Thursday, December 19, 2019

Apple Platform Security Guide (Fall 2019)

Apple (PDF, via Rosyna Keller):

This documentation provides details about how security technology and features are implemented within Apple platforms. It also helps organizations combine Apple platform security technology and features with their own policies and procedures to meet their specific security needs.


Apple continues to push the boundaries of what is possible in security and privacy. For example, Find My uses existing cryptographic primitives to enable the groundbreaking capability of distributed finding of an offline Mac — without exposing to anyone, including Apple, the identity or location data of any of the users involved. To enhance Mac firmware security, Apple has leveraged an analog to page tables to block inappropriate access from peripherals, but at a point so early in the boot process that RAM hasn’t yet been loaded. And as attackers continue to increase the sophistication of their exploit techniques, Apple is dynamically controlling memory execution privileges for iPhone and iPad by leveraging custom CPU instructions — unavailable on any other mobile devices — to thwart compromise. Just as important as the innovation of new security capabilities, new features are built with privacy and security at their center of their design.

There’s also a Web version.

See also: Behind the Scenes of iOS and Mac Security.


Update (2019-12-20): Jeff Johnson:

Apple security folks, what does this mean? Is it a typo? apps that are not using Full Disk Access?

Update (2019-12-23): Perhaps it’s worded correctly, and the point is that apps can no longer access data or executable code that happens to be in the trash. Users don’t intend for the trash to be shared storage, but that’s what it ends up being without addtional protections.

See also: Ivan Krstić.

4 Comments RSS · Twitter

Michael, it's not worded correctly. No need to speculate, this is easy enough to test. I did find the phrase "the user won't get prompted for app access" strange, because AFAIK there's never been a prompt or special category for Trash access.

@Jeff What did you test? It could be read as that Trash is now so protected that you can’t access it at all, hence no prompt.

Full Disk Access works just as expected. On Catalina, FDA allows apps to access the Trash. Without FDA, no Trash access. I suppose the mention of a prompt is in contrast to Desktop and Documents, which are prompted.

Sören Nils Kuklau

Without Full Disk Access:

$ ls .Trash/
ls: : Operation not permitted

There’s no prompt. If I manually remove Terminal from the list and try again, it gets re-added with the checkbox unticked. I don’t know if this is by design.

With Full Disk Access, I can access the trash. I would interpret it like Michael — it’s supposed to block access even with Full Disk Access, but as of 10.15.2, this isn’t implemented correctly.

I find the whole distinction between Full Disk Access (which is older, right?) and Files and Folders confusing and cannot even fathom how an ordinary user would begin to understand this. But if this interpretation is correct, now “Full” means “full” even less than one might expect.

Leave a Comment