Last Week on My Mac: Off to a good start, then

Not a week in, and the New Year has been frenetic.

First, there was the mystery of what looked like an app in an odd folder new to High Sierra, which couldn’t be trashed because of System Integrity Protection (SIP). Whilst the security implications of this novel behaviour in 10.13 were sinking in, the press was buzzing with the vulnerabilities revealed in Intel processors, then in Apple’s own SoCs in iOS devices, then pretty well anything else with a processor, except for the Apple Watch.

Important though the Meltdown and Spectre vulnerabilities are, and essential though their fixes are, there really isn’t a great deal that the user can do about them, apart from ensuring that they keep up to date with security updates. If, or when, malware emerges which exploits these, we are going to have to rely on Apple and others to provide protection.

Unlike some other browser features, controls over JavaScript, for example, are global and it cannot be enabled only for specific sites. So you either lock your browser down completely and disable key features of many major and important websites, or leave it enabled to all of them. Similarly, there are many far more imminent dangers from malware which is already out in the wild; if you’re not browsing wisely and cautiously, you’re much more likely to catch something else first.

For me, at least, the most perplexing and immediate problem is with iCloud Drive.

We have come to accept that the world consists of a lot of black boxes, systems and services which just work, over which we have little control. Cloud services in general offer only one control: on or off. You can opt to use specific features within them, such as whether to share the keychain via iCloud, but you can’t change the way that works, or doesn’t.

When I was testing out my extended attribute (xattr) editor xattred this week, I was trusting the iCloud Drive black box, and using it to move test files and new versions of the app from my desktop Sierra system to my MacBook Air which runs High Sierra. I had loaded some test files up with a batch of challenging xattrs, but when I opened those in High Sierra, most of those xattrs had vanished.

A lot of people have told me that they have had serious problems with iCloud Drive, and many say that they now won’t use it at all. My experience has been different: although I don’t use it for large amounts of data, I have not had a significant issue with this type of file transfer before. When it happened, I first wondered if it was the result of a bug in xattred, or possibly in APFS which is running on that Mac.

After several hours of testing, it became clear that I was observing an intentional stripping of xattrs when moving files between Sierra and High Sierra using iCloud Drive. And since then, I have been carrying out further testing to try to discover the heuristics used to determine which xattrs to strip.

Those heuristics are more complex than a simple whitelist, or removal of all xattrs storing data in particular formats, or of xattrs above a certain size. Some xattrs – in particular, those whose types don’t begin with – seem to be stripped every time, regardless of what is in them. Others get stripped even though they begin with and are tiny, such as at only 32 bytes.

Others, like and series, seem to be passed through when they are small, but stripped when they become larger.

Because users see so little of xattrs, the impact of this stripping is largely hidden. Many of the metadata-bearing xattrs are now duplicated by metadata embedded in data files. Others may seem largely superfluous, but are used by some apps. Many are seen as optional extras rather than essential features.

But buried in the hundreds of thousands of documents on your Mac there are very large numbers of xattrs, which HFS+ and now APFS are careful to preserve. A few apps work almost entirely using xattrs – the PDF annotation tool Skim is a good example, and I am sure that there are others. Imagine if you had hundreds of annotated PDFs crafted using Skim, decided to move or share them via iCloud Drive, and every one was blown away.

If we are to believe Apple’s developer documentation, this behaviour is a recent change, and may only be applied to a limited number of iCloud accounts, who are the exceptions rather than the rules. Is it an attempt to prevent the steganography possible using xattrs? If so, isn’t it far simpler for users to just encrypt sensitive documents, and render them completely inaccessible to anyone without the password? Is it a defence against the spread of malware carried as payload inside xattrs, despite the fact that macOS cannot directly execute code from a xattr?

There’s clearly more to come on this story. Are xattrs stripped when moving files between Macs, regardless of which version of macOS they are running? Is this behaviour universal to iCloud accounts, or only applied to a few? Is this all just a figment of my Macs’ imaginations?

I’d love to hear of your experiences, please.