Apple Security

Calculator Phoning Home? Not Really

Wasn’t sure what this is all about, but according to Little Snitch 2.0 (which is awesome by the way) the Calculator in Mac OS X 10.5 (Leopard) apparently phones home. Based on the URL one would assume that’s checking for updates (wu typically stands for web update). Though I find this somewhat odd considering Mac OS X has an update system that’s all encompassing. I decided to take a closer look. Earlier it was said that 10.5 was phoning home, though that turned out to not be the case.

Calculator Phoning Home

So I did a little sniffing around (literally packet sniffing), and here’s what I found. On load it sends the following (seemingly blank) request to apple for currency conversion info. The response is the exchange rate. I’ve got a copy for reference below for anyone who wants to see. Calculator seems to use CFNetwork to communicate (not surprising). What’s interesting is that this info doesn’t seem to be cached, every time you load calculator it’s requested.

So yes, it does technically ping the mothership, but no it doesn’t seem to send back any data worth being concerned about. The only thing noteworthy is the cookie. The cookie itself is characteristic of Omniture, an analytics company (who provides analytics services to Apple among many of the largest sites on the web). This seems like a side effect of the implementation (likely sharing stuff from webkit). I don’t think Omniture is pinged during this transaction, so unless Apple were recording that cookie and matching it against web analytics data. I’d consider that extremely unlike even if I put a tin foil hat on my head. I guess Apple could further neutralize any privacy concerns by modifying the implementation to not send a cookie. At that point they would only have your IP to go by (which could be behind a proxy and therefore isn’t very reliable). I don’t think think this is a privacy risk, but also don’t think it would be so bad for Apple to modify and drop the cookie to make it more anonymous. Or at least give the option to not request data every time.