Monday, September 10, 2018

Mojave’s New Security and Privacy Protections Face Usability Challenges

Rich Mogull:

Apple has been inching down this path of protected files in macOS since it introduced Gatekeeper and sandboxing. With each release, Apple has tightened the sandboxing screws to limit the traditionally near-unfettered access of apps.


You might be thinking that there’s quite a bit more that deserves protection, and you’d be right. In fact, Mojave extends protection to data in Mail, Messages, Safari, Home, Time Machine, and certain administrative settings, but without the granular notifications of the data types we’ve been discussing. Apps can request access to data in Mail or Messages or Safari too, and they’ll appear in the Full Disk Access list in the Privacy pane of the Security & Privacy preference pane.

I don’t think there is actually a way for apps to programmatically request Full Disk Access.

Apple needs to improve Mojave to provide both developers and users with clear alerts that avoid the pitfalls that crippled so many similar attempts in the past. There’s a reason any mention of Windows Vista still sends shudders down the spine of anyone who worked a help desk during those perilous times. And the company needs to improve the current situation for anyone who creates AppleScript-based apps to make sure such apps don’t prompt constantly for access.

Luc Vandal:

Well this is going to be fun in a couple of weeks!

See also: xkcd.

Previously: AEDeterminePermissionToAutomateTarget Added, But AEpocalyse Still Looms, Apple Events Usage Description, Call Recorder for FaceTime Won’t Be Compatible With Mojave, Ghostery Lite, Little Flocker.

Update (2018-09-11): Christopher P. Atlan:

Even with full disk access apps can’t access rootless_mkdir folders (a.k.a. DataVaults). So a backup app can’t make a perfect replica.

Update (2018-09-13): Howard Oakley:

Important lessons for Mojave early adopters are:

  • Mojave’s privacy protection extends to some folders beyond your Mojave startup disk; these aren’t currently documented, but include /Library/Applications Support/
  • When you think an app needs to be given Full Disk Access, it may actually be a helper tool which must be added to the Privacy settings, not the app itself. This appears to be a special case to the rule that command tools are traced through their Attribution Chain to the ‘parent’ app which called them in the first place: in this case, adding the C3 app to Full Disk Access doesn’t give its command tool helper com.bombich.ccchelper full disk access. This may be because it is run as a Launch Service, but none of this is documented.
  • Third party apps which use helper tools, as C3 does, need to be provided with a mechanism similar to that in C3 to guide the user through the process of adding their helper tools to the Full Disk Access list, when required. As far as we know at present, that cannot be performed by the app, but requires the user to make that addition. Users can add command tools to the Full Disk Access list, but need to be helped to do so.


macOS permissions are a mess. Multiple user prompts. Multiple tabs in System Preferences to check. A requirement to purchase Little Snitch to discover and deny network requests.

On first launch, macOS should show all of an app's required and optional permissions, and all network activity the app can request along with usage descriptions. The user should have the right to deny any optional permission and network request. The app should not launch if the user denies a required permission or request. Apple should send developers feedback on what options are denied.

I also want system-wide audit facilities. I want a history of every file and network request an app has made. I want to be alerted if an app is messing with files in an unusual location. This should even apply to non-sandboxed apps.

@Hammer Yes, I think the sandbox is far less useful than Little Snitch at protecting the user.

Safari 12's fingerprinting protection is supposed to provide a generic list of fonts, but it fails to protect against the canonical fingerprint checking site's font enumeration:
