ChatGPT Privacy and Mac Sandbox Containers
OpenAI has issued an update to its ChatGPT app for Mac, after a developer discovered the app was locally storing users’ conversations with the chatbot in plain text.
Pedro José Pereira Vieito told The Verge’s Jay Peters: “I was curious about why OpenAI opted out of using the app sandbox protections and ended up checking where they stored the app data.”
It’s not clear why ChatGPT isn’t sandboxed. It could be that they just chose not to or that it’s relying on an API or functionality that doesn’t work in the sandbox.
As the developer of several non-sandboxed apps, it seems like the right thing to do is to make every app sandboxed, potentially with some extra entitlements that wouldn’t be allowed in the Mac App Store. In other words, run with only the permissions that the app actually needs. However, I have not seen much written about how to accomplish this sort of migration. It’s not always clear what private entitlements are needed or whether they even exist. What will break after migrating the app’s files into a container? What if the customer wants to go back to the previous version of the app? What if something changes in macOS or the sandbox such that the extra entitlements no longer do the job? Until recently, there have been a lot of potential headaches for little apparent benefit (protection against bugs in your app causing damage outside its container to files that it wasn’t intentionally given access to).
Virtually all media coverage — including Peters’ article — has focused on the “plain text” aspect. Surely, though, the real privacy and security risk identified in the ChatGPT app — to the extent that there is any risk — was in storing its data outside the app’s sandbox in an unprotected location. This decision made it possible for apps without any special access privileges to read its data without throwing up a permissions dialog.
I’ve seen lots of quoting of Vieito’s statement that macOS 10.14 and later have blocked access to private user data, which I interpreted as saying that there are longstanding protections that ChatGPT should have taken advantage of. However, these protections only applied to certain built-in apps from Apple. With macOS Sonoma, Apple announced that macOS would prompt the user when accessing files inside another app’s container. Thus, while, historically, sandboxing app A would only restrict what A could do, now making A sandboxed could also protect it from app B (whether or not B is sandboxed). macOS Sequoia expands this protection to group containers.
I don’t think I ever saw one of these prompts, so I figured that Apple had at some point backtracked. And, after seeing the above discussion, I wrote a quick test app that accessed files in lots of sandboxed apps’ containers—without generating any prompts. Where’s the protection? The answer seems to be that only containers of newly installed apps are protected from other apps. If you had first installed the app prior to updating to Sonoma, other apps can access its data, same as always. But, with ChatGPT being a new app that requires macOS Sonoma, sandboxing would have offered the protections, such as they are, to everyone.
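To make the two points above concrete (an app’s data only gets container protection if the app opts into the sandbox, and only paths under `~/Library/Containers` and, on Sequoia, `~/Library/Group Containers` fall under the new prompts), here is an added example that is not from the post and not OpenAI’s code. It audits the entitlements plist that `codesign -d --entitlements :- /Applications/Example.app` prints, reporting whether the sandbox is on and which entitlements widen file access beyond the container, and classifies where a data file lives. The entitlement keys are Apple’s real keys; the sample plists, the `com.example.chat` bundle id and the `/Users/example` home directory are constructed for the demo.

```python
"""Audit a Mac app's sandbox posture: entitlements plus data-file location.

Added example (not from the original post). Entitlement keys are Apple's
documented keys; the sample plists and paths below are constructed.
"""
import plistlib
from pathlib import PurePosixPath

APP_SANDBOX = "com.apple.security.app-sandbox"

# Standard entitlements that let a sandboxed app reach files outside its
# own container (only with user involvement, e.g. an open/save panel).
FILE_ACCESS_KEYS = (
    "com.apple.security.files.user-selected.read-only",
    "com.apple.security.files.user-selected.read-write",
    "com.apple.security.files.downloads.read-only",
    "com.apple.security.files.downloads.read-write",
)
# Temporary exceptions are the "extra entitlements that wouldn't be allowed
# in the Mac App Store"; they punch fixed holes in the sandbox.
TEMPORARY_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."


def summarize_entitlements(plist_bytes: bytes) -> dict:
    """Parse an entitlements plist and report what it says about the sandbox.

    Input is the XML plist body from `codesign -d --entitlements :- App.app`
    (strip any non-XML header older codesign versions prepend).
    """
    ents = plistlib.loads(plist_bytes)
    sandboxed = bool(ents.get(APP_SANDBOX, False))
    file_access = sorted(k for k in FILE_ACCESS_KEYS if ents.get(k))
    temporary = sorted(
        k for k in ents if k.startswith(TEMPORARY_EXCEPTION_PREFIX) and ents[k]
    )
    return {
        "sandboxed": sandboxed,
        "file_access": file_access,
        "temporary_exceptions": temporary,
        # Without the sandbox the app writes wherever it likes, and any other
        # app can read that data without a prompt; with it, the app's own
        # files land in a container that Sonoma guards for new installs.
        "data_in_protected_container": sandboxed,
    }


def classify_storage_path(path: str, home: str = "/Users/example") -> str:
    """Say which protection regime a data path falls under.

    'container'       ~/Library/Containers/<bundle-id>/...  (Sonoma prompt,
                      per the post only for apps first installed on Sonoma)
    'group-container' ~/Library/Group Containers/...        (Sequoia prompt)
    'unprotected'     anything else under ~, e.g. Application Support
    """
    try:
        parts = PurePosixPath(path).relative_to(PurePosixPath(home)).parts
    except ValueError:
        return "outside-home"
    if len(parts) >= 3 and parts[0] == "Library":
        if parts[1] == "Containers":
            return "container"
        if parts[1] == "Group Containers":
            return "group-container"
    return "unprotected"


# Constructed sample: a non-sandboxed app that only asks for network access.
SAMPLE_UNSANDBOXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.network.client</key><true/>
</dict></plist>"""

# Constructed sample: sandboxed, with an open-panel entitlement and one
# temporary exception granting access to a home-relative folder.
SAMPLE_SANDBOXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><true/>
<key>com.apple.security.files.user-selected.read-write</key><true/>
<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array><string>/Documents/Shared/</string></array>
</dict></plist>"""


if __name__ == "__main__":
    for label, blob in (("unsandboxed", SAMPLE_UNSANDBOXED), ("sandboxed", SAMPLE_SANDBOXED)):
        print(label, summarize_entitlements(blob))
    for p in (
        "/Users/example/Library/Application Support/com.example.chat/conversations.json",
        "/Users/example/Library/Containers/com.example.chat/Data/Library/Application Support/conversations.json",
        "/Users/example/Library/Group Containers/TEAMID.com.example/store.db",
    ):
        print(classify_storage_path(p), p)
```

Running it against a real app means feeding `codesign`’s output into `summarize_entitlements` and the paths reported by `lsof` or Activity Monitor into `classify_storage_path`; an app that comes back `sandboxed: False` with its data under `~/Library/Application Support` is exactly the situation the post describes, regardless of whether the files are plain text.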
Mostly everything stores your data in plain text on your Mac. Data is protected via full disk encryption from anyone who steals your Mac, but not from other apps.
[…]
Everyone seems happy the latest update encrypts stored chats. Haven’t seen anyone asking the obvious, where’s the key? If the key is randomly generated and stored on the Mac’s keychain, I have bad news for you.
This seems like much ado about nothing. Very little app data on Mac is encrypted on disk at runtime.
Sandboxed apps (e.g., from Mac App Store) can’t access the data anyway. And if you’ve installed a non-sandboxed malware app on your Mac, then frankly you’re screwed no matter what. Non-sandboxed apps can get you in a million different ways. There’s no reliable protection. Be careful of what you install. Plus there are approximately infinity TCC privilege escalation bugs.
And, I think it’s rather easy for sandboxed apps to trick users into granting access that they didn’t intend.
I think the local data storage is the least of your worries with these companies. All that data has to go to the cloud too. That is a much bigger risk IMO.
I still don’t see the scandal specific to ChatGPT.
I don’t either. People should be more worried about their Chrome history, for example.
8 Comments
> OpenAI has issued an update to its ChatGPT app for Mac, after a developer discovered the app was locally storing users’ conversations with the chatbot in plain text.
So what? I hate to break the news to you but your Microsoft Word Documents, your Apple Pages documents, and so much more, aren’t encrypted either. Plus OpenAI is processing everything on their server anyway. It’s not a private conversation. Use ChatGPT to your advantage if you can. If you think the conversation you are having may not be to *your advantage* then don’t use it.
I’d love a good private chat on Mac but you really need Nvidia GPUs to do that which Apple has blackballed.
This whole conversation is about other apps might be able to access ChatGPT conversations. Wasn't sandboxing also introduced to keep the sandboxed app from accessing stuff that it shouldn't?
With the stories in mind about AI companies scraping data from the web where bots aren't allowed, it makes me think: was the ChatGPT app not sandboxed on purpose so it could scrape data for AI training from the users' machines? Is this a possibility?
As Michael pointed out, sandboxing is interesting but close to nobody uses it because it’s a PITA for the developers and the end users, and anyway nobody really trusts Apple.
99.99% of the apps on the App Store are sandboxed, so saying that nobody uses it is a bit unfair. Many apps outside of the App Store are sandboxed too, for example Microsoft Office, HandBrake, and many more.
For an app like ChatGPT that doesn't require reading or writing files, enabling the sandbox takes two or three clicks in Xcode.
@Brian Right now, OpenAI says they only use the data that you supply, i.e. no scraping. I think these days most of the data they’d want requires prompts for non-sandboxed apps, too.
@galad Check out some of the special entitlements that Microsoft Office uses. ChatGPT definitely does read files, and it sounds like they have ambitions to do more stuff to figure out the current context of a request.
People freaking out about “plain text” and OpenAI scrambling to “fix” it is likely a result of the Microsoft Recall fiasco, and all the waves that made in the security world.
@galad I’m talking about applications distributed outside the Mac App Store. I would not take Microsoft apps as a good example because they are also distributed on the MAS. So it would make sense to share the same code base for both distribution channels if possible.
Extremely interesting that Apple felt the need to put Phil Schiller as an observer on the OpenAI board. Shows that they don't trust OpenAI, and rightfully so, yet they jumped into bed with them.