Privacy + Scripting = Problems

Yesterday, I looked at how Mojave’s new privacy protection works for data, services (Location) and hardware (camera and microphone), and largely ducked the most thorny issue of apps and scripts controlling other apps – Automation.

Regulating direct access by apps to protected data is relatively simple, and should be highly effective. But macOS has always had powerful means by which apps can control other apps – AppleEvents – which are exposed to the user in scripting systems, notably AppleScript, and Automator. Many excellent apps are built largely on bringing together features of different apps using AppleEvents. And some of the most surprising apps call the occasional snippet of AppleScript to enable important features.

So all a developer would have to do would be to locate features in an app which does have access to protected data (or services or hardware), and control that app using AppleEvents, to circumvent Mojave’s privacy. This makes controls on Automation one of the most important features in Mojave’s new privacy system.

The snag is that putting simple limits on the use of AppleEvents to control other apps can easily leave vulnerabilities. An app running a line of AppleScript could be using it to display a file’s location in a Finder window, running a command with elevated privileges, or stealing the contents of emails. There is no system of whitelists or blacklists to distinguish between the effects of commands on your privacy.

What Mojave currently does for Automation is very likely to evolve over the coming days, weeks, and months. What I describe here may well have changed completely by Christmas, or maybe even sooner.

When an app calls an AppleEvent (or runs AppleScript) which performs an entirely innocent task, such as
set thePath to POSIX file "/Users/me/Documents/myDoc.text" tell application "Finder" to reveal thePath
the privacy control system, TCC, lets this pass without any concerns over privacy, and it doesn’t trigger any dialogs.

Actions which are potentially more risky are handled with much greater care. For example, using System Events in code such as
tell application "System Events" to get the name of every login item tell application "System Events" to delete login item "MyApp" tell application "System Events" to make login item at end with properties {path:"/Applications/My.app", hidden:false}
will trigger a consent dialog. However, it does not require the calling app to provide usage information, even when that app is built against the 10.14 SDK.

aeprivacy01

So if no usage information is provided, the user sees a dialog which currently has a lot of text, isn’t likely to make much sense to a naïve user, and doesn’t explain the purpose. Apple is considering how best to change this, but without both app-specific and contextual information, it’s hard to see how this can be improved much.

aeprivacy02

Apps which do more ambitious things, such as controlling real apps rather than System Events, are required to have usage information if they have been built with the 10.14 SDK, much as they do to access other private data. This is then added to the consent dialog as shown above, and can make a big difference to the user when they are forced to make a decision.

One significant limitation at present is that only a single usage string can be supplied. In the case of my apps, which use AppleScript to install themselves as Login Items, that is unimportant. But apps which use a lot of AppleEvents can do so for a wide range of different purposes. It isn’t yet possible for them to change the app-specific content in the consent dialog so that it is specific for that individual consent.

aeprivacy03

When consent is obtained for Automation, it must be specific for that pair of apps, as shown in the Privacy settings. Here, the user has consented to Bailiff scripting System Events, but that doesn’t permit Bailiff to script any other apps: separate consent must be obtained for each, still using the single usage statement for all.

In an app which scripts several different apps, that means the user should see a separate consent dialog for each of those relationships, which is neither efficient nor kind to the user.

Developers who are struggling with these problems hope that Apple will come up with a better solution. You can read full details in Felix Schwarz’s excellent article here.

What about your own AppleScripts, though: surely you don’t have to comply with all this privacy protection when they’re your own scripts and your own data?

aeprivacy04

Sadly, there’s no robust way of telling whether any given script or app is owned by the same person as the data, so TCC’s rules have to extend to user scripts in exactly the same way as they do to commercial apps. If you run an old AppleScript app on Mojave, you will see the same consent dialog as for any app.

aeprivacy05

Mojave’s AppleScript editor does try to help you get it right, though. If you have developer signing certificates, it is happy to sign your AppleScript apps, but they cannot be hardened or notarized, and don’t have entitlements.

aeprivacy06

The Script Editor also adds default usage information to a script app’s Info.plist, which you can edit to clarify your purpose. There is a slight snag here with signed apps, though, as their code signatures should include the Info.plist, which would prevent you from modifying that after signing. Hopefully that apparent conflict will be resolved to allow scripters to create properly signed apps with custom usage information.

aeprivacy07

The strange thing with apps created by the Script Editor is that it does what everyone agrees you shouldn’t do: it adds usage information for every class except Location services, as shown in this shot from Taccy.

Building scripting into Mojave’s privacy control is not easy, nor is it yet complete. I think that Apple is going to have to provide more extensive support to app developers, and the human interface will inevitably improve. It would make a great deal of sense for apps to be able to obtain pre-approval when first opened, so that users can give their consent to the features that they have just paid for, to access their own data. But this is going to require great care, for fear of opening vulnerabilities which will allow rogue apps to exploit the system.

If you rely on apps which make use of AppleEvents – something which is almost impossible to determine, although you can usually make a good guess – then you may find them struggling during your early days with Mojave. Once the barrage of consent dialogs is out of the way, they should behave more like their old selves again. Keep a careful watch on their support sites, where developers should provide detailed information about any issues with Mojave.

15Comments

Add yours

1

Joss on September 7, 2018 at 10:25 am

I used to have a lot of proprietary Automator workflows, and the occasional AppleScript app. I’ve since switched to Nimble Commander as a substitute for Finder, and I’m now running all of the old workflows & services directly as shell scripts with keyboard shortcuts and TouchBar support via BetterTouchTool. For pure AppleScripts I even use the #!/usr/bin/osascript shebang instead of #!/bin/bash. Will be interesting to see how this all pans out in Mojave. 😉 Doesn’t change anything about AppleScripts & Events from other developers, though.

LikeLiked by 1 person
- 2
  
  hoakley on September 7, 2018 at 12:09 pm
  
  I don’t think this should prove a problem, but when you first set them up in Mojave, you’ll have a few consent dialogs to trudge through!
  I’d give Nimble Commander Full Disk Access from the start, which should settle all the shell scripts and commands from that, but you’ll also need to work through consents for any AppleScripts run as that goes along. You can’t pre-authorise them as things stand at present, but maybe that will be included in Mojave very soon.
  Once everything is consented and listed in the respective Privacy listings, it should all run as before.
  Howard.
  
  LikeLike
  - 3
    
    Joss on September 7, 2018 at 12:18 pm
    
    That’s what I thought. Nimble Commander is a file manager, and it even has full rwx access to /var/root in admin mode, so it definitely needs full access.
    
    LikeLike
  - 4
    
    Joss on November 3, 2018 at 1:49 pm
    
    Ran into one problem so far, but found at least one solution (see below): an AppleScript (Services workflow) that starts by reading the message ID (IDs) of the selected message(s) in Apple Mail, then runs a shell script using `find` to search through $HOME/Library/Mail/V6 to find the associated message files, then sends the emlx paths as arguments to another app to get geolocation for the message’s originator. At some point I want to parse the files myself and use my own app for that. (Currently I’m using MailSpy and Mail Detective.) Obviously the workflow has no access for the Mail folder. Putting the find CLI into Full Disk Access didn’t work. Running the script from ScriptEditor or Automator directly didn’t work either. So I looked for Automator Runner in CoreServices, but it’s not there anymore to put on the FDA list. (Any idea where that app went in Mojave?) Changed the AppleScript into a shell script with osascript embedded, and this worked in iTerm (already on the FDA list), but not as a workflow. Then I remembered that I had also added it to BetterTouchTool for quick launch via TouchBar, and voila, after putting BetterTouchTool on the FDA list, it finally worked. (I haven’t yet tested whether reverting from shell script to AppleScript workflow will now work with BTT as well, but will report back, if it does.)
    
    LikeLiked by 1 person
  - 5
    
    Joss on November 4, 2018 at 12:09 am
    
    And another problem which ties directly into the article. I have an AppleScript app that’s basically a wrapper for Transmission, so Transmission only launches if a VPN is active via Viscosity. And now I have to grant access *twice* *every time*, once for Viscosity, once for System Events, on every launch, only because the Viscosity developer was so kind to make his application scriptable.
    
    Have to dig into this now to see if there’s any solution.
    
    LikeLiked by 1 person
  - 6
    
    Joss on November 4, 2018 at 12:18 am
    
    OK, found a solution quickly. Just export your script as an application from ScriptEditor, code-sign, and after clicking OK on the TCC prompts, these prompts will not return the next time you launch. You can even use self-issued code-signing certificates, even whole certificate chains issued via third-party CAs like xca. Sweet! Hope the system doesn’t revoke this at some point.
    
    LikeLiked by 1 person
    - 7
      
      hoakley on November 4, 2018 at 5:18 pm
      
      Yes, that’s the best way to get scripts through the new privacy checks. I don’t think that macOS should ever revoke that, and it should persist through TCC updates too, as it has been entered into its database.
      Howard.
      
      LikeLike
  - 8
    
    Joss on November 4, 2018 at 10:52 pm
    
    I was just surprised that it works with non-Apple code-signing certs (cert chains). Haven’t tested ad-hoc code signatures yet.
    
    LikeLiked by 1 person
9

skotop on September 7, 2018 at 10:31 am

“for fear of opening vulnerabilities which will allow rogue apps to exploit the system.” Already thought that the system was protected by XProtect, Gatekeeper, System Integrity Protection and the Malware Removal Tool

LikeLike
- 10
  
  hoakley on September 7, 2018 at 10:34 am
  
  Those protect your Mac’s security. They do nothing to protect the privacy of your personal data, which is what all this is about.
  Howard
  
  LikeLike
  - 11
    
    hoakley on September 7, 2018 at 12:10 pm
    
    I will be explaining this in better detail, with examples, in an article for tomorrow morning.
    Howard.
    
    LikeLike
12

Joss on September 7, 2018 at 10:35 am

I’ve been wondering if this whole new access security system is the reason why Apple hired Jonathan Zdziarski, the dev of Little Flocker (now XFENCE at F-Secure).

LikeLiked by 1 person
- 13
  
  hoakley on September 7, 2018 at 12:11 pm
  
  Thank you.
  Possibly, although I would imagine that he is working on security (for which Little Flocker was magic, and a fine way ahead) rather than privacy systems including TCC.
  Howard.
  
  LikeLike
  - 14
    
    Joss on September 7, 2018 at 12:16 pm
    
    I’m still using XFENCE, though it’s a bit of a pain in the a** now, but that’s due to Apple’s new security methods, boot volume blessing, T2, volume mounting etc. A lot more dialogs than before. But it’s still a great security tool.
    
    LikeLike
15

Michael Tsai - Blog - AEDeterminePermissionToAutomateTarget Added, But AEpocalyse Still Looms on September 7, 2018 at 3:46 pm

[…] Howard Oakley: […]

LikeLike

Share this:

Related