Big Sur-prise

[LAST UPDATED 11/28/2020: See the additional notes below the original article. This story evolved quickly and there were several important new pieces of information, including an official response from Apple.]

Apple released a big update to its Mac operating system: macOS 11, aka Big Sur. While this release has several new and interesting features, including security and privacy features, I would recommend waiting at least another week before you upgrade. Personally, I always wait at least a week on these major updates, just to make sure they don’t find any major issues. But in this case, there’s a particular issue that’s bothering me, one that I’m hoping Apple will fix soon.

To Launch or Not to Launch

Over the years, Apple has been adding stronger security to its operating system. One of the key features is a mechanism that “signs” all the applications in the App Store, basically giving them a digital seal of approval. This is a fancy cryptographic technique that essentially makes it impossible to forge Apple’s signature.

When a user tries to launch an application, the Mac operating system validates this signature before it allows the application to run. Only valid applications are allowed to open. These digital signatures expire after a year or two, requiring app developers to update the signatures on a regular basis. But sometimes a bad app will still slip through. Therefore, there is another mechanism that allows Apple to disqualify a particular app’s signature, after the fact. This basically requires the operating system to check an app’s signature every time you launch it. (Not quite… see the update below.)

I’m Busy, Try Again Later

Unfortunately, the process to verify the signature requires communicating with an Apple server on the Internet. But what if you’re not online? In that case, the operating system will allow the app to launch (that is, it “fails open”). You can’t require Internet connectivity to run an app, that’s just not going to fly.

But what if the validation server is overwhelmed or unresponsive? Apparently, Apple didn’t handle that very well. Many Mac owners that upgraded to Big Sur this week found that their apps were failing to launch. It’s unclear exactly what the problem is/was, but the result was a lot of frustration. (Update: this seems to have been fixed.)

One Outta Three is Bad

Saying that a system is “secure” in the cybersecurity sense comes down to three qualities, called the CIA Triad: Confidentiality, Integrity and Availability. We’ve already failed that last one, as described above. But it turns out that Apple’s chosen implementation for this app signing validation technique fails to address Confidentiality, too.

Why? Because the communication between your Mac and the validation server isn’t encrypted. This fails the confidentiality criterion because the data in each request isn’t masked or hidden. Your ISP and any router or server along the data path can see what you’re trying to validate. Theoretically, that means they will know which apps you’re launching and when you’re launching them. (Again, not quite true – see update below.) Some feel this isn’t a big deal, but Apple has been pretty good with user privacy, and to me there’s no reason to leak this data.

This actually isn’t new to Big Sur. But what is new is that Big Sur doesn’t allow this particular network connection to be blocked by your macOS firewall or redirected with a VPN. I get why they’re doing that, but it bothers me that I can’t fully control my network traffic.

I haven’t read anything that indicates that the integrity of this process is in question. Even though the communications aren’t encrypted, it seems like the mechanism doesn’t require it in order to work properly.

So, bottom line: I would hold off a bit on upgrading to Big Sur. Hopefully Apple will at least fix the availability issue. And if we’re lucky, they’ll find a way to address the confidentiality problem, too.

---

LAST UPDATED: Nov 18, 2020

It’s not surprising that this issue has provoked a lot of differing and emotional reactions. Some of you have even reached out to me with links to these responses. But I’ve learned some new information myself and I wanted to be sure to follow up on this situation. As I find any more info, I’ll keep this section updated.

First of all, the authentication server availability issue seems to have been fixed, at least for the time being.

Second, it seems to me that there are three distinct issues here:

1. The claim that Apple is collecting and broadcasting private information about which apps you open and when you open them.
2. The claim that Apple has given themselves the capability to bypass some common security and privacy mechanisms.
3. Because of the above two claims, Apple can at any time prevent you from using software you purchased, and therefore you really don’t own your computer.

The truth is that this is not black and white. There are some highly technical aspects to this and a lot of nuance. Let me take a crack at addressing each of these claims.

Claim 1: Apple and others will know what apps you launch and when

The claim made by the original poster (and still claimed even after reading some of the same analyses and responses that I did) is that your Mac is sending an unencrypted message to Apple’s servers every time you open an application, and that that message contains personal information. If true, this would mean that Apple and potentially your ISP and other third parties could monitor and record your app activity.

From what I’ve read, this is only partly true. The identifier being sent to Apple belongs to the maker of the software, not the software app itself. That is, it would say that you launched a Microsoft app, not that you launched Word or Excel. Now, many app developers only make one app, so in that case it’s functionally equivalent. But still, it’s not what was originally claimed.

The connection is in fact not encrypted. Your ISP and any other server in a position to monitor your network traffic could therefore read the content of these requests. That’s not good, but Apple has already committed to fixing this. All of these messages will contain your IP address, which in some ways does identify you. Though probably only your ISP (or their partners) can reliably map that IP address to you (your name, address, etc).

Also, this security-related message is not sent every time you launch an app. It’s not clear yet how often it’s sent, but only often enough to make sure that this app maker’s license hasn’t been revoked. Maybe once a day, maybe once a week? But it’s not every time you launch the app.

Note that there are two related security mechanisms here. One is OCSP, which is the one we discuss above. The other is a security process called “notarization” – and that does use an encrypted connection. Part of the confusion around this issue (exacerbated by Apple, frankly) is conflating these two processes.

So, the bottom line is that it doesn’t appear that the original claim is completely correct and Apple has committed to addressing the privacy issue, such as it is.

Claim 2: Apple can bypass your firewall and VPN

This appears to be true and appears to be new (or at least enhanced) in Big Sur. Basically, Apple is making sure that its security-related processes can’t be blocked. I understand why Apple has done this. If you block these security check connections with a software firewall or a VPN service, then macOS can’t verify that the apps you run are from an approved developer and haven’t been labeled as malware.

There may be other operating system or Apple application processes that have privileged access to the network connection. Let’s just assume that even if they don’t exist now, they certainly could exist in the future, given that the firewall and VPN bypass mechanism is there.

I haven’t seen Apple address this particular issue yet. While I wouldn’t recommend that anyone block these security check network connections, we (as owners of the computer) should be capable of doing so. Furthermore, Apple should be more transparent about the fact that your VPN may not be carrying 100% of your computer’s network traffic. This could be a real privacy issue for some people.

Note that there’s nothing preventing you from blocking these connections using an external firewall or VPN, like one built into your home router. (If you really want security and privacy, you should probably be protecting your entire home network – and all the devices connected to it – in one place, anyway.)

Claim 3: You don’t own your computer

This is a sensational statement, though I understand the sentiment. By having a gatekeeper mechanism on every piece of software you run, this effectively allows Apple to limit your freedom. As the ultimate and only arbiter of “good” vs “bad”, they can not only protect you from true malware, they can also block competing software products under the pretense of protecting you. This is the reality of a walled garden ecosystem like Apple’s. If you want to live in their world, you are submitting to a tyrannical overlord, and you’re hoping that they’re going to be a benevolent dictator.

However, you can bypass this security feature in macOS, on a per-app basis. Apple even tells you how. And in the future, Apple (in response to this dust-up) has said it will create a system setting that will allow you to turn off this security check globally – though it remains to be seen how that will work. (Note that you cannot bypass this on an iPhone or iPad, which is at the heart of the Fortnite lawsuit.)

Worst case, you can always leave the walled garden – it’s not a gilded cage. You can buy a Windows PC or build yourself a truly open and free Linux-based computer. (If that latter one interests you, check out the Free and Open Source Software movement and computer hardware vendors like Purism and System76).

See Also

There have been many other articles written about this subject. You might want to check these out, particularly the one from EFF.

• EFF article: macOS Leaks Application Usage, Forces Apple to Make Hard Decisions
• The Verge: Apple responds to privacy concerns over Mac software security process