You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: jklinect
jklinect Author
User level: Level 1
5 points

"promotedcontentd"

Hi all,


Little Snitch caught this process (`/usr/libexec/promotedcontentd`) phoning home to strongbad.voiceopia.com on boot the other day. Pretty sketchy, given I had started nothing to that point, but it noted the process was signed by Apple. Upon further investigation, it's running on both of my systems.


The collective mind of the internet has to have some information regarding this process:


  1. What is this process? (simple guess: a program that fetches ads for the operating system... ?)
  2. Why are typical attempts to stop the process from running via launchctl fail? I get "unknown error: 150" on a `launchctl bootout` call, and `launchctl disable/stop` do not work as expected.
  3. Does removing this binary, and the associated plist file, have any larger fallout on the system that I should be aware of? (e.g. is the app store gonna still function after this if it can't talk to the local daemon?)


I've denied the binary all internet access via Little Snitch, but if the process is gonna dryrun itself in the background anyway, I'd like to stop it from running altogether to save on battery.

Posted on Feb 21, 2022 12:17 PM

Reply
Question marked as Top-ranking reply
User profile for user: etresoft
etresoft
User level: Level 9
50,698 points

Posted on Feb 21, 2022 1:08 PM

jklinect wrote:

Little Snitch caught this process (`/usr/libexec/promotedcontentd`) phoning home to strongbad.voiceopia.com on boot the other day. Pretty sketchy, given I had started nothing to that point, but it noted the process was signed by Apple. Upon further investigation, it's running on both of my systems.

Little Snitch just does a reverse DNS lookup for an IP address and reports some name that was associated at some point. You can manually lookup this name to get the IP address (52.6.160.3). And then look that up on ARIN to see who owns it. The answer is, surprise, surprise, "Amazon Technologies Inc." In other words, "the internet".


But none of that means anything. These servers, names, and IP addresses get passed around, cached, and re-used constantly. There is no way to tell if the IP address that Little Snitch found was associated with that domain name or the above IP address.

1. What is this process? (simple guess: a program that fetches ads for the operating system... ?)

You can run "strings" on it to find out all kinds of information. Your guess is pretty accurate. Apple provides an advertising network designed to protect people's privacy. It is part of the operating system. Is it malicious? Do you regularly see any pop-up ads? There is one company (Apple) trying to do advertising honestly and you are blocking them. I'm sure you're not blocking the other companies that are doing advertising dishonestly.

2. Why are typical attempts to stop the process from running via launchctl fail? I get "unknown error: 150" on a `launchctl bootout` call, and `launchctl disable/stop` do not work as expected.

It is part of the operating system, which is read-only.

3. Does removing this binary, and the associated plist file, have any larger fallout on the system that I should be aware of? (e.g. is the app store gonna still function after this if it can't talk to the local daemon?)

No way to tell. Depending on your computer, it might not even boot again.

I've denied the binary all internet access via Little Snitch, but if the process is gonna dryrun itself in the background anyway, I'd like to stop it from running altogether to save on battery.

Did you detect some kind of heavy energy use from this process?


Here's the problem. Little Snitch is not doing you any favours. It is impossible to prevent apps from "phoning home". You could use an app like Little Snitch to interfere, but you aren't blocking anything malicious. You are simply interfering with the normal operation of the operating system.


If Apple, or any company for that matter, wanted to be sneaky and upload your personal information, why would they use a name like "strongbad.voiceopia.com" anyway? Why not "certificate-validation.apple.com"? Nobody's going to block that, are they?


But here is the problem. There is no way that you can tell the server isn't "certificate-validation.apple.com". As I mentioned above, these associations between a domain names and and IP addresses are not fixed or permanent. They could change at any minute. Big companies have hundreds or thousands of servers on Amazon. They spin new ones up in batches of hundreds and then shut them down when they are no longer needed. Some DNS server automatically links a name to an IP address and then changes it later. The next day, some other company does the exact same thing, with the exact same IP addresses, maybe even using the exact same computers. It's all on Amazon, after all. Little Snitch is doing a reverse name lookup, which simply isn't accurate.


Furthermore, there is no way to tell that promotedcontentd is actually doing this. The executable links to 16 different Apple frameworks. Any one of those could be responsible for making this network connection. The irony here is that it is likely that this specific request actually is validating some security certificate. By intercepting or blocking this request, you may be actually reducing your security. Maybe the Apple software actually is accessing "strongbad.voiceopia.com" merely to check the security certificate.


It is simply not possible for you to selectively identify and/or block internet traffic on your computer. It is absolutely impossible to look at a reverse DNS name and make some kind of judgement. All of this information is encrypted anyway. If any companies did want to track you, they can do it quite easily. You can't block it. All you are doing is interfering with the one company that is trying to help you - Apple.

View in context

Similar questions

3 replies
Question marked as Top-ranking reply
User profile for user: etresoft
etresoft
User level: Level 9
50,698 points

Feb 21, 2022 1:08 PM in response to jklinect

jklinect wrote:

Little Snitch caught this process (`/usr/libexec/promotedcontentd`) phoning home to strongbad.voiceopia.com on boot the other day. Pretty sketchy, given I had started nothing to that point, but it noted the process was signed by Apple. Upon further investigation, it's running on both of my systems.

Little Snitch just does a reverse DNS lookup for an IP address and reports some name that was associated at some point. You can manually lookup this name to get the IP address (52.6.160.3). And then look that up on ARIN to see who owns it. The answer is, surprise, surprise, "Amazon Technologies Inc." In other words, "the internet".


But none of that means anything. These servers, names, and IP addresses get passed around, cached, and re-used constantly. There is no way to tell if the IP address that Little Snitch found was associated with that domain name or the above IP address.

1. What is this process? (simple guess: a program that fetches ads for the operating system... ?)

You can run "strings" on it to find out all kinds of information. Your guess is pretty accurate. Apple provides an advertising network designed to protect people's privacy. It is part of the operating system. Is it malicious? Do you regularly see any pop-up ads? There is one company (Apple) trying to do advertising honestly and you are blocking them. I'm sure you're not blocking the other companies that are doing advertising dishonestly.

2. Why are typical attempts to stop the process from running via launchctl fail? I get "unknown error: 150" on a `launchctl bootout` call, and `launchctl disable/stop` do not work as expected.

It is part of the operating system, which is read-only.

3. Does removing this binary, and the associated plist file, have any larger fallout on the system that I should be aware of? (e.g. is the app store gonna still function after this if it can't talk to the local daemon?)

No way to tell. Depending on your computer, it might not even boot again.

I've denied the binary all internet access via Little Snitch, but if the process is gonna dryrun itself in the background anyway, I'd like to stop it from running altogether to save on battery.

Did you detect some kind of heavy energy use from this process?


Here's the problem. Little Snitch is not doing you any favours. It is impossible to prevent apps from "phoning home". You could use an app like Little Snitch to interfere, but you aren't blocking anything malicious. You are simply interfering with the normal operation of the operating system.


If Apple, or any company for that matter, wanted to be sneaky and upload your personal information, why would they use a name like "strongbad.voiceopia.com" anyway? Why not "certificate-validation.apple.com"? Nobody's going to block that, are they?


But here is the problem. There is no way that you can tell the server isn't "certificate-validation.apple.com". As I mentioned above, these associations between a domain names and and IP addresses are not fixed or permanent. They could change at any minute. Big companies have hundreds or thousands of servers on Amazon. They spin new ones up in batches of hundreds and then shut them down when they are no longer needed. Some DNS server automatically links a name to an IP address and then changes it later. The next day, some other company does the exact same thing, with the exact same IP addresses, maybe even using the exact same computers. It's all on Amazon, after all. Little Snitch is doing a reverse name lookup, which simply isn't accurate.


Furthermore, there is no way to tell that promotedcontentd is actually doing this. The executable links to 16 different Apple frameworks. Any one of those could be responsible for making this network connection. The irony here is that it is likely that this specific request actually is validating some security certificate. By intercepting or blocking this request, you may be actually reducing your security. Maybe the Apple software actually is accessing "strongbad.voiceopia.com" merely to check the security certificate.


It is simply not possible for you to selectively identify and/or block internet traffic on your computer. It is absolutely impossible to look at a reverse DNS name and make some kind of judgement. All of this information is encrypted anyway. If any companies did want to track you, they can do it quite easily. You can't block it. All you are doing is interfering with the one company that is trying to help you - Apple.

Reply
User profile for user: lllaass
lllaass
User level: Level 10
210,459 points

Feb 21, 2022 12:39 PM in response to jklinect

It is VoiP service in which uses the internet vice a phone line.

Just because signed by Apple does not mean much.

Have you install any internet security, VPN or similar?


Download and run this app so we can find more information about your installation.

https://etrecheck.com/upgrade

It shows what is launched and other information and is very useful in finding causes of problems. After you first launch the app make sure you check Enable full disk access in the box in lower left.


After running the app use the app's feature to paste to clipboard. Then paste it in the text box for a reply in this forum click on the addition text icon. This is because the normal reply text box limits how much you can type.

No personal identifiable information is contained if the app output. The app was written for a person who is contributor to these Apple Support Communities

Reply
User profile for user: jklinect
jklinect Author
User level: Level 1
5 points

Feb 21, 2022 2:07 PM in response to lllaass

Hi etresoft,


The detailed response is appreciated, thank you for your time in helping me understand the subject at hand. Will respond to some points, but I think this satisfies my curiosity itch:


> There is no way to tell if the IP address that Little Snitch found was associated with that domain name or the above IP address.


Reverse DNS inaccuracy aside, selecting/listing the wrong outgoing IP is an objective failure for part of the primary use case Little Snitch aims to satisfy. If it failed that, that would infer either (1) the operating system interfered with its ability to select the correct outgoing IP, or (2) it's poorly written and buggy enough to mis-function accordingly - both of which are disappointing conclusion to reach.


> No way to tell. Depending on your computer, it might not even boot again.


This was my concern, which is why further guidance on the subject was sought out before making knee-jerk reactions like removing the binary entirely.


> It is part of the operating system. Is it malicious? Do you regularly see any pop-up ads?


At the time of alert, the answers were inconclusive and no, respectively. I have little snitch on all my machines and this is the first time this process was flagged on any of them. Hence the reaching-out for help.


> Did you detect some kind of heavy energy use from this process?


If it's running, it's gonna use some volume of CPU cycles, no matter how minuscule that may be, that don't provide a benefit to my end experience if it's blocked. Why bother with it running if it's not gonna function right? (moot point, just wanted to explain the logic behind this)


> Here's the problem. Little Snitch is not doing you any favours.

> There is one company (Apple) trying to do advertising honestly and you are blocking them. I'm sure you're not blocking the other companies that are doing advertising dishonestly.


It's a process-by-process, connection-by-connection approach, the same vigilance/diligence applied here is uniform to all running processes. This one is just a gray area given the Apple affiliation. Not sure what to infer from "not doing you any favours" - to this point, Little Snitch has functioned as expected.


> If Apple, or any company for that matter, wanted to be sneaky and upload your personal information, why would they use a name like "strongbad.voiceopia.com" anyway? Why not "certificate-validation.apple.com"? Nobody's going to block that, are they?

> The executable links to 16 different Apple frameworks. Any one of those could be responsible for making this network connection.


More motivation behind the ask - if the daemon is functioning on behalf of another process (as some daemons typically do), I wanted to know which it was. Part of the "if-i-remove-it-what-stops-working" fallout.


> It is absolutely impossible to look at a reverse DNS name and make some kind of judgement.


In this era where a significant amount of the internet runs on AWS/Azure/GCP infrastructure, and IPs / domains are as ephemeral as you've noted, this might be sadly more true than I'd like to believe but notwithstanding - point made.


> It is simply not possible for you to selectively identify and/or block internet traffic on your computer ... [a]ll of this information is encrypted anyway. If any companies did want to track you, they can do it quite easily. You can't block it.


Point made. Blocking connection attempts only goes as far as effort, if a process really wants to "phone home" it can leverage its way around the block/out of the machine eventually.


Thank you, again, for your help/knowledge here, will unflag the process from the deny list accordingly.

Reply

"promotedcontentd"

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up