Not really, or at least that’s not the goal. Let me explain.

So, people have been posting about the new macOS update being evil and sending an application hash to Apple before allowing you to open the application (unless you’re offline, then it will just open the application). This sounded very scary, and the reason for that is that people have been taking it out of context to spread fear and make headlines.

While I agree that Apple does many things wrong, and that they’re often times not as much into privacy as they’d like you to believe, in this case it’s a bit more complicated.

A bit of background

You always could run completely unsigned code on a Mac and you still can. A normal double-clicking on an unsigned application would pop up a warning saying that the application can’t be opened because “it’s from an unidentified developer”. To bypass it just right-click on the application, choose open, and confirm that you really want to open it.

Since macOS Catalina, Apple requires all applications to be “notarized” by Apple. This means that, on top of the already previously existing “requirement” to sign your application with a valid “Apple Developer” certificate, you now have to submit your signed application to Apple, for them to quickly check it and run it through a malware scanner and if it passes, they will add their signature on top. Yes, it’s known that their malware scanner doesn’t always catch everything. Apple has signed malware in the past. This requirement for applications to be notarized can also be bypassed with the right-click method.

So, what’s the situation with macOS Big Sur?

As you probably heard, people reported issues opening applications yesterday. I was affected too. I upgraded from macOS Catalina to macOS Big Sur, and after the upgrade all the apps had an update available. One of those applications was Affinity Photo, which I then later needed and I simply couldn’t launch it (it would just keep jumping in the dock). I was afraid that because I didn’t do the usual waiting of about a month before upgrading an OS to a bugfix release, that I now had a bugged system. But now I know what really happened.

You see, there’s this thing called “OCSP stapling”:

The Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates.

Wikipedia.org

When you launch an application on macOS for the first time, it will send a request to ocsp.apple.com to check if the certificate was revoked. If it wasn’t, it will open the application. This check is smart enough that if you’re offline it will just open the application so that you can use your computer and do whatever you wanted to do.

Your browser too, does use OCSP to verify that “TLS Certificates” haven’t been revoked (“to make sure the padlock is legit”).

Now here’s the problem: Many people updated to Big Sur when their Mac popped up a notification that an upgrade is available. With that upgrade, the apps had been updated from the App Store as well which means the application on disk changed, and when opening them, their certificate had to be checked against ocsp.apple.com and due to the high volume of checks happening (many upgrades + updates), the server timed out and people were stuck waiting. Now, I don’t know if the server issues at ocsp.apple.com was a result of a “natural” DDoS or if it was a coincidental issue at really bad timing. Either way the result was the same.

Conclusion

Apple is not directly tracking your application usage but rather, is just verifying certificates. However, this check could in theory be logged to see what certificate was checked at what time from what IP address. According to a quick online search, this check supposedly does not happen on every single application launch. Whether it rechecks at an interval without any change to the application on disk I do not know, however.

Whether this check is a privacy issue, and whether X outweighs the benefits of Y, is up to you to decide. If you’re really bothered by this, people stated that blocking ocsp.apple.com should do the trick however I do not recommend blocking something if you don’t know what you’re doing. Otherwise, feel free to do as you please.

UPDATE 2020-11-18

Apple now states they will stop logging IP addresses from the certificate checks and delete all existing IP addresses from their logs. Furthermore, they will make those checks optional in the coming year. They confirm that they did not tie those requests to any personal info (except for logging IP addresses from the requests). You can read their statement at the bottom of this page: https://support.apple.com/en-us/HT202491

But again, the “spying” headlines were all exaggerated and clickbait. I’m sure if I had done the same, I would have gotten more clicks. ;)