WWDC 19
Advances in macOS Security
Defense in depth: no single layer can always protect you perfectly, so there are multiple layers of security; if any one layer fails, that does not defeat the security of the whole system
Layers can delay the attacker's advance, reduce the attack surface, and create "choke points" that are easier to defend
Gatekeeper: designed to protect users from running malicious software, while allowing them to use the software they choose
What does Gatekeeper check:
- does the app contain any known malicious content?
- has the software been tampered with since it was signed?
- does it meet the security policy configured on the computer?
- first launch prompt ⭢ does the user actually want to run this?
On Mojave, Gatekeeper runs the check on the 1st launch of quarantined software launched via Launch Services
Quarantine – a technology on macOS for marking files that arrived from some external source (website, airdrop, iMessage, email)
- includes metadata about where the file came from
- opt-in – the app writing the file has to opt in (the LSFileQuarantineEnabled Info.plist key), so e.g. when apps download their own updates those files are usually not quarantined; sandboxed apps are the exception, files they write are always quarantined
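Added example, not code from the session or from Apple: a bash helper that decodes the value of the com.apple.quarantine extended attribute, which is where the "metadata about where the file came from" lives. The `qtn_*` function names, the sample value and the flag-bit meanings are this example's assumptions; the attribute layout (flags, Unix time, agent name, event UUID, separated by semicolons) is what `xattr -p` prints on a downloaded file.

```shell
#!/bin/bash
# Added example, not code from the WWDC session: decode the com.apple.quarantine
# extended attribute that marks files from an external source.
#
# Attribute value: "<flags hex>;<unix time hex>;<agent name>;<event UUID>"
# The UUID keys into the LaunchServices quarantine-events database and the
# 4th field may be absent. The flag bits below are the commonly documented
# values and are an assumption of this example, not something the session states.

fmt_time() {
    # BSD/macOS date takes -r <seconds>; GNU date takes -d @<seconds>
    date -u -r "$1" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null \
        || date -u -d "@$1" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null \
        || echo '?'
}

# Expand the hex flag word into names (pure function, no macOS needed).
qtn_flag_names() {
    local f=$(( 0x$1 )) names=""
    (( f & 0x0001 )) && names="$names download"        # came from a download
    (( f & 0x0002 )) && names="$names sandboxed-app"   # written by a sandboxed app
    (( f & 0x0040 )) && names="$names user-approved"   # user clicked Open at first launch
    (( f & 0x0080 )) && names="$names assessment-ok"   # Gatekeeper assessment passed
    echo "${names# }"
}

# Decode a raw attribute value, e.g. "0083;5d2f0b1a;Safari;9E0C0E5B-..."
qtn_decode() {
    local flags ts agent uuid
    IFS=';' read -r flags ts agent uuid <<< "$1"
    flags=${flags:-0}; ts=${ts:-0}
    printf 'flags=0x%04x [%s]\n' "$(( 0x$flags ))" "$(qtn_flag_names "$flags")"
    printf 'time=%s (unix %d)\n' "$(fmt_time "$(( 0x$ts ))")" "$(( 0x$ts ))"
    printf 'agent=%s\nuuid=%s\n' "$agent" "${uuid:-<none>}"
}

# Live helpers (macOS only): read, list or strip the attribute on real files.
qtn_show() {
    local val
    val=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) \
        || { echo "$1: not quarantined"; return 0; }
    qtn_decode "$val"
}
qtn_list() {  # every quarantined file below a directory
    xattr -r -l "$1" 2>/dev/null | grep 'com.apple.quarantine'
}
qtn_clear() { # removes the first-launch check; only for files you built yourself
    xattr -d com.apple.quarantine "$1"
}

# Constructed sample value, as Safari would write it for a download.
SAMPLE='0083;5d2f0b1a;Safari;9E0C0E5B-1A2B-4C3D-8E9F-0A1B2C3D4E5F'

case "${1:-}" in
    decode) qtn_decode "${2:-$SAMPLE}" ;;
    show)   qtn_show "$2" ;;
    list)   qtn_list "$2" ;;
    clear)  qtn_clear "$2" ;;
esac
```

Run `./qtn.sh show ~/Downloads/Some.dmg` to see what Gatekeeper will consult on first launch; a value whose flags lack the 0x0040 bit has not yet been approved by the user, and a file with no attribute at all is one Launch Services never quarantined (which, before Catalina, meant no Gatekeeper check).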
Launch Services – a framework for finding and launching apps on macOS, used when launching apps from Finder, NSWorkspace, document handlers etc.
What does not use Launch Services: NSTask, NSBundle/dlopen, exec/posix_spawn
In macOS Catalina:
- all new software must be notarized to pass Gatekeeper
- all software is checked when first launched, even when launching through those non-LaunchServices methods
- all software (even not quarantined) is checked for malicious content on every launch
"You can always choose to run any software on your system" – there will always be a way to run a specific piece of software that you want to run
“We want to make macOS just as secure as iOS, while still maintaining the flexibility that you’ve come to expect from your Mac”
Platform security increasingly relies on the validity of code signatures; if code carries no signature at all, there is nothing to verify it against, so tampering cannot be detected
In a future version of macOS, unsigned code will not load by default, so:
- sign and notarize all software
- don’t modify signed applications and bundles
- handle failures when loading libraries (don't assume a dlopen or bundle load will succeed)
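Added example, not code from the session or from Apple: a bash pre-ship check for the Catalina rules above (signed, hardened runtime, notarized with the ticket stapled, accepted by Gatekeeper), plus a small interpreter for `spctl` output so a CI job can fail a build. The identity, bundle path, keychain profile name, function names and sample outputs are constructed for this example. `notarytool` is the current submission tool; at WWDC19 the same step was done with `altool --notarize-app`.

```shell
#!/bin/bash
# Added example, not code from the WWDC session: verify that an app bundle
# will pass Gatekeeper on Catalina, and the signing/notarizing steps that
# get it there. Paths, identity and sample outputs are constructed.

# Classify the text printed by `spctl -a -vv -t execute <app>`.
# Pure string function, so it can be tested without macOS.
spctl_verdict() {
    local out=$1
    case $out in
        *": accepted"*)
            case $out in
                *"source=Notarized Developer ID"*) echo notarized ;;
                *)                                 echo accepted ;;   # e.g. App Store / Apple code
            esac ;;
        *": rejected"*)
            case $out in
                *"source=Unnotarized Developer ID"*) echo rejected-unnotarized ;;
                *"source=no usable signature"*)      echo rejected-unsigned ;;
                *)                                   echo rejected ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Sign with Developer ID, hardened runtime and a secure timestamp (all three
# are needed for notarization), submit, then staple the ticket to the bundle.
# Nested code (frameworks, helpers) should already be signed, inside-out.
sign_and_notarize() {
    local app=$1 identity=$2 profile=$3 zip
    codesign --force --options runtime --timestamp --sign "$identity" "$app"
    zip=${app%.app}.zip
    ditto -c -k --keepParent "$app" "$zip"
    xcrun notarytool submit "$zip" --keychain-profile "$profile" --wait
    xcrun stapler staple "$app"
}

# What Gatekeeper will see. Returns non-zero on the first failing check.
precheck() {
    local app=$1 verdict
    # 1. signature present and intact, nested code included, strict evaluation
    codesign --verify --deep --strict --verbose=2 "$app" \
        || { echo "signature check failed"; return 1; }
    # 2. hardened runtime flag in the code directory (e.g. flags=0x10000(runtime))
    codesign -d --verbose=4 "$app" 2>&1 | grep -q 'flags=.*(runtime)' \
        || { echo "hardened runtime not enabled"; return 1; }
    # 3. notarization ticket stapled, so the check also passes offline
    xcrun stapler validate "$app" >/dev/null \
        || { echo "no stapled ticket"; return 1; }
    # 4. Gatekeeper's own assessment, as a user launching the app would get it
    verdict=$(spctl_verdict "$(spctl -a -vv -t execute "$app" 2>&1)")
    echo "gatekeeper: $verdict"
    [ "$verdict" = notarized ]
}

# Constructed sample of spctl output for a signed but unnotarized build.
SAMPLE_REJECTED='/Users/build/Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

case "${1:-}" in
    precheck) precheck "$2" ;;
    ship)     sign_and_notarize "$2" "$3" "$4" && precheck "$2" ;;
    demo)     spctl_verdict "$SAMPLE_REJECTED" ;;   # prints rejected-unnotarized
esac
```

Run `./ship.sh precheck /path/To/Example.app` on the exact artifact you distribute, after stapling; `codesign --verify` passing is not enough on its own, because it says nothing about notarization or the hardened runtime, which is why the script checks all four.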
Privacy changes:
Requires user confirmation for:
- screen recording
- keyboard input monitoring
Requires confirmation for access to:
- Desktop, Documents, Downloads
- iCloud Drive and third-party cloud storage
- Removable and network volumes
But:
- *not* required for creating new files, only for reading existing files
- tries to understand intent, e.g. doesn't ask if the user double-clicked the file in Finder, dragged and dropped it onto the app, or picked it in an open/save panel
- declare the document types your app handles (CFBundleDocumentTypes) and mark companion types with NSIsRelatedItemType, to e.g. automatically have access to a subtitles file when opening a movie file
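Added example, not a fragment from the session or from Apple's documentation: an Info.plist CFBundleDocumentTypes entry that declares a movie type plus a related subtitles type. The type names and the `srt` extension are this example's choices. With this in place, a file with the same base name and the related extension next to the opened movie (Movie.mov and Movie.srt) is reachable through the related-items mechanism (NSFileCoordinator with the movie as primaryPresentedItemURL) without a second consent prompt.

```xml
<key>CFBundleDocumentTypes</key>
<array>
    <dict>
        <!-- the primary document the user opens -->
        <key>CFBundleTypeName</key>
        <string>Movie</string>
        <key>CFBundleTypeRole</key>
        <string>Viewer</string>
        <key>LSItemContentTypes</key>
        <array>
            <string>public.movie</string>
        </array>
    </dict>
    <dict>
        <!-- companion file, opened alongside the movie rather than by itself -->
        <key>CFBundleTypeName</key>
        <string>Subtitles</string>
        <key>CFBundleTypeRole</key>
        <string>Viewer</string>
        <key>CFBundleTypeExtensions</key>
        <array>
            <string>srt</string>
        </array>
        <key>NSIsRelatedItemType</key>
        <true/>
    </dict>
</array>
```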
Purpose strings are accepted, but not required (NSDesktopFolderUsageDescription etc.)
Open and save panels always run out of process, so the app only gets access to the selection once the user confirms it; be careful with delegate methods that receive URLs during the session, since the app may not yet be able to read what they point at:
- panel(_:userEnteredFilename:confirmed:)
- panel(_:validate:)
- panel(_:didChangeToDirectoryURL:)
Checking for readability without triggering a consent dialog: isReadableFile(atPath:), isWritableFile(atPath:), access()
Apps and other binaries that have previously been denied access to one of these locations now appear automatically in the "Security & Privacy" access list, unchecked, so the user can grant access later
Full disk access now required for access to Trash (except files that your app has moved there)