Having written quite a lot recently about Mojave’s new privacy protection, I have tended to gloss over the differences between privacy and security, why we need effective controls over both, and how those controls are so different. This article tries to explain using hypothetical examples as illustrations.
The security breach
Last night, I got an email from one of the system administrators at work, telling me that I needed to install some new security certificates and things so that I could continue to access my work account from home. He provided me with a link in the message, which I clicked on, and they seemed to install just fine.
I was a bit puzzled when I got to work today, as no one else knew anything about this, and hadn’t received the same email. The other folk in the tech team didn’t seem to know about it either, but were too busy to check whether something was wrong. Apparently, there was some sort of security scare over some of the execs.
That, of course, was a classic spear-phishing attack. What had happened was that the email was forged, and the link downloaded malware which managed to get past the Mac’s security protection.
Because it was downloaded through an email, the incoming malware was marked with a quarantine flag. When the dropper app was run, this forced it to undergo a full Gatekeeper check. As this was professionally-developed malware, it was signed with a valid developer certificate, and those checks were passed. Its signature didn’t match that of any known malware when examined by XProtect.
That dropper installed a LaunchAgent which made the malware persistent. It now sits there, taking occasional screenshots, collecting keystrokes, and has already uploaded the user’s address book to its remote Command and Control server.
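The persistence step above is also the step a defender can look for: a LaunchAgent is just a property list in a LaunchAgents folder, and launchd will faithfully restart whatever program it names. The script below is an added example, not code from the original article; it reads LaunchAgent plists with Python's standard plistlib, pulls out the program each job runs and whether it is restarted automatically (RunAtLoad/KeepAlive), and flags jobs whose program lives somewhere an ordinary installer would not put it. The list of "usual" locations and the two sample plists (com.example.helper and the constructed "updater" in a hidden folder) are assumptions made for the example, not real indicators.

```python
import os
import plistlib
import sys
from pathlib import PurePosixPath

# Places from which a launchd job's program is normally expected to run.
# This list is an assumption made for the example, not an Apple-defined policy.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def program_of(plist):
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def triage_launch_agent(plist_bytes):
    """Summarise one LaunchAgent plist and list the reasons it deserves a closer look."""
    plist = plistlib.loads(plist_bytes)
    program = program_of(plist)
    # RunAtLoad restarts the job at every login; KeepAlive relaunches it if it exits.
    persistent = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    reasons = []
    if program is None:
        reasons.append("no Program or ProgramArguments")
    else:
        if not program.startswith(TRUSTED_PREFIXES):
            reasons.append("program outside the usual locations: " + program)
        if any(part.startswith(".") for part in PurePosixPath(program).parts):
            reasons.append("program lives in a hidden directory")
        if program.startswith(TEMP_PREFIXES):
            reasons.append("program lives in a temporary directory")
    return {"label": plist.get("Label", "<no Label>"), "program": program,
            "persistent": persistent, "reasons": reasons, "suspicious": bool(reasons)}


def scan_directory(directory):
    """Triage every .plist in a LaunchAgents folder; returns {filename: summary}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as f:
                results[name] = triage_launch_agent(f.read())
    return results


# Constructed sample plists (not real agents): one ordinary, one whose program is
# tucked away in a hidden folder inside the user's own Library.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/.cache/updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(target):
        summaries = scan_directory(target)
    else:  # no such folder on this machine: fall back to the constructed samples
        summaries = {"benign": triage_launch_agent(BENIGN_PLIST),
                     "suspect": triage_launch_agent(SUSPECT_PLIST)}
    for name, s in summaries.items():
        flag = "REVIEW" if s["suspicious"] else "ok"
        detail = (" [" + "; ".join(s["reasons"]) + "]") if s["reasons"] else ""
        print("%-7s %s -> %s%s" % (flag, s["label"], s["program"], detail))
```

Run it with no arguments to triage your own ~/Library/LaunchAgents, or on any other folder of plists. A flagged job is only a lead, not a verdict: the next steps are the ones the article's own narrative implies, checking who signed the program and whether it arrived with a quarantine flag.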
The privacy breach
A few days ago, a friend suggested that I join a new social network, HeadDesk. When I signed up, there were the usual agreements about sharing data, which I clicked through as you do. It looked really impressive, but because I was new I was careful not to give it access to personal information like my Calendar and Contacts. I then installed its app, which lets me keep a watch on it from my desktop.
Last night, it surprised me a little when it reminded me to buy a present for our anniversary next week. I presume that one of my friends must have let it share their Calendar data, as I opted out of that. Its ads are amazingly well personalised, and it always seems to come up with content I like. It’s an amazing service considering it’s all free.
You can probably guess what’s going on here too. Whatever options the user may have chosen online, the service’s app has read through their Calendar, and probably quite a lot of other personal data, and uploaded it to the service. The user is unaware that this is going on, and the service is also selling that personal data on to fund its development.
The HeadDesk app which they downloaded and are now using is perfectly legitimate, not malware, but deceptive. It passed Gatekeeper’s checks, XProtect, and seems completely above board. However, it is abusing personal data without the user’s consent, or even awareness.
It’s not just hypothetical
Back in 2012, Dropbox had a major security breach affecting nearly 70 million of its users. When this was re-examined two years ago by Phil Stokes of Sqwarq and applehelpwriter.com, he discovered that Dropbox’s software was tampering with the macOS privacy database and giving itself permission to use Accessibility features without the user being aware, let alone being asked to consent.
Dropbox claimed at the time that this was “used to give Dropbox additional permissions to your computer, which enables certain Dropbox features, including: better-quality syncing”, “automatic app updates”, and “other user-interface (UI) interactions”. Fortunately, the practice was ended when Apple released macOS Sierra later that month, which put the privacy database out of reach, protected by SIP.
The Dropbox software clearly wasn’t malware, and had been installed dutifully by millions of Mac users. But it was deceptive, and we still don’t really know what it was doing. Oddly enough, its manipulation of the privacy database wasn’t actually needed, as the software worked just as well when denied access to that database by Sierra.
Just recently, Patrick Wardle has detailed how a top-selling Mac App Store app named Adware Doctor circumvents the restrictions imposed by current (High Sierra) macOS entitlements and the app sandbox to exfiltrate full browser histories for Safari, Firefox and Chrome – the same browsers which it claims to protect.
One important lesson for users from Patrick’s analysis of Adware Doctor is that Mojave can provide all the controls and tools for you to protect your privacy, but if you’re invited to give an app permission to access private data and you consent, then you don’t control what it does with that data.
Adware Doctor sought and often gained what in Mojave would be Full Disk Access to the user’s entire Home folder: apps can’t do that under Mojave’s new regime, but users can still give them full access if they wish. When you do hand over such extensive access, you don’t have control over what the app does with your data.
So why don’t permissions control privacy?
Unix permissions are very old, and stem back to a time long before personal computing, the internet, or today’s huge trade in personal data.
Permissions are blunt tools. When I am this Mac’s user, every app which I run is run as me, unless run as another user such as root. As all my personal data has its permissions set with me as its owner, every app has free run of all those files. There is no finer control which separates my ordinary data from what is personal, nor any sensible way of achieving that using regular Unix permissions.
Since then, permissions have been refined with Access Control Lists (ACLs), but these remain little-used and don’t provide the fine controls needed to protect privacy. Instead, Apple has been quietly developing a system known as TCC, which has been running in macOS for at least six years. It uses a database and a background service, tccd, to provide very fine-grained access control to a wide range of folders, services, and hardware such as the built-in camera and microphone.
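The difference between the two models can be shown on any Unix system, not just a Mac. The script below is an added example, not code from the article or from Apple: it creates a throw-away home folder with a personal file set to the tightest mode Unix offers (owner read/write only), confirms that a completely separate program running as the same user can still read it, and then contrasts that with a TCC-style check that decides by asking which client is requesting which protected service. The TCC_POLICY table and the client identifiers in it are a constructed stand-in for the real TCC database, whose schema this example does not reproduce.

```python
import os
import stat
import subprocess
import sys
import tempfile


def make_demo_home():
    """Create a throw-away 'home folder' holding a personal file the user owns, mode 0600."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    os.mkdir(os.path.join(home, "Contacts"))
    path = os.path.join(home, "Contacts", "addressbook.txt")
    with open(path, "w") as f:
        f.write("Alice <alice@example.invalid>\n")   # constructed sample data
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)      # owner only: the tightest mode Unix has
    return path


def unix_says_readable(path):
    """The kernel's view: may the calling uid read this file? It never asks which program."""
    return os.access(path, os.R_OK)


def other_app_can_read(path):
    """Launch a separate program as the same user and have it read the file.
    It stands in for any app the user runs: Unix cannot tell it apart from the owner."""
    child = subprocess.run(
        [sys.executable, "-c", "import sys; open(sys.argv[1]).read()", path],
        capture_output=True)
    return child.returncode == 0


# Constructed stand-in for TCC's per-client decisions (not the real TCC.db schema):
# keyed by (client identifier, protected service); True/False is a recorded answer,
# no entry means the user has never been asked.
TCC_POLICY = {
    ("com.apple.AddressBook", "Contacts"): True,
    ("com.example.headdesk", "Contacts"): False,   # declined, as in the hypothetical
}


def tcc_decision(client, service, policy=TCC_POLICY):
    """'allow' or 'deny' from the recorded decision, 'prompt' when there is no record yet."""
    recorded = policy.get((client, service))
    if recorded is None:
        return "prompt"
    return "allow" if recorded else "deny"


def read_personal_file(client, service, path, policy=TCC_POLICY):
    """Mediated access: the file is opened only when *this client* holds *this service*,
    whatever the Unix mode bits say. Returns (decision, contents or None)."""
    decision = tcc_decision(client, service, policy)
    if decision != "allow":
        return decision, None
    with open(path) as f:
        return decision, f.read()


if __name__ == "__main__":
    p = make_demo_home()
    print("mode 0600, Unix says readable by me:", unix_says_readable(p))
    print("a different program running as me can read it:", other_app_can_read(p))
    for client in ("com.apple.AddressBook", "com.example.headdesk", "com.example.newapp"):
        print("%-24s -> %s" % (client, read_personal_file(client, "Contacts", p)[0]))
```

The first two lines of output are the article's point about blunt tools: once a file belongs to you, every process that runs as you can read it, and no mode bits change that. The per-client decisions are what TCC adds on top; note that the real service still has to identify the client reliably (by its code signature), which a table keyed on a self-declared name cannot do on its own.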