Wednesday, July 31, 2019

The Alert Hammer

Paulo Andrade:

Note how on one end of the spectrum alerts are useless for users that don’t understand the implications of allowing such access and on the other end experts want to turn them off.

So for the benefit of a few power users in the middle of the spectrum that feel more secure with these, everyone else gets to be annoyed.

I don’t think anyone really understands the implications because you can’t tell whether the app is going to abuse the power it’s given. If I’m installing Zoom, of course I’m going to grant it access to the camera. That’s reasonable for an app of that genre. But I can’t know whether it’s going to try to turn on the camera at times I didn’t expect. And there’s nobody, not Apple, not a review, nor a friend who can definitively say whether an app is trustworthy. Even an actual good developer could have their signing keys compromised.

It’s not that I want to turn the alerts off, exactly. I appreciate being able to see which privileges an app wants so that I can compare them with what I think it should need. I want to know if an app is doing something unexpected. The problem is that the alerts are annoying and not very informative. And some types of access can only be granted in clunky ways like going to System Preferences, choosing the app from an open panel, and restarting it. It would also be nice to see up front everything that the app wants to do so that I’m not repeatedly prompted.

Secrets has this cool feature when setting up two-factor authentication where it would automatically search currently open windows for the QR Code with the seed value. On Catalina, this is now so cumbersome that it’s just easier to manually type or copy/paste the value. So long for “surprise and delight”.

[…]

Still some people will say: “but I want to know if the app is doing that!”. That’s fair. Alerts aren’t the way to do it though. There’s a better solution [for live data] and Apple already employs it for location services.

I’m not sure that passive notification alone is enough for microphone and camera access, because the app could start recording when you’re not looking at the display to see the notification.

But I love the general idea of having a way to audit what an app did after the fact. In other words, instead of blindly trusting Secrets at first launch and forever after, I would be able to see that it’s only reading my window contents when I’m setting up 2-factor. If I granted an app Full Disk Access in order to install a Mail plug-in, I would be able to see that it’s not accessing other, unrelated files.

Furthermore, having a way to verify-later instead of just trust-up-front would help with the information asymmetry problem. Tricking the user about what an app is doing would no longer work over the long term because nefarious apps would be caught. And, conversely, there would be proof that expected good apps actually are well behaved.

Update (2019-08-01): Dimitri Bouniol:

I like this a lot. An audit-like feature, though something that won’t be used by everyone, could provide evidence after the fact that an app broke its promise to the user, and that version could be banned by the OS directly, helping other less experienced users.

i.e. Trust apps by default, but have a heavy hammer for offenders to the platform that don’t responsibly disclose what they are doing under the hood. Users won’t be bothered constantly and can enjoy their apps, and an offending app can be wiped and the user can be notified why.

Damien Petrilli:

I think Apple needs to improve the granularity of some access.

Like why is photo / media access all in?

Ex: I wish I could allow an app to put pictures and videos in the photo library but NOT read anything.

Same for contact and calendar: can save in it but not read.

Update (2019-08-05): Riccardo Mori:

Here’s my humble proposition: Security Monitor. It would be an application you find in your Utilities folder, and it would behave in a similar way as Activity Monitor. Maybe its interface could be made a bit more user-friendly, so that it could be readable by non-geek users as well. In its main window, you would see all active processes from a security perspective: what they are accessing in your system and, more importantly, whether their behaviour complies with the permissions they have been given — by the system and by the administrator user account.


I've been thinking for the past 20 years about writing such an audit tool, i.e. one that records all file system activities, with a UI that functions similarly to Little Snitch's, with default filters for known system files, and user-added filters based on different kinds of rules (by path, by app, etc.), so that you will, in the end, get a log of "modifications of interest" without all the clutter that's not relevant.

I just never got to it, partly because, whenever I brought this up with other users, they never seemed to like/need this.

It would have so many uses, though, including figuring out what files were added + modified by an installer, and possibly even restoring them to the previous state (provided, for instance, you keep a TM backup so that even modified files could be restored - which might be a bit tricky, though).

Not sure how this could be extended to monitoring other kinds of operations, like mic and camera access, contacts bulk reading etc.
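As an added illustration of the audit-after-the-fact idea in the post and the filtered activity log described in the comment above (example code, not from the post or from any commenter): it checks a constructed access log against what each app is expected to touch and when, drops paths covered by a default system-noise filter, and reports the out-of-scope events. The event format, the app names and the per-app expectations are assumptions made for the sample, not real TCC or Endpoint Security records.

```python
from fnmatch import fnmatch

# Constructed sample access log: (app, kind, target, user context at the time).
# Illustrative records only, not real TCC or Endpoint Security events.
EVENTS = [
    ("Secrets", "screen", "window:Safari", "2fa-setup"),
    ("Secrets", "screen", "window:Mail", "idle"),
    ("Mail Plug-in Installer", "file", "/Library/Mail/Bundles/Foo.mailbundle", "install"),
    ("Mail Plug-in Installer", "file", "/Users/me/Documents/taxes.pdf", "install"),
    ("Mail Plug-in Installer", "file", "/private/var/folders/xy/tmp123", "install"),
    ("Zoom", "camera", "FaceTime HD Camera", "meeting"),
    ("Zoom", "camera", "FaceTime HD Camera", "idle"),
]

# Default filter: known system scratch paths that would otherwise clutter the report.
SYSTEM_NOISE = ["/private/var/folders/*", "/System/*", "/Library/Caches/*"]

# Assumed per-app expectations: (kind, target glob, contexts in which access is expected).
EXPECTATIONS = {
    "Secrets": [("screen", "*", {"2fa-setup"})],
    "Mail Plug-in Installer": [("file", "/Library/Mail/Bundles/*", {"install"})],
    "Zoom": [("camera", "*", {"meeting"})],
}

def is_noise(kind, target):
    """Drop file events under paths the default filter treats as system clutter."""
    return kind == "file" and any(fnmatch(target, pat) for pat in SYSTEM_NOISE)

def in_scope(app, kind, target, context):
    """True if some expectation declared for this app covers the event."""
    return any(
        kind == k and fnmatch(target, pat) and context in contexts
        for k, pat, contexts in EXPECTATIONS.get(app, [])
    )

def audit(events):
    """Return (of_interest, violations): non-noise events, and those outside expectations."""
    of_interest = [e for e in events if not is_noise(e[1], e[2])]
    violations = [e for e in of_interest if not in_scope(*e)]
    return of_interest, violations

def summarize(events):
    """Per-app count of out-of-scope events, the input a 'heavy hammer' decision would use."""
    _, violations = audit(events)
    counts = {}
    for app, _kind, _target, _context in violations:
        counts[app] = counts.get(app, 0) + 1
    return counts
```

Running `audit(EVENTS)` on the sample flags the idle-time screen read, the installer's read of an unrelated document, and the idle-time camera use, while the scratch-folder write is filtered out as noise; an app with no declared expectations has every non-noise event flagged.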

[…] excellent article by Paulo Andrade (found via Michael Tsai, of course) got me thinking. It’s titled The Alert Hammer and discusses “the increasing number […]
