Friday, March 28, 2025

macOS 15.4 Adds TCC Events to Endpoint Security

Patrick Wardle (tweet):

Since TCC is designed to protect these resources, it poses a challenge for malware that often tries to access them. Generally malware takes one of two approaches: exploiting TCC bugs, or obtaining explicit user permission to access the TCC-protected item. The former is rather uncommon, while the latter is much more widespread, as TCC can be trivially “circumvented” if the user acquiesces (sometimes as simply as clicking ‘Allow’ on a single TCC alert).

[…]

Since the majority of macOS malware circumvents TCC through explicit user approval, it would be incredibly helpful for any security tool to detect this — and possibly override the user’s risky decision. Until now the best (only?) option was to ingest log messages generated by the TCC subsystem.

[…]

In the macOS 15.4 SDK files, specifically EndpointSecurity/ESTypes.h we find a brand new Endpoint Security event: ES_EVENT_TYPE_NOTIFY_TCC_MODIFY[…]

This sounds good for anti-malware software, but I still think we need basic APIs for apps to query, request, and reset the permissions they need.
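The new event Wardle found in the SDK, as an added example (not code from the post or from Objective-See): a minimal Endpoint Security client that subscribes to ES_EVENT_TYPE_NOTIFY_TCC_MODIFY and logs each TCC change with the process behind it. It assumes the es_event_tcc_modify_t field names (service, identity, update_type, right) and the ES_TCC_AUTHORIZATION_RIGHT_ALLOWED value as declared in the macOS 15.4 SDK headers, and it needs the com.apple.developer.endpoint-security.client entitlement and root to run.

```objective-c
// Added example: log TCC permission changes via Endpoint Security (macOS 15.4+).
// Field names of es_event_tcc_modify_t are assumed from the 15.4 ESMessage.h;
// check them against the SDK you build with.
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>

// es_string_token_t is not guaranteed to be NUL-terminated, so copy by length.
static NSString *tokenToString(es_string_token_t tok) {
    NSString *s = [[NSString alloc] initWithBytes:tok.data
                                           length:tok.length
                                         encoding:NSUTF8StringEncoding];
    return s ?: @"";
}

static void handleTCCModify(const es_message_t *msg) {
    const es_event_tcc_modify_t *tcc = &msg->event.tcc_modify;
    // msg->process is the process that applied the change (typically tccd);
    // the event's own fields say which service/identity was affected and how.
    pid_t pid = audit_token_to_pid(msg->process->audit_token);
    NSString *path = tokenToString(msg->process->executable->path);
    NSString *service = tokenToString(tcc->service);   // e.g. a kTCCService* name
    NSString *identity = tokenToString(tcc->identity); // bundle id or path affected
    BOOL granted = (tcc->right == ES_TCC_AUTHORIZATION_RIGHT_ALLOWED);
    // A newly ALLOWED entry is the "user clicked Allow" case the post describes;
    // a security tool would alert on it (and could revoke it) rather than just log.
    NSLog(@"TCC %@: service=%@ identity=%@ update_type=%d (by pid %d %@)",
          granted ? @"ALLOWED" : @"changed", service, identity,
          (int)tcc->update_type, pid, path);
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            if (msg->event_type == ES_EVENT_TYPE_NOTIFY_TCC_MODIFY) {
                handleTCCModify(msg);
            }
        });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        NSLog(@"es_new_client failed: %d", (int)r);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_TCC_MODIFY };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        NSLog(@"es_subscribe failed");
        return 1;
    }
    NSLog(@"Subscribed to TCC_MODIFY; waiting for events");
    dispatch_main(); // NOTIFY events need no es_respond_*; just stay alive
}
```

Run it as root from a binary signed with the Endpoint Security entitlement, then toggle a permission in System Settings to see the event fire.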

Previously:



> I still think we need basic APIs for apps to query, request, and reset the permissions they need.

Couldn't agree harder. I maintain software for my company that requires permission for AppleScript, screen recording, a system extension, and Accessibility for three different apps! The user experience for setting all of that up is just atrocious, and there's nothing we can do about it. It's even worse when it bugs out.

Back in OS X 10.8, all the user had to do was run our installer and everything worked. Then 10.9 added a permissions box. Then 10.13 added another one. Then 10.14 added another one. Then 10.15 added another one. And so on and so on.

Why not just have a single dialog box that says, "This app is requesting these permissions" with a description of why it needs them for those who care to read it? And then a simple "Allow" button, all done at installation time?

That's actually *more* secure than what we have now. Apple of 15 years ago understood that fewer permission prompts were better, because too many of them just trains naive users to reflexively agree to all of them, thus making it all the easier for malware to manipulate them into granting it the permissions it needs to wreak havoc. Apple of today doesn't care any longer. Posting here I'm sure I'm preaching to the choir, though.
