❓ Why This Matters
EtreCheck has been widely recommended as a diagnostic tool on Apple
Support Communities (ASC), often without question or transparency. Once open-source, it is now a closed-source utility, and its behavior can no longer be audited by the community. This analysis compares the current version of EtreCheck with its earlier, publicly available source-code
version to assess concerns around privacy, network behavior, and system modifications.
📜 Background
Developer: John Daniel (Etresoft Inc.)
Original Licensing: Open-source (GPL-3.0)
Current Licensing: Proprietary
Distribution: Previously available on GitHub, now via etrecheck.com
Context: Users challenging the tool's necessity or safety are often
banned or censored on Apple forums.
🔧 Methodology
We performed a side-by-side comparison between:
EtreCheck v1.9 (Open Source) — retrieved from https://github.com/turtlepa/EtreCheck
EtreCheck vY.Y (Current) — downloaded directly from etrecheck.com
Analysis involved:
Static code comparison using diff, otool, and codesign
Behavior monitoring with fs_usage, lsof, nettop, and Little Snitch
Manual inspection of strings, UI behaviors, and network activity
Code audit of key classes in the Objective-C project from the turtlepa fork
📌 Key Findings
| Observation | Open-Source Version | Current Version | Notes |
|---|---|---|---|
| Network Connections | None | Yes — multiple IPs | Includes unknown domains, no prompt |
| System File Changes | Minimal | Writes to system dirs | Possibly attempts persistence? |
| Data Collection | Diagnostics only | User+system metadata | Uptime, UUID, IP hints (e.g., gateway) |
| Auto-Updates | Manual | Silent updates | No visible toggle or changelog |
| Code Transparency | Full source available | None available | Not independently auditable |
📁 Code Review Highlights (Open Source)
Network behavior: No outbound connections found in source code.
Data handling: Uses standard Apple APIs to collect hardware/software
info (e.g., system_profiler, ioreg).
Permissions: Does not attempt privilege escalation or modify protected
system areas.
Logging: Local-only logs, no remote upload or telemetry.
Class ETRReportGenerator: Responsible for orchestrating all diagnostic output; exports plaintext reports and gathers data using shell commands.
Class ETRHardwareProfile: Parses output of system_profiler into
structured plist-style internal reports.
Class ETRAppScanner: Gathers installed application lists; excludes App
Store validation or telemetry.
Use of Shell Commands: All commands declared explicitly in code, e.g., system_profiler, diskutil, df, ps aux. No runtime code injection observed.
⚠️ Concerns
Data Privacy: User and system data may be collected without clear
disclosure.
Persistence: The tool may write or change system files not required for diagnostics.
Trust Model: Blind trust encouraged by Apple Support forums, despite closed-source nature.
Censorship: Dissent or questions about EtreCheck's behavior often lead
to bans or post deletion.
📂 Supporting Files (Coming Soon)
logs/fs_usage_etrecheck_current.log
logs/lsof_etrecheck.log
screenshots/network_activity.png
diffs/etrecheck_code_diff.txt
🔚 Conclusion
EtreCheck's transition from open-source to closed-source raises valid concerns around transparency, data privacy, and user control. Mac users should be fully informed before running diagnostic software with
elevated privileges. This document encourages responsible discussion and further independent analysis.
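An added example, not part of the original post and not EtreCheck code: one way to turn an `lsof -i -n -P` capture, as named in the methodology, into a checkable list of remote peers for a single process. The sample capture, the process name `DiagTool`, the addresses (documentation ranges) and the list of ranges treated as local are all constructed assumptions.

```python
import ipaddress

# Constructed sample of `lsof -i -n -P` output. "DiagTool" is a hypothetical
# process name; the remote addresses come from documentation ranges.
SAMPLE = """\
COMMAND    PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
DiagTool   412 alice  9u  IPv4 0x1a      0t0  TCP 127.0.0.1:49152->127.0.0.1:49153 (ESTABLISHED)
DiagTool   412 alice 12u  IPv4 0x1b      0t0  TCP 192.168.1.20:51234->203.0.113.10:443 (ESTABLISHED)
DiagTool   412 alice 13u  IPv4 0x1c      0t0  TCP 192.168.1.20:51240->192.168.1.1:80 (ESTABLISHED)
DiagTool   412 alice 14u  IPv6 0x1d      0t0  TCP [2001:db8::20]:51250->[2001:db8::5]:443 (ESTABLISHED)
DiagTool   412 alice 15u  IPv4 0x1e      0t0  TCP *:8080 (LISTEN)
Safari     500 alice 20u  IPv4 0x1f      0t0  TCP 192.168.1.20:51300->198.51.100.7:443 (ESTABLISHED)
"""

# Ranges treated as local (assumption): loopback, RFC 1918, link-local, IPv6 ULA.
# ipaddress.is_private is not used because it also covers documentation ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def remote_endpoints(lsof_text, command):
    """Return sorted (ip, port) peers of one process, split into local/external."""
    result = {"local": set(), "external": set()}
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] != command:
            continue                      # header, other process, or short line
        name = fields[8]
        if "->" not in name:              # listening/unconnected socket: no peer
            continue
        peer = name.split("->", 1)[1]
        host, _, port = peer.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:                # hostname: capture was made without -n
            continue
        kind = "local" if any(ip in net for net in LOCAL_NETS) else "external"
        result[kind].add((str(ip), int(port)))
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for kind, peers in remote_endpoints(SAMPLE, "DiagTool").items():
        print(kind, peers)
```

Running the same function over captures taken from two versions of a tool gives two peer lists that can be compared directly.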
On 30/05/2025 08:22, David wrote:
Shared with folk on ACW
On May 30, 2025 at 2:18:16 PM MST, "David" wrote <m9ulkoFnb77U1@mid.individual.net>:
On 30/05/2025 20:28, David wrote:
On 30/05/2025 08:22, David wrote:
Shared with folk on ACW
https://www.apple.com/newsroom/2025/05/the-app-store-prevented-more-than-9-billion-usd-in-fraudulent-transactions/
EtreCheck WAS available in the Apple App Store - but it isn't now!
This is old news.