Apple is trying to clear the air around a macOS anti-malware feature after a security researcher claimed it could be abused to spy on users.
The controversy involves Gatekeeper, which checks to ensure a user’s Mac is only running trusted apps. But to do so, the Mac has to periodically contact Apple so that its servers can verify that the app’s developer certificate is legit. At the same time, the Mac’s IP address—which contains city and country identifiers—is also transmitted to Cupertino.
“This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often,” claims German security researcher Jeffrey Paul. Last Thursday, he wrote a blog post on the matter called "Your Computer Isn't Yours," which argues that macOS users are in danger of losing their privacy.
However, Apple says Gatekeeper is merely checking whether a developer certificate on a macOS app has been revoked or not—nothing more.
“We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices,” the company wrote on Monday in an updated support document. “These security checks have never included the user’s Apple ID or the identity of their device.”
Apple’s statement runs counter to Paul’s conclusion, which claims the Gatekeeper function sends Apple a unique identifier for every app run on a Mac computer. But a separate post from a computer science student named Jacopo Jannone points out macOS will only send the developer certificate—not a unique ID for the app. Thus, Apple can’t determine the exact program a Mac computer is running, only the developer to whom it belongs.
Nevertheless, Paul still argues that periodic Gatekeeper checks are dangerous because they are unencrypted. As a result, an internet service provider or a content delivery network (CDN) could view the Gatekeeper data flowing from a user’s Mac.
The other issue Paul raises is how Mac owners will eventually have no way to opt out of the Gatekeeper check. Previously, you could run a program called Little Snitch to approve or deny what data connections are running from a Mac computer. However, the new macOS update, Big Sur, can enable Apple’s own apps to circumvent Little Snitch’s processes.
“Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them,” Paul claimed. “There will be no way to boot any OS on the new Apple Silicon Macs that won’t phone home, and you can’t modify the OS to prevent this.”
In response, Apple says it’s working on making sure all developer certificate checks from Gatekeeper will be encrypted. The company will also let Mac owners opt out from the anti-malware protection. Expect the changes to arrive over the next year. But the company's support document didn't address how the Big Sur update can bypass VPNs and firewalls.
“To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs,” Apple adds.
Paul wrote his blog post in the wake of last Thursday's server error at Apple, which temporarily slowed down Big Sur upgrades. The same error also dragged down the Gatekeeper checks, causing some macOS apps to fail to launch. Apple says it's implementing new protections to prevent future server failures.