Mojave’s privacy protection: informing users

In my previous post, I pointed out that it is the app developer who is most likely to be confronted with problems arising from Mojave’s new privacy protection, as the most severe effect is going to be that their app crashes when trying to access protected data. Users will see this as a failing in the app, rather than the consequence of their action, or of macOS defending their privacy.

Unless a user takes to browsing the Info.plist of the applications they run, and understands in some depth how Mojave’s privacy protection works, there is no easy way for them to discover what limits an app might have. There’s no convenient display in Finder’s Get Info dialog, for instance, which tells them that the image editor they’re about to use doesn’t have access to images in their address book, or Photos library.

Indeed, when they use the Finder, they will see that they have normal read and write access to all of these folders and files. Unlike Unix permissions, Mojave’s Finder doesn’t give any indication of what is protected, either in its own windows or in its Get Info dialog.

Apps which are not currently permitted to access protected folders do display conventional No Entry signs on those folders when you try to open a protected area in their Open File dialog. But that conflicts with the Finder’s display of those same folders being fully accessible. I can see some users considering that to be a bug in the app, and complaining about it.

Apple would no doubt argue that users have to do something different in order to see protected data, such as opening their hidden Home Library folder, or looking inside a Photos library. Whilst that is true, I know of plenty of users who have done such things, but don’t even understand normal file permissions, let alone what Mojave is about to unleash.

At the very least, the app developer needs to tell users what their apps are able to do, and where they can’t go. If privacy protection is going to be meaningful and work to our benefit, we shouldn’t be enabling every app to access protected data, nor should the user be giving them all Full Disk Access.

My suggested example is a simple, predominantly graphical panel based on Mojave’s Privacy settings, listing for an app what it can and cannot do, and how. For instance, here is one for my extended attribute editor, xattred:

I am putting that information in its documentation, and in a new command in its Help menu. Many users may ignore both, but we can only take the horse to water.

The Help window is quick and simple to do. Here is an archive containing blank light and dark mode files, and completed examples: privacyhelp

Mark up one of each for your app, and add them to a new image set in Xcode’s Asset Catalog. Use the Any, Light, Dark appearance to ensure that your app will automatically use the right image for the current mode.

Make a new Window Controller in Interface Builder, around 279 x 377 in size, and with a suitable Storyboard ID such as Privacy Window Controller. Add an Image View, and set it to display your image.

Then, in your AppDelegate source, add the code to show that window, in a function which you then connect to a menu command of Privacy settings in the Help menu.

When it’s all built and running, using that command will display the image.

And switching to Dark Mode will automatically show that version instead.

If you’ve got your scaling right, the user should be able to put your window next to the Security & Privacy pane, and match the items listed in each.

For an app which seeks no special access to protected areas, the only item which should be ticked is, of course, Full Disk Access. That sends the clear message that, should the user not grant that access, trying to open any protected data may be unwise.

You are very welcome to use this and the examples provided, to adapt, remix, or do whatever you want with them, if you think they might help.

In future versions of Mojave, I think that it would be helpful to everyone if:

The Finder’s Get Info parsed app information and gave some idea of its privacy constraints, and
Privacy-protected folders and files were visibly identified as such when viewed in Finder windows (not just Open File dialogs). Come to think of it, we don’t seem to have a general icon to signify what is private; this might be its first good purpose.

5Comments

Add yours

1

Barry Marshall on August 29, 2018 at 5:31 pm

I decided to give Mojave a spin in a virtual setting to see what is like. For F.D.A. I hope the developers either give their apps full consent or as your screenshot says, “with consent”. With Consent seems the most logical and let the user decide before caution to the wind, There are some apps that wouldn’t want to have full Consent, like a Facebook App or anything to do with on-line chat forums.

LikeLiked by 1 person
- 2
  
  hoakley on August 29, 2018 at 5:39 pm
  
  That’s the really good aspect of Mojave’s design: a developer can lead the user to give consent, but ultimately it remains up to the user whether to allow that app to have access to protected data. There is no flag available which lets any app storm in and see private files without the user agreeing.
  The snag is that users haven’t really had to do this much before. I know that both iOS and macOS have some controls, but they are not as extensive, nor is the penalty for an app attempting to access protected data when it shouldn’t. Hopefully we’ll all prove quick learners.
  Howard.
  
  LikeLike
3

Barry Marshall on August 29, 2018 at 6:55 pm

What does Apple consider “protected data.”?

LikeLike
- 4
  
  hoakley on August 29, 2018 at 7:05 pm
  
  This includes: Mail’s Mail folder, Messages, calendars and reminders, Contacts’ address books, Safari’s browsing history and cookies, Photos libraries, iTunes backups, and Time Machine backups. Services include location, camera and microphone, and automation (e.g. scripting other apps to access information).
  Currently they are centred on Apple’s bundled apps, and I don’t know whether third-party developers can or will be able to designate their apps’ data as protected within the same system.
  The user, though, doesn’t have that ability. If you have a folder of accounts or personal correspondence, you can’t designate it as private within this system, but would need to encrypt it, for instance.
  Howard.
  
  LikeLike
5

Barry Marshall on August 29, 2018 at 7:31 pm

Yup, most apps other than the ones using them should be the only ones using the data. I know now on High Sierra that apps ask for permission to access your Contact List and I believe I had one a year ago that thought the privilege was given without consent and it wound up getting deleted. I really don’t like moving my Bookmarks between browsers either, but what is really becoming annoying is Google which has nothing to do with this conversation but there annoying stalking of your mobile number.

LikeLiked by 1 person

Share this:

Like this:

Related