Why Mac Apps Are Signed With Developer Certificates
On a Mac, apps you download—whether from the Mac App Store or from the web—are signed with a developer certificate. Whenever you launch an app, your Mac checks the app to verify that it was signed by a legitimate developer and that it hasn’t been tampered with. This helps protect you from malware.
For example, when Mozilla creates Firefox, it compiles a Firefox application file and then signs it with Mozilla’s developer certificate. This is Mozilla’s way of proving that the file is legitimate and created by Mozilla. If the application file is tampered with afterward, your Mac will notice the difference.
These certificates are only valid for a certain interval of time—perhaps a few years—but they can be “revoked” early. For example, if Apple discovers that a developer is using its certificate to sign malicious apps, Apple then revokes the certificate. Macs won’t load apps with that revoked certificate.
OCSP Explained: Why Does Your Mac Phone Home?
But wait—how does your Mac know if Apple has revoked a certificate associated with an app on your Mac? To check, your Mac uses something called the Online Certificate Status Protocol, or OCSP; it’s also used by web browsers to check website certificates as you browse.
When you launch an app, your Mac sends information about its certificate to an Apple server at ocsp.apple.com. Your Mac asks this Apple server whether the certificate has been revoked. If it hasn’t, your Mac launches the app. If the certificate has been revoked, your Mac won’t launch the app.
Does This Happen Every Time You Launch an App?
Your Mac remembers these responses for a period of time. On November 12, 2020, responses were cached for five minutes; in other words, if you launched an app, closed it, and launched it again four minutes later, your Mac wouldn’t have to ask Apple about the certificate a second time. However, if you launched an app, closed it, and launched it six minutes later, your Mac would have to ask Apple’s servers again.
For whatever reason—perhaps due to changes in macOS Big Sur—Apple’s server was swamped and became very slow on November 12, 2020. Responses slowed down considerably, and apps took a long time to load as Macs patiently waited for a response from Apple’s slow server.
After that event, Apple’s OCSP server now tells Macs to remember certificate validity responses for 12 hours. Your Mac will phone home and ask about a certificate every time you launch an app—unless you’ve received a response in the last 12 hours, in which case it won’t need to. (The information about time periods here comes from independent app developer Jeff Johnson.)
What If a Mac Is Offline?
The OCSP check is designed to fail with grace. If you’re offline, your Mac will silently skip the check and launch apps normally.
The same is true if your Mac can’t reach the ocsp.apple.com server—perhaps because the server address has been blocked on your network at the router level. If your Mac can’t contact the server, it skips the check and immediately launches the app.
The problem on November 12, 2020 was that while Macs could reach Apple’s server, the server itself was slow. But rather than silently failing and getting on with launching an app, Macs waited a long time for a response. If the server had been down completely, no one would have noticed.
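The caching and fail-open behavior described in the two sections above can be modeled in a few dozen lines. The following is an added example, not Apple’s code and not a client for ocsp.apple.com: the responder is a local fake, the clock is simulated so the “waiting” costs no real time, and the certificate serial numbers, the revoked serial, and the 10-second timeout used in the last scenario are constructed values. What it shows is the difference between a server that is down (the client moves on immediately and launches the app) and a server that is up but slow (the client sits and waits unless it has a timeout), plus how the 5-minute and 12-hour cache lifetimes change the number of requests sent.

```python
"""Model of the OCSP cache and fail-open behaviour described in the article.
Added example; it is not Apple's code and never contacts ocsp.apple.com.
The responder is a local fake, so everything here runs offline."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CACHE_MAX_AGE_BEFORE = 5 * 60       # five-minute lifetime reported for Nov 12, 2020
CACHE_MAX_AGE_AFTER = 12 * 60 * 60  # twelve-hour lifetime served afterwards
REVOKED_SERIALS = {"0xbad0"}        # constructed sample of revoked certificate serials


class ResponderUnreachable(Exception):
    """The responder could not be contacted (offline, blocked at the router, or timed out)."""


class FakeClock:
    """Simulated monotonic clock so the example can 'wait' without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class CachedStatus:
    revoked: bool
    expires_at: float


class OcspClient:
    """Asks a responder whether a signing certificate is revoked, caches the answer
    for max_age seconds, and fails open when the responder cannot be reached."""
    def __init__(self, responder: Callable[[str, Optional[float]], bool], max_age: float,
                 clock: FakeClock, timeout: Optional[float] = None) -> None:
        self.responder = responder
        self.max_age = max_age
        self.clock = clock
        self.timeout = timeout        # None reproduces the unbounded wait of Nov 12, 2020
        self.cache: Dict[str, CachedStatus] = {}
        self.requests_sent = 0

    def may_launch(self, serial: str) -> bool:
        now = self.clock()
        hit = self.cache.get(serial)
        if hit is not None and hit.expires_at > now:
            return not hit.revoked                      # answered from cache, no network
        self.requests_sent += 1
        try:
            revoked = self.responder(serial, self.timeout)
        except ResponderUnreachable:
            return True                                 # fail open: launch without an answer
        self.cache[serial] = CachedStatus(revoked, now + self.max_age)
        return not revoked


def healthy_responder(serial: str, timeout: Optional[float]) -> bool:
    return serial in REVOKED_SERIALS


def unreachable_responder(serial: str, timeout: Optional[float]) -> bool:
    raise ResponderUnreachable("connection refused")


def make_slow_responder(clock: FakeClock, delay: float):
    """A responder that is up but answers only after `delay` seconds."""
    def respond(serial: str, timeout: Optional[float]) -> bool:
        if timeout is not None and delay > timeout:
            clock.advance(timeout)                      # client gives up after its timeout
            raise ResponderUnreachable("timed out")
        clock.advance(delay)                            # client blocks for the whole delay
        return serial in REVOKED_SERIALS
    return respond


def cache_requests(max_age: float, relaunch_after: float) -> int:
    """Launch an app, relaunch it `relaunch_after` seconds later, return requests sent."""
    clock = FakeClock()
    client = OcspClient(healthy_responder, max_age, clock)
    client.may_launch("0x1234")                         # constructed, non-revoked serial
    clock.advance(relaunch_after)
    client.may_launch("0x1234")
    return client.requests_sent


def launch_with_responder(kind: str, delay: float = 0.0, timeout: Optional[float] = None):
    """Return (launched, seconds_waited) for one launch of a non-revoked app."""
    clock = FakeClock()
    responder = {"healthy": healthy_responder, "unreachable": unreachable_responder,
                 "slow": make_slow_responder(clock, delay)}[kind]
    client = OcspClient(responder, CACHE_MAX_AGE_AFTER, clock, timeout)
    start = clock()
    launched = client.may_launch("0x1234")
    return launched, clock() - start


def revoked_is_blocked() -> bool:
    client = OcspClient(healthy_responder, CACHE_MAX_AGE_AFTER, FakeClock())
    return not client.may_launch("0xbad0")


if __name__ == "__main__":
    print("5-min cache, relaunch after 4 min:", cache_requests(CACHE_MAX_AGE_BEFORE, 4 * 60))
    print("5-min cache, relaunch after 6 min:", cache_requests(CACHE_MAX_AGE_BEFORE, 6 * 60))
    print("12-h cache, relaunch after 6 min:", cache_requests(CACHE_MAX_AGE_AFTER, 6 * 60))
    print("offline:", launch_with_responder("unreachable"))
    print("slow server, no timeout:", launch_with_responder("slow", delay=30))
    print("slow server, 10 s timeout:", launch_with_responder("slow", delay=30, timeout=10))
```

The last two scenarios are the point: with no timeout the client waits the full 30 simulated seconds for a slow-but-alive server, exactly the symptom of November 12; with a timeout it waits 10 seconds and then fails open just as it would for a server that is unreachable. A bounded wait is the kind of “protection against server failure” a client needs, and the trade-off is visible in the code: while the responder is unreachable or timing out, a revoked certificate is not caught.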
What’s the Privacy Risk? What Does Apple Learn?
There are several privacy concerns people have brought up here. They are spelled out in hacker and security researcher Jeffrey Paul’s blistering take on the situation.
Certificates Are Associated With Apps: When your Mac contacts the OCSP server, it asks about a certificate that’s likely associated with one app—or, perhaps, a handful of apps. Technically, your Mac does not tell Apple which app you’ve launched. For example, if you launch Firefox, Apple just learns that you’ve launched an app created by Mozilla. It could be Firefox or Thunderbird, but Apple doesn’t know which. However, if you launch an app signed by the Tor Project, Apple can get a pretty good idea that you’ve opened the Tor Browser.
Requests Are Associated With IP Addresses and Times: These requests can, of course, be associated with a date and time and your IP address. That’s just how the internet works. Your IP address is associated with a certain city and state. Each OCSP request tells Apple the developer that created the app you’re launching, your general location, and the date and time on which you launched the app.
Lack of Encryption Means Snooping Is Possible: The OCSP protocol is unencrypted. Not only does Apple get this information—anyone in the middle can also see this information. Your internet service provider, workplace network administrator, or even a spy agency monitoring internet traffic could eavesdrop on the OCSP traffic between you and Apple and learn all these details. These requests also go through a third-party content distribution network (CDN) named Akamai. This speeds them up—but adds another middleman that could technically snoop.
(Remember: With the change to caching behavior, your Mac is no longer asking Apple every time you launch an app. It’s only doing this every 12 hours instead of every 5 minutes.)
Why Is Your Mac Doing This?
As you might expect, this is all about security. The Mac is a more open platform than the iPad and iPhone. You can download apps from anywhere, even outside of Apple’s Mac App Store.
To protect the Mac from malware—and yes, Mac malware has become more common—Apple implemented this security check. If a certificate used to sign an app is revoked, your Mac can immediately spring into action and refuse to open that app. This gives Apple the power to stop Macs from launching known-malicious apps.
Can You Block the OCSP Checks?
These OCSP checks are designed to quickly and silently fail when a Mac is either offline or can’t contact the ocsp.apple.com server.
That makes them simple to block: Just prevent your Mac from connecting to ocsp.apple.com. For example, you can often block this address on your router, preventing all devices on your network from connecting to it.
Unfortunately, it seems like Big Sur no longer lets software-level firewalls on the Mac block the Mac’s built-in trustd process from accessing remote servers like this.
What Does Apple Say and Promise to Change?
Apple appears to have heard the criticism. On November 16, 2020, the company added information about “privacy protections” for Gatekeeper on its website.
First, Apple says it has never combined data from these certificate or malware checks with any other data Apple knows about you. The company promises it doesn’t use this information to track which apps individuals are launching on their Macs.
Second, Apple insists that these certificate checks are not associated with your Apple ID or any device-specific information beyond your IP address. Apple says it has stopped logging IP addresses associated with these requests and will be removing them from Apple’s logs.
Over the next year—in other words, by the end of 2021—Apple says it will make these changes:
Replace OCSP With an Encrypted Protocol: Apple says it will create a new encrypted protocol to replace the unencrypted OCSP system for checking developer certificates. This will prevent anyone in the middle from snooping.
Stop the Slowdowns: Apple also promises “strong protections against server failure”—in other words, apps won’t be slow to load because a server slowed down again.
Provide Choice to Users: Apple says Mac users will be able to turn these security protections off and prevent their Mac from checking for revoked developer certificates.
Overall, these changes will eliminate various problems—third parties can no longer snoop in the middle. Macs will still send Apple information it can use to track which apps you open, but Apple promises not to associate that information with you. Slowdowns should be eliminated as Apple fixes the performance problem, too.
What will this better protocol be? Well, Apple hasn’t yet said what it will replace OCSP with. As security researcher Scott Helme notes, something like CRLite could help thread the needle here. Imagine if your Mac could download a single file from Apple and regularly update it. The file would contain a compressed list of all certificate revocations. Whenever you launch an app, your Mac could check the file, eliminating the network checks and privacy problems.
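To make the CRLite idea concrete, here is an added example of a filter cascade, the data structure CRLite is built on. It is not CRLite’s code and not anything Apple has announced: the serial numbers are constructed, and the example assumes the client periodically downloads the finished filter file and that the issuer knows every certificate it has issued (which holds for Apple, since it issues all developer certificates). A plain Bloom filter can falsely report a valid certificate as revoked; the cascade removes those false positives level by level, so a lookup against the local file is exact for every certificate the builder saw and needs no network request at all.

```python
"""A CRLite-style local revocation check (added example; not CRLite's or Apple's code).
Serial numbers are constructed; the client is assumed to refresh the filter file
periodically. Everything runs offline."""
import hashlib
import math
from typing import List, Set, Tuple


class BloomFilter:
    """Fixed-size Bloom filter; `level` salts the hashes so each cascade level differs."""
    def __init__(self, n_items: int, level: int, bits_per_item: int = 8, k: int = 3) -> None:
        self.m = max(64, n_items * bits_per_item)   # small on purpose, so false positives occur
        self.k = k
        self.level = level
        self.bits = bytearray(math.ceil(self.m / 8))

    def _positions(self, item: str):
        for i in range(self.k):
            digest = hashlib.sha256(f"{self.level}:{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


def build_cascade(revoked: Set[str], valid: Set[str]) -> List[BloomFilter]:
    """Level 0 holds the revoked serials; level 1 holds the valid serials that level 0
    wrongly matches; level 2 holds the revoked serials that level 1 wrongly matches;
    and so on until a level produces no false positives."""
    include, exclude = revoked, valid
    cascade: List[BloomFilter] = []
    while include:
        bf = BloomFilter(len(include), level=len(cascade))
        for serial in include:
            bf.add(serial)
        false_positives = {s for s in exclude if s in bf}
        cascade.append(bf)
        include, exclude = false_positives, include
    return cascade


def is_revoked(cascade: List[BloomFilter], serial: str) -> bool:
    """Local, network-free lookup. Exact for every serial the builder saw; a serial
    outside that set can be misclassified, which is why the issuer must cover all
    certificates it has issued."""
    for depth, bf in enumerate(cascade):
        if serial not in bf:
            return depth % 2 == 1      # stopped at an odd level: it was a genuine revocation
    return len(cascade) % 2 == 1       # matched every level: decided by the last level's role


def cascade_size_bytes(cascade: List[BloomFilter]) -> int:
    return sum(len(bf.bits) for bf in cascade)


def demo(n_valid: int = 5000, n_revoked: int = 50) -> Tuple[int, int, int, int]:
    """Constructed universe of serials. Returns
    (levels, bytes_on_disk, misclassified_revoked, misclassified_valid)."""
    universe = [f"{i:08x}" for i in range(n_valid + n_revoked)]
    revoked = set(universe[:n_revoked])
    valid = set(universe[n_revoked:])
    cascade = build_cascade(revoked, valid)
    wrong_revoked = sum(1 for s in revoked if not is_revoked(cascade, s))
    wrong_valid = sum(1 for s in valid if is_revoked(cascade, s))
    return len(cascade), cascade_size_bytes(cascade), wrong_revoked, wrong_valid


if __name__ == "__main__":
    levels, size, bad_r, bad_v = demo()
    print(f"{levels} cascade level(s), {size} bytes on disk, "
          f"{bad_r + bad_v} misclassified out of 5050 certificates")
```

Each lookup hashes the serial a handful of times against a file that is a few hundred bytes for this constructed set, and sends nothing over the network, so the IP-address, timing and snooping concerns from earlier in the article disappear for the revocation check itself. The cost moves to the issuer, which has to rebuild and republish the file whenever it revokes a certificate, and the client is only as current as its last download.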
Your Mac Does Sometimes Send App Hashes to Apple
By the way, your Mac does sometimes send hashes of the apps you open to Apple’s servers. This is different from the OCSP signature checks. Instead, it has to do with Gatekeeper notarization.
Developers can upload apps to Apple, which checks them for malware and then “notarizes” them if they seem safe. This notarization ticket information can be “stapled” to the app. If a developer doesn’t staple the ticket information to the app file, your Mac will check with Apple’s servers the first time you launch that app.
This only happens the first time you launch a given version of an app—not every time it opens. And the online check can be eliminated by the developer through stapling.
Macs aren’t unique here. For example, Windows 10 PCs often upload data about apps you download to Microsoft’s SmartScreen service to check for malware. Antivirus programs and other security applications may upload information about suspicious-looking apps to the security company, too.