How does one identify if a process is from Apple or not?

I'm using Little Snitch to monitor my web traffic and it's identified a whole series of processes trying to connect either to apple.com, ibook.info, akadns.net or to unrecognizable IP addresses when I log in.


How does one determine if a process is legit and safe when it's trying to connect to an IP address?


Here's a screenshot of the processes and connection attempts:



iMac, macOS Sierra (10.12.3)

Posted on May 7, 2017 11:06 AM


May 7, 2017 1:31 PM in response to numbles45

numbles45 wrote:


How does one determine if a process is legit and safe when it's trying to connect to an IP address?


Here's a screenshot of the processes and connection attempts:



Hello numbles45,

You can check the signature of the process. You will have to track down the actual executable file on disk. Then check it with a tool like RB App Checker (https://itunes.apple.com/us/app/rb-app-checker-lite/id519421117?mt=12).


An Apple file will have a section that looks like this:

The signature contains 3 certificates.

Certificate “Apple Root CA”:

Your keychain contains this trusted root certificate.

Will expire on Feb 9, 2035.

Certificate “Apple Code Signing Certification Authority”:

Will expire on Oct 24, 2026.

Certificate “Software Signing”:

Will expire on Apr 12, 2021.

SHA1 fingerprint: “013E2787748A74103D62D2CDBF77A1345517C482”.

Team ID or Organizational Unit: “Apple Software”.


A Mac App Store app will look slightly different:

The signature contains 3 certificates.

Certificate “Apple Root CA”:

Your keychain contains this trusted root certificate.

Will expire on Feb 9, 2035.

Certificate “Apple Worldwide Developer Relations Certification Authority”:

Will expire on Feb 7, 2023.

Certificate “Apple Mac OS Application Signing”:

Will expire on Feb 6, 2023.

SHA1 fingerprint: “B93BDAAAF1A8846B34BA32332635CB2B84853DA8”.


An app with a valid Apple Developer ID will look like:

The signature contains 3 certificates.

Certificate “Apple Root CA”:

Your keychain contains this trusted root certificate.

Will expire on Feb 9, 2035.

Certificate “Developer ID Certification Authority”:

Will expire on Feb 1, 2027.

Certificate “Developer ID Application: Etresoft, Inc. (U87NE528LC)”:

Will expire on Feb 2, 2021.

SHA1 fingerprint: “4D0E23DE51BDC65119E8D161C0003D792B2A78C9”.

Team ID or Organizational Unit: “U87NE528LC”.

This matches the Team ID contained in the signature.


If you see something else, you should probably be suspicious.


Regarding network connections, it is perfectly normal for any app, including Apple apps, to connect to IP addresses all over the world. Technically speaking, you can use Little Snitch to validate the authenticity of network connections. But those capabilities are turned off by default and require a fair amount of networking knowledge to figure out. The standard dialogs that Little Snitch pops up are meaningless. If you use it to block connections, you are likely only going to cause problems for yourself.
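As an added illustration that is not part of the original reply and not code from RB App Checker: the script below classifies a code-signing chain into the three shapes described above (Apple-signed, Mac App Store, Developer ID) and treats anything else as suspicious. It reads the `Authority=` and `TeamIdentifier=` lines that `codesign -dvvv` prints on macOS (the reply recommends RB App Checker; `codesign` is assumed here as the command-line equivalent). The sample outputs embedded in the script are constructed to mirror the three cases in the reply, including the Team ID cross-check on the Developer ID leaf certificate.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples shaped like `codesign -dvvv` output (leaf Authority first,
# root last). Paths and identifiers are placeholders, not real binaries.
SAMPLE_APPLE = """Executable=/placeholder/path/apple-tool
Identifier=com.example.apple-tool
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
"""

SAMPLE_APP_STORE = """Executable=/placeholder/path/Store.app/Contents/MacOS/Store
Identifier=com.example.store-app
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

SAMPLE_DEVELOPER_ID = """Executable=/placeholder/path/EtreCheck
Identifier=com.example.devid-app
Authority=Developer ID Application: Etresoft, Inc. (U87NE528LC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=U87NE528LC
"""

# Team ID in the leaf name does not match the signature's TeamIdentifier.
SAMPLE_MISMATCH = """Executable=/placeholder/path/odd
Identifier=com.example.odd
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999
"""


@dataclass
class SignatureInfo:
    authorities: List[str]          # leaf first, root last
    team_id: Optional[str]          # None when codesign prints "not set"
    identifier: Optional[str]


def parse_codesign_output(text: str) -> SignatureInfo:
    """Pull the certificate chain, Team ID and bundle identifier out of codesign text."""
    authorities: List[str] = []
    team_id = None
    identifier = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Authority="):
            authorities.append(line[len("Authority="):])
        elif line.startswith("TeamIdentifier="):
            value = line[len("TeamIdentifier="):]
            team_id = None if value == "not set" else value
        elif line.startswith("Identifier="):
            identifier = line[len("Identifier="):]
    return SignatureInfo(authorities, team_id, identifier)


# Leaf certificate name for Developer ID, e.g. "Developer ID Application: Foo (ABCDE12345)".
DEV_ID_RE = re.compile(r"^Developer ID Application: (?P<name>.+) \((?P<team>[A-Z0-9]{10})\)$")

APPLE_CHAIN = ["Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA"]
APP_STORE_CHAIN = ["Apple Mac OS Application Signing",
                   "Apple Worldwide Developer Relations Certification Authority",
                   "Apple Root CA"]


def classify(info: SignatureInfo) -> str:
    """Return 'apple', 'mac-app-store', 'developer-id', 'unsigned' or 'suspicious'."""
    chain = info.authorities
    if not chain:
        return "unsigned"
    if chain[-1] != "Apple Root CA":
        return "suspicious"                # chain does not end at Apple's root
    if chain == APPLE_CHAIN:
        return "apple"
    if chain == APP_STORE_CHAIN:
        return "mac-app-store"
    if len(chain) == 3 and chain[1] == "Developer ID Certification Authority":
        match = DEV_ID_RE.match(chain[0])
        # The Team ID in the leaf name must equal the signature's TeamIdentifier.
        if match and match.group("team") == info.team_id:
            return "developer-id"
    return "suspicious"


def inspect_executable(path: str) -> str:
    """Run codesign on a real file (macOS only); codesign writes details to stderr."""
    proc = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return classify(parse_codesign_output(proc.stderr))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(target, "->", inspect_executable(target))
    else:
        for name, sample in [("apple", SAMPLE_APPLE), ("store", SAMPLE_APP_STORE),
                             ("devid", SAMPLE_DEVELOPER_ID), ("mismatch", SAMPLE_MISMATCH)]:
            print(name, "->", classify(parse_codesign_output(sample)))
```

Run with a path to an executable on a Mac to inspect a real file, or with no arguments to see the four constructed samples classified. Note that the chain check answers only "who signed this"; a file that fails this check is worth a closer look, but, as the reply says, a valid Apple signature does not by itself say anything about whether its network connections are wanted.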

May 7, 2017 2:34 PM in response to numbles45

Some, but not all, and more could be added at any time: About macOS, iOS, and iTunes server host connections and iTunes background processes - Apple Support


Apple leases an enormous number of IP addresses including the entire top level 17.0.0.0 IPv4 space, and that could also be subject to change at any time.


If you want to know what outgoing connections are "legitimate and safe" you're going to have a lot of work on your hands. Start with a totally stock and unmodified macOS installation and you can be as reasonably assured as possible that whatever outgoing connections it initiates are "legitimate and safe". Those outgoing connections are already going to include a tremendous amount of communication for the App Store, iCloud, iTunes, iBooks to name only a few trivial examples. The moment you modify macOS with programs and processes that require their own outgoing connections, those connections will multiply very quickly.


I do not modify macOS in that manner, which means no Adobe programs, no Microsoft and definitely no Google, but those are only a few popular examples of programs that routinely initiate outgoing connections for purposes known only to them. Whether you consider that "legitimate and safe" is a question left to your own judgement and opinion.

May 7, 2017 5:02 PM in response to numbles45

numbles45 wrote:


I found this website to be helpful to learn more about the processes running on my mac:

http://triviaware.com/macprocess/


Apple's lack of transparency is making it very difficult for us to protect our privacy and secure our computers.

Interesting. I tried it out. I'm not too impressed with the results. I don't disagree that Apple's lack of transparency makes it hard to figure out what is going on. But mostly that site just pulls from Apple's own documentation, which is pretty much the opposite. Sometimes, Apple provides documentation that the site doesn't include in favour of information that is flat-out wrong.


Most of this information is readily available. It may be found in developer tools or man pages, but it is there. I am interested in building a database to fill in the gaps.

May 8, 2017 3:15 AM in response to numbles45

Regarding the IP addresses, performing a WHOIS shows that the first IP address belongs to Apple:

https://whois.arin.net/rest/net/NET-17-0-0-0-1/pft?s=17.143.163.209


But it's not always that straightforward, as can be seen with the IP address 2.22.8.81, which refers to Akamai Technologies when performing a WHOIS on RIPE:

https://apps.db.ripe.net/search/query.html#resultsAnchor


The Wikipedia article on Akamai Technologies is interesting. They have a whole bunch of large multinational customers amongst which Apple, so I think one can assume a process targeting that content delivery network is safe.

http://www.wikiwand.com/en/Akamai_Technologies


The mdmclient (I have no clue what this process does!) appears to be connecting to Amazon and dig has to do with DNS servers. I recognized that the IP addresses are all DNS servers I have set up on my router.


Having to look up each and every IP address is a cumbersome process, so hopefully Little Snitch will make it easier for us by including the relevant WHOIS info in their app next to the rules.
