Big Sur Plagued By Reports of Privacy Issues and Download Failures

Big Sur dropped last Thursday and so far, it’s been a bit of a bumpy ride.

The issues started as soon as Thursday, with an outage on Apple’s server causing some absurd download times or errors preventing users from installing Big Sur entirely. The problems persisted even after Apple said the issue had been fixed. (Yours truly tried to install Big Sur 12 times on Thursday to no avail.)

But while install delays seem to have improved over the weekend, it appears other Big Sur issues have cropped up. For starters, some users on older MacBook Pros are taking to forums to say Big Sur has bricked their machines. The complaints have been seen on a MacRumors forum thread, Reddit, and Apple Support Communities.

In general, it appears that while trying to update to Big Sur, users on MacBook Pros from late 2013 and mid-2014 are getting stuck on black screens. However, some users reported the same issue occurring on newer Macs from 2015 and even a 27-inch 2019 iMac. Others noted that while the Apple logo and progress bars would appear, the bar itself wouldn’t move for hours. The troubling bit was that after forcing restarts, many users were left with Macs that wouldn’t reboot or reset, with NVRAM, SMC, safe mode, and internet recovery inaccessible. While some users reported they were eventually able to successfully restore their machines, several others reported no such luck.

Following Thursday’s outage, murmurs of privacy concerns also began popping up, thanks in part to this essay by security researcher Jeffrey Paul. The gist of the essay notes that because of how Apple implements its Online Certificate Status Protocol (OCSP), Apple “knows when you’re at home. When you’re at work. What apps you open there, and how often.” Paul also says that the OCSP requests are unencrypted during transmission, meaning anyone can actually see your activity, and this information ends up at a third-party content delivery network run by Akamai. This is also problematic as whenever you launch a non-Apple program, your Mac sends the app’s hash—a unique identifier—to Apple’s OCSP server to verify that the program isn’t bogus. However, an outage like what happened on Thursday would render apps unable to launch—even on Macs that aren’t running Big Sur.

It should be noted that Paul emphasizes this problem did not start with Big Sur’s public release and possibly began as early as with macOS Catalina or even Mojave. But while previous iterations of macOS allowed for firewalls and VPNs to block this, it appears that Apple apps on Big Sur can simply bypass them. This was known to security researchers during the Big Sur beta, but it seemed many assumed the issue would be patched up before public release. That doesn’t appear to be the case.

What this means is bad actors can potentially exploit the fact that Apple apps bypass VPNs and firewalls to pass on malware. This was demonstrated by security researcher Patrick Wardle on Twitter, who noted the security and privacy risks were reported to Apple before Big Sur’s release.

Apple has since responded. In a statement to iPhone in Canada, Apple said it had updated its “Safely open apps on your Mac” page to better explain its privacy protections. “Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices,” Apple writes on the page. “These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.”

Additionally, Apple says over the next year, it will add encrypted protocols for Developer ID certificate revocation checks, stronger protections against server failures, and an option for users to opt-out of these security protections.

As for why the server failed and caused slow app launches, Apple told iPhone in Canada it was due to a “server-side misconfiguration that specifically interfered with macOS being able to cache OCSP responses for developer ID.”

OK! Sure! This is totally a perfectly fine, not at all sketch thing to happen for a company that absolutely prides itself on being a bastion of security and privacy. It’s not in the slightest hypocritical given all the new privacy features it touted for both iOS 14 and Big Sur. In any case, if all this has got you a bit spooked about Big Sur, take a bit of a breather. This sort of back and forth between security researchers and companies are fairly standard any time a new OS launches—and it’s better for the public when security researchers make a big stink to “encourage” Big Tech to fix the vulnerabilities they find. If you’re worried though, it’s not a bad idea to hold off on updating to Big Sur until patches addressing all these issues are released.