Apple's privacy pledges: We sent dev checks over plain HTTP, logged IP addresses. We bypass firewall apps
2020-11-17 07:51

Now Apple has stressed that this app security check does not send anyone's Apple ID or device identifiers over the 'net, though it did log people's public IP addresses.

"To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs," Apple said.

The Register understands that the certificate checks are cryptographically signed by Apple, so they cannot be tampered with in transit without detection, though they can be observed. Apple will therefore now wrap that communication channel in encryption to shield it from prying eyes.

Apple's decision to stop logging IP addresses associated with Developer ID certificate checks demonstrates that the privacy concerns aren't entirely imagined.

Patrick Wardle, principal security researcher at Jamf and founder of Objective-See, noted that in Big Sur, Apple requires third-party firewall apps and app-based VPNs to use network monitoring and proxy software interfaces that are sidestepped by traffic from Apple's own apps and operating system processes.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/11/17/apple_big_sur_privacy/