top | item 26418809

PSA: macOS updates often modify your System Preferences to violate your Privacy

122 points| webmobdev | 5 years ago | reply

I went to change a Firewall setting for an app and discovered to my shock all the listed apps in it had been set to "Allow incoming connections" (which I had never done) and the options

- "Automatically allow built-in softwares to receive incoming connections" and

- "Automatically allow downloaded signed software to receive incoming connections"

had been enabled, even though I had disabled them. In the Privacy > Advertising section. Limit Ad Tracking had been disabled even though I had enabled it. (And if it needs to be said for some - no, I don't have any malware on my computer).

Edit: I am pissed because all I had installed were security updates.

41 comments

[+] userbinator|5 years ago|reply

Those who use Windows, especially 10, are all-too-familiar with this sort of thing (and worse[1]). The "excuse" is usually something along the lines of "the configuration file has changed format so let's remove it and revert everything to defaults". (Why would it change format? https://news.ycombinator.com/item?id=21174947 ) It's certainly taught me to treat updates as basically nearly equivalent to a new OS install --- you have to spend the time to look through everything and fix settings that were reverted, or disable whatever new horrible thing was introduced. The ultimate goal, of course, is to gradually bludgeon the "rebellious" users into docile sheeple to control and extract more profit from...

[1] https://news.ycombinator.com/item?id=18189139

...then again, similar things have happened on the Apple side: https://news.ycombinator.com/item?id=21229249

[+] tumblewit|5 years ago|reply

The latest macos updates (11.3.3 or something released this week) broke git for me on my M1 mac. Firstly the update was a security fix and more than 3GB which felt ridiculously. Then I had to reinstall command line tools because apparently with a macos update that can be needed. It really is a new OS these days since I believe apple has some kind of read only system partition probably for integrity so they basically just replace those binaries with new ones I’m guessing which makes the sizes big and sometimes breaks configuration files.

[+] wux|5 years ago|reply

This report worried me, but it was timely because I was literally in the process of upgrading to macOS 11.2.3.

So, while the update was downloading, I changed my firewall settings specifically to allow built-in software to receive incoming connections, but disallow downloaded signed software. I also specifically set GarageBand to block incoming connections but not other programs among those listed.

I'm happy to report that all of these settings were maintained after updating to macOS 11.2.3 exactly as-is. I wonder if the OP is referring to a different update (none that I'm aware of recently).

There is no Privacy > Advertising > Limit Ad Tracking setting on macOS 11.2.2 or 11.2.3: there's a checkbox for "Personalized Ads," which remains turned off after the update also, just as it was before.

[+] webmobdev|5 years ago|reply

I am still on macOS Mojave. And I also suspect that these things may vary with the applicable laws of the particular country. Indian laws regarding data protection and privacy are still in a limbo.

[+] m463|5 years ago|reply

Apple's updates will clear all sorts of things, specific firewall rules was the most egregious in my mind (pf.conf).

But allowing incoming connections without a prompt, I think it may be getting worse now.

Related, what annoyed me is that 3rd party installers can gather telemetry even before you've installed. The one I recall from a year or two ago was docker. The Docker installer is doing telemetry before you've even decided to install it.

[+] tonyedgecombe|5 years ago|reply

But allowing incoming connections without a prompt, I think it may be getting worse now.

Assuming that is what really happened. I've heard so many of these stories about Apple that end up being disproved a few weeks later that I have become extremely sceptical of the claims.

[+] Brian_K_White|5 years ago|reply

What the holy hell. I hate the world.

[+] Alex3917|5 years ago|reply

Apple also tries to trick you into enabling Siri every time you install a security update.

[+] LeoPanthera|5 years ago|reply

By "trick you into enabling" do you mean "asks"?

[+] wayneftw|5 years ago|reply

Same thing with iOS updates. Every major update will force you to go through all of the options that Apple wants you to use like having a passcode and using Siri and other such things. If you don't choose the options that Apple wants you to choose – they will put a notification on the Settings app that you did not finish setup. Then you have to go through the entire setup again choosing the same exact options that you did the first time. A few times this is tripped up my wife who then complains that her phone is now forcing her to use a passcode to open the phone.

Also some settings are irreversible. For me, I made the mistake of using my personal Apple ID as my developer ID for a while. At some point Apple started forcing developers to enable to 2FA. Now that I've enabled it I am not allowed to disable it. So, one day I will have to start a whole new Apple account and lose anything that I have purchased.

Luckily I avoid getting locked in, I don't buy many apps and none of the apps that I use on a daily basis are purchased. Unfortunately I will lose all of my saved passwords and I will have to transfer my contacts, messages and photos manually. I don't even think I can transfer my messages so I will just have to lose the old ones.

[+] gumby|5 years ago|reply

I just installed the latest security update and was not asked to enable Siri.

[+] dzhiurgis|5 years ago|reply

Does anyone know why Siri on Mac is so pathetic. It never seems to work with "Hey Siri" and even after invoking manually it never understands when you've finished talking...

[+] batmaniam|5 years ago|reply

It would be great if someone from Apple could chime in on this. Like, the team who implemented this change... what was the reasoning? Were they directives from the boss or something? Why would the team compromise the user's settings like this? Was there no one on the engineering team in a high enough position to push back on this?

[+] aftabh|5 years ago|reply

In my case, I didn't see any reset in Firewall settings or Limit Ad Tracking as I just updated one of my macOS Big Sur from v11.2.2 to v11.2.3 (on a MacBook Pro 2015).

P.S.: I checked these settings after reading your post and before updating my laptop.

[+] AndroidKitKat|5 years ago|reply

I've got 11.2.3 downloaded and ready to update. I'll set these same you've seen to have been changed and I'll report back. I know another commenter did this too, but I don't think hurts to have another test.

For reference, I've got a 2020 Intel MacBook Pro 13.

[+] webmobdev|5 years ago|reply

OP here - I didn't mention it, but I am still on macOS Mojave. (And as I mentioned elsewhere, I suspect Apple has different processes for different countries, depending on the applicable data protection and privacy laws.)

[+] brokenmachine|5 years ago|reply

Jeffrey Paul - Your Computer Isn't Yours

https://sneak.berlin/20201112/your-computer-isnt-yours/

Does this surprise anyone?

[+] throwitaway12|5 years ago|reply

This is not the first time, as Catalina was one of their last to push less crap like this.

[+] floatingatoll|5 years ago|reply

I’ve had no trouble with this since I made changes in that pane at least a year ago. Do you do expert user things with your Mac, like disabling SIP or running LittleSnitch or so on? Have you opened a bug report for Apple with sysdiagnose attached? Are you using or have you used developer betas on this device or other macOS devices linked to the signed-in iCloud account of this device, if any? Have you run out of drive space since you set those settings, and/or performed a migration from another system?

What evidence have you collected that demonstrates that this is an intentional act by Apple, as claimed in your post headline?

HN isn’t an appropriate venue for unsupported accusations of malfeasance or conspiracy. Please substantiate your post.

[+] webmobdev|5 years ago|reply

> Do you do expert user things with your Mac, like disabling SIP or running LittleSnitch or so on?

I have never disabled SIP. I do run an application firewall.

> Have you opened a bug report for Apple with sysdiagnose attached?

No. Apple never clarifies if something is a bug or a feature. (And depending on the lax data protection and privacy laws of certain countries, this could well be a feature).

> Are you using or have you used developer betas on this device or other macOS devices linked to the signed-in iCloud account of this device, if any?

No.

> Have you run out of drive space since you set those settings, and/or performed a migration from another system?

No. All my internal hard disks have more than 50% free space. The last upgrade to it was macOS Mojave, with the occasional security updates.

> What evidence have you collected that demonstrates that this is an intentional act by Apple, as claimed in your post headline?

The circumstantial evidence is pretty clear - This isn't the first time this is happening to me after installing an OS update. Only Apple benefits by allowing Apple software to always have unhindered internet access and enabling ad-tracking.

[+] platinumrad|5 years ago|reply

I too am ready to lay down my life to defend the honor of Apple Inc. sir!

[+] ntSean|5 years ago|reply

This has been discussed here: https://news.ycombinator.com/item?id=26303946

[+] m45t3r|5 years ago|reply

This is very different from a sudoers file though. Apple has full control of how those things are configured, so they could easily migrate the values if they want, for example.

The fact that they doesn't shows either a malice from them, or at least very sloppy engineering/product management.

Because this kinda of attitude is really bad, and if it was a product from any other company (like Google) I am sure that people would say that this is proposital.

[+] eyelidlessness|5 years ago|reply

This sounds exceedingly uncharacteristic of Apple and almost certainly a bug, not intentional. I know it’s hard to get their attention filing bugs so upvoting in case anyone can help get this to the right eyes. But I definitely don’t think there was malice or even conscious intent on this one.

[+] Delk|5 years ago|reply

To be honest, it doesn't even sound like a privacy threat as much as it as a potential security (and respect of user choice) question to me.

If software that's already running on the system wants to e.g. exfiltrate something from the system, or to phone home or whatever, it could do that just as well by making an outwards connection as by accepting an incoming one. (I'm assuming the OS or firewall isn't limiting or reporting on outgoing connections.) Denying incoming connections is more useful for reducing attack surface in case of security vulnerabilities in the running software, and generally not so useful for limiting what the software can intentionally do.

Resetting firewall settings to accept incoming connections to listed or built-in apps overrides user security choices with a more lax policy, and that's concerning whether it's intentional or not. But I'm not sure it's really so much about privacy as it's about respecting user choice.

[+] jaimex2|5 years ago|reply

[deleted]

[+] egberts|5 years ago|reply

I wonder if Lil’ Snitch firewall app for macOS is impacted by this SSH port being opened up by macOS upgrade(s). — Holding back the upgrade until then.

[+] alphabettsy|5 years ago|reply

Hmm. I’ve never had this happen.

[+] shmerl|5 years ago|reply

Those who care about privacy wouldn't be using macOS to begin with.

[+] jaimex2|5 years ago|reply

Apple do like to hoot on about how they're privacy first and that's why their products cost more.

They just guard the data from third parties to not have competition milking their own ecosystem. It's a great way to have their cake and eat it too.