Apple makes changes after macOS Big Sur privacy criticism on app check
Apple will stop logging users’ IP addresses when validating macOS apps and will apply encryption to checks for Developer ID certificates of apps. The company is implementing the changes after privacy criticism and app launch issues last week.
Apple will make changes to the way it validates apps in the coming year. This is evident from text passages that Apple has added to its support document about safely opening apps on macOS. The company will use a new encryption protocol to check for Developer ID certificates, provide more protection if the servers fail, and offer an opt-out option for users who do not want the protection.
The promise for the changes comes after app launch issues with the release of macOS 11.0 Big Sur. Those problems arose because the servers for the Online Certificate Status Protocol, or OCSP, went down. Apple uses these servers for its Gatekeeper technology; which checks whether apps contain malware and are properly signed by the developers with certificates. These are X.509 certificates and Apple can revoke them in real time if it detects problems after an online check, even if the app itself is installed correctly.
When examining the nature of the app problems, security researchers like Jeffrey Paul emphasized that OCSP requests were sent unencrypted. There was also criticism of the collection of IP addresses, the limitation of the network tool Little Snitch in macOS Big Sur and the disappearance of the possibility in that OS to block validation in firewalls.
Apple reports to iPhone in Canada that the company never combines data from the checks with information from Apple users or their devices, nor does it monitor what individual users run for apps. The company reports that it has stopped logging IP addresses with the Developer ID checks and that it will delete already collected IP addresses.