Apple Knows When You’re Sleeping...and Reports When You’re Awake

That sound you heard midday Thursday was the collective groan of a million Mac users rebooting their super slooooow computers as Apple struggled with an apparent server outage. 

The slowdown coincided (coincidentally or not) with the rollout of Apple’s new operating system, Big Sur—but Mac users who had yet to install the latest California-themed OS also had trouble getting their apps to work correctly.

Ironically, though Apple leans into pro-privacy rhetoric and Big Sur claims to bring privacy enhancements, the problem highlighted a larger issue about unencrypted data.

According to Mac developer Jeff Johnson, Macs couldn’t connect to a server related to the online certificate status protocol (OCSP), which is used to make sure a digital certificate is valid. Apple servers couldn’t keep up with the server requests.

In a recap of the issue, security researcher Jeffrey Paul said yesterday’s failure exposed a privacy issue that was already there:

“It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.”

So, when you’re online, Apple knows what apps you’re using. Moreover, it sends unencrypted OSCP requests, which internet service providers can see.

Matthew Hardeman, a software developer and network engineer, told Decrypt, “Every Mac running recent macOS releases sends OCSP queries to Apple—in the default configurations, at least.”

Via its Gatekeeper system, “macOS is checking in prospectively, when you try to launch an application, to see if Apple has second-guessed their assessment of the safety of the software you’re trying to launch.”

This brings with it several privacy concerns. First, because your computer has to send your IP to communicate with Apple, it means Apple can see your IP address and the application you’re trying to use. Second, OCSP uses unencrypted HTTP communications so “any entity with visibility to your macOS-based computer could also observe and/or log these facts.”

Though he said in most circumstances it’s not a major concern, Hardeman told Decrypt, “I think everyone probably dislikes that third parties might be able to observe that you’re launching an application and that they may be able to discern what application.”

Judging by the reaction to Paul’s article on Crypto Twitter, it was indeed a concern:

Hardeman implied that Apple is more or less using an industry standard protocol as it’s meant to be used—and that most people benefit from it. However, he called on Apple to fix the bugs that “resulted in all the screaming yesterday.” 

Moreover, if Apple is as dedicated to privacy as it says it is, the standard may no longer be good enough.

In a response to Decrypt after initial publication of this article, an Apple spokesperson pointed to an update to a knowledge base article on Gatekeeper. Among other things, it promises a "new encrypted protocol for Developer ID certification revocation checks." It states: "To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs."