Recently, several Mac users complained about apps opening slowly on macOS Big Sur—or not opening at all. As it turns out, the issue was down to Apple’s OCSP (Online Certificate Status Protocol) service, which ensures that apps are from trusted sources. As a side effect, Apple has been criticised for collecting too much information from its users in the process, with security researcher Jeffrey Paul publishing a post titled “Your Computer Isn’t Yours”.
Paul claims that the OCSP requests are unencrypted, which means that Apple (and your ISP) can access information on the apps that you’re opening and using on your Mac. In the past, there were apps that could block these requests, but Big Sur has a new API that prevents such blocking. As a result, he explains:
“On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.”
Apple responds
As reported by The Verge, Apple has responded to the complaints via a support page. If you head over to the “Safely open apps on your Mac” page, there is a new “Privacy protections” segment, which explains that a service called Gatekeeper performs online checks to see if an app has any malware, and to verify the developer’s signing certificate.
The statement also says that Apple does not combine this data with information on users or devices:
“Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.”
To address privacy concerns, Apple will also make changes in how IP addresses are handled during developer certificate checks:
“These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.”
Additionally, Apple will introduce a couple of changes in the way it conducts security checks over the next year or so:
- A new encrypted protocol for Developer ID certificate revocation checks
- Strong protections against server failure
- A new preference for users to opt out of these security protections
If you’re still encountering slow-downs when launching apps on your Mac, disabling internet connectivity appears to solve the issue—albeit temporarily. In the meantime, you can read the full privacy statement from Apple here.