Mojave’s privacy consent works behind your back

When you uninstall or remove software from your Mac, manually or using a utility, you expect all its settings and authorisations to be removed too. If you take a look in the various lists in the Privacy tab of the Security & Privacy pane, you may be comforted to see that it has vanished from any of those to which it may have been added.

Unfortunately, what’s shown there isn’t an accurate reflection of what macOS sees. Within macOS, the Transparency, Consent and Control (TCC) system maintains a database of each user’s consents. What is shown in the Privacy tab is only a small fraction of that database. If you were to reinstall that software, you would see that it was immediately granted the same access as when it was removed, without your consent being sought again.

This article explains what you must do when uninstalling software in Mojave, and presumably Catalina, in order to remove previous consents for access to protected resources.

Apple steadfastly refuses to give developers any access to or control over the consent lists in the Privacy tab, so even an uninstall command in an app, such as the Zoom conferencing client (a topical and relevant example), can’t help you. As I’ll explain later, Apple does provide a command tool which could in theory be used to remove an app from TCC’s lists, but it currently can’t do that.

It’s easy to demonstrate this using the Zoom client app. Install it, and follow its directions to add it to both the Camera and Microphone lists in the Privacy tab. Verify that it does have access to your camera by previewing the image in its preferences. Confirm that it is now included in the lists in the Privacy tab, then open the app again and use the command in its File menu to uninstall it. Once it has been removed, you should see that it has also vanished from the Privacy tab’s lists.

Then reinstall the app using its installer. When you open it, it immediately has access to both camera and microphone, without your having to give your consent again, and is back in the Privacy tab’s listings as if you had never uninstalled it.

There are several problems which this behaviour poses. Most obviously, users assume (as I did) that when consents are removed from the Privacy tab, that reflects their removal from TCC’s database. It clearly doesn’t, and your database could still contain many old consents which will reactivate should you ever install another app with the same bundle identifier. I suspect that could be exploited by malware too: if a malicious app can assume the same bundle identifier as one which already has consent to access protected resources, then it should automatically be granted that access without the user being asked to give consent again.

For someone who just wants to get rid of an app properly, this means undertaking an additional task before removing the app: open the Privacy tab and check through each of its lists, unticking the app which you’re about to remove. You have to do this before removing the app, as once it is gone, the Privacy tab won’t let you see it listed any more.

If you forget to do this before removing the software, the only way to do it is to reinstall it, untick its Privacy consents, and remove it again, which is absurd.

There should be a smarter way around this, and those who know the tccutil command may think there is: for an app bundle named co.eclecticlight.MyApp, you should be able to type the following into Terminal:

    tccutil reset All co.eclecticlight.MyApp

According to tccutil’s man page and help, that should remove the bundle named co.eclecticlight.MyApp from all the Privacy lists. Except that, as far as I can see, that form of the tccutil command has never worked, not since the first Mojave betas, as documented by Felix Schwarz almost a year ago. No matter which bundle ID I have used this with, it consistently returns an error:

    No such bundle identifier

If that command were to work, it would provide a route for apps, uninstaller scripts and users to address this problem. You’d still need to know the bundle identifier of course, and if you had just removed that bundle it might not be any easier than the Privacy tab method, as you’d probably still have to reinstall the software to look in its Info.plist to discover the bundle ID.

Even better would be a little honesty on the part of TCC, and a control to force display of all consents in force for each list in the Privacy tab. That would allow users to deny access to these protected resources for many apps which have been removed, a step which could be added to the process of removing an app.
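The fuller listing asked for above can be approximated by reading the per-user TCC database directly and comparing it with the apps actually installed. This is an added example, not code from the original article or from Apple: it assumes the Mojave-era database at ~/Library/Application Support/com.apple.TCC/TCC.db with an access table holding service, client, client_type and allowed columns, and that the process reading it has been given Full Disk Access. The sample rows and the com.example identifiers are constructed.

```python
import os
import plistlib
import sqlite3
from pathlib import Path

# Assumed Mojave-era per-user database path; the article does not give it.
TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
APP_DIRS = ("/Applications", os.path.expanduser("~/Applications"))

def installed_bundle_ids(app_dirs=APP_DIRS):
    """Collect CFBundleIdentifier from each .app bundle in the given folders."""
    ids = set()
    for folder in app_dirs:
        for plist in Path(folder).glob("*.app/Contents/Info.plist"):
            try:
                with plist.open("rb") as fh:
                    ids.add(plistlib.load(fh)["CFBundleIdentifier"])
            except Exception:  # unreadable, malformed, or no identifier: skip
                continue
    return ids

def orphaned_consents(conn, installed):
    """Granted consents keyed by bundle ID (client_type 0) with no installed app."""
    rows = conn.execute(
        "SELECT service, client FROM access "
        "WHERE client_type = 0 AND allowed = 1 ORDER BY client, service")
    return [(svc, client) for svc, client in rows if client not in installed]

def sample_db():
    """Constructed stand-in for TCC.db, holding only the assumed columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access "
                 "(service TEXT, client TEXT, client_type INTEGER, allowed INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.removed", 0, 1),
        ("kTCCServiceMicrophone", "com.example.removed", 0, 1),
        ("kTCCServiceCamera", "com.example.installed", 0, 1),
        ("kTCCServiceMicrophone", "com.example.denied", 0, 0),
        ("kTCCServiceAddressBook", "/usr/local/bin/sometool", 1, 1),
    ])
    return conn

if __name__ == "__main__":
    if os.path.exists(TCC_DB):  # real database, opened read-only
        conn = sqlite3.connect(Path(TCC_DB).as_uri() + "?mode=ro", uri=True)
        installed = installed_bundle_ids()
    else:  # not on a Mac: fall back to the constructed rows
        conn, installed = sample_db(), {"com.example.installed"}
    for svc, client in orphaned_consents(conn, installed):
        print(f"{client}\t{svc}")
```

The script only reads the database; each line it prints is a bundle identifier that still holds a consent although no app with that identifier was found in the scanned folders.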

To summarise:

  • Lists given in the Privacy tab only cover currently installed apps, and are otherwise incomplete and misleading.
  • Apps which have previously obtained consent for access to protected resources retain those rights even after they have been uninstalled, and on reinstallation will be granted them back automatically.
  • Before uninstalling any app, untick all its entries in the lists in the Privacy tab to prevent this.
  • Apple needs to implement the bundle-specific control in tccutil to allow that to be used in uninstallation.
  • Apple needs to give access to the full lists in the Privacy tab, rather than just those apps which are currently installed.
  • Apple needs to document privacy controls in Mojave properly, so that catches like these are properly explained, not discovered by accident.