Apple is sending a request to their servers for every piece of software you run on your Mac

Andrés Cecilia Luque
2 min readMay 24, 2020

Yes, as you read it. For each app you open or executable that you run (even a one line script!) on MacOS Catalina, Apple is sending a network request to their servers. And until that network request returns, the app/executable will be frozen.

Credits for the discovery go to Allan Odgaard.

What are the implications for me?

  • In terms of performance: your Mac is slower. You may ask, how much? Well, that is difficult to answer: it even depends on the speed of your internet connection! But think that this happens for every-single-thing you run. I have done some preliminary tests: with a script (a small program) that standalone runs in 0.4 seconds, the extra network requests that Apple performs are taking that number to 6 seconds in average, and in some cases when my wifi is slow, 70 seconds. You can find the script here.
  • In terms of privacy: Apple potentially knows about every single piece of software you run on your Mac. That hash that they are sending to their servers can easily be used to identify the app or executable you are running, its version, if it has vulnerabilities… I will give you an example: lets say you open Tor version 9.0.10 on your Mac. Apple creates a hash for it, something like 1973fa7e935105dc11da0dbb8dcec3244e8aa188, and send it to their servers to check for malware. How do they know if it is malware? Because that hash has become an identifier, and they have a huge database with countless pairs of hashes and the software they relate to. And that hash your Mac sent them matches with Tor version 9.0.10. What can they do with this information? Way too many things, but probably one of the most profitable ones is to use it for targeting ads.
  • In terms of legality: I am not a lawyer, but, is this legal? At least it is questionable.

Why are they doing it?

Apparently, this is a security feature: they send some kind of hash of the app/executable that you are running in order to check for malware.

How are they doing it?

The check seems to be happening on the first time you open an app or run an executable. Subsequent executions do not trigger the check because the result from doing it the first time is cached locally.

Is there any way to disable this?

Not that I know. There are some ways to mitigate it, but not to fully disable it system wide.

Find more information here or here

Even if you find some way to make this practise legal, it does not seem to be the right way to secure MacOS. The privacy implications of it are frightening. The technical reasoning behind it is mind blowing: what are the engineers at Apple thinking when they freeze the opening of an app or executable until a network request finishes?