Apple is a very polished company, both in how it designs and advertises its products. The latest macOS release, Big Sur, however, was anything but smooth. This can be partially attributed to Apple’s decision to use the Online Certificate Status Protocol (OCSP) for certificate validation and certificate revocation checking. The issue is not only due to using OCSP, but that the querying intervals were too short for the deluge of OCSP Responder calls to the ‘ocsp.apple.com’ server. The real “meat” of the OS rollout mishap came from a user’s discovery of how its application certificate verification process revealed a significant portion of private data.
Jeff Johnson and others revealed that OCSP queries were used to verify certificate revocation for third-party applications. This process sent unencrypted data to Apple such as the Internet Protocol (IP) address, date, city, Internet Service Provider (ISP), and the application hash, each time an application was opened. This meant information that would be considered personal to some, such as application use, was being leaked to users’ ISPs. The process of checking applications’ hashes to ensure their integrity is standard and considered good security. What is considered less standard is how this data is transported between macOS devices running Big Sur and the servers checking the hash integrity. One might consider it a burdensome process to encrypt each OCSP query, but the alternative is a disappointing level of privacy.
The transition from Catalina to Big Sur included another big overhaul of Apple’s security framework. Apple phased out the Network Kernel Extension and transitioned to its new Network Extension API. Companies like Little Snitch and others in the security community noticed that Apple’s new API not only whitelisted many Apple services (as is normal for certain core services) but also hid this traffic. This meant Apple services like Apple Maps would deliver data to Apple hidden behind the cover of the API. A basic expectation of a firewall is to know of all traffic going in and out of a device, regardless of whether you can control the data being transmitted. This raises security concerns about how attackers may find ways to tunnel behind a third-party firewall via an Apple service to avoid detection.
These security concerns have been magnified by the fumbling of the Big Sur rollout. Apple has already acknowledged some of what they need to improve on. This has started a conversation in the tech community around the privacy and transparency customers should expect from a company.