How to run apps in private

Late last year there was a lot of concern about macOS leaking information about user activities when launching apps. These centred on certificate checks which are made when apps are launched. In the past, these have normally been confined to quarantined apps undergoing their first run, but by the release of Catalina in October 2019, they have been extended to the loading of all executable code even when no quarantine flag is set.

Those checks have been performed using HTTP, although recently Apple has switched to using HTTPS apparently. Since the introduction of notarization there’s also been a second type of online check, which both ascertains whether an app has been notarized and delivers Apple a cdhash to check for known malware. Thankfully, that takes place using TLS, making any recovery of the payload far less likely.

For some users, these checks are potentially dangerous, and of serious concern. If you’re unfortunate enough to have to use your Mac in a part of the world where surveillance is performed, even knowing when you use certain apps could prove to your great disadvantage. This article looks at two potential solutions: blocking all outgoing traffic to Apple’s OCSP service, which checks certificates against its list of revocations, and removing code signatures on selected apps.

Blocking OCSP

macOS operates a fail-safe system on connections with Apple’s OCSP service: when a connection can’t be made to the service, attempts to check certificate revocation are abandoned. By blocking outgoing connections to ocsp.apple.com and ocsp2.apple.com app launch should still proceed, usually more quickly too, without the check taking place. The great disadvantage is that blocking is all-or-none, and can’t be selective according to the app being launched. This forces the user into choosing between normal revocation checks, or none at all.

There three ways to do this:

in the Mac’s local hosts file,
in a network firewall/router,
in a local software firewall such as the popular Little Snitch.

Putting a block into your Mac’s hosts file is quick and simple using Terminal, with the commands
sudo sh -c 'echo "127.0.0.1 ocsp.apple.com" >> /etc/hosts'
sudo sh -c 'echo "127.0.0.1 ocsp2.apple.com" >> /etc/hosts'
You then need to put that into effect by clearing the DNS cache, traditionally performed using
sudo killall -HUP mDNSResponder
This is readily reversed, but not the sort of thing that you’d want to perform every day. It’s also easy to set it and forget it, leaving certificate revocation disabled longer than you intend.

Blocking HTTP connections to ocsp.apple.com and HTTPS to ocsp2.apple.com should also be straightforward in most network firewalls/routers. Those don’t protect when you use your Mac from outside that network, of course, which for many users makes them unsuitable.

Configuring a local software firewall such as Little Snitch has been a useful option in the past; denying outgoing TCP connections to port 80 (HTTP) of ocsp.apple.com, for both System and user of /usr/libexec/trustd, has been suggested by Jeff Johnson, but changes in Big Sur made this impossible for a while. If you’re adept with your software firewall, it shouldn’t be difficult to enable this when it’s required. You should also consider denying outgoing TCP connections to port 443 (HTTPS) of ocsp2.apple.com, which Apple has switched to more recently.

General advice from most experts is that blocking OCSP altogether isn’t something a user should choose to do unless they would be badly compromised by the revocation checks performed by macOS.

Silencing individual apps

If you don’t want to sacrifice all revocation checks, a better compromise may be to be more selective. You probably don’t care who knows when you open Microsoft Word or Pages, but do want to make your use of certain communications apps completely private.

Checks on certificate revocation can only be made on apps which are signed. If the app is unsigned, there’s no signing certificate to check. Use this to your advantage by removing the signature from those apps whose use you want to make private using a command such as
codesign --remove-signature MySecret.app
which works fine for apps running on Intel Macs.

There’s one problem with stripping signatures even on Intel Macs, though: that also removes the app’s cdhashes which are the only means of checking its integrity. You could perhaps do that using an integrity check which doesn’t rely on certificates, such as my free apps Fintch and Dintch.

Unsigned apps are an even greater problem on Apple Silicon Macs, though. Try stripping the signature from a Universal App and running it on your M1 Mac, and this is what you’ll see.

nosig01

One way to work around that is to force a Universal App to be run using Rosetta 2, which tolerates unsigned code. This is because, when Rosetta translates code, it automatically signs it with an ad-hoc signature so that it can be run by the M1’s cores. It has to do that, as the app’s original signature can’t cover the translated code. As you’ll probably prefer to run the native ARM code, try signing it yourself using an ad-hoc signature, using a command like
codesign -s - MySecret.app

As far as I can see, an app which has been ad-hoc signed still goes through the same checks as one which has been signed with an Apple-issued certificate. Its ad-hoc nature is discovered early during the launch process, with Apple Mobile File Integrity (AMFI) reporting that the app “is adhoc signed”, and amfid that the signature is “not valid” with an error of -67050. The kernel then records that “code signature validation failed”, but allows the app to continue to launch. Later, com.apple.securityd enters a security exception into the log, with a macOS error of -67018. Those two error codes have been little-used in the past.

Ad-hoc signatures make it far more difficult for anyone monitoring network traffic to identify an app whose signature is being checked against the OCSP service’s list of revocations, as well as obfuscating the secure cdhash check. But their biggest benefit is that, unlike simply stripping the signature, or blocking OCSP altogether, they still provide a cdhash so that the app’s integrity can be checked. Not as securely as fully signed and notarized apps, but much better than the alternatives.

Whatever you decide to do, please stay safe.

Amended 2 March 2022 to include Apple’s new TLS server address, with thanks to Thomas for pointing this out.

6Comments

Add yours

1

Milo on February 24, 2021 at 2:05 pm

Do you know the reason why M1 Macs only run signed code? On Intel Macs the security policies seem to be enforced only by the kernel. Could it be that the M1 SOC only runs signed code?

LikeLiked by 1 person
- 2
  
  hoakley on February 24, 2021 at 11:13 pm
  
  Yes. It’s not for security of the signature, which is why ad-hoc signatures are fine. It’s because the signing process provides cdhashes which can be used to verify the integrity of the code which has been signed. macOS now uses those to check all code before it’s run. On Intel, it will calculate those where necessary, which can delay app launching. To achieve higher performance on ARM, macOS now requires those cdhashes to check. For Intel code running on ARM that’s no problem – as it has to be translated by Rosetta 2, the old cdhashes don’t apply, so Rosetta automatically calculates new cdhashes for all the code it translates. For native ARM code, the developer is required to do that when signing.
  Howard.
  
  LikeLike
  - 3
    
    Milo on February 25, 2021 at 11:24 am
    
    The app launching time is an interesting issue I haven’t thought about. If I understand you correctly, the signing requirement on M1 SOC is not a feature of the hardware but is enforced by the kernel.
    
    I’m a bit worried Apple might make it a requirement to sign binaries with officially issued Developer Certificates in the future. In my opinion such a move would be a serious blow to hobbyist and open source development on the platform. I hope I’m wrong about this.
    
    Thank you for explaining all the details about macOS security and sandboxing features. It’s a complicated topic and your explanations are approachable even for non-developers.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on February 25, 2021 at 12:57 pm
      
      Thank you.
      What on earth gives you the idea that Apple might at some time require code-signing with a Developer Certificate? It has actively been supporting open source porting to ARM, which is moving in exactly the opposite direction!
      Off the top of my head, I don’t know of any non-specialist CPU which mandates certificated code-signing – certainly ARM designs don’t. It’s purely a construct of macOS, as I explained.
      Howard.
      
      LikeLike
  - 5
    
    Milo on February 25, 2021 at 2:25 pm
    
    We are not there yet, I agree. Playing devils advocate, two observations:
    
    1. iOS and macOS platforms have been converging for some time. One is becoming slightly more open, the other platform more resticted, possilby more secure. If the trend continues, they will meet somewhere in the middle.
    
    2. On macOS software distribution through independent channels is still very popular. From a business point of view it seems reasonable to assume, that Apple will want to capture some of the business that happens outside of the App Store by making it harder to be outside.
    
    I hope you’re right about Apple’s commitment to open source. I’m cautiosly optimistic.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on February 25, 2021 at 9:23 pm
      
      Thank you.
      I don’t think that 1 is correct at all. Of course Apple ports changes from one of its OSes to others, and the flow is in both directions – PDF support in iOS has benefited from macOS, and one day UIKit and rich text support in iOS may enjoy the same. macOS still has huge areas which are unique to it, including a great deal of its security. There’s no sign of any meeting in any middle.
      On 2, I think you’re confusing developer signatures with the App Store, which is particularly unfortunate as developers don’t sign the apps which you download from the Store – they’re actually signed by Apple. So forcing the use of developer certificates has no bearing on this issue. As I have written elsewhere, can you imagine Apple trying to tell Adobe that it must supply CC through the App Store?
      As I have written (as Apple has too), code signing for ARM native apps is all about checking code integrity through cdhashes, otherwise Apple certificates would already be required.
      Howard.
      
      LikeLike

Share this:

Related