What is rapportd and why does it want incoming network connections?

Question

I've just updated to the latest MacOS 10.13.2 and after restarting, my machine asked me to allow incoming network connections for "rapportd".

After blocking it and checking in the firewall config, I can see that this is an executable in /usr/libexec/rapportd which was created on my machine on the 1st of December.

That's a day after I installed the security update 2017-001 (for the second time; autoupdate didn't seem to notice that I'd manually updated it), and I haven't installed or updated any other software recently / around that time. Google Chrome updates whenever it feels like it, so this could be related to a Chrome update (no idea when it last updated).

The internet suggests this is related to some banking protection program but that doesn't seem to fit here, and from a vague text-edit inspection of the binary I can see that it references /System/Library/PrivateFrameworks/Rapport.framework/Versions/A/Rapport (a framework created on my machine back in July and updated in October) which makes me think this is likely to be a new 1st-party OS daemon.

What does rapportd do?

It has a manpage, but it's not very helpful: "Synopsis: Daemon providing support for the Rapport connectivity framework." — sengi, Dec 07 '17 at 22:41
Don't know much about this kind of stuff, but have noticed that the incoming attempt to conect is coming from my iPhone (it's the IP address my iPhone is connected). — Gui, Apr 29 '18 at 23:56
I think it was your other apple device tried to connect to your mbp. — Vision Chang, Mar 20 '18 at 08:36
I came here because of the bonjour service rapportd advertises. The output of "dns-sd -B _services._dns-sd._udp" is "_tcp.local. _companion-link" which is misspelled as "Compagnion link" Service Type in iNet Network Scanner. Misspellings in unknown Bonjour services trip my malware detector. Even with Handoff off, this service stays running. I guess Apple needs to be able to keep phones/tablets/laptops connected at all costs. After checking with codesign I guess rapportd is first party. Why so obscure though. — geoO, Jan 21 '20 at 15:55
my rapportd opened:
/usr/libexec/rapportd,

/private/var/db/timezone/tz/2019c.1.0/icutz/icutz44l.dat,

/System/Library/PrivateFrameworks/CorePhoneNumbers.framework/Versions/A/Resources/CorePhoneNumbers.ruleset,

/usr/share/icu/icudt64l.dat,

/usr/lib/dyld,

Among others — geoO, Jan 21 '20 at 15:58

seren · Answer 1 · 2021-05-15T00:04:28.707

49

EDIT: It looks like the man page has been updated and now reads:

Daemon that enables Phone Call Handoff and other communication features between Apple devices.

I just had the same experience. The man page states that it is a:

Daemon providing support for the Rapport connectivity framework.

Checking the code signature with codesign -dv --verbose=4 /usr/libexec/rapportd shows it is signed by Apple and in a SIP-protected location (unless you turned off SIP), this appears to be legitimate Apple software. The man page implies it's related to communication, though I've yet to find any real documentation on it.

(Thanks to John Keates for the code-signature tip.)

edited May 15 '21 at 00:04

answered Dec 08 '17 at 08:07

seren

1,068

3

Just because Apple authorized it, doesn't make it "legitimate". Apple has been gathering and sharing information about its users with state security organs since October 2012. I don't have an iPhone and don't want a security hole open to share with other Apple devices. – Foliovision Jun 02 '18 at 16:38
5

"it's linked against a PrivateFramework (which Apple doesn't allow for others)": Apple doesn't care about this, unless you're planning to distribute through the App Store. In fact, one the apps I work on links to a private framework and Apple let us sign it just fine. – saagarjha Jun 03 '18 at 18:57
Good point Saagarjha. I've removed that point. – seren May 15 '21 at 00:04
also used by the new Universal Control feature. – jrg Sep 21 '22 at 16:22

score 23 · Answer 2 · answered Dec 16 '17 at 00:21

In addition to what already has been posted, /usr/libexec/rapportd is code signed by Apple and linked against a PrivateFramework (which Apple doesn't allow for others and therefore doesn't sign for others), and in a SIP-protected location. Unless you turn off SIP, this is simply part of the OS, put there by Apple.

You can check this on the commandline:

codesign -vvvv -R="anchor apple" /usr/libexec/rapportd

This should report something like:

/usr/libexec/rapportd: valid on disk
/usr/libexec/rapportd: satisfies its Designated Requirement
/usr/libexec/rapportd: explicit requirement satisfied

To show what libraries are linked to:

otool -L /usr/libexec/rapportd

Which will show something like:

/usr/libexec/rapportd:
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1450.14.0)
    /System/Library/PrivateFrameworks/CoreUtils.framework/Versions/A/CoreUtils (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/PrivateFrameworks/Rapport.framework/Versions/A/Rapport (compatibility version 0.0.0, current version 0.0.0)
    /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1450.14.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)

"which Apple doesn't allow for others and therefore doesn't sign for others": Try it yourself; you'll see that it works just fine: echo 'int main() {}' | clang -F/System/Library/Frameworks -framework MobileDevice -x c - -o test; codesign -s "Your certificate" test — saagarjha, Jun 03 '18 at 19:07
PrivateFrameworks, and codesigned by Apple, not Frameworks and codesigned locally by yourself. — John Keates, Jun 03 '18 at 20:57
Sorry, I meant echo 'int main() {}' | clang -F/System/Library/PrivateFrameworks -framework MobileDevice -x c - -o test; codesign -s "Your certificate" test. A rather unfortunate typo given what we're discussing. Also, I signed this with my Mac Developer certificate, not an ad-hoc one. — saagarjha, Jun 04 '18 at 09:59
@JohnKeates Very useful thank you. @saagarjha Can you please provide more information? I'm confused, do you mean that this PrivateFramework is not Private? — Yohan W. Dunon, Feb 06 '22 at 12:06
A "private framework" is intended for use by Apple, not third party developers. That said, there is nothing technical stopping you from linking against it and signing the result. — saagarjha, Feb 07 '22 at 23:28

score 16 · Answer 3 · answered Dec 28 '17 at 22:18

16

I believe it is used for iTunes Home Sharing and the Remote app to control iTunes.

I found this out because Little Snitch was blocking it and I couldn't work out why the iTunes remote stuff wasn't working because I accidentally closed the dialog :)

Once I allowed it my phone could then see iTunes on my laptop as well as discover the iTunes Home Sharing.

answered Dec 28 '17 at 22:18

Darius

261

1

I've never synced an iOS device on this machine but I do use iTunes home sharing, and have rapportd running with TCP *:65530 (LISTEN) open on both ipv4 and ipv6, I thought port 65530 was a pretty cheeky high port number just six below the highest possible but thankfully it sounds like legit software hopefully – Tomachi Aug 23 '19 at 13:16
if you look on a second system it'll be listening on a different port. It gets the port it's given by the OS at run time, and then registers it with Bonjour/mDNS. – jrg Sep 21 '22 at 16:21

score 10 · Answer 4 · answered Feb 22 '18 at 13:34

10

From my own pain^W experience I can tell that this service is needed at least for text message forwarding (relaying) to work.

Having it blocked with Firewall, for e. g., puts a big bold ban on "Text Message Forwarding" item in iPhone's settings. In fact it won't be even shown at all there

answered Feb 22 '18 at 13:34

poige

994

Interesting. I have blocked rapportd on my machine yet both iMessages and text message forwarding are still working fine for me. Is it possible you also have another blocked service? – Dave Feb 22 '18 at 18:26
How did you block? Did you try rebooting after you did that? – poige Feb 22 '18 at 22:43
By choosing “deny” when it asked, as noted in my original question (and it is still listed as blocked in the firewall settings). And yes I have rebooted many times since then. – Dave Feb 23 '18 at 08:26
You can check for sure with traffic sniffer and/or netstat/lsof – poige Feb 23 '18 at 09:56

score 9 · Answer 5 · edited Sep 10 '18 at 12:57

9

Type man rapportd in Terminal. This is the output:

NAME
     rapportd -- Rapport Daemon.

SYNOPSIS
     Daemon that enables Phone Call Handoff and other communication features between Apple devices.

     Use '/usr/libexec/rapportd -V' to get the version.

LOCATION
     /usr/libexec/rapportd

edited Sep 10 '18 at 12:57

Glorfindel

4,057

answered May 27 '18 at 23:39

Viktor

91

cepal67 · Answer 6 · 2017-12-09T09:10:53.813

(edit: I corrected my previous mix up of UID and PID - apologies to everyone!!!)

I checked what files this process has open, and that doesn't help much either. However, at least I know now what port it's trying to listen on (49161) and I can search hopefully what this port is "reserved" for (it's a high port, so it's not really reserved as such, yeah I know).

[username]mbp:~ root# ps -ef |grep -i [r]apport
  501   306     1   0 10:52AM ??         0:00.11 /usr/libexec/rapportd
[username]mbp:~ root# lsof -p 306
COMMAND  PID  USER   FD   TYPE             DEVICE   SIZE/OFF       NODE NAME
rapportd 306 [username]  cwd    DIR                1,4        992          2 /
rapportd 306 [username]  txt    REG                1,4      44768 8591706461 /usr/libexec/rapportd
rapportd 306 [username]  txt    REG                1,4     837248 8591705719 /usr/lib/dyld
rapportd 306 [username]  txt    REG                1,4 1155805184 8591716537 /private/var/db/dyld/dyld_shared_cache_x86_64h
rapportd 306 [username]    0r   CHR                3,2        0t0        308 /dev/null
rapportd 306 [username]    1u   CHR                3,2        0t0        308 /dev/null
rapportd 306 [username]    2u   CHR                3,2        0t0        308 /dev/null
rapportd 306 [username]    3u  IPv4 0x571b821607c38e93        0t0        TCP *:49161 (LISTEN)
rapportd 306 [username]    4u  IPv6 0x571b82160763854b        0t0        TCP *:49161 (LISTEN)
rapportd 306 [username]    5u  unix 0x571b821607941573        0t0            ->0x571b821607941c7b
rapportd 306 [username]    6u  unix 0x571b82160794069b        0t0            ->0x571b82160794050b

501 is the UID, not the PID! You need to lsof -p 306 for this process — Dave, Dec 08 '17 at 12:36

score -3 · Answer 7 · answered Aug 23 '18 at 12:40

-3

Have you recently agreed to install software to protect communications with your bank? https://en.wikipedia.org/wiki/Trusteer#Trusteer_Rapport

answered Aug 23 '18 at 12:40

Bill Freese

7
1

3

That software makes me cringe. It seems to be super heavy and have tons of vulnerabilities and in fact makes people security far worse. I think this is Apple software however and not the link you mentioned - just that the names are the same. – bmike Aug 23 '18 at 17:25
/usr/libexec/rapportd seems to be provided by Apple. – nohillside Jan 01 '22 at 14:59

What is rapportd and why does it want incoming network connections?

7 Answers7

Linked