hoakley January 26, 2020 Macs, Technology

Last Week on My Mac: When more security subverts security

You’d think that adding more security measures to your Mac would make it more secure. Last week I learned that, in some circumstances, it doesn’t. In fact, if those added security measures aren’t carefully thought out, they can lead you to behave recklessly, and effectively disable the primary defences in macOS. Without your being fully aware of what you’re doing.

This all arose with several who, in trying to use my free apps, found that they couldn’t open them successfully on their Macs. In most cases – and these are now the most frequent cause of support problems here – these Macs are running Little Snitch, the excellent software firewall which is intended to prevent unwanted software and malware from ‘phoning home’. In essence, when these users tried to open one of my apps as a new install or update, Little Snitch was blocking the app by preventing it from completing its ‘first run’ checks.

Apple has progressively increased the extent and depth of these ‘first run’ checks on apps which are downloaded to your Mac from all software suppliers apart from Apple and its App Store, to make them more comprehensively protective. With Sierra, it introduced app translocation (officially known as Gatekeeper Path Randomisation), which in certain circumstances means that the first run of a freshly downloaded app occurs from a special temporary location. This is to prevent a malware behaviour known as ‘repackaging’, and has been judged an effective measure by many Mac security experts outside Apple.

In Catalina, ‘first run’ checks are even more extensive. They include a deep signature check and assessment of that app’s notarization, both of which will normally involve macOS – not the app – checking the app’s credentials with Apple’s servers. Although Apple is only just about to enforce it fully, notarization brings another important security measure: as of next month (February), all apps which are freshly notarized are also required to be hardened, which brings with it additional protections when the app is running.

The consequence of all this protection should be that any app you download which passes all its first run checks – translocation (where applied), full signature check, notarization check, hardening (required soon for all notarized software), and the concomitant XProtect malware scan – should have an extremely low probability of behaving maliciously, or of being vulnerable to manipulation by malicious software. These are the primary defences in macOS against malware, and apply to software which is transferred by relatively non-secure local mechanisms such as AirDrop too.

As I and many others have pointed out, these all rely on a gentleman’s agreement, for a quarantine flag to be attached to downloaded software. There are rumours that Apple intends closing the loopholes in this: for example, it is well-known, and commonly exploited by malware, that downloading software using the tool curl is outside this agreement, and doesn’t result in a quarantine flag being attached, so bypassing all first run checks.

The user is also free to strip, or clear, the quarantine flag on any downloads that they wish. This provides a way round situations in which items which are correctly put into quarantine, but which the user knows can’t pass first run checks, can still be used when there is no better solution. But stripping a quarantine flag should always be a last measure, and should never be undertaken lightly because it does significantly increase risk.

So what has any of this to do with Little Snitch and running my apps?

My apps and command tools (those which are compatible with Catalina) are all fully signed and notarized, and most have been for more than a year now. Before I Zip up any of those apps and tools for distribution, I attach a quarantine flag and run them in macOS 10.15.2 from a non-application folder on a removable volume, to verify that they pass first run tests. I have also tested many specifically to ensure that they work fine with app translocation, and they do.

I go further than that. Mindful of the fact that, once an app has cleared its first run, its signature is normally never checked fully again, each of my apps checks its signature properly whenever it starts up. This gives you the added assurance that it hasn’t become damaged, either accidentally or as a result of malware. Unfortunately, verifying its notarization isn’t as quick and simple, so the apps don’t attempt to do that.

I have also introduced a simple mechanism by which each app checks whether it is up to date, and offers to download a more recent version when one is available. This involves connecting to my GitHub server and reading a Property List there; where an update is downloaded, this is performed through your default web browser, so that you still have the benefit of its full protection, including the attachment of the quarantine flag so that the downloaded app undergoes full first run checking when you open it.

I have looked very carefully at using the commonly-used Sparkle mechanism for providing updates. This has an option whereby the update is installed without a quarantine flag, but to do so requires high confidence that your update server is completely secure. While this blog is served by Automattic, I can’t put my hand on my heart and promise you that it will remain completely secure, nor do I have any ability to assess its security for serving updates. I would therefore have to pay for a proper secure server, and keep a very close watch on its security, if I were to consider adopting Sparkle’s approach and bypassing first run checks.

In any case, Sparkle only works with updates. No new install of any software downloaded from the Internet should ever bypass first run checks, as doing so blocks the user from receiving any of the benefits of the macOS primary defences, and would allow your Mac to run unsigned, non-notarized, unhardened software with only a quick check by XProtect (in Catalina). Whilst you may wish to do that on occasion, that must be a conscious choice on the part of the user, following careful assessment of the risk.

Bear in mind the fact that software update servers are attractive targets for bad actors. Just over a couple of years ago, a quite substantial and reputable Mac commercial developer had its servers hacked to deliver malware to customers, and every few months another online source of Mac apps gets subverted. The security benchmark here is the App Store: apps delivered from that don’t undergo first run checks because Apple considers its security to be sufficiently robust to guarantee your safety. Any third-party who wishes to make a matching claim needs to attain comparable standards of security in storage and delivery, and that simply isn’t feasible without charging substantially for your products.

Unfortunately, the security behaviour of my apps can cause problems with Little Snitch, most particularly when macOS translocates them for their first run. This stems from two behaviours of Little Snitch: first, its rules are applied not to software identified by its ID (e.g. co.eclecticlight.CirrusMac) but by the full path to the app. Run a whitelisted app from a different folder, and Little Snitch won’t apply the same rules which you already set for running it from, say, your main Applications folder. The other behaviour which trips innocent apps up is that Little Snitch doesn’t appear to apply any default universal rules which, for example, allow apps to have their signatures and notarization checked against Apple’s servers.

So, what advice is given to Little Snitch users to cope with such circumstances? The only support material which I’ve been able to discover is a blog article dating from soon after the introduction of app translocation, back in February 2017. This recognises the problems which occur when an app is translocated and attempting to pass first run checks: Little Snitch blocks the first run checks, so the quarantine flag is left set, then the next time that user tries to run the app, it is launched from a different location, blocked again by Little Snitch, and so on until you give up trying.

That article makes a clear recommendation to resolve this issue: “Well, the best solution of course would be that app developers properly de-quarantine all parts of their software when downloading updates.” The only way that an app can do this is by removing the quarantine flag which macOS has attached.

The recommendation to the user is: “You can de-quarantine all parts of an application yourself. Just launch the Terminal app (/Applications/Utilities/Terminal.app), enter the following command and press Return:” Followng that, a prototype command is given to remove the quarantine flag, “And after doing that please write a friendly reminder email to the guys that created that app… :)”

Nowhere in that blog article is there any caution given to users that stripping the quarantine flag, as recommended, will bypass all first run security checks run by macOS. Indeed, the description of Gatekeeper given at the start omits any mention of those first run checks, stating merely that “Among other things it makes sure that apps that are in quarantine (= were downloaded from the internet or received via AirDrop) are temporarily moved to a private location when launched …”.

Predictably, online discussions about problems with app translocation and Little Snitch usually recommend stripping quarantine flags, and from what I can see, this has become quite widespread practice. Yet – just as in the blog article – no one seems to be concerned that what they are doing is bypassing macOS’s primary security defences.

Gatekeeper’s first run checks and Little Snitch have quite different security roles. Protections provided by macOS are primary defences, in that they are intended to prevent malware from being run on your Mac in the first place. Although there are circumstances in which Little Snitch could act as a primary defence, it normally only has a secondary role, when you are already running malware which then tries to connect to a remote site to download additional malicious software, or to transfer stolen data from your Mac. Secondary defences are important and valuable, but only insofar as they don’t weaken any primary defence.

I believe that however much we might be sceptical about some features of macOS security, additional security should only enhance that common baseline, and never lead users to bypass the protections afforded by macOS.

Bad actors are well known for exploiting weaknesses in human behaviour, and encouraging users to strip quarantine flags to prevent newly-downloaded apps from undergoing full first run checks is inviting them to welcome malware to their Macs. Putting pressure on Mac developers to adopt update methods which rely on server security is also an excellent way of encouraging attacks on those servers, and the delivery of more malware to unsuspecting Mac users.

That isn’t the end of the story, though. Apple’s documentation of app translocation is, as you’d expect, scant and lacking in detail. In the final minute or so of Session 706 at WWDC 2016, Apple gave a little insight into what triggers app translocation in the first place. All my app downloads consist of a Zipped folder, inside which is the app and various supporting files, usually documentation. What determines whether that app is translocated on its first run is whether it alone is moved into another folder, such as /Applications.

Most users, when they have downloaded one of my apps either as a first install or an update, drag the app from the folder it arrived in and put it in /Applications. When you do that, app translocation will be disabled, even though the quarantine flag remains attached and the app will undergo full first run checks.

If you move the whole folder, or leave it where it is, and then try running the app, it will be translocated. If you happen to be running Little Snitch too, this will become an unresolvable problem, as you will be unable to allow the app first run checks, and every time that you try, as it’s translocated to a different folder, Little Snitch will fail you.

Amazingly, Apple seems not to have got around to explaining this problem to users, sysadmins, or developers, except in those few seconds of a presentation over three years ago, as in the transcript:
“If the user […], if they move the app with something else, then this mechanism does not get turned off. If the user moves the single app by itself, maybe to /Applications, then this mechanism will be turned off.”
This is also explained in Jeff Johnson’s article written shortly after that presentation and his own testing.

If you’ve been using Little Snitch or another firewall and have resorted to stripping quarantine flags to bypass your primary security, so that you can get an app through its first run checks, chances are that all you needed to do was to move the app (alone) to your /Applications folder – indeed, any other folder away from the rest of the contents of that download. This won’t of course work with apps which try to update themselves in place, which can apparently face similar problems.

Perhaps after three years, it’s time for Little Snitch to address some of these issues, rather than recommend users to bypass macOS primary protection altogether. It would also be helpful if Apple would tell users about this, now that software firewalls are becoming so popular.

Further reading

Session 706, WWDC 2016, the only place where I can find this described by Apple
Jeff Johnson’s article detailing translocation behaviour, and again here
Patrick Wardle, who describes how he had to work around the problem
Michael Tsai has an extensive compilation of quotes and links (as always).

I am very grateful (really!) to those users who have contacted me about this problem, particularly Ric Ford of Macintouch. I apologise if my responses have been critical, but hopefully this article explains why.

21Comments

Add yours

1

David B. on January 26, 2020 at 10:56 am

This was a REALLY interesting article, for which I thank you, Commander!

Have you read here?

https://www.bleepingcomputer.com/news/security/10-percent-of-all-macs-shlayered-malware-cocktail-served/

Your comments requested!

David

LikeLiked by 1 person
- 2
  
  hoakley on January 26, 2020 at 12:16 pm
  
  Thank you.
  Although that is reasonably balanced account of what has already been reported elsewhere, there are a couple of major errors which are common to most accounts.
  First, there is absolutely no evidence that 10% of all Macs have been attacked successfully by Shlayer. Given that there must be between 100 and 200 million Macs in active use around the world, there is no evidence that more than 10 million Macs have even been attacked by Shlayer. Kaspersky – which recall makes it money by selling anti-malware products – has claimed that 10% of the Macs which they monitor have come into contact with it. They didn’t give any details of their sample size or distribution, and the ‘average’ Mac user doesn’t run their product. Without that information, I consider their claim to be promotional and alarmist.
  The other more remarkable observation is the screenshot which they show of a Shlayer ‘attack’. Anyone who clicks to download the fake Flash Player update in that obviously bogus window frankly shouldn’t be trusted with a computer. It shouts that it’s fake. At the height of Flash malware, it would have been one of the weaker attempts to con the user. And why is anyone now downloading Flash Player at all?
  Really, if you’re that easily tricked, you’re safer not using the Internet at all.
  Howard.
  
  LikeLike
  - 3
    
    JoseHill on January 26, 2020 at 8:20 pm
    
    FWIW, I didn’t interpret the Kaspersky statement as saying that 10% of Macs had been attacked successfully by Shlayer. Kaspersky’s assertion was that approximately 10% of Macs running a Kaspersky security tool had “encountered this malware at least once.”
    
    I presume the vast majority of these “encounters” were simply instances of the Kaspersky browser plugin recording a visit to a website carrying a Shlayer payload. (I agree that Kaspersky should have provided more detail on methodology and exactly how they were defining “encounters.”)
    
    Given the frequency with which vulnerabilities in even legitimate websites and automated ad networks are targeted by bad actors, I have no difficulty believing that one in ten Macs (or more) have encountered Shlayer-containing websites at least once. That is a very different thing from saying that one in ten Macs have been infected by Shlayer, which I agree would be a preposterous figure.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on January 26, 2020 at 9:54 pm
      
      I don’t know what the Kaspersky article is actually referring to, as it doesn’t explain what it means, and appears to interpret or present it in different ways too. However, my point about it being interpreted is borne out in the Bleeping Computer article which the reader referred to first: it’s headline starts “10% of all Macs Shlayered”, which on any reading is patent nonsense.
      If Kaspersky or anyone is going to start quoting figures, then they must explain exactly what they mean, not leave it to the reader to misinterpret in panic.
      Howard.
      
      LikeLike
5

David B. on January 26, 2020 at 12:56 pm

Many thanks for your thoughts, Howard. Much appreciated.

Perhaps you have already done so, but you may just like to review matters here, too:- https://securelist.com/shlayer-for-macos/95724/

Do YOU use any AV software on your Apple computers?

Did you ever get around to checking out ClamXav from Canimaan Software Ltd? I was surprised when I read their company accounts at Companies House! There must be more than just a few gullible Mac users! 😉

Kind regards,
David

LikeLike
- 6
  
  hoakley on January 26, 2020 at 6:59 pm
  
  Thank you: I read that article when it was first published, and still haven’t a clue what its 10% means, but it certainly isn’t 10% of all Mac users, which it has been interpreted as meaning.
  Yes, I do use anti-malware from time to time, when I consider that I may have been at risk.
  We have discussed ClamXav previously. It’s not a product that I know, nor have any particular interest in, but I would caution you not to write anything about it which might be construed as defamatory.
  Howard.
  
  LikeLike
  - 7
    
    EcleX on January 27, 2020 at 5:32 pm
    
    Thanks. Yes, I know, but I thought that both the older free and the new commercial ClamXav were the same. At least, they are both from the same company.
    
    On the other hand, I think that ClamXav is complementary to Malwarebytes Anti-Malware, which also was a free version and now is commercial and named just Malwarebytes. I mean, they do not detect the same malware: ClamXav takes much longer to scan a disk with many items than Malwarebytes.
    
    Finally, I think that DetectX Swift is also interesting and complemmentery to the other two above. What do you think? Thanks again!
    
    LikeLike
    - 8
      
      hoakley on January 27, 2020 at 8:28 pm
      
      Thank you: I haven’t used ClamXav for many years, but have used DetectX Swift, and know its author. I also recommend it.
      Just don’t think of using Avast at the moment 🙂
      Howard.
      
      LikeLike
- 9
  
  EcleX on January 27, 2020 at 3:49 pm
  
  Do you mean that ClamXav es useless. I thought that it was the best Mac anti-virus. Which one is considered the best for Mac? Thanks!
  
  LikeLiked by 1 person
  - 10
    
    hoakley on January 27, 2020 at 5:03 pm
    
    I have used ClamXav in the past – you may recall there was a neat freeware package which had a Mac GUI for many years. The underlying anti-virus engine is well-proven and effective, although it has generally been higher rated against Windows malware than macOS.
    The product which David is referring to is a commercial one based on ClamXav.
    My favourite macOS anti-malware product is Malwarebytes: I know the people, and have used the product whenever I suspect I might have malware around. It is very effective and extremely well supported, and is the product which I recommend for most users. Corporate requirements are different, of course.
    Howard.
    
    LikeLike
  - 11
    
    EcleX on January 27, 2020 at 5:35 pm
    
    Oops! I tried to reply to your post starting with “I have used ClamXav in the past…” but my reply starting with “Thanks. Yes, I know…” went further up, and I cannot change it!
    
    LikeLike
  - 12
    
    EcleX on January 27, 2020 at 11:33 pm
    
    Off-topic, but wow!
    
    Eclectic Light Company Founder Dr. Howard Oakley – TMO Background Mode Interview
    https://www.macobserver.com/podcasts/background-mode-howard-oakley
    
    LikeLiked by 1 person
    - 13
      
      hoakley on January 28, 2020 at 5:33 pm
      
      All I can do is blush!
      Enjoy,
      Howard.
      
      LikeLike
14

Valdo on January 26, 2020 at 1:11 pm

I experienced in the past the issue with translocated app on LuLu. Allowed the first run from the temporary location then also the next run from stable location and deleted the first run from LuLu rules.
What I don’t understand are the security changes from 10.15.1 to 10.15.2.
I tried to install AESCrypt with Open to previous version and was a no go. The install to 10.15.2 was successful….!?

LikeLiked by 1 person
- 15
  
  hoakley on January 26, 2020 at 7:00 pm
  
  Thank you – that’s interesting to know. Another article is coming in the morning.
  Howard.
  
  LikeLike
16

Valdo on January 26, 2020 at 1:13 pm

…. location THEN also ….

LikeLike
- 17
  
  hoakley on January 26, 2020 at 7:01 pm
  
  Thanks – I have made that correction.
  Howard.
  
  LikeLike
18

J. G. Vía on January 26, 2020 at 3:39 pm

…Adding this problem you describe to others recently you have been exposing, and considering Apple’s poor effort to divulge Catalina’s inner changes… I find a subjacent intention in Mac OS future: a closed system with an exclusive app-shop, being “in the wild” when external devices are connected, and everything like in iOS.
Additional expert profile care needed if you dare to open the hood.
Actualise your OS, install from AppStore, keep folders where suggested, don’t touch anything. It just should work. (If you have a problem with a plugged device, contact its maker).

LikeLiked by 1 person
- 19
  
  hoakley on January 26, 2020 at 7:03 pm
  
  Thank you.
  App translocation in Catalina – as I’ll detail in tomorrow’s article – hasn’t changed for over three years, although it continues to catch users out. Hopefully, tomorrow’s article will be a bit clearer.
  Howard.
  
  LikeLike
20

Valdo on January 26, 2020 at 5:53 pm

@ J.G.
Sorry but as non native English speaking person it is not clear for me if your posting is an Apple appraisal with the specific 30% margin in app store, but maybe I’m wrong.

LikeLiked by 1 person
- 21
  
  J. G. Vía on January 26, 2020 at 9:02 pm
  
  I’m also a non native English user… so perhaps it’s not clear I was being sarcastic (or trying to).
  I know, more or less, where possible Catalina inconveniences are, thanks to the Editor (and other reading). I try to understand if all these deep (often buggy) changes in Catalina are due just to privacy & security protection, and/or if they’re intended to work properly only in a more closed OS in the future.
  I don’t like it; I’m staying in Mojave. I feel every Catalina user is kind of an involuntary beta tester.
  
  LikeLiked by 1 person

·Comments are closed.

Share this:

Related