Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Privacy Security Apple

Apple Responds To Gatekeeper Issue With Upcoming Fixes (techcrunch.com) 54

Posted by msmash from the closer-look dept.
Apple has updated a documentation page detailing the company's next steps to prevent last week's Gatekeeper bug from happening again. The company plans to implement the fixes over the next year. From a report: Apple had a difficult launch day last week. The company released macOS Big Sur, a major update for macOS. Apple then suffered from server-side issues. Third-party apps failed to launch as your Mac couldn't check the developer certificate of the app. That feature, called Gatekeeper, makes sure that you didn't download a malware app that disguises itself as a legit app. If the certificate doesn't match, macOS prevents the app launch. Many have been concerned about the privacy implications of the security feature. Does Apple log every app you launch on your Mac to gain competitive insights on app usage? It turns out it's easy to answer that question as the server doesn't mandate encryption. Jacopo Jannone intercepted an unencrypted network request and found out that Apple is not secretly spying on you. Gatekeeper really does what it says it does. "We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices," the company wrote.
This discussion has been archived. No new comments can be posted.

Apple Responds To Gatekeeper Issue With Upcoming Fixes More

Apple Responds To Gatekeeper Issue With Upcoming Fixes

Comments Filter:

  • I call bullshit (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Monday November 16, 2020 @11:06AM (#60730062)

    Jacopo Jannone intercepted an unencrypted network request and found out that Apple is not secretly spying on you.

    It may not link the user and ther usage pattern directly, but it does build a usage pattern. Wait long enough (not very long probably), or combine that with other naturally de-anonymising requests from the same IP, and Apple has a pretty good profile on you. All this Jannone guy discovered is that Apple doesn't do it blatantly.

    And don't tell me I should trust Apple to be virtuous, because that's beyond naive. There's a metric shitton of money to be made in dataraping your customer base, and I see no reason why Apple would refrain from engaging in it just as much as the other Big Data sumbitches.

    • Ok tin foil hat wearer. Apple stands to get sued to oblivion if they collect this data. They're just not. And no evidence of collection doesn't mean you get to claim they are doing it anyway.
      • HAH, you think a lawsuit is going to stop them? They've already made billions of dollars off of the people who put blind faith into them.

        • HAH, you think a lawsuit is going to stop them? They've already made billions of dollars off of the people who put blind faith into them.

          Dollars. That’s all you see, baby seal-clubber.

          They are called “units of love” asshole, and yes, Apple made billions while you sat around and spewed bile and hate speech.

        • And the flow of billions of dollars would stop if they abused their users like Google and Microsoft do.
          Follow the money? Apple is making money just fine selling products and services to their users.

          If they lost their users by selling them, they'd have to drop down to Google and Microsoft's level and fight for a third of those profits, at best.

    • In other words:

      "I've decided that Apple is evil and, regardless of the amount of evidence to the contrary that I'll be presented with now and in the future, I'll never change my mind."

      There are plenty of legitimate reasons to hate Apple as a company without having to make up fake ones.

      • "I've decided that Apple is evil and, regardless of the amount of evidence to the contrary that I'll be presented with now and in the future, I'll never change my mind."

        Right???

        Psychotic, the lot of them. My god if you can’t trust a large US corporation then who can you trust?

        You know who else thought Apple was evil?

        Hitler!

        Not just Hitler, but Hitler’s Czar of Evil!

        Sig Heil, you evil chunks of horse excrement!

    • You don't have to assume they're being virtuous, assume they're being greedy.

      1. They wouldn't want to collect this data for OTHER people
      2. They don't really sell anything that would benefit from collecting this data themselves—Apple doesn't charge for most of their apps
      3. They already know you're buying their product and have your information through iCloud. They already have a direct-to-consumer relationship that they can advertise to you through; collecting this data is meaningless indirection
      4. Thi

      • 1. Why not? They can claim innocence. I mean, they're perfectly willing to sell out their users to Google for a couple billion. 2. You're joking right? Their first party vendors of multimedia content. Hell, they even have a dedicated app to recommend TV Show content. They have advertising inside their app store. Where do you think they get these recommendations from? 3. Usage patterns of said apps are extremely valuable. I have a TON of stuff on my phone (filled about 150GB of my 128GB+32GB SD with

      • You don't have to assume they're being virtuous, assume they're being greedy.

        Please wait by the door with your hands up and your pants off. Someone will be along to collect you shortly. An anal probe will be involved.

        You were warned many times about this shit, but you just had to push it.

      • Re: (Score:2)

        by tlhIngan ( 30335 )

        That said, it's an exceptional display of both hubris and incompetence to write a system that works fine if you're disconnected from the internet, but breaks if it can contact the server but the server sends no response because it's overloaded.

        It didn't break though, it just took a long time to happen.

        The question then becomes, what timeout is appropriate? Because it's trivial to check if you can make a connection to the server if you have no network connected. But a lot less trivial if there is a connectio

    • And don't tell me I should trust Apple to be virtuous, because that's beyond naive. There's a metric shitton of money to be made in dataraping your customer base, and I see no reason why Apple would refrain from engaging in it[...]

      Perhaps because as the off-and-on most valuable company in the world (at least based on market cap), Apple has shown that there's even more money to be made by selling premium-priced products that respects their users' privacy?

      Of course, you needn't take my word on it. Apple updated its documentation for Gatekeeper [apple.com] (the feature in question) in response to the concerns that were raised, adding a section about privacy at the very end. Read through it and you'll find the following that directly contradicts you

  • Trust, but verify. (Score:5, Interesting)

    by Edge ( 640 ) on Monday November 16, 2020 @11:54AM (#60730256)

    Security researchers investigating network traffic and pointing out vulnerabilities is a good thing. Rushing to conclusions that (insert_company_name_here) is spying on users based on this data is careless at best, and makes the "researcher" out to be a fool.

    I trust what Apple says - they make their money selling products. Their users are not their products. Apple haters would love to prove this false, but I just don't see Apple as being naive and short-sighted enough sell customer data for comparably minuscule revenue.

    • This.

      Coupled with the fact that there are 2 glaring errors in the original blog post (e.g. hashes of the application itself are not sent, and the OCSP requests are not sent every time an app is launched), it is clear that this was agenda driven. The "researcher" apparently didn't do very thorough research.

    • Re: (Score:2)

      by Cyberax ( 705495 )

      I trust what Apple says - they make their money selling products. Their users are not their products.

      OF COURSE, Apple sells users. Why do you think they have 30% AppStore cut? They are selling users to third-party developers.

    • I trust what Apple says

      Well of course you do. You’re sane. Apple loves you and you feel that love. I trust Apple implicitly too. In fact, I went to the Apple store yesterday, and totally just fell backward.

      Even though ten workers were around, I hit the floor, hard, seriously that shit hurt, but that just proved to me how much they loved me.

      See, it would have been easy for them to to catch me, but I wouldn’t have learned anything. They loved me enough to let me get the concussion.

      It’s

  • Basically download a local copy of the hash for each application as you install it and then store a hash of that in the Apple equivalent of the TPM.

    Then you can verify every application locally without requiring an internet connection. The only reason to actually require an internet connection to get the hash is to collect data.

    This is especially true when you consider that given the request is not encrypted then the whole thing is pointless as you can trivially launch a man in the middle attack on the proc

    • You're correct, it is unnecessary. Which is why Apple doesn't do that. OCSP has a validation period that can be several days between checks. Jacopo Jannone confirmed this in his blog post.

    • Re:Check on every launch is unnecessary (Score:5, Informative)

      by EvilSS ( 557649 ) on Monday November 16, 2020 @01:12PM (#60730604)

      This is especially true when you consider that given the request is not encrypted then the whole thing is pointless as you can trivially launch a man in the middle attack on the process.

      This isn't an Apple thing so much as a OCSP thing. The requests are sent over HTTP but the reply is cryptographically signed to help prevent MITM tampering attacks. Of course, a MITM would be in a position to cause the OCSP call to fail, which can negate the revocation check when the bad actor has compromised the certificate in question. However a MiTM attack on a code-signing cert would be pretty difficult, as they would need to compromise the signing cert AND manage to insert themselves between the end user and the target OCSP servers. Not impossible, but not practical outside of a very target attack against a single company. And quite frankly, if your company traffic is compromised to that extent, you have bigger problems.

      On the privacy side, there is OCSP stapling, which conducts the OCSP check over HTTPS inside the HTTPS callout to the target webserver, but that really only works for web certs, since a code signing cert won't have a HTTPS session based on that cert. Overall the OCSP system needs some work, but this isn't just an Apple problem, it's a standards problem.

  • Just use linux ... (Score:5, Insightful)

    by arit ( 1338477 ) on Monday November 16, 2020 @12:43PM (#60730492)

    Then you can have full control of what your OS is doing.

    • Or turn off the security feature that checks that your apps haven't been tampered with. What you do is not allow the checking in security preferences, so the app will initially be rejected, and then you can allow using it manually.

      The result: Apple doesn't know about the app, and if it has been hacked, you are on your own. Like the standard behaviour in Linux.

    • Don't you have a kernel to patch or a compatible driver to locate or something?
      At least you've got Full Control. No bluetooth after that last install, but Full Control.

    • Then you can have full control of what your OS is doing.

      Pffft, like Linux will slow down my shit when it needs more revenue.

      No thanks.

  • Summary is 180 degrees wrong (Score:4, Informative)

    by battingly ( 5065477 ) on Monday November 16, 2020 @01:55PM (#60730802)
    Jannone's analysis, which is not linked in the summary does _not_ conclude "Apple is not spying on you". It concludes gatekeeper is sending a cleartext identifier of the developer instead of the app. However, since many developers have a single or a most prominent app, that's effectively the same thing in many cases. In other words, this confirms Apple is spying on you. https://techcrunch.com/2020/11... [techcrunch.com] Apple did not address the privacy issue at all with their announcement today. They only addressed the issue of whether app launching should be slowed by server problems. That completely misses the point. It's the privacy issue that has caused alarm, not the slow app launches.

    • I assume you did not read Apple's official post since they clearly did attempt to address the privacy concerns:

      Excerpts:

      To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

      • A new encrypted protocol for Developer ID certificate revocation checks
      • Strong protections against server failure
      • A new preference for users to opt out of these security protections

      Seems like they are addres

      • There is no official post from Apple on this subject. There have been reports of private email sent to select recipients saying Apple will do something about this in the future, and making unsubstantiated claims that they will stop storing the information that is transmitted to their ocsp server. Anyway, the point is not that Apple might look into this someday, but rather that the summary incorrectly claims Apple is not spying on you.

    • Terrorists.

      Funny that you say that, but UK and European police got the complete messages sent mostly by criminals over the course of three months, using a very expensive Android app (about $1,800 a year if I remember right). These criminals didn't trust Apple.

      Police got _every_ _single_ user of that app and all their messages. Estimates are that of the 60,000 users, 50,000 were serious criminals and 10,000 rich and paranoid people.

      • You may think that 1800$ per year is very expensive, but it's pocket change for a police department. That's only 150$ per month, or 5$ per day. If they caught 50K criminals over a year, that's only 0.036$ or 3.6 cents per criminal caught.

        Even at 100 times that price, it would be worth it.

  • Once all of their devices are on ARM, they will close "sideloading" and force everyone to their store.

    Sweet 30% cut here we come!

  • Yea right (Score:1)

    by Anonymous Coward

    So why when on a macOS Mojave (and other versions) when you click Apple -> "About This Mac" there is request made to "com.apple.geod.xpc, gsp-ssl.ls.apple.com, gsp64-ssl.ls.apple.com, gsp19-ssl.ls.apple.com, gsp35-ssl.ls.apple.com" ? and this is just one of hundreds request that modern OSX OS will make if you let it go.

    They all harvesting/telemetry data like there is no tomorrow & we are the product.

    Apple -> kiss my ass!

Slashdot Top Deals

As long as we're going to reinvent the wheel again, we might as well try making it round this time. - Mike Dennison

Close