Apple has responded to concerns regarding user privacy and to the issue with unresponsive apps that affected all Mac users during the server failure that impacted macOS Big Sur’s rollout. The company has clarified why the system exists and checks developers’ signing certificates, how it ensures that no private user data is associated with the checks, and what it will do in the future to make sure that a server failure does not leave Macs unresponsive and unusable.
Apple answers privacy concerns over issue with unresponsive apps in macOS due to server failure
Apple responded to iPhoneinCanada and pointed them to the updated support document on its website. The company has explained the privacy protections that are in place in macOS, as users had raised privacy concerns about macOS constantly ‘phoning home’ whenever an app is launched. A macOS feature called Gatekeeper ensures that if malware is detected in an app, its developer’s signing certificate can be revoked remotely by Apple to stop it from causing any harm.
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
Meanwhile, notarization checks for malware over an encrypted connection and is resilient to server failure.
The company has clarified that no user data is involved in these checks, such as Apple ID, app name, or unique device identifiers. The company has also stopped collecting IP addresses, which were previously part of the checks, for stronger user privacy, and will remove any existing IP addresses from its logs.
The company will also make further modifications to its security checks over the next year to ensure that the issue does not happen again, and to give users an option to opt out of these checks.
In addition, over the next year we will introduce several changes to our security checks:
- A new encrypted protocol for Developer ID certificate revocation checks
- Strong protections against server failure
- A new preference for users to opt out of these security protections
Apple also gave additional clarification to iPhoneinCanada over why the issue happened in the first place. The incident was due to a server-side misconfiguration, coupled with a CDN misconfiguration, which affected macOS’ ability to cache OCSP responses for Developer ID. OCSP (Online Certificate Status Protocol) responses are an industry standard used to check whether a developer’s signing certificate has been revoked, and the checks are commonly performed over an unencrypted connection throughout the industry. The company has since fixed the issue through a server-side patch, by increasing the duration for which macOS can cache Developer ID OCSP responses.
Unencrypted (HTTP) connections are used because they avoid a circular dependency: an HTTPS connection would itself present a certificate whose revocation status would need to be checked, so OCSP over HTTPS is not recommended. It is important to note that OCSP checks are different from notarization checks, which look for malicious apps. Notarization checks are done over an encrypted connection and are resilient to server failures.
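To make the caching and server-failure points concrete, here is an added, simplified model of a client-side revocation check (this is illustrative code written for this article, not Apple’s Gatekeeper implementation). It assumes an invented responder, invented developer serials such as `dev-a`, and a 12-hour responder validity window; it replays one timeline twice, once with a short client-side cache cap and once trusting the responder’s own validity bound, to show how a longer cache keeps launches off the network and how a soft-fail policy keeps an outage from blocking apps while still honouring a cached revocation.

```python
"""Toy model of an OCSP-style revocation check with caching and soft-fail.

Constructed example; not Apple's Gatekeeper code. Serial numbers, times and
the responder are all invented for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

TWELVE_HOURS = 12 * 3600


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder unreachable and nothing cached


class ResponderDown(Exception):
    """Raised when the (simulated) OCSP responder cannot be reached."""


@dataclass
class OcspResponse:
    status: Status
    this_update: int   # when the responder produced the answer
    next_update: int   # responder's own validity bound for the answer


class FakeResponder:
    """Stand-in for a revocation server; can be switched off to model an outage."""

    def __init__(self, revoked: set):
        self.revoked = revoked
        self.down = False

    def query(self, serial: str, now: int) -> OcspResponse:
        if self.down:
            raise ResponderDown(serial)
        status = Status.REVOKED if serial in self.revoked else Status.GOOD
        return OcspResponse(status, now, now + TWELVE_HOURS)


class RevocationChecker:
    """Serve from cache while fresh, otherwise ask the responder; if the
    responder is down, fall back to whatever is cached (even if stale) and
    never block on the network error alone."""

    def __init__(self, responder: FakeResponder, max_cache_age: Optional[int]):
        self.responder = responder
        self.max_cache_age = max_cache_age  # client-side cap in seconds; None = trust next_update
        self.cache: Dict[str, OcspResponse] = {}

    def _fresh(self, r: OcspResponse, now: int) -> bool:
        if now >= r.next_update:
            return False
        return self.max_cache_age is None or now - r.this_update < self.max_cache_age

    def check(self, serial: str, now: int) -> Tuple[Status, str]:
        cached = self.cache.get(serial)
        if cached and self._fresh(cached, now):
            return cached.status, "cache"
        try:
            resp = self.responder.query(serial, now)
        except ResponderDown:
            if cached:  # stale, but a known answer beats no answer
                return cached.status, "stale-cache"
            return Status.UNKNOWN, "soft-fail"
        self.cache[serial] = resp
        return resp.status, "network"


def allow_launch(status: Status) -> bool:
    """Policy: only a positive revocation answer blocks; GOOD and UNKNOWN run."""
    return status is not Status.REVOKED


def run_scenario(max_cache_age: Optional[int]) -> List[Tuple[str, Status, str, bool]]:
    """Replay the same timeline against one checker and record each decision."""
    responder = FakeResponder(revoked={"dev-b"})
    checker = RevocationChecker(responder, max_cache_age)
    timeline: List[Tuple[str, Status, str, bool]] = []

    def launch(serial: str, now: int) -> None:
        status, source = checker.check(serial, now)
        timeline.append((serial, status, source, allow_launch(status)))

    launch("dev-a", 0)      # first launch: must hit the network
    launch("dev-b", 0)      # revoked developer: blocked
    launch("dev-a", 900)    # 15 min later, responder still up
    responder.down = True   # outage begins
    launch("dev-a", 1300)   # during outage: cached answer, fresh or stale
    launch("dev-b", 1300)   # revocation still enforced from cache
    launch("dev-c", 1300)   # never seen before, responder down
    return timeline


if __name__ == "__main__":
    for cap in (300, None):
        print(f"max_cache_age={cap}")
        for row in run_scenario(cap):
            print("  ", row)
```

With the 300-second cap the client goes back to the network on nearly every launch and has to lean on stale entries once the responder is down; with the responder’s own validity bound respected, the same launches are answered from cache and the outage is invisible to the user. In both runs the cached revocation of `dev-b` is still enforced, which is the property a soft-fail design has to preserve.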