{"id":25589,"date":"2019-06-06T16:31:52","date_gmt":"2019-06-06T20:31:52","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=25589"},"modified":"2020-07-03T16:49:05","modified_gmt":"2020-07-03T20:49:05","slug":"security-privacy-in-macos-10-15-beta","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/06\/06\/security-privacy-in-macos-10-15-beta\/","title":{"rendered":"Security & Privacy in macOS 10.15 Beta"},"content":{"rendered":"

Advances in macOS Security<\/a>:<\/p>\n

\n

We are on a journey to continuously improve macOS security, with a particular focus on preventing malware and protecting user data. Join us on the next step and learn more about what's new in Gatekeeper—for keeping malware out of macOS—as well as new protections that help keep users' data and activity under their control.<\/p>\n<\/blockquote>\n\n

Kyle Howells<\/a>:<\/p>\n

\n

Apple still refuses to put an “Allow” button on the macOS security prompts I can see.<\/p>\n<\/blockquote>\n\n

Thomas Tempelmann<\/a>:<\/p>\n

\n

And still no option to tell macOS that you trust an app accessing everything at once, instead of being asked for every detail separately? It’s already a pain with apps like iClip and Timing to be acknowledge them using AppleEvents on every app you touch.<\/p>\n<\/blockquote>\n\n

Zack Whittaker<\/a> (tweet<\/a>):<\/p>\n

\n

But the protections [in macOS 10.14] weren’t very good. Those ‘allow’ boxes can be subverted with a maliciously manufactured click.<\/p>\n

[…]<\/p>\n

Wardle, who revealed the zero-day flaw at his conference Objective By The Sea in Monaco on Sunday, said the bug stems from an undocumented whitelist of approved macOS apps that are allowed to create synthetic clicks to prevent them from breaking.<\/p>\n<\/blockquote>\n\n

Felix Schwarz<\/a>:<\/p>\n

\n

Just when you thought kext development couldn’t get any more frustrating… a “New Feature” arrives.<\/p>\n<\/blockquote>\n\n

DriverKit<\/a> (Hacker News<\/a>):<\/p>\n

The DriverKit framework provides C++ classes for IO services, device matching, memory descriptors, and dispatch queues. It also defines IO-appropriate types for numbers, collections, strings, and other common types. You use these with family-specific driver frameworks like USBDriverKit and HIDDriverKit.<\/p><\/blockquote>\n\n

Felix Schwarz<\/a>:<\/p>\n

\n

Wow! macOS #Catalina adds new frameworks to allow drivers to run IN USER SPACE & manage them via “SystemExtensions”!<\/p>\n

More on macOS Catalina #DriverKit drivers:<\/p>\n

- packaged alongside the app like modern app extensions.
\n- removed from the system when the host app is
\n- (possibly) can be dynamically loaded & unloaded them as needed using OSSystemExtensionRequests<\/a><\/p>\n

In #SOTU, Apple just announced that “in a future #macOS release”, KEXTs targeting driver categories covered by #DriverKit will no longer work and encouraged developers to adopt #DriverKit now.<\/p>\n<\/blockquote>\n\n

Jeff<\/a> Johnson<\/a>:<\/p>\n

<\/p><\/blockquote>\n

\n

A lot of things bothered me yesterday, but I think the one thing that bothered me the most was 10.15 locking down the Documents folder.<\/p>\n

In the past, Documents was the place that apps were supposed<\/em> to use. Now it’s forbidden ground.<\/p>\n

The Mac is dying from permission dialogs.<\/p>\n<\/blockquote>\n\n

All About Notarization<\/a>:<\/p>\n

Notarization is all about identifying and blocking malicious Mac software prior to distribution, without requiring App Review or the Mac App Store. Introduced last year and already widely adopted by Mac app developers, this is your opportunity to take an in depth tour of Notarization workflows and find out what's new with the Notarization service.<\/p><\/blockquote>\n\n

Mark Munz<\/a> (Rich Trouton<\/a>):<\/p>\n

\n

‘All About Notarization was somewhat disappointing.<\/p>\n

They kind of quickly explained Sparkle.framework issue. 🤷‍♂️<\/p>\n

But looks like zero workflow improvements to automation & notarization. 😞<\/p>\n<\/blockquote>\n\n

Jeff Johnson<\/a>:<\/p>\n

\n

For Mac App Store apps, I suspect that Catalina will be a very easy update. Not many changes as far as I can tell.<\/p>\n

For non-sandboxed apps on the other hand... I pray for you.<\/p>\n<\/blockquote>\n\n

Steve Troughton-Smith<\/a>:<\/p>\n

\n

Good news: macOS Catalina still respects your System Integrity Protection setting and lets you write to to the hard disk root if SIP is off<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n