Mojave’s privacy protection and command tools: a collision in which the user is the loser

I have been pressing on with getting my apps notarized for Mojave, but stumbled into a curious problem: Apple Notary Service only works with fully-fledged apps. I have looked back at the presentation about it at WWDC (Session 702), and can’t find any mention of command tools.

Apps and command tools are structured quite differently. An app is a bundle containing executable code, code signatures, an Info.plist property list, and all sorts of other files. When it is notarized, Apple's notarization ticket can be stapled into the bundle, and Mojave knows how to check it.

In contrast, a command tool is normally a single file containing executable code, with a code signature tacked on the end. Unless the developer has gone out of their way to embed an Info.plist in the binary itself (Apple's documented route for single-file tools is a __TEXT,__info_plist section added at link time), there is no property list in which to claim any capabilities, and there seems to be no way of either 'hardening' or notarizing it.
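The difference is visible in the file itself. The following is an added example, not code from the original post: it parses a thin 64-bit Mach-O by hand, with only the Python standard library, and asks the two questions above of it, whether it carries a code signature (an LC_CODE_SIGNATURE load command pointing at the blob tacked on in __LINKEDIT) and whether it carries an embedded Info.plist (a __TEXT,__info_plist section). The sample binary, its bundle identifier and the helper names are constructed for the example and are not executable code.

```python
"""Added example: does a single-file tool carry a code signature, and does it
carry an embedded Info.plist? Standard library only; the Mach-O below is
constructed inline for demonstration and is not a runnable program."""
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF                 # thin 64-bit little-endian Mach-O
MH_EXECUTE = 2
CPU_TYPE_X86_64 = 0x01000007
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob magic, stored big-endian


def _cstr(raw):
    """Decode a NUL-padded fixed-width name field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_macho(data):
    """Return {'signed', 'signature_blob_ok', 'info_plist'} for one Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O (magic 0x%08X)" % magic)
    result = {"signed": False, "signature_blob_ok": False, "info_plist": None}
    off = 32                                  # load commands start right after the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            result["signed"] = True
            # The signature really is tacked on: a blob at dataoff, checked by its magic.
            if datasize >= 4 and dataoff + 4 <= len(data):
                blob_magic, = struct.unpack_from(">I", data, dataoff)
                result["signature_blob_ok"] = blob_magic == CSMAGIC_EMBEDDED_SIGNATURE
        elif cmd == LC_SEGMENT_64:
            segname = _cstr(data[off + 8:off + 24])
            nsects, = struct.unpack_from("<I", data, off + 64)
            sect = off + 72                   # section_64 entries follow the 72-byte command
            for _ in range(nsects):
                sectname = _cstr(data[sect:sect + 16])
                size, fileoff = struct.unpack_from("<QI", data, sect + 40)
                if segname == "__TEXT" and sectname == "__info_plist":
                    result["info_plist"] = plistlib.loads(data[fileoff:fileoff + size])
                sect += 80
        off += cmdsize
    return result


def build_sample_tool(plist=b"", signed=True):
    """Construct a minimal Mach-O (constructed data, not a real tool): header,
    a __TEXT segment with an __info_plist section when plist is given, an
    optional LC_CODE_SIGNATURE, then the plist bytes and the signature blob."""
    seg_size = 72 + (80 if plist else 0)
    plist_off = 32 + seg_size + (16 if signed else 0)
    sig_off = plist_off + len(plist)
    sig_blob = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 12, 0) if signed else b""
    total = sig_off + len(sig_blob)
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, seg_size, b"__TEXT",
                      0, total, 0, total, 7, 5, 1 if plist else 0, 0)
    if plist:
        seg += struct.pack("<16s16s2Q8I", b"__info_plist", b"__TEXT",
                           0, len(plist), plist_off, 0, 0, 0, 0, 0, 0, 0)
    cmds = [seg]
    if signed:
        cmds.append(struct.pack("<4I", LC_CODE_SIGNATURE, 16, sig_off, len(sig_blob)))
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE,
                         len(cmds), sum(len(c) for c in cmds), 0, 0)
    return header + b"".join(cmds) + plist + sig_blob


# Constructed sample Info.plist, of the kind a developer would embed with
# `ld -sectcreate __TEXT __info_plist Info.plist`; the identifier is made up.
SAMPLE_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.sampletool",
                               "CFBundleVersion": "1"})


def describe(data):
    """One-line verdict for a tool, in the post's terms."""
    r = inspect_macho(data)
    sig = "signed" if r["signed"] else "unsigned"
    if r["info_plist"] is None:
        return "%s, no Info.plist: nowhere to declare capabilities" % sig
    return "%s, embedded Info.plist for %s" % (sig, r["info_plist"].get("CFBundleIdentifier", "?"))


if __name__ == "__main__":
    for label, tool in [("typical tool", build_sample_tool()),
                        ("tool with embedded plist", build_sample_tool(SAMPLE_PLIST)),
                        ("unsigned tool", build_sample_tool(SAMPLE_PLIST, signed=False))]:
        print(label + ": " + describe(tool))
```

On a real Mac the same two facts come from `otool -l` (look for LC_CODE_SIGNATURE and a `__info_plist` section) and `codesign -dvvv`; the parser here only handles a thin 64-bit image, so a fat (universal) binary would need its slice extracted first.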

Although users primarily see apps running on macOS, if you take a few moments to browse the list of active processes in Activity Monitor, you’ll notice that most of those are not apps at all, but faceless processes which follow the command tool model instead. Most are run by macOS itself, but depending on what you do with your Mac, many could be developed by third parties.

Command tools are a bit of a problem for Mojave's new privacy protection and its other protections. Many are intended to work quite low down inside your Mac, with access to files and folders which you don't normally see. They may be run interactively from Terminal, in shell scripts, or through scheduling mechanisms such as launchd agents and daemons. When they do run, you could be a long way from your Mac. They could be running an automated backup, or indexing metadata in your photos and videos.

In the newly protected world of Mojave, macOS can handle this in one of three ways:

  • it can treat all third-party command tools as lacking the capabilities to access private data,
  • it can treat all third-party command tools as having full capabilities to access private data,
  • it can provide an authorisation mechanism by which specific third-party command tools can gain the capabilities to access private data.

So far, Apple has not indicated which of these will be used, and there seems to be no support for any authorisation mechanism equivalent to hardening and notarization for apps.

Assuming that one of the first two is enforced, the user will as usual be the loser. In the first case, all command tools other than Apple’s will cease working on significant portions of each user’s Home folder. If you use a third-party backup system which depends on command tools, your backups will be rather smaller and less useful than they were before.

With apps, when one that has not declared the relevant usage description in its Info.plist attempts to access protected data, macOS responds by terminating the app immediately. If the same happens with command tools, which normally have no Info.plist in which to declare anything, then not only will tasks run by them not do what they're expected to, but many will crash out every time that they're run on protected data.

On the other hand, giving command tools free rein over protected data provides an easy bypass for Mojave's privacy protection. In particular, as it is common for malware to follow the command tool model, that would defeat much of the purpose of protection. But it could also be used as a backdoor by regular apps to gain access to private data: an app need only run a command tool to obtain whatever information it wants, even when that app is itself hardened and notarized.

In Mojave, app hardening and notarization are only voluntary, but from its release date privacy protection will be enforced. Apple needs to remember that, unlike iOS, in macOS there are many systems out there which rely on third-party command tools for getting their work done.