Thursday, December 6, 2018

Mac App Notarization and Customer Privacy

Jeff Johnson:

What does not appear to be documented is that Mojave “phones home” to Apple on first launch of every downloaded app, regardless of whether the app was notarized. […] This status is not cached.

[…]

In packet traces I see a reference to http://ocsp.apple.com, which suggests that Gatekeeper may be using some form of Online Certificate Status Protocol (OCSP), a standard method for checking whether a certificate has been revoked. The internet traffic is to api.apple-cloudkit.com on TCP port 443, in other words, https. Thus, the data is likely encrypted.

[…]

It’s important to note that no explicit consent has been given for this information to be transmitted to Apple. In System Preferences, I had disabled all of the Analytics in Security & Privacy and all of the automatic checks in Software Update, so as far as Mojave was concerned, Apple had no permission. I’m not aware of any official Apple privacy policy with regard to Gatekeeper. I have no reason to believe that Apple will use this data for competitive or marketing purposes, but… who knows? It would certainly be a gold mine of information about Mac consumer usage of third-party apps. Apple has announced that app notarization will be required for all apps in an upcoming version of macOS, so in effect Apple is forcing developers and end users to give Apple valuable business data.

I wonder how long Apple stores this data and whether anyone would be motivated to try to gain access to it.

Update (2019-08-30): Jeff Johnson:

Why doesn’t macOS just periodically download a list of revoked notarizations instead of checking on launch?

This would be more secure, because what if there’s a connection failure at launch in the current implementation?

Whereas a periodic system daemon could retry on connection failure and download the updated list whenever internet is reestablished.

This would also protect user privacy. Apple doesn’t need to know when users launch an app.

6 Comments RSS · Twitter


I'd assume Apple is doing this to deal with known trojan horses. I think they started blocking those a few years ago. Originally when it was just one or two I think it was hard coded in updates to the OS. It would seem like they've wisely started doing a central database check when the internet is available. That way controls on trojan horses and malware aren't tied to what version of the OS you are running.


OCSP don't have to know the app bundle id, nor any other sensitive data, this is only a certificate validity check.
The certificate check can be perform without user personal information, so it may even be impossible to Apple to bind the request to an user, so there is no privacy concern here IMHO.



Can Little Snitch block this, and will apps still launch?



[…] Mac App Notarization and Customer Privacy […]

Leave a Comment