<i>As it turns out, it’s just HTTP requests. The alarm bells should be going off now. So you’re telling me that the part of the O.S. that runs as root and replaces system files is downloaded via unsecured, unauthenticated HTTP? Yup.</i><p>Well, I'm not sure it makes a difference. As he later points out, update packages are signed by Apple, so unless you have access to Apple's private key you can't make an update package that will actually be installed.<p>Using HTTPS instead of HTTP would be wise, but in the end it doesn't make a difference.<p>On the whole though, this is a fascinating exercise. Thanks!