A Guide to Catalina’s Privacy Protection: 1 Principles and structure

If you’re already running Catalina, you’re sure to have noticed that it makes a big thing of privacy, even more so than Mojave. Over the next few articles, I’m going to try to explain how 10.15 has changed, how you can manage its privacy protection, and how to cope with its glitches and problems. This first article explains the principles, and what the user should experience when all is working properly.

Privacy and security are different, although interrelated. You can’t protect a user’s privacy without having good security in place, but privacy protection isn’t just concerned with keeping malware out of your sensitive data. Over the last few years, the greatest concerns over privacy have arisen with apps and services which aren’t intending to be malicious as such, just profligate with your private data, usually to sell it on to enable advertising, for example.

Macs already use permissions to protect some data, but they’re a blunt tool. If I enable Location Services, for example, the information it stores about my location is private. But that’s going to be kept in locations like the Library folder in my Home folder (~/Library), and all the apps that I run have access to that. So what’s to stop any other app that I run from accessing my location data, even though I may not be aware of that happening?

The aim of Catalina’s privacy system is to segregate facilities, such as any built-in camera, microphone, and screen recording, so that only the apps that I trust can access them, and to do the same for data collections, files and other documents. As you might guess, that turns out to be more complex than it sounds.

Apple’s approach to privacy is founded on two basic user controls: user consent, and user intent. These are fundamentally different, and are used in different types of protection.

For an app to gain access to your built-in camera, the app has to ask to use it, and macOS then has to ask you to give your consent to that request. Although that dialog may seem tedious and even pointless, it lets you make that decision. If the app is for web conferencing, then the dialog may seem pointless: after all, what’s the point of opening the app if it can’t have access to your camera? But you’ll sometimes be surprised at the apps which do want camera access. If you simply click through every consent dialog, then you won’t catch the rogue PUP, for instance.

Protected locations are different. You might want almost any app to save a document you’ve been editing in your ~/Documents folder, or on a removable volume. So when you use the File Save dialog, you expect macOS to give the app that ability, by expressing your intent. Apps may access files in other ways, in which your intent isn’t implied: a search tool might want to look in all the files in your ~/Documents folder, but you can’t express your intent for every one. So access to protected locations may require user intent or consent.

Protected services and locations break down into the following categories:

Recording systems, such as camera and microphone
Data requiring user consent to access, such as Contacts and Calendars
Locations requiring user intent or consent, such as your Desktop and removable volumes
Data managed by the system, such as Mail and Messages
Automation services, including Accessibility and AppleEvent Automation
System security policy exemption, for developer tools.

I’ll take these one at a time.

privacy41

Recording systems include:

Camera
Microphone
Screen Recording (new in 10.15)
Input Monitoring (keyboard, keylogging)(new in 10.15)

These are controlled by user consent: the app has to ask macOS to be able to use the specific system, and you then have to consent to it gaining access. The requesting app is then added to the respective list. Screen recording and keylogging may appear less valuable, but can of course be used to capture other protected information, even passwords. They’re also common features of malware.

privacy42

Data requiring user consent to access includes:

Contacts (address book)
Calendars
Reminders
Photos (Photos libraries)
Location Services
Speech Recognition (using Apple’s voice to text service)

Each of these has its own list, and user consent is required for each before it can be added to its list.

Locations which require user intent or consent to access, which are all new for 10.15, include:

~/Desktop, widely used for active documents
~/Documents, main document storage
~/Downloads, the default location for downloaded files
iCloud Drive, now widely used for shared working documents
third-party cloud storage, if used
removable volumes
network volumes

The aim with these is that, when an app tries to access them using standard File Open and File Save dialogs, by double-clicking in the Finder, dragging and dropping, or similar actions which work via LaunchServices, then user intent is clear, and you shouldn’t see a consent dialog. However, there are some circumstances in which code can trigger one, unfortunately. These are also controlled by the Full Disk Access list, and reflected more specifically in the Files and Folders list.

privacy43

removablevol02

Data managed by the system, requiring user consent to access, includes:

Mail
Messages
Safari’s browsing history
Cookies
Call history
iTunes backups of devices
Time Machine backups
Trash (new in 10.15)

Access here is controlled by the Full Disk Access list. Access to the Trash folder is complex, as the user can still of course move items into and out of the Trash, as can an app, but other apps need consent through Full Disk Access.

privacy44

There are just two automation services:

Accessibility – ‘Synthetic input events’ as used to control apps by ‘pretend’ mouse clicks and keypresses
Automation – AppleEvents, which are used to control other apps

These get complex: the first category covers some techniques used in accessible software, but can also be abused by malware, while the latter covers the situation where one app controls another in an explicit pairing. This makes obtaining user consent tedious, as each pairing must have specific consent.

privacy45

privacy46

There is just one system security policy exemption, Developer Tools, such as Xcode, which need to run code locally which may not meet normal security policy. If you don’t have Xcode installed, then you’re unlikely to see this item in the Privacy lists.

This account has so far considered only apps with a GUI. The same rules also apply to command tools and scripts, and in those circumstances the privacy system uses an Attribution Chain to look for a way of obtaining user consent where possible. If you type a command into Terminal, for instance, the command tool itself may be in the appropriate privacy list, or Terminal may be, and consent may then be attributed from that.

6Comments

Add yours

1

Valdo on January 10, 2020 at 2:12 pm

Great introduction to privacy and security on Mac. Thank you Howard!

Maybe one question. I was using an app, a translator, which requested full disk access after upgrade to Catalina. If not granted the app refused to open or is blocked by Catalina.

My question is why such app, which works in “screen” mode, highlight a portion of text, press Cmd and twice the C to invoke the app to translate the highlighted portion needs full disk access?
I know that an qualified answer can made by the original coder, but in those days when private data is siphoned from devices in incredible quantities, the people including me, are suspicious to such requests with unclear and unknown consequences.

LikeLiked by 1 person
- 2
  
  hoakley on January 10, 2020 at 2:22 pm
  
  Thank you.
  I would have refused to give such an app FDA: as you say, there seems no good reason to. If it needs to access files properly, then it should result in the standard invitations for user consent, or they shouldn’t be needed because you use an Open File dialog which tells macOS of your intent.
  If the app didn’t work after refusing that, I’d raise it with the developer – after all, it could be stealing your personal data. That is the whole point of this protection.
  I’d be very suspicious that either the developer didn’t understand privacy protection, or they are up to no good.
  Howard.
  
  LikeLike
3

Nik on January 12, 2020 at 10:16 am

Nicely explained Horward. Thank you. I too have a few questions:

1. Do you have any idea/guesses as to whether Apple would extend these permissions/intents/consents to other areas in file system?
2. In beta 1 of Catalina, one of my command line utilities using TCP/IP socket asked for network volume access consent but in subsequent betas I didn’t get any. You think this should be a bug or is Apple trying something there for introducing it in futures OS ?

LikeLiked by 1 person
- 4
  
  hoakley on January 12, 2020 at 4:57 pm
  
  Thank you.
  I have no idea whether Apple intends extending this to cover other folders, and we won’t find out until WWDC in June. I’d like to think that they’d get this right before going any further, but I suspect they’re happy with it as it is.
  The situation with command tools is a bit more complex: I will be addressing that in a future article. However, that may well have been an issue with that beta.
  Howard.
  
  LikeLike
5

El Aura on February 3, 2020 at 1:26 pm

Do most people really use ~/Documents for their ‚documents‘? In my view, too many apps store data there that a user shouldn’t mess with, and I don’t like to mix that with ‚my own‘ data. I’d rather use a (self-created) ‚My Documents‘ folder in my home directory.

LikeLiked by 1 person
- 6
  
  hoakley on February 3, 2020 at 2:44 pm
  
  Yes – most do.
  If any app played games in my Documents folder, I’d quickly get rid of it. They have ~/Library/Application Support to play with.
  I do have other folders which I use, but they’re still usually linked to ~/Documents for ease of access from Finder.
  Howard.
  
  LikeLike

Share this:

Related