Most active commenters
  • brundolf(6)
  • thelean12(3)
  • valuearb(3)

←back to thread

macOS unable to open any non-Apple application

(twitter.com)
2603 points mattsolle | 20 comments | 12 Nov 20 21:00 UTC | HN request time: 1.801s | source | bottom
Show context
Lammy ◴[12 Nov 20 21:38 UTC] No.25075443[source]
Maybe it's just me but the idea that my computer lets Apple (+ any LE organizations) surveil my app launches seems so much scarier than any malware.
replies(6): >>25075490 #>>25075500 #>>25075562 #>>25075747 #>>25075841 #>>25076444 #
brundolf ◴[12 Nov 20 21:44 UTC] No.25075490[source]
I don't know about you, but hashes of the binaries I run don't exactly reveal any sensitive personal information about me. That said, obviously they should have much more graceful degradation in place for when something is wrong with the service.
replies(8): >>25075523 #>>25075525 #>>25075542 #>>25075578 #>>25076133 #>>25076290 #>>25076425 #>>25076603 #
djsumdog ◴[12 Nov 20 21:46 UTC] No.25075523[source]
In this case, isn't the hash of the binary consistent across all devices, so Apples can in fact derive exactly which binary you're running (assuming they have a large database of application binary and hashes)?
replies(3): >>25075572 #>>25075582 #>>25075672 #
1. brundolf ◴[12 Nov 20 21:59 UTC] No.25075672[source]
Yes. My personal data involves what I do within those apps, not which ones they are.
replies(3): >>25075725 #>>25075758 #>>25075894 #
2. thelean12 ◴[12 Nov 20 22:03 UTC] No.25075725[source]
That's not even close to true. Apps that you have downloaded can reveal a massive amount of potentially personal information.

Think about someone having a dating app that would out them. Or a therapy app that they don't want people to know about. And that just scratches the surface.

replies(2): >>25075858 #>>25075965 #
3. remus ◴[12 Nov 20 22:05 UTC] No.25075758[source]
I don't think that's necessarily true. Meta data about your usage can be very revealing in itself. To use an analogy, if someone tracked every location you visited that'd be very invasive, regardless of whether they recorded any details about what you did at those locations.
replies(1): >>25077676 #
4. valuearb ◴[12 Nov 20 22:13 UTC] No.25075858[source]
Only if linked to personally identifiable information. Do we have any evidence this is happening?
replies(4): >>25075991 #>>25075995 #>>25076004 #>>25077372 #
5. simonh ◴[12 Nov 20 22:15 UTC] No.25075894[source]
Its what apps you’ve got, exactly when and how often you use them, and where you are at those times via network info. Casual gay pickup app, last night in a coffee shop in the red light district, while your wife thought you were at the office working late for example.
6. brundolf ◴[12 Nov 20 22:20 UTC] No.25075965[source]
Part of it is that, when we're talking about a traditional computer (contrasted with a phone), all of that stuff happens in the web browser these days. The average user's native binaries are mostly limited to said web browser, some work communication apps, maybe a notes app, maybe some dev tools or office tools or media tools depending on the person. Nothing remotely interesting to advertising companies. Maybe that will change with the new iOS app support, but I kind of doubt it.

And anyway, when we are talking about a phone, it would be literally impossible to run an app store without recording (and personally identifying!) that information. Maybe that's one more argument to allow third-party app stores, which I'm not against (though who knows if they're more trustworthy with that data?), but nevertheless.

My point is that in the grand scheme of privacy concerns, this is a very silly hill to die on. In the grand scheme of system reliability, on the other hand, it's totally legitimate to be upset that this effectively took down thousands of expensive workstations across the world for a few minutes.

replies(2): >>25076106 #>>25076159 #
7. thelean12 ◴[12 Nov 20 22:22 UTC] No.25075991{3}[source]
That's unrelated to my comment. I was simply responding to the astoundingly wrong claim that "My personal data involves what I do within those apps, not which ones they are."
8. ◴[12 Nov 20 22:22 UTC] No.25075995{3}[source]
9. gpm ◴[12 Nov 20 22:23 UTC] No.25076004{3}[source]
You are moving the goal posts.

It is also trivially linked to ip address, which is usually personally identifying.

replies(1): >>25076166 #
10. overkalix ◴[12 Nov 20 22:32 UTC] No.25076106{3}[source]
> My native binaries are mostly limited to said web browser, some work communication apps, dev tools, maybe a notes app. Nothing remotely interesting to advertising companies.

Translation: "I've got nothing to hide".

replies(1): >>25076126 #
11. brundolf ◴[12 Nov 20 22:34 UTC] No.25076126{4}[source]
That's a bad-faith reading of what I said. I've edited it to be extra unambiguous.
12. thelean12 ◴[12 Nov 20 22:37 UTC] No.25076159{3}[source]
So you're okay with it because at the moment you personally (or at least some vague idea of the "average user") don't have any "interesting" apps on your traditional computer? You should step back and understand why this is the wrong way to look at it.

Take a look at the macOS App Store medical section. Doing a quick scan of the top apps there is one app to help with some diabetes pump, one for a personal ECG machine, one that says it's a "mobile lactation consultant". Those can reveal a lot about a person that they might want to keep private. Searching "therapy" or "dating" also shows many results that people might want to keep private.

13. valuearb ◴[12 Nov 20 22:37 UTC] No.25076166{4}[source]
Do you have any proof this is happening?

This is Apple we are talking about, which has the strongest privacy commitment of any device maker, and no advertising business outside of the App Store. Linking IP addresses to app certificate requests provides them zero benefit and exposes them to substantial brand damage.

replies(1): >>25076307 #
14. gpm ◴[12 Nov 20 22:49 UTC] No.25076307{5}[source]
Do I have proof they have your ip address? Of course, that's how the internet works.

Do I have proof that they could be ordered by a court to store it? Of course, that's how warrants work.

Do I have proof they are currently storing it? No, nor was that ever the claim.

replies(1): >>25117700 #
15. deadbunny ◴[13 Nov 20 00:41 UTC] No.25077372{3}[source]
I'm not an Apple user so forgive my ignorance here.

1. Do you need an apple account to use the app store?

2. Do you need to provide personal information to use an apple account (I'm thinking at least enough to get a credit card working for app purchases/subscriptions)?

3. Is the data sent to this anti-malware service linked to your Apple account or an apple hardware id? (Has someone wiresharked the data to confirm/deny)

replies(1): >>25077666 #
16. brundolf ◴[13 Nov 20 01:17 UTC] No.25077666{4}[source]
1. Yes

2. Yes

3. I doubt it

But regardless of 3, simply by using the App Store at all (similarly to any other App Store out there) you're already giving them more information than they get from these hashes (at least for the apps that come from the store). I know for a fact that they keep a record of which apps you've downloaded there, associated with your account, because they check for updates and let you re-download them. As does the Android store. As does the Windows store.

replies(1): >>25078248 #
17. brundolf ◴[13 Nov 20 01:18 UTC] No.25077676[source]
I think this is more analogous to someone tracking what models of car you drive.
replies(1): >>25080934 #
18. damnencryption ◴[13 Nov 20 02:50 UTC] No.25078248{5}[source]
Correction: You don't need to login to install apps from Microsoft store and software control on Linux.

Android, yes playstore requires an account but you can install an alternative store without signing in.

19. e_proxus ◴[13 Nov 20 10:31 UTC] No.25080934{3}[source]
And where you drive it since they track IP numbers.
20. valuearb ◴[16 Nov 20 22:11 UTC] No.25117700{6}[source]
Then the claim is ridiculous. Apple isn’t keeping any of this info, because it would have no purpose.