Does Mac's Anti-Malware Mechanism Spy on Users? Here's What Apple Says

After Mac users reported server outage on November 12, cybersecurity researchers dug deep to find out that Apple was logging IP addresses, breaching privacy

With complete control over its hardware and software, Apple over the years has strengthened its security features for Mac. Called Gatekeeper, Mac's anti-malware platform was introduced with Mountain Lion back in 2012. So far, there was no problem. But on November 12 when Apple launched its macOS Big Sur and users tried to upgrade to the latest operating system, serious server outages prevented third-party apps and even Apple apps like iMessage and Apple Pay from launching.

The slowdown led security researchers to analyze the problem and they found that every time a user launches an application, it pings to the Apple server to check for a valid certificate. If the software was notarized by Apple, it would launch, otherwise, it will be blocked to prevent the user from opening a probable malicious piece of code. However, as Gatekeeper verifies notarization through the internet, the server logs in the IP address, allowing city-level geolocation. That's a breach of privacy even if it is not meant to harm the user.

macOS Big Sur
Cybersecurity researchers raised privacy concerns about Apple's notarization checks Apple

Breach of Privacy

What Apple does is use OCSP (Online Certificate Status Protocol) process to verify certificates. But the problem is OCSP uses the old plaintext HTTP on port 80 without any encryption, meaning that malicious actors or Apple can eavesdrop and collect information. That further raised privacy concerns.

"This means that Apple knows when you're at home. When you're at work. What apps you open there, and how often. They know when you open Premiere over at a friend's house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city," cybersecurity researcher Jeffrey Paul wrote in his blog post.

Apple checks app notarization before launching it for the first time Patrick Wardle

Is Apple Spying?

However, Apple uses the old HTTP to prevent loops. If OCSP was using HTTPS, the server had to check valid HTTPS certificate besides OCSP, lengthening the process and putting extra pressure on the server, explained another cybersecurity researcher Jacopo Jannone. Besides that, Apple checks the certification validity only once when you open the app for the first time after boot and stores the data on the computer to prevent OCSP from running again.

Later, Apple issued a clarification about the method and said that it never collected Apple IDs and device identification during software security checks or the OCSP process. However, Paul's concerns were valid and Apple said that it would make changes to the process and will stop logging IP addresses for checking validity. Furthermore, Apple will introduce an option for Mac users to opt-out of the notarization checks "over the next year."

"These security checks have never included the user's Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs," Apple said in its updated privacy policy on November 16.