MacOS – Apple Push Notification Service: misbehaviour


On a new test iMac (running Mavericks 10.9.2) I discovered 2 repeated errors related to apsd (Apple Push Notification Service daemon).

Repeated failing connections

A netstat command displays a huge number of not correctly terminated tcp connections. All these dead connections are toward a domain at Apple, and using port 5223/tcp. Actually I have 400 of them:

$ netstat -An 
Active Internet connections
Socket           Flowhash Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)    
[...]
ffffff8024040d88 c23b1438 tcp4       0      0  •••.My_IP.••.50929 17.149.36.133.5223 ESTABLISHED
ffffff8022ef8d88 31793d40 tcp4       0    106  •••.My_IP.••.50604 17.149.32.8.5223   FIN_WAIT_1 
ffffff8022cc2d88 c977e8ee tcp4       0    143  •••.My_IP.••.50491 17.172.232.142.522 FIN_WAIT_1 
[...]

Repeated invalid certificates

Every 90 minutes, apsd is telling it can't recognize a certificate. A large grep on the system.log logs displays this repeated error:

$ zgrep apsd /var/log/system.log.[0-6].gz
[...]
/var/log/system.log.0.gz:May 25 00:48:01 ••.My_name.My_domain.•• apsd[106]: Unrecognized leaf certificate
/var/log/system.log.0.gz:May 25 02:18:22 ••.My_name.My_domain.•• apsd[106]: Unrecognized leaf certificate
/var/log/system.log.0.gz:May 25 03:48:44 ••.My_name.My_domain.•• apsd[106]: Unrecognized leaf certificate
[...]

Related documentation

I found here the way to shut up this daemon:

How to disable Apple Push Notification Service (apsd) on OS X 10.8?

I didn't find here any explanation on how this daemon is working, how it is started or stopped:

man apsd

I found here a correct explanation of the behaviour of apsd seeing a wrong certificate:

Unrecognized leaf certificate.

Questions

This daemon is clearly misbehaving and typical of many security problems
(bad connection, bad certificate validation, data leak…).

How should this daemon work?
Which service is it useful to?
Is this daemon functioning with these repeated misbehaviours?
How may I check it?
How might I have fired this misbehaving daemon?
And finally, shouldn't I stop it definitively?

Best Answer

The service is used for delivering you push notifications. Push notifications usually appear in the Notification Center in the top right corner of your desktop. Read more about it here:

http://support.apple.com/kb/ht5362

If you disable the service, you'll probably lose notifications for events such as received iMessage-messages, Facetime calls and notification from websites that you have requested notifications from.

From what you write, there does not seem to be a weighty reason for disabling it. It is a normal, system service that should not pose a problem to your system.

The connections in FIN_WAIT_1 state do not pose a problem to your system. You can safely ignore them (in those numbers).

You can also safely ignore the log message. The log message does not indicate that there has been a "data leak" as such.

The reason for the log message is that Apple uses a large number of servers for sending your push notifications. Your computer will connect to a (somewhat) random one of those servers. The server will present a generic certificate for the service, and not one customized to the exact "sub-server" you have connected to. That is the cause of the log message. This is something Apple needs to fix on their servers, but it is a known bug and not something you yourself can do anything about.

This does not mean that you lose encryption or anything like that, but it might mean that your system could be vulnerable to a Man-In-The-Middle attack, where you could be sent falsified Push Notifications. Whether that is indeed the case would require further research. It is most likely that Apple employed some sort of certificate pinning or similar to avoid this type of exploit. The likelihood that you should be attacked this way is pretty low anyhow. I.e. don't worry about it.

I don't see why you say the daemon is "misbehaving". It is not misbehaving more on your computer than on any other computer. You could say that it is misbehaving, but it is doing so by Apple's design. So instead, create bug reports with Apple to let them know that you're seeing a problem.

Of course, if you do not actually use Push Notifications for anything, you can safely disable it.
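A shell helper, added here as an example and not part of the question or the answer, that turns the two checks the poster ran into numbers: it tallies `netstat` sockets to port 5223 by state and prints the minutes between consecutive "Unrecognized leaf certificate" lines, so the FIN_WAIT_1 pile-up and the roughly 90-minute cadence can be confirmed from a log rather than eyeballed. The function names `apns_states` and `leaf_cert_intervals` and both data samples are constructed for this example; on a real machine feed it `netstat -an` and `zgrep apsd /var/log/system.log*` instead.

```shell
#!/bin/sh
# Added helper, not from the post: tallies APNs (port 5223) socket states from
# `netstat -an` / `netstat -An` output and measures the gap between
# "Unrecognized leaf certificate" log lines. Both samples below are constructed.

NETSTAT_SAMPLE='Active Internet connections
Socket           Flowhash Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
ffffff8024040d88 c23b1438 tcp4       0      0  192.0.2.10.50929   17.149.36.133.5223 ESTABLISHED
ffffff8022ef8d88 31793d40 tcp4       0    106  192.0.2.10.50604   17.149.32.8.5223   FIN_WAIT_1
ffffff8022cc2d88 c977e8ee tcp4       0    143  192.0.2.10.50491   17.149.32.9.5223   FIN_WAIT_1
ffffff8022cc2e00 11aa22bb tcp4       0      0  192.0.2.10.50100   198.51.100.7.443   ESTABLISHED'

LOG_SAMPLE='/var/log/system.log.0.gz:May 25 00:48:01 host apsd[106]: Unrecognized leaf certificate
/var/log/system.log.0.gz:May 25 02:18:22 host apsd[106]: Unrecognized leaf certificate
/var/log/system.log.0.gz:May 25 03:48:44 host apsd[106]: Unrecognized leaf certificate
/var/log/system.log.0.gz:May 25 03:50:00 host apsd[106]: some other message'

# Reads netstat output on stdin; prints "STATE count" for every tcp socket whose
# foreign port is 5223, so a pile of FIN_WAIT_1 sockets is visible at a glance.
# The foreign address is always the second-to-last field and the state the last
# one, which holds for both the -an and the -An column layouts.
apns_states() {
  awk '$0 ~ /tcp/ && $(NF-1) ~ /\.5223$/ { n[$NF]++ }
       END { for (s in n) print s, n[s] }' | sort
}

# Reads (z)grep output on stdin; prints the whole minutes elapsed between
# consecutive "Unrecognized leaf certificate" lines. Assumes the entries come
# from the same day, as in the poster's excerpt.
leaf_cert_intervals() {
  awk '/apsd\[[0-9]+\]: Unrecognized leaf certificate/ {
         sub(/^[^ ]*\.gz:/, "")                 # drop the zgrep file-name prefix
         split($3, t, ":")
         s = t[1] * 3600 + t[2] * 60 + t[3]     # seconds since midnight
         if (prev != "") print int((s - prev) / 60)
         prev = s
       }'
}

printf '%s\n' "$NETSTAT_SAMPLE" | apns_states          # ESTABLISHED 1 / FIN_WAIT_1 2
printf '%s\n' "$LOG_SAMPLE" | leaf_cert_intervals      # 90 / 90
```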