never been involved with these software security checks.
But going forward “over the next year,” Apple will be making some changes to offer more security and flexibility for Macs. First is that Apple will stop logging IP addresses during the process of checking app notarizations.
Second, it’s putting in place new protections to prevent server failure issues. And finally, addressing the overarching concern that Jeffry Paul raised, Apple will release an update to allow users to opt-out of using these macOS security protections.
We’ve also learned more technical details from Apple about how this all works, which align with what independent security researcher Jacopo Jannone shared earlier.
macOS’ process of using OCSP is a very important security measure to prevent malicious software from running on Macs. It checks to see if a Developer ID certificate used by an app has been revoked due to software being compromised or events like a dev certificate being used to sign malicious software.
Online certificate status protocol (OCSP) is used industry-wide and the reason why it works over unencrypted HTTP connections is that it is used to check more than just software certificates, like web connection encryption certificates. If HTTPS were used, it would create an endless loop. Jannone explained it succinctly: “If you used HTTPS for checking a certificate with OCSP then you would need to also check the certificate for the HTTPS connection using OCSP. That would imply opening another HTTPS connection and so on.”
Two notable points on this are that it’s not strange for macOS to be using unencrypted requests for this as that’s the industry standard and that with Apple’s commitment to security and privacy, it is investing in creating a new, encrypted protocol that goes above and beyond OCSP.
In addition to the OCSP process currently used by Apple, macOS Catalina and later also have another process where all apps are notarized by Apple after having checked for malware. When launching an app, macOS makes another check to make certain the app hasn’t become malicious since the first notarization. This process is encrypted, isn’t usually impacted by server issues, and indeed wasn’t affected by the OCSP issue.
As for the performance problems we saw on macOS Catalina and earlier during Apple’s server issues last week, they were caused by a server-side misconfiguration that was exacerbated by an unrelated CDN misconfiguration. Those issues were resolved on Apple’s end a few hours after they began, with no action needed on the users’ part.
Between the explanation of how everything is working here and the commitment to the future changes described above, Apple shows it is listening to users and putting privacy and security first.
Update 11/15 9:00 am PT: More details about Apple’s use of OCSP have been shared by cybersecurity researcher Jacopo Jannone. He says that macOS isn’t sending a hash of each app to Apple when they run and explains why the industry-standard OCSP doesn’t use encryption. Further, he says Paul’s analysis “isn’t quite accurate” and importantly notes that Apple uses this process to check and prevent apps with malware from running on your Mac.
This is likely a non-issue brought up by those that do not understand certificate checking (hint: your browser is likely doing this too).
Apple is using Online Certificate Status Protocol (OCSP) to check whether your signed applications were signed with valid certificates, or if those certificates have been revoked for some reason.
Why is OCSP unencrypted? It uses the HTTP protocol not HTTPS. If it used HTTPS, it would create an endless loop of checking certificates. Not good.
macOS lets you install unsigned apps or apps with unknown signatures. You have to make a conscious decision to allow that. I don’t know what happens if a signed app returns a revoked or bad status. That is, will the OS still let you run the app if you allow it?
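Added here as a worked illustration of the OCSP exchange that the article excerpt above (the "macOS’ process of using OCSP" paragraphs) and the post directly above describe. This is example code written for this page, not Apple’s implementation and not code from the linked article. It uses the Python `cryptography` library to build a throwaway CA and two code-signing certificates, has the client produce the request that actually leaves the machine (issuer-name hash, issuer-key hash, serial number), has a toy responder sign a "good" or "revoked" answer, and has the client verify that signature before deciding. The client policy, including the soft-fail to "allow" when no response arrives, is an assumption made for the example and is not Apple’s published behaviour; the CA, the developer names and the "key compromise" reason are all constructed.

```python
# Constructed OCSP exchange for a Developer ID-style code-signing certificate.
# Toy CA, leaf certs, responder and client are all generated locally; nothing
# contacts Apple. The client policy below is an assumption, not Apple's.
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)
DER = serialization.Encoding.DER


def _cert(subject, issuer_name, pubkey, signer, ca):
    """Build and sign one X.509 certificate for the constructed toy PKI."""
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer_name)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if not ca:  # leaf certs get the code-signing EKU, like a Developer ID cert
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
    return b.sign(signer, hashes.SHA256())


def make_pki():
    """Toy CA plus two code-signing leaf certs (names are constructed)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Toy Developer ID CA")])
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, ca=True)
    leaves = {}
    for cn in ("Good Developer", "Compromised Developer"):
        key = ec.generate_private_key(ec.SECP256R1())
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
        leaves[cn] = _cert(subject, ca_name, key.public_key(), ca_key, ca=False)
    return ca_key, ca_cert, leaves


def build_request(leaf, issuer):
    """Client side. The request identifies the certificate only by issuer-name
    hash, issuer-key hash and serial: no app hash, no user or device identity."""
    return ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA256()).build()


def request_fields(req):
    """Everything the request carries, for inspection."""
    return {"issuer_name_hash": req.issuer_name_hash.hex(),
            "issuer_key_hash": req.issuer_key_hash.hex(),
            "serial_number": req.serial_number,
            "hash_algorithm": req.hash_algorithm.name}


def responder(req_der, ca_key, ca_cert, issued, revoked_serials):
    """Server side: look the serial up in the CA's own records and sign an answer.
    The signature is what gives the answer integrity, so plain HTTP is acceptable."""
    req = ocsp.load_der_ocsp_request(req_der)
    leaf = issued[req.serial_number]
    revoked = req.serial_number in revoked_serials
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca_cert, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + DAY,
                          revocation_time=NOW - DAY if revoked else None,
                          revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(DER)


def client_decision(resp_der, req, ca_cert):
    """Assumed client policy: verify the responder's signature, make sure the answer
    is about the serial we asked for, then allow/block. No response soft-fails open."""
    if resp_der is None:
        return "allow (soft-fail: no OCSP response)"
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "allow (soft-fail: responder error)"
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))  # raises if forged
    if resp.serial_number != req.serial_number:
        return "block (response is for a different certificate)"
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return "block (certificate revoked)"
    if resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return "allow (certificate good)"
    return "allow (soft-fail: status unknown)"


def demo():
    """Run the exchange for a good cert, a revoked cert, and an unreachable responder."""
    ca_key, ca_cert, leaves = make_pki()
    issued = {c.serial_number: c for c in leaves.values()}
    revoked = {leaves["Compromised Developer"].serial_number}
    out = {}
    for cn, leaf in leaves.items():
        req = build_request(leaf, ca_cert)
        resp_der = responder(req.public_bytes(DER), ca_key, ca_cert, issued, revoked)
        out[cn] = client_decision(resp_der, req, ca_cert)
    good_req = build_request(leaves["Good Developer"], ca_cert)
    out["offline"] = client_decision(None, good_req, ca_cert)
    out["request"] = request_fields(good_req)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the code makes concrete: the request carries nothing that identifies the app binary, the user or the device, and the signature on the response is what the client trusts, which is why OCSP can run over plain HTTP without the certificate-checking loop Jannone describes. It also shows the privacy cost the thread is arguing about: the serial number and issuer hash identify the developer certificate, so anyone watching cleartext traffic on the network learns which developer's software is being launched, even though no app hash is sent.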
Interesting. If Big Sur is air-gapped, when do the apps fail?
Even if you have to opt-in to send the analytic data to Apple, if they’re sending it *UNENCRYPTED* it’s a big problem... as a big shiny beacon for anyone sniffing traffic on that network.
MJ
In China, Apple has multitudes of children looking over your files... heh heh heh.
Big Sur is bricking Mid-2014 13 inch MacBook Pro computers. I have a 15 inch Mid-2014 MBP, so no Big Sur for me.