By Jon Porter
The company says it doesn’t keep tabs on the apps macOS users run.
Last week, a number of Mac users had trouble opening apps — a problem that seemed to be caused by an Apple security protocol responsible for checking that software comes from trusted sources. The slow-down prompted some to criticize Apple for collecting too much information about users’ activities; criticism which the company has now responded to with promises that it will change how these security protocols work in future.
Apple announced the changes via its support pages, adding a new “Privacy protections” section to a page entitled “Safely open apps on your Mac” (as spotted by iPhone in Canada). Apple says a service known as Gatekeeper “performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked.” It goes on to clarify how Apple currently uses the data, and outlines new safeguards that are being introduced over the next year.
Complaints about this verification process focused on a protocol known as the Online Certificate Status Protocol, or OCSP. This security feature checks that an app’s developer certificate hasn’t been revoked before it’s allowed to launch. The outage led to scrutiny of Apple’s practices, most notably by security researcher Jeffrey Paul.
In a blog post titled “Your Computer Isn’t Yours,” Paul claimed that this security process means Apple collects a hash of every program a Mac user runs, along with their IP address, over an unencrypted connection. The end result, wrote Paul, is that anyone using a modern version of macOS can’t do so without “a log of [their] activity being transmitted and stored.”
However, not everybody agreed with Paul’s analysis. One blog post by cybersecurity student Jacopo Jannone notes that the data sent to Apple’s OCSP server contains information that could identify an app’s developer but not the app itself. However, Paul argues that since many developers only publish a single app it wouldn’t be hard to infer which app someone is using from information about its developer.
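To make the disagreement concrete, here is an added example (not code from the article, from Apple, or from either researcher) that builds a standard RFC 6960 OCSP request and decodes it the way an observer of an unencrypted OCSP GET could. It assumes a SHA-1 CertID and uses constructed issuer and serial values; the only fields in the request describe the certificate (issuer name hash, issuer key hash, serial number), not the file being launched.

```python
import base64, hashlib
from urllib.parse import quote, unquote
SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")  # AlgorithmIdentifier {id-sha1, NULL}
# Constructed sample values, not taken from any real certificate
ISSUER_NAME, ISSUER_KEY, SERIAL = b"constructed issuer Name", b"constructed issuer key", 0x1122334455667788

def tlv(tag, body):  # DER element with short-form length (bodies under 128 bytes)
    return bytes([tag, len(body)]) + body

def build_request(issuer_name_der, issuer_public_key, serial):
    """Unsigned OCSPRequest for one certificate: CertID wrapped in Request,
    requestList, TBSRequest and OCSPRequest. No input describes the app."""
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    cert_id = tlv(0x30, SHA1_ALGID
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())    # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_public_key).digest())  # issuerKeyHash
                  + tlv(0x02, serial_der))                               # serialNumber
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))

def get_path(request_der):  # OCSP GET path: URL-encoded base64 of the DER request
    return "/" + quote(base64.b64encode(request_der).decode(), safe="")

def read(der, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def first_sequence(der):
    """Body of the first SEQUENCE in der, skipping optional [0]/[1] tagged fields."""
    pos = 0
    while pos < len(der):
        tag, body, pos = read(der, pos)
        if tag == 0x30:
            return body
    raise ValueError("no SEQUENCE found")

def decode_path(path):
    """Recover the CertID fields from a GET path, as an on-path observer could."""
    body = base64.b64decode(unquote(path.lstrip("/")))
    for _ in range(5):  # OCSPRequest, TBSRequest, requestList, Request, CertID
        body = first_sequence(body)
    fields, pos = [], 0
    for _ in range(4):  # hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber
        _, value, pos = read(body, pos)
        fields.append(value)
    return {"issuerNameHash": fields[1].hex(), "issuerKeyHash": fields[2].hex(),
            "serialNumber": int.from_bytes(fields[3], "big")}
```

Every app signed with the same certificate yields the same request bytes, which is why the request identifies a developer certificate and why a developer with a single app is still easy to infer.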
In its updated support document, Apple makes clear that security checks it makes when authenticating software do not include a user’s Apple ID or device identity. The company also says it’s stopped logging IP addresses associated with the Developer ID certificate checks. “We have never combined data from these checks with information about Apple users or their devices,” writes the iPhone-maker. “We do not use data from these checks to learn what individual users are launching or running on their devices.”
However, something about these complaints does seem to have registered with Apple, as the company says it’s changing how it handles these checks in the future. Over the next year the company says it will roll out a new encrypted protocol for developer ID certificate checks while adding “strong protections against server failure” — that is, protections against the issues that stopped apps from opening last week. Finally, users will also be given the option of opting out of these security protections altogether, a change that seems designed to appease complaints like Paul’s.