Last Week on My Mac: Informed Security

Apple rightly places user consent at the centre of its privacy protection. But mere consent isn’t sufficient: as Mojave and Catalina require, apps which seek your permission to access potentially sensitive information must give their reasons, and elsewhere explain exactly what they do with any data of yours they collect. So consent is only meaningful, indeed only valid, when it is informed.

Informed consent extends beyond privacy to the security which underpins it. Non-secure systems can’t protect your privacy, as those protections cannot be relied on. But if you can’t make a meaningful assessment of the security of a system, you can’t trust it either. Informed security isn’t just a nice option, it’s a requirement. Just as a system can’t pat you sweetly on your head and assure you that your private data are protected, so it can’t try the same trick with security.

Here there’s an obvious divergence in macOS. While I’m constantly reminded of how it protects my privacy, with all those fun dialogs, its security isn’t a presence, or informed, but a void in which there’s just the occasional reassurance that Apple has checked an app for malware and didn’t find any.

We know the names of the major security systems: Gatekeeper, XProtect, SIP, and so on. But that’s about it as far as a user is concerned. Without third-party utilities and articles, we’d never know whether our local security updates were timely, or had quietly stopped working a couple of months ago. Apple doesn’t inform us when it pushes its updates, so without the likes of SilentKnight, we can only assume everything’s working fine. Ironically, this also applies to the database used by TCC, the privacy protection system whose very initials stand for Transparency, Consent, and Control.

Last week Apple pushed an update to its Malware Removal Tool (MRT). As usual, it has said nothing. Even the curious user who might happen to glance at the list of installations in System Information is none the wiser: is version 1.49 the latest? Apple doesn’t tell. If your Mac showed that it was 1.45 which was installed instead, you’d be none the wiser. And many users do report that their Macs seem stuck on previous versions, something Apple doesn’t want you to discover.

Not only that, but as we now know, MRT updates only take full effect when you next start up macOS. This important information is buried away in a document for system administrators, and the only support article likely to be read by users doesn’t mention this crucial fact. Indeed, Apple’s claim that a notification is displayed whenever a security update is installed is commonly incorrect, or that notification is so momentary as to be subliminal.

We’re not informed about when these updates occur, nor of their purpose, nor do we know what changes they bring. In the past, Apple’s security tools used to refer to malware using names which, although not always the best-known, at least enabled us to know what they protected us from. Then last year Apple switched to using internal code names, so we now know that the latest MRT update enables that tool to remove MACOS.87fabeb and MACOS.07758e9. Oh boogaloo.

If you went to your physician and they said that you needed an immunisation but refused to tell you what it protected you from, would you consider that informed consent? Surely, everyone would be suspicious and refuse. Who knows, maybe Apple is just making these things up as part of some security theatre, or maybe MACOS.87fabeb and MACOS.07758e9 are so obscure that this added protection is mere illusion.

Sometimes Apple does seem to want us to know what these pushed security updates do. When it updated MRT to version 1.45 to remove the hidden and vulnerable Zoom web server, an unnamed Apple spokesperson tipped off TechCrunch, but failed to mention that the update also appeared to cover a problem with the open source virtualiser QEMU. Furthermore, contrary to Apple’s advice to sysadmins, that spokesperson “said the update does not require any user interaction and is deployed automatically”.

Return for a moment to the physician and the mystery immunisation: would you trust them any more if their answer to your question was “flu and a few other things too”?

I keep trying to imagine who Apple thinks it’s protecting by this prolonged silence and refusal to inform. It’s not the malware developers, who will quickly be able to tell the effect of any changes that Apple makes to the protection in macOS. It’s not the users, who are unable to make informed decisions about whether third-party protection is worthwhile. It’s not system administrators, who are as baffled as anyone else on the receiving end.

The only party that this benefits is Apple, who continues to be wedded to the demonstrably false assumption that security by obscurity is a sound way to proceed.