{"id":43966,"date":"2024-07-04T16:07:43","date_gmt":"2024-07-04T20:07:43","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=43966"},"modified":"2024-07-04T17:06:36","modified_gmt":"2024-07-04T21:06:36","slug":"chatgpt-privacy-and-mac-sandbox-containers","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/07\/04\/chatgpt-privacy-and-mac-sandbox-containers\/","title":{"rendered":"ChatGPT Privacy and Mac Sandbox Containers"},"content":{"rendered":"

Tim Hardwick<\/a>:<\/p>\n

OpenAI has issued an update to its ChatGPT app for Mac<\/a>, after a developer discovered the app was locally storing users’ conversations with the chatbot in plain text.<\/p>

Pedro José Pereira Vieito told The Verge<\/a><\/em>’s Jay Peters: “I was curious about why OpenAI opted out of using the app sandbox protections and ended up checking where they stored the app data.”<\/p><\/blockquote>\n\n

It’s not clear why ChatGPT isn’t sandboxed. It could be that they just chose not to or that it’s relying on an API or functionality that doesn’t work in the sandbox.<\/p>\n\n

As the developer of several non-sandboxed apps, it seems like the right thing to do is<\/em> to make every app sandboxed, potentially with some extra entitlements that wouldn’t be allowed in the Mac App Store. In other words, run with only the permissions that the app actually needs. However, I have not seen much written about how to accomplish this sort of migration. It’s not always clear what private entitlements are needed or whether they even exist. What will break after migrating the app’s files into a container? What if the customer wants to go back to the previous version of the app? What if something changes in macOS or the sandbox such that the extra entitlements no longer do the job? Until recently, there have been a lot of potential headaches for little apparent benefit (protection against bugs in your app causing damage outside its container to files that it wasn’t intentionally given access to).<\/p>\n\n

Nick Heer<\/a>:<\/p>\n

\n

Virtually all media coverage<\/a> — including Peters’ article — has focused on the “plain text” aspect. Surely, though, the real privacy and security risk<\/a> identified in the ChatGPT app — such that there is any risk — was in storing its data outside the app’s sandbox in an unprotected location. This decision made it possible for apps without any special access privileges to read its data without throwing up a permissions dialog.<\/p>\n<\/blockquote>\n\n

I’ve seen lots of quoting of Vieito’s statement<\/a> that macOS 10.14 and later have blocked access to private user data, which I interpreted<\/a> as saying that there are longstanding protections that ChatGPT should have taken advantage of. However, these protections only applied to certain built-in apps from Apple. With macOS Sonoma, Apple announced that macOS would prompt the user<\/a> when accessing files inside another app’s container. Thus, while, historically, sandboxing app A would only restrict<\/em> what A could do, now making A sandboxed could also protect<\/em> it from app B (whether or not B is sandboxed). macOS Sequoia expands this protection to group containers<\/a>.<\/p>\n\n

I don’t think I ever saw one of these prompts, so I figured that Apple had at some point backtracked. And, after seeing the above discussion, I wrote a quick test app that accessed files in lots of sandboxed apps’ containers—without generating any prompts. Where’s the protection? The answer seems to be that only containers of newly installed apps<\/a> are protected from other apps. If you had first<\/em> installed the app prior to updating to Sonoma, other apps can access its data, same as always. But, with ChatGPT being a new app<\/a> that requires macOS Sonoma, sandboxing would have offered the protections, such as they are, to everyone.<\/p>\n\n

Miguel Arroz<\/a>:<\/p>\n

Mostly everything stores your data in plain text on your Mac. Data is protected via full disk encryption from anyone who steals your Mac, but not from other apps.<\/p>

[…]<\/p>

Everyone seems happy the latest update encrypts stored chats. Haven’t seen anyone asking the obvious, where’s the key? If the key is randomly generated and stored on the Mac’s keychain, I have bad news for you.<\/p><\/blockquote>\n\n

Jeff Johnson<\/a>:<\/p>\n

\n

This seems like much ado about nothing. Very little app data on Mac is encrypted on disk at runtime.<\/p>\n

Sandboxed apps (e.g., from Mac App Store) can’t access the data anyway. And if you’ve installed a non-sandboxed malware app on your Mac, then frankly you’re screwed no matter what. Non-sandboxed apps can get you in a million different ways. There’s no reliable protection. Be careful of what you install. Plus there are approximately infinity TCC privilege escalation bugs.<\/p>\n<\/blockquote>\n\n

And, I think it’s rather easy for sandboxed apps to trick users into granting access that they didn’t intend.<\/p>\n\n

Drew McCormack<\/a>:<\/p>\n

\n

I think the local data storage is the least of your worries with these companies. All that data has to go to the cloud too. That is a much bigger risk IMO.<\/p>\n<\/blockquote>\n\n

Joshua Nozzi<\/a>:<\/p>\n

\n

I still don’t see the scandal specific to ChatGPT.<\/p>\n<\/blockquote>\n

I don’t either. People should be more worried about their Chrome history, for example.<\/p>\n\n

Previously:<\/p>\n