Mac app notarization and customer privacy

December 6, 2018

By Jeff Johnson (Developer of StopTheMadness and Underpass)

When you download a Mac app from outside the Mac App Store and launch it for the first time, macOS checks whether the app was signed with a valid Developer ID certificate, which only a developer enrolled in Apple's paid developer program can obtain. The macOS technology responsible for this verification is called Gatekeeper; it runs on first launch because the downloading application marks the file with a quarantine attribute, and the check is skipped once the user has approved the app. On macOS 10.14 Mojave, Gatekeeper added a step to the verification: in addition to checking whether an app was signed with a Developer ID certificate, it also checks whether the app was notarized by Apple. App notarization requires that a developer submit the app to Apple for an automated malware scan; if no malware is found, Apple notarizes the app. The notarization status is stored on Apple's servers, and a notarization ticket can be "stapled" to the app by the developer so that Gatekeeper can see the notarization when the app is launched. Every version of an app must be notarized separately; notarization does not carry over to later versions. Apple has provided some documentation of Mac app notarization for developers and for end users.
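Before reproducing the experiment below it helps to know, without launching the app, whether a ticket is stapled, whether the bundle still carries the quarantine attribute (otherwise the next launch is not a "first launch"), and what verdict Gatekeeper's policy engine gives. The following is an added example, not code from the original post: it shells out to three Apple command-line tools (`xcrun stapler validate`, `xattr -p com.apple.quarantine`, `spctl --assess`) and parses their output. The sample quarantine value and `spctl` output used in the docstrings are constructed, and the `source=Notarized Developer ID` line is the format assumed for a notarized app; the meaning of the individual quarantine flag bits is not publicly documented, so they are reported raw.

```python
"""Local pre-launch checks on a downloaded app bundle (macOS).

Added example, not from the original post. Relies on three Apple tools:
`xcrun stapler validate` (exit 0 only when a ticket is stapled),
`xattr -p com.apple.quarantine` (prints flags;hex-epoch;agent;uuid) and
`spctl --assess --type execute --verbose=4` (prints a verdict and source=).
"""
import re
import subprocess
from datetime import datetime, timezone


def run(cmd):
    """Run a command, returning (exit code, combined stdout+stderr)."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return proc.returncode, proc.stdout


def stapled_ticket_present(app_path):
    """True if a notarization ticket is stapled to the bundle."""
    code, _ = run(["xcrun", "stapler", "validate", app_path])
    return code == 0


def parse_quarantine(value):
    """Decode a com.apple.quarantine value such as the constructed
    '0083;5c0a8b2e;Safari;0C8D0B3C-2A12-4F6E-9F0D-1E2F3A4B5C6D'.
    Flag bit meanings are not publicly documented, so flags stay raw."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError("unexpected quarantine format: %r" % value)
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": when.isoformat(),
        "agent": parts[2] if len(parts) > 2 else "",
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def quarantine_status(app_path):
    """None when the bundle carries no quarantine attribute (Gatekeeper will
    not treat the next launch as a first launch), else the decoded value."""
    code, out = run(["xattr", "-p", "com.apple.quarantine", app_path])
    return parse_quarantine(out) if code == 0 else None


SPCTL_VERDICT_RE = re.compile(r":\s*(accepted|rejected)\b")
SPCTL_SOURCE_RE = re.compile(r"^source=(.+)$", re.M)


def parse_spctl(output):
    """Pull the verdict and the 'source=' line out of spctl --assess output,
    e.g. the constructed '/Applications/Foo.app: accepted\\nsource=Notarized Developer ID'."""
    verdict = SPCTL_VERDICT_RE.search(output)
    source = SPCTL_SOURCE_RE.search(output)
    return {
        "verdict": verdict.group(1) if verdict else "unknown",
        "source": source.group(1).strip() if source else "",
    }


def gatekeeper_assessment(app_path):
    """Ask Gatekeeper's policy engine for its verdict without launching the app."""
    _, out = run(["spctl", "--assess", "--type", "execute", "--verbose=4", app_path])
    return parse_spctl(out)


if __name__ == "__main__":
    import sys

    app = sys.argv[1]
    print("stapled ticket:", stapled_ticket_present(app))
    print("quarantine:", quarantine_status(app))
    print("gatekeeper:", gatekeeper_assessment(app))
```

Run it as `python3 check.py /path/to/Downloaded.app` right after the download and again after pressing Open; the quarantine attribute is what distinguishes the two states, so to repeat the first-launch experiment you must re-download (or otherwise re-quarantine) the bundle rather than relaunch the approved copy.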

What does not appear to be documented is that Mojave "phones home" to Apple on first launch of every downloaded app, regardless of whether the app was notarized. I notarized one of my apps on December 4, and when I download the app today, turn off my internet, and then launch the app, this is the Gatekeeper dialog:



It says "As of December 4, 2018, Apple checked it for malicious software and none was detected." When I press the Cancel button, turn my internet back on, and then launch the app again, the "As of December 4, 2018" phrase is no longer shown:



This status is not cached. If I press Cancel, turn my internet off again, and then launch, the Gatekeeper dialog goes back to saying "As of December 4, 2018". And if I press Cancel and turn my internet on again, Gatekeeper will "phone home" again on launch.

In packet traces I see a reference to http://ocsp.apple.com, which suggests that Gatekeeper may be using some form of Online Certificate Status Protocol (OCSP), a standard method for checking whether a certificate has been revoked. The internet traffic is to api.apple-cloudkit.com on TCP port 443, in other words, https. Thus, the data is likely encrypted.

The same OCSP traffic occurs on first launch of an older version of my app that was not notarized. According to Apple's developer documentation, pre-existing software that you already shipped before Mojave was released can still be submitted to Apple for notarization. I suspect that this explains why Mojave checks all apps, because an older app's notarization status may be stored on Apple's servers even if it's not "stapled" to the app.

I've seen no evidence that Mojave continues to check notarization status after you press the Open button and allow the app to run. On subsequent launches, there were no OCSP calls, so it seems that notarization status is only checked on first launch. That's not surprising, since the Developer ID certificate check also occurs only on first launch.

Mac app notarization raises privacy issues for Mojave users. On first launch of every app you download, Mojave phones home. At the very least, Apple sees your IP address, the exact app version that you downloaded, and the exact time that you first launched the app. It's unlikely that there's much more information than that, because Gatekeeper only sends a limited amount of data to Apple, less than 1 KB. However, given all of the information that Apple already has on you, they could probably associate your IP address with your Apple ID. It's likely that Apple keeps logs of these Gatekeeper notarization checks, because if customers are launching malware, Apple would want to know how widespread the malware was.
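The packet-trace observations above (traffic to api.apple-cloudkit.com on port 443, under 1 KB, none on later launches) can be checked from a capture rather than eyeballed. The following is an added example, not code from the original post: it parses text in the style of `tcpdump -nn -q -tt` output and sums what the Mac sent to Apple hosts. The capture command is assumed, and the sample capture lines, the local IP and the IP-to-host map are constructed (RFC 5737 documentation addresses, not Apple's real addresses); in a real trace you would take the hostnames from the DNS answers captured on port 53.

```python
"""Quantify what a Mac sends to Apple during a Gatekeeper first-launch check.

Added example, not code from the original post. Input is text in the style
of `sudo tcpdump -i en0 -nn -q -tt 'port 443 or port 53'` (assumed capture
command): timestamp, src.port > dst.port, protocol, payload length. The
sample captures, local IP and IP-to-host map are constructed (RFC 5737
documentation addresses, not Apple's real addresses).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LOCAL_IP = "192.0.2.5"  # the Mac under test (constructed)

# Real traces: derive this from the DNS answers captured on port 53.
HOST_MAP = {
    "203.0.113.10": "api.apple-cloudkit.com",
    "203.0.113.20": "ocsp.apple.com",
    "198.51.100.1": "resolver",
}
APPLE_SUFFIXES = (".apple.com", ".apple-cloudkit.com")

# Constructed: first launch with the network up. "tcp N" is payload bytes.
FIRST_LAUNCH = """\
1544112000.101 IP 192.0.2.5.49152 > 198.51.100.1.53: UDP, length 40
1544112000.120 IP 198.51.100.1.53 > 192.0.2.5.49152: UDP, length 72
1544112000.200 IP 192.0.2.5.49153 > 203.0.113.10.443: tcp 0
1544112000.230 IP 203.0.113.10.443 > 192.0.2.5.49153: tcp 0
1544112000.240 IP 192.0.2.5.49153 > 203.0.113.10.443: tcp 517
1544112000.260 IP 203.0.113.10.443 > 192.0.2.5.49153: tcp 3124
1544112000.280 IP 192.0.2.5.49153 > 203.0.113.10.443: tcp 112
1544112000.300 IP 203.0.113.10.443 > 192.0.2.5.49153: tcp 640
1544112000.320 IP 192.0.2.5.49153 > 203.0.113.10.443: tcp 24
"""

# Constructed: second launch of the same app; only an unrelated HTTPS
# connection the user opened in the meantime.
SECOND_LAUNCH = """\
1544112900.010 IP 192.0.2.5.49200 > 198.51.100.77.443: tcp 0
1544112900.050 IP 192.0.2.5.49200 > 198.51.100.77.443: tcp 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?:tcp |UDP, length )(?P<len>\d+)"
)


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    length: int


def parse_capture(text):
    """Parse tcpdump-style lines; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(Packet(float(m["ts"]), m["src"], m["dst"],
                                  int(m["dport"]), int(m["len"])))
    return packets


def outbound_bytes_by_host(packets, local_ip=LOCAL_IP, host_map=HOST_MAP):
    """Sum payload bytes the Mac sent, keyed by destination host (or IP)."""
    totals = defaultdict(int)
    for p in packets:
        if p.src == local_ip:
            totals[host_map.get(p.dst, p.dst)] += p.length
    return dict(totals)


def apple_phone_home(packets, local_ip=LOCAL_IP, host_map=HOST_MAP):
    """Outbound bytes per Apple host plus the timestamp of first contact
    (empty dict and None when the launch generated no Apple traffic)."""
    totals = {}
    first = None
    for p in packets:
        if p.src != local_ip:
            continue
        host = host_map.get(p.dst, p.dst)
        if host.endswith(APPLE_SUFFIXES):
            totals[host] = totals.get(host, 0) + p.length
            first = p.ts if first is None else min(first, p.ts)
    return totals, first


def report(label, text):
    totals, first = apple_phone_home(parse_capture(text))
    if not totals:
        print(f"{label}: no traffic to Apple hosts")
    for host, n in totals.items():
        print(f"{label}: {n} bytes sent to {host}, first contact at {first}")


if __name__ == "__main__":
    report("first launch", FIRST_LAUNCH)
    report("second launch", SECOND_LAUNCH)
```

The per-host total is what supports a "less than 1 KB" statement; the first-contact timestamp, together with the Mac's public IP, is exactly the pair of facts the server side learns even though the TLS payload itself is opaque to the capture.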

It's important to note that no explicit consent has been given for this information to be transmitted to Apple. In System Preferences, I had disabled all of the Analytics in Security & Privacy and all of the automatic checks in Software Update, so as far as Mojave was concerned, Apple had no permission. I'm not aware of any official Apple privacy policy with regard to Gatekeeper. I have no reason to believe that Apple will use this data for competitive or marketing purposes, but… who knows? It would certainly be a gold mine of information about Mac consumer usage of third-party apps. Apple has announced that app notarization will be required for all apps in an upcoming version of macOS, so in effect Apple is forcing developers and end users to give Apple valuable business data. In any case, more transparency here from Apple would be welcome.

Addendum

I forgot to mention that I also tested macOS 10.13.6 with yesterday's security update installed, and zero packets are sent on first launch of downloaded apps, so it's definitely a new behavior of 10.14 Mojave.

I also forgot to mention that any logs of customer activity would surely be subject to warrants from police and other authorities.