Like much of what you see in the Finder and the rest of the GUI in macOS, controls in the Privacy tab of the Security & Privacy pane are an illusion. It’s a friendly front end to the major sub-system in macOS named TCC (ironically standing for Transparency Consent and Control), which manages an internal database from which those lists are derived.
If you’re using Catalina (or Mojave, for that matter), it’s essential to know how to use the Privacy tab and its lists, as they (partly) determine what apps can access all your protected resources and data. macOS blocks applications and their developers from having direct access to those lists: only the user should control them, although as I’ll show below, that isn’t accurate.
Using privacy lists
As a user, you can add items to
- Full Disk Access, hence indirectly to Files and Folders
- Developer Tools, when enabled.
The only way for apps to be added to other lists, including all the resources like Camera and Microphone, and the most complex of them all, Automation, is when an app requests access and TCC displays a consent dialog. Once an app or other item has been added, lists provide checkboxes which you can use to disable individual access, but only those same three lists allow the user to remove individual items from the list. In 10.15.2, the + and – tools are displayed for the Files and Folders list, but are disabled; it’s unclear whether Apple intends adding that later, or it’s just a bug.
In those lists which let you disable an item by removing the tick from its checkbox, the item remains in the list, and there is no simple way to remove it except by deleting or uninstalling the app, or resetting that entry using
tccutil. The latter can be a very blunt tool, but at last in Catalina allows you to remove rights for specific lists and specified bundle identifiers. I will explore its use in detail in a later article.
Apps are identified by TCC using their bundle identifier, such as
co.eclecticlight.Taccy, but this doesn’t appear to take version into account, or their location in the file system. If you have two different versions of the same app in different folders, both appear to be given the same access by TCC, so long as they have the same identifier, and that matches their signatures.
This could give rise to problems. Assume that version 1.0 of an app contains a vulnerability which enables it to leak data to which it has been given access through TCC and user consent. You then upgrade to version 2.0 which fixes that bug, and you allow that access to your private data. If the two versions have the same bundle identifier, then installing version 1.0 results in it automatically being given the same access as version 2.0. This can be made the more dangerous by the fact that TCC doesn’t check hardening or notarization, and version 1.0 could have neither protection.
This also emphasises the importance of running only properly signed software. Without a signature, it is all too easy for an app given access to protected resources to have those rights abused by an imposter with the same bundle identifier.
Maintaining the lists
Even if you don’t install many apps or other software, you should make checking these privacy lists a part of your routine checks and maintenance, performed at least once a week. For those who do install and remove products every day, those checks need to be more frequent, and are essential if you ever install any software over which you have any doubt. When you do come across an item which you don’t recognise, or you suspect might not be respecting sensitive data, uncheck it immediately and see whether you’re prompted to re-enable its access.
The biggest problems in these privacy lists arise from the fact that they don’t give an accurate account of what is in TCC’s database. This is worryingly simple to demonstrate. Choose an app which you don’t need to use immediately, and which could benefit from being added to the Full Disk Access list. Select that list in the Privacy tab, click on the padlock icon and authenticate, then click on the + tool and add that app to the Full Disk Access list.
When you select the Files and Folders list, you’ll see that the app has also been added there, as you’d expect. Verify that the app does now have this level of access by accessing some protected locations with it. Then quit the app, and delete it, ensuring that you empty the Trash immediately.
Look at the Full Disk Access list now, and that app has been removed. If there’s another app with the same bundle identifier, you will see that listed in its place, of course, because of TCC’s reliance on identifiers. But in its absence, you’d assume from this list that Taccy.app no longer had any right of access to your protected files.
Now install another copy of the same app, and look in the Full Disk Access list: it has miraculously been given exactly the same access as its deleted predecessor. TCC’s internal database remembered the ‘new’ app by its bundle identifier, and it was granted inherited rights without any requirement for consent.
Apple doesn’t document how long such rules remain in TCC’s database, but the only sure way of clearing out all old rights is to use
tccutil with the appropriate bundle identifier.
Accordingly, when you do want to delete or uninstall any app or other software which has been added to any of the privacy lists, you must first remove it or uncheck it in each of the lists in which it appears. That should at least disable its access in the event that you install another app with the same bundle identifier in the future.
If you forget to do this, the only option which will remove that item from the lists is
tccutil. Apple won’t allow any third-party apps access to the privacy lists or TCC’s database, and won’t produce a more friendly maintenance tool to allow you to clear out old rights so that they can’t be abused in the future.
These features are extensions of those already in Mojave. In the next article, I’ll look at what’s new with Catalina, the protection of common locations such as ~/Documents and removable volumes.