Does your Mac really ring Apple every time you launch an app? That
Info: This applies to both macOS Big Sur and macOS Catalina. The slowdown and the associated privacy issues aren’t new to macOS Big Sur.
Why Mac Apps Are Signed With Developer Certificates
On a Mac, apps that you download, whether from the Mac App Store or the web, are signed with a developer certificate. Whenever you launch an app, your Mac checks the app to verify that it has been signed by a legitimate developer and has not been tampered with. This helps protect you from malware.
For example, when Mozilla creates Firefox, it compiles a Firefox application file and then signs it with Mozilla’s developer certificate. This is Mozilla’s way of proving that the file is legitimate and was created by Mozilla. If the application file has been tampered with afterwards, your Mac will notice the difference.
These certificates are only valid for a certain period of time – maybe a few years – but they can be “revoked” early. For example, if Apple discovers that a developer is using their certificate to sign malicious apps, Apple will revoke the certificate. Macs will not load apps with that revoked certificate.
OCSP Explained: Why Is Your Mac Calling Home?
But wait, how does your Mac know if Apple has revoked a certificate associated with an app on your Mac? To check this, your Mac uses something called the Online Certificate Status Protocol or OCSP; it is also used by web browsers to check website certificates while you are browsing.
When you start an app, your Mac sends information about the certificate to an Apple server at ocsp.apple.com. Your Mac asks this Apple server if the certificate has been revoked. If not, your Mac will launch the app. If the certificate is revoked, your Mac will not launch the app.
Does this happen every time you start an app?
Your Mac remembers these responses for a period of time. On November 12, 2020, responses were cached for five minutes; in other words, if you started an app, closed it, and restarted four minutes later, your Mac wouldn’t have to ask Apple for the certificate a second time. However, if you started an app, closed it, and started it six minutes later, your Mac should ask Apple’s servers again.
For whatever reason – perhaps due to changes in macOS Big Sur – Apple’s server was inundated and became very slow on November 12, 2020. Responses slowed significantly and apps took a long time to load as Macs waited patiently for a response from Apple’s server.
After that event, Apple’s OCSP server now tells Macs to remember the answers about certificate validity for 12 hours. When you launch an app, your Mac will call home and ask about the app’s certificate unless it has received a response within the last 12 hours, in which case it uses the cached answer and does not contact Apple. (The time period information here is from independent app developer Jeff Johnson.)
What if a Mac is offline?
The OCSP check is designed to fail open. If you are offline, your Mac will silently skip the check and launch apps normally.
The same is true if your Mac can’t reach the ocsp.apple.com server – perhaps because the server address is blocked at the router level on your network. If your Mac cannot connect to the server, it will skip the check and launch the app immediately.
The problem on November 12, 2020 was that while Macs were able to reach Apple’s server, the server itself was slow. But instead of silently failing and continuing to launch an app, Macs waited a long time for a response. If the server had gone down completely, no one would have noticed.
What is the privacy risk? What does Apple learn?
There are several privacy concerns that people have raised here. They are described in hacker and security researcher Jeffrey Paul’s blistering take on the situation.
- Certificates are linked to apps: When your Mac contacts the OCSP server, it will ask for a certificate that is likely associated with one app, or maybe a handful of apps. Technically, your Mac does not tell Apple which app you launched. For example, when you start Firefox, Apple finds out that you have launched an app created by Mozilla. It could be Firefox or Thunderbird, but Apple doesn’t know which one. However, if you start an app signed by the Tor project, Apple can get a pretty good idea that you’ve opened the Tor browser.
- Requests are linked to dates and times: These requests can of course be linked to a date and time and your IP address. That’s exactly how the internet works. Your IP address is associated with a specific city and state. Each OCSP request tells Apple the developer who created the app you launch, your general location, and the date and time you launched the app.
- No encryption means sniffing is possible: The OCSP protocol is not encrypted. Not only does Apple get this information, everyone in the middle can see this information too. Your ISP, workplace network administrator, or even a spy agency monitoring Internet traffic can eavesdrop on the OCSP traffic between you and Apple and find out all these details. These requests also go through an external content distribution network (CDN) called Akamai. This speeds them up, but adds one more middleman who can technically poke around.
Info: Your Mac does not tell Apple which app you start. Instead, your Mac simply tells Apple which developer created the app you launch. Of course, many developers only make one app, so this technical distinction often doesn’t mean much.
(Remember, with the change in cache behavior, your Mac no longer asks Apple every time you launch an app. It does this at most every 12 hours instead of every 5 minutes.)
Why is your Mac doing this?
As you would expect, security is everything. The Mac is a more open platform than the iPad and iPhone. You can download apps from anywhere, even outside of the Apple Mac App Store.
To protect the Mac from malware – and yes, Mac malware is becoming more common – Apple has implemented this security check. If a certificate used to sign an app is revoked, your Mac can take immediate action and refuse to open that app. This gives Apple the ability to prevent Macs from launching known malicious apps.
Can you block the OCSP checks?
These OCSP checks are designed to fail quickly and quietly when a Mac is offline or unable to connect to the ocsp.apple.com server.
That makes them easy to block: just prevent your Mac from connecting to ocsp.apple.com. For example, you can often block this address on your router so that all devices on your network cannot connect to it.
Unfortunately, it seems that Big Sur no longer allows software-level firewalls on the Mac to block the Mac’s built-in trusted process from accessing remote servers in this way.
Warning: If you block the ocsp.apple.com server, your Mac won’t notice when Apple has revoked an app’s developer certificate. You choose to disable a security feature and it could put your Mac at risk.
What does Apple say and promise to change?
Apple seems to have heard the criticism. On November 16, 2020, the company added information about “privacy protections” for Gatekeeper on its website.
First, Apple says it has never combined data from these certificates or malware controls with other data Apple knows about you. The company promises it will not use this information to track which apps individuals launch on their Macs.
Second, Apple insists that these certificate checks are not tied to your Apple ID or any device-specific information outside of your IP address. Apple says it has stopped logging IP addresses associated with these requests and will remove them from Apple’s logs.
Over the next year – in other words, by the end of 2021 – Apple says it will make these changes:
- Replace OCSP with an encrypted protocol: Apple says it will create a new encrypted protocol to replace the unencrypted OCSP system for checking developer certificates. This prevents anyone from sniffing in the middle.
- Stop the delays: Apple also promises “strong protection against server failures,” in other words, apps don’t load slowly because a server slows down again.
- Give users choice: Apple says Mac users can disable these security measures and prevent their Mac from checking for revoked developer certificates.
Overall, these changes will eliminate several issues – third parties can no longer poke around in the middle. Macs will still send Apple information it can use to keep track of which apps you open, but Apple promises not to associate that information with you. Slowdowns should be avoided as Apple fixes the performance issue as well.
What will this better protocol be? Well, Apple hasn’t said what it will replace OCSP with yet. As security researcher Scott Helme points out, something like CRLite could thread the needle. Imagine if your Mac could download a single file from Apple and update it regularly. The file contains a compressed list of all certificate revocations. Whenever you launch an app, your Mac can check the file locally, eliminating both the network check and the privacy concerns.
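The CRLite idea above, as an added example (not code from the article, from Apple, or from the CRLite project): a filter cascade in Python over constructed serial numbers. The sets REVOKED and VALID are assumptions standing in for one issuer’s certificates; in a real deployment the issuer, which knows every certificate it has signed, would build the cascade and publish the resulting bytes for clients to download. The cascade is what turns a probabilistic Bloom filter into an exact answer for the certificates the builder knew about, which is what lets a client decide locally instead of asking a server.

```python
"""Added example: a CRLite-style filter cascade for offline revocation checks (stdlib only).
Serial numbers are constructed; REVOKED and VALID stand in for one issuer's certificates."""
import hashlib


class Bloom:
    """Plain Bloom filter over a fixed bit array; `salt` makes each cascade level hash differently."""

    def __init__(self, m_bits: int, k: int, salt: int):
        self.m, self.k, self.salt = m_bits, k, salt
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes):
        for i in range(self.k):
            h = hashlib.sha256(bytes([self.salt, i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_cascade(revoked: set, valid: set, m_bits: int = 1024, k: int = 2, max_levels: int = 32) -> list:
    """Level 0 holds revoked serials; level 1 holds valid serials that level 0 wrongly matched;
    level 2 holds revoked serials that level 1 wrongly matched; and so on until no false positives
    remain. Because the builder knows every valid serial too, each serial it has seen is classified exactly."""
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        if len(levels) >= max_levels:
            raise RuntimeError("cascade did not converge; enlarge m_bits")
        f = Bloom(m_bits, k, salt=len(levels))
        for s in include:
            f.add(s)
        levels.append(f)
        # The next level must rescue whatever this level wrongly matched
        include, exclude = {s for s in exclude if s in f}, include
    return levels


def is_revoked(levels: list, serial: bytes) -> bool:
    """Walk the cascade: the first level that does not contain the serial decides, by its parity
    (even depth: not revoked, odd depth: revoked). Passing every level means membership in the last one."""
    for depth, f in enumerate(levels):
        if serial not in f:
            return depth % 2 == 1
    return len(levels) % 2 == 1


def cascade_size_bytes(levels: list) -> int:
    """Size of what a client would download: the bit arrays of every level."""
    return sum(len(f.bits) for f in levels)


# Constructed sample data standing in for one issuer's certificates.
REVOKED = {b"serial-%04d" % n for n in (7, 42, 300)}
VALID = {b"serial-%04d" % n for n in range(1000) if n not in (7, 42, 300)}

if __name__ == "__main__":
    levels = build_cascade(REVOKED, VALID)
    print(f"{len(levels)} level(s), {cascade_size_bytes(levels)} bytes to distribute to clients")
    for s in (b"serial-0042", b"serial-0043"):
        print(s.decode(), "revoked" if is_revoked(levels, s) else "good")
```

Only serials the builder has seen are classified exactly; a serial outside both sets can get either answer, so a client still needs a policy for unknown certificates (CRLite clients fall back to an online check or treat them as good) and a fresh cascade whenever the revoked set changes. Nothing about which serial was looked up ever leaves the machine, which is the privacy gain the article is after.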
Your Mac sometimes sends app hash to Apple
In addition, your Mac sometimes sends hashes of the apps you open to Apple’s servers. This differs from the OCSP signature checks; it is part of Gatekeeper’s notarization.
Developers can upload apps to Apple, which checks them for malware and then “notarizes” them if they seem safe. This notarization ticket can be “stapled” to the app. If a developer doesn’t staple the ticket to the app file, your Mac will contact Apple’s servers the first time you launch that app.
This only happens the first time you launch a particular version of an app, not every time it opens. A developer can eliminate the online check entirely by stapling the ticket.
Macs are not unique here. For example, Windows 10 PCs often upload data about apps you download to Microsoft’s SmartScreen service to check for malware. Antiviruses and other security applications can also upload information about suspicious-looking apps to the security company.