Com.apple.geod.xpc Little Snitch

Today Little Snitch captured a connection from com.apple.geod.xpc to interpol.int - any clue on why it tried to connect there? MacBook Pro with Retina display, OS X Yosemite (10.10.2).

Also, I noticed descriptions on some locked LS rules which I would prefer to be denied. If I deny them, do they affect other OS X services?

Updated to make it clear that using port 80 does not mean that Apple's software is insecure. Thanks to Jeffrey Paul for pointing out that this could be misconstrued.

At WWDC this week, Apple announced the App Transport Security feature for iOS and OS X. Apple is strongly encouraging developers to use HTTPS exclusively on new apps, and to make plans to migrate old apps to HTTPS in the near future. While encryption is not yet a requirement, it is the new default. Apps that want to continue to use plaintext HTTP on port 80 will need to explicitly disable the feature in their app manifests.

The ideas behind App Transport Security are great. It's essentially HTTP Strict Transport Security for apps, making it much harder for developers to inadvertently disclose private user information. The feature will benefit the privacy and security of millions of Apple customers. The writing is also on the wall that Apple intends to make this feature mandatory at some point, essentially deprecating plaintext HTTP altogether.

Apple, however, has yet to take their own advice. There are many OS X components and Apple apps that still do not use encryption exclusively, relying on HTTP over port 80. Here's an example from the brand new Photos app, communicating with AWS S3 over port 80:

Since the announcement on Monday, I've been monitoring these requests using a firewall called Little Snitch. Funny enough, even Little Snitch didn't use HTTPS for its initial download or software updates until only a few months ago.

So far I've encountered 9 separate OS X services or first-party apps that are still relying on plaintext HTTP:

  • nsurlsessiond via S3 / and Akamai

Disclaimer: It's worth noting that although some HTTP requests are happening over plain HTTP on port 80, this does not mean that Apple's apps are insecure. Most of the apps using port 80 still encrypt or sign their content. Even if Apple's apps are not insecure, using plain HTTP does mean that they leak at least some extra metadata (HTTP headers) and that they are not following the rules they're pushing 3rd party developers to follow.

As an aside, it's fascinating just how many different CDNs Apple makes use of, and how heavily they rely on S3 for Photos and iMessage content.

When I first discovered that Photos communicates with AWS S3 without encryption, I submitted a security report to Apple. At the time, they did not consider it an issue and replied with the following:

Follow-up: 622218711

Hello Blake,

Thank you for contacting the Apple Product Security team. We take every report of a potential security issue seriously. This message is being sent to you by a security analyst who has reviewed your note.

Photos are encrypted at rest within iCloud, and are uploaded and downloaded to/from iCloud using an encrypted transport channel.

For more information on iCloud security, please see https://support.apple.com/en-us/HT202303

Regards,

Apple has tons of talented crypto engineers, so I don't doubt that Photos and iCloud store photos with at-rest encryption, or that they are encrypted in the HTTP payloads during transfer. Using plain HTTP does leak at least some additional metadata, though it may not be enough to compromise anybody's privacy in this specific case. But if Apple is asking all 3rd party developers to use HTTPS exclusively, they should be willing to do the same.
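To make the metadata point concrete, the following added example (not part of the original post) parses a plaintext HTTP upload the way an on-path observer would and separates what is readable from what is opaque. The request, host, path and User-Agent are constructed, and the "encrypted" body is simulated with deterministic pseudo-random bytes.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data):
    """Bits per byte; values near 8 indicate encrypted or compressed data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def observer_view(raw_request):
    """Split a plaintext HTTP request into what an on-path observer can read."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "target": target,                     # object path is visible
        "host": headers.get("host"),          # storage endpoint is visible
        "user_agent": headers.get("user-agent"),
        "readable_headers": sorted(headers),
        "body_bytes": len(body),              # payload size is visible
        "body_entropy": round(shannon_entropy(body), 2),  # content is not
    }

# Constructed sample: an upload whose body the app has already encrypted.
OPAQUE_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLE_REQUEST = (
    b"PUT /photos/IMG_0001.enc HTTP/1.1\r\n"
    b"Host: storage.example.com\r\n"
    b"User-Agent: ExamplePhotos/1.0 (Macintosh; OS X 10.10.3)\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 1024\r\n"
    b"\r\n" + OPAQUE_BODY
)

if __name__ == "__main__":
    for field, value in observer_view(SAMPLE_REQUEST).items():
        print(f"{field}: {value}")
```
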


In summary, Apple's new App Transport Security feature is a great step towards enhancing the privacy and security of Apple customers around the globe. I look forward to the day when it is a mandatory feature. In the meantime, though, Apple should lead by example by avoiding plaintext HTTP in their own apps and services.


This is due to a limitation in Apple’s Network Extension API, which surprisingly whitelists a number of system services like Maps, FaceTime, App Store or Software Update and therefore doesn’t report the network activity of these services to third-party application firewalls.

The use of this new API is now mandatory for third-party developers on macOS Big Sur, because Apple no longer supports the previous kernel extension based approach, which didn’t suffer from this limitation.

We’ve been investigating a solution in Little Snitch to make these whitelisted connections visible by means of alternative techniques. This solution is already available in our latest nightly build of Little Snitch 5.1.


There’s an ongoing discussion about this problem in various online media, and we assume that Apple will address these concerns in a future macOS update. See our blog article to learn more about this topic.

UPDATE: This issue has been resolved in macOS Big Sur 11.2. Apple has removed this whitelist completely, allowing third-party firewalls like Little Snitch to reliably monitor and filter any network traffic.


Up until macOS 11.1 the whitelist includes the following macOS processes:


/System/Applications/App Store.app/Contents/MacOS/App Store
/System/Library/CoreServices/cloudpaird
/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
/System/Library/PrivateFrameworks/ApplePushService.framework/apsd
/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstoreagent
/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstored
/System/Library/PrivateFrameworks/AssetCacheServices.framework/Versions/A/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd
/System/Library/PrivateFrameworks/CommerceKit.framework/Resources/commerced
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/commerce
/System/Library/PrivateFrameworks/CoreLSKD.framework/Versions/A/lskdd
/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd
/System/Library/PrivateFrameworks/CoreSpeech.framework/corespeechd
/System/Library/PrivateFrameworks/DistributedEvaluation.framework/Versions/A/XPCServices/com.apple.siri-distributed-evaluation.xpc/Contents/MacOS/com.apple.siri-distributed-evaluation
/System/Library/PrivateFrameworks/FamilyCircle.framework/Versions/A/Resources/familycircled
/System/Library/PrivateFrameworks/FamilyNotification.framework/FamilyNotification
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/HomeKitDaemon.framework/Support/homed
/System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
/System/Library/PrivateFrameworks/IDSFoundation.framework/IDSRemoteURLConnectionAgent.app/Contents/MacOS/IDSRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent
/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMTransferServices.framework/IMTransferAgent.app/Contents/MacOS/IMTransferAgent
/System/Library/PrivateFrameworks/MapsSuggestions.framework/MapsSuggestions
/System/Library/PrivateFrameworks/MapsSupport.framework/MapsSupport
/System/Library/PrivateFrameworks/MediaStream.framework/MediaStream
/System/Library/PrivateFrameworks/MusicLibrary.framework/MusicLibrary
/System/Library/PrivateFrameworks/PassKitCore.framework/passd
/System/Library/PrivateFrameworks/ProtectedCloudStorage.framework/Helpers/ProtectedCloudKeySyncing
/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
/System/Library/TextInput/kbd
/usr/libexec/coreduetd
/usr/libexec/diagnosticd
/usr/libexec/findmydeviced
/usr/libexec/fmfd
/usr/libexec/locationd
/usr/libexec/mdmclient
/usr/libexec/mobileactivationd
/usr/libexec/mobileassetd
/usr/libexec/networkserviceproxy
/usr/libexec/rtcreportingd
/usr/libexec/secd
/usr/libexec/siriknowledged
/usr/libexec/swcd
/usr/libexec/tailspind
/usr/libexec/teslad
/usr/libexec/timed
/usr/libexec/trustd
/usr/sbin/securityd
com.apple.facetime