Apple hashing applications and logging data remotely before starting applications on MacOS

So I don’t use any Apple products - the only one I’ve ever owned was a used 2nd generation Xserve I had (and wish I had kept). However, I stumbled across this blog post today:

I’ve seen some of Jeffrey Paul’s writings in the past and I’m not a huge fan of a lot of how he presents things, so I almost didn’t read the article out of bias. However, I’m glad I did, and if anyone else is in the same boat, I’d recommend reading it.

To summarize:

  • Apple hashes applications on MacOS before they are run, and records that along with Date, Time, Computer, ISP, City, and State, and sends them unencrypted to their own validation server via Akamai.
  • It is not a commonly known feature because it is designed to not be noticed, but due to server difficulties, applications apparently weren’t launching the other day.
  • It used to be somewhat straightforward to block the network requests by using a specific program called Little Snitch, but with Big Sur, Apple has restricted 3rd party access to system network data (if I’m interpreting this correctly).

I’m confused as to if I just missed this story, or if somehow the media hasn’t covered it up to now, but it seems like this has been going on for some time. Was anyone else aware of this?

9 Likes

You’re forgetting the most important thing, which is that it’s never Apple’s fault. The antenna isn’t poorly designed, you’re just holding it wrong. Software won’t launch? Well you shouldn’t be using non-Apple software.

3 Likes

Yeah, I’ve known about it for some time, as they’ve had issues before with slow OCSP responses.

This isn’t entirely true, and Jeffrey Paul is deliberately leaving out some important details.

What’s going on here is the OS is verifying developer certificates of apps as they are initially run.

To do so, it sends a base64 encoded message to the OCSP responder over HTTP. But there’s a couple of key points:

The encoding includes the developer certificate info, not unique app certificates as suggested by Jeffrey

Why over HTTP? OCSP responders verify certificates; running on HTTPS would cause an endless loop of it trying to verify itself, so they’re run over HTTP, which is pretty standard for OCSP responders.

As for location information, that’s not sent in the encoding. That’s just how IP addresses work, and it doesn’t matter if you use HTTP or HTTPS.

There’s actually a good write-up on this issue here that’s worth a read: https://blog.jacopo.io/en/post/apple-ocsp/

His next blog post will presumably be about how Mozilla is tracking every website you view and so is anyone else, based on the exact same premise (it sends OCSP requests to verify certificates) only in this case the OCSP requests will be the domain of every site so it would in fact know what exact sites you’re visiting.

For anyone who knows networking the response to this is essentially “uh yeah… that’s how OCSP works”

6 Likes
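
To make the point above concrete, here is an added example (not code from the thread, Apple, or the linked write-up) that builds an unsigned OCSP request per RFC 6960 with only the Python standard library, encodes it the way the GET form of the protocol does, and decodes it again to list what it actually contains. The issuer name, issuer key bits, serial number and responder URL are all constructed stand-ins, not Apple’s values.

```python
"""
Build and decode a minimal unsigned OCSP request (RFC 6960) to show what such a
request carries: a hash of the issuer's name, a hash of the issuer's public key
and the serial number of the certificate being checked. No digest of the
application binary and no client information is inside the message; the only
thing the responder learns about the client comes from the TCP connection itself.
All inputs below are constructed.
"""
import base64
import hashlib
import urllib.parse

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26, the usual CertID hash algorithm


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal-length two's complement."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def build_ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """OCSPRequest { TBSRequest { requestList { Request { CertID } } } }, no signature."""
    cert_id = der(0x30,
                  der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))       # AlgorithmIdentifier: sha1, NULL
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())  # issuerKeyHash
                  + der_integer(serial))                                # serialNumber of the leaf cert
    request_list = der(0x30, der(0x30, cert_id))
    return der(0x30, der(0x30, request_list))


def to_get_url(responder: str, req: bytes) -> str:
    """RFC 6960 appendix A.1: base64 of the DER, URL-escaped, appended to the responder path."""
    return responder.rstrip("/") + "/" + urllib.parse.quote(base64.b64encode(req).decode(), safe="")


def der_read(buf: bytes, pos: int = 0):
    """Read the element at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes) -> list:
    """All top-level (tag, body) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out


def parse_ocsp_request(req: bytes) -> list:
    """Return one dict per CertID found in the request."""
    _, ocsp_body, _ = der_read(req)
    tbs_body = der_children(ocsp_body)[0][1]            # optionalSignature [0], if any, follows the TBS
    request_list = next(b for t, b in der_children(tbs_body) if t == 0x30)  # skip [0]/[1]/[2] items
    result = []
    for _, request_body in der_children(request_list):
        cert_id_body = der_children(request_body)[0][1]
        (_, alg_body), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id_body)
        alg_oid = der_children(alg_body)[0][1]
        result.append({
            "hash_alg": "sha1" if alg_oid == SHA1_OID else alg_oid.hex(),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big", signed=True),
        })
    return result


def parse_get_url(url: str) -> list:
    """Undo to_get_url(): last path segment, unescape, base64-decode, parse."""
    last = urllib.parse.urlsplit(url).path.rsplit("/", 1)[-1]
    return parse_ocsp_request(base64.b64decode(urllib.parse.unquote(last)))


# Constructed stand-ins for an issuing CA's DER Name and SubjectPublicKey bits,
# plus a constructed serial number for the leaf (developer) certificate.
ISSUER_NAME_DER = b"\x30\x00CN=Example Developer ID CA (constructed)"
ISSUER_KEY_BITS = b"constructed public key bits, not a real key"
LEAF_SERIAL = 0x6F3A1C2E9D4B7081


def demo(responder: str = "http://ocsp.example.test/ocsp") -> dict:
    """Round-trip one request through the GET URL form and return the decoded fields."""
    req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, LEAF_SERIAL)
    url = to_get_url(responder, req)
    return {"url": url, "fields": parse_get_url(url)}


if __name__ == "__main__":
    out = demo()
    print(out["url"])
    for key, value in out["fields"][0].items():
        print(f"{key:>17}: {value}")
```

Running it prints the base64 blob as it would appear in a GET request, then the three fields it decodes to. The name and key of the issuing CA appear only as SHA-1 digests, and the serial number identifies one certificate issued by that CA; whether that serial maps to one app or many depends on how the developer signs, which is exactly the point argued later in this thread.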

Was about to paste that blog post as well.

So, what I’m seeing from this is “we here at Apple can’t effectively validate that applications we sign are secure, so just in case, we check that we haven’t fucked up before you launch your program”

Is there a way to disable this, aside from hosts 0.0.0.0’ing the domain?

Addendum:

1 Like

Isn’t the issuer Apple if it’s a developer certificate? Or am I missing something? Coming into this late…

Issuer would be the app developer, otherwise it wouldn’t matter to send that data.

If so, the vast majority of developers only make one app, so in the vast majority of cases, this is a unique identifier for what app you’re launching.

Either way:

echo 0.0.0.0 ocsp.apple.com | sudo tee -a /etc/hosts

And you have no issues.

Except on big sur where the connection is at a lower level?

Oh, is it now?

Fun. :frowning:

Or just don’t use apple?

More concerned about that serial number tbh… or is that just an attribute of the developer cert? Verifying a cert each time you open a signed app is similar to a cert for a website as @Eden mentioned. Obviously, that’s not as privacy-respecting as Linux where you rely on local checks on gpg keys, hashes, checksums, etc for software validation, but I don’t think it’s at the level of Windows 10 telemetry unless there’s other data being transmitted (or more likely, correlated).

I also assume it doesn’t send anything when you run unsigned apps… I wonder if you can remove the developer certificate from an application.

:neutral_face: did he really just screenshot the page showing the base64 encoded message is in fact a base64 encoded message and not a hash and then claim… it’s a hash?

No, it’s more a case of “we’re reserving the right to terminate applications that somehow evade detection of malicious activity for the sake of our users”.

I have no problem with it.

If you run Windows, Microsoft essentially reserves the right to record anything on your machine.

I’ll throw a big /S and a meme:

ok now I’ll write:

inb4 I use windows because graphic design programs and I don’t hate it, also don’t hate macs, I was just memeing, now to my opinion:

Apple hashing applications and logging data remotely before starting applications

that sounds bad, man, really bad :frowning:

phone home too much?

sigh just when I was rather liking the m1 chip

2 Likes

It’s looking like this needs exploring more, as what I’m reading suggests connections can be filtered at a lower level using pf, since all system-level VPNs work perfectly fine at this level. It seems like application-level firewalls are what don’t have permission to filter system-level applications. (Could be wrong, that just seems to be what I’m seeing atm.)

This could be a concern, but it also depends on who you’re hiding from.

Frankly I find his approach distasteful and not really honest.

It’s the serial number of the certificate. That’s just part of how certificates work.

I believe it warns you about unsigned apps when you run them

What’s the problem?

Was considering making the move to Apple after seeing M1 benchmarks, but phoning home every time you open an Apple application is kind of gross and unnecessary.

1 Like

Right. So what exactly is the concern you have with it?

I’m not saying there aren’t issues, but this is how ocsp works. Same thing happens for every single web page you visit with the exact same information.

1 Like

I have no horse in this race just thinking.

Why do they need this at all? If it only works on Apple-approved apps, what are they checking for there? They have already been approved.

If it is for the security of the system and users, as claimed, then why would it still let you run unchecked stuff yourself and not check what they are doing at launch?

That sounds like a very strange argument.

1 Like

If memory serves it doesn’t. It screams murder at you and doesn’t run as the software is unsigned, you need to manually allow unsigned apps to run. Somewhat similar to windows.

Because the developer or Apple may have revoked the certificate