Last week’s collapse in the stockmarkets as a result of panic over the possibility of a Coronavirus pandemic coincided with a related debate about macOS security. Some well-known commentators had been as bold as to dismiss third-party anti-malware protection as being “almost worthless” for the reasonably careful Mac user. As you might expect, there was a strong reaction from those who make their living from those products and Mac security research.
The debate was sparked off by some surprising claims by one anti-malware vendor that ‘detections’ in macOS were high and rising. Unfortunately the figures provided beg so many questions that haven’t been answered that it’s still unclear exactly what these observations might mean. They’re a part of what some see as scare tactics being used to sell products that the great majority of Mac users don’t actually need.
As usual, there’s some truth in both sides. Strictly speaking, true malware remains an uncommon problem among those using macOS, although recently targeted groups such as traders in cryptocurrencies may have suffered a different experience. What is undoubtedly a more common problem, even among experienced and cautious users, is what we euphemistically call PUPs – potentially unwanted programs.
I write the Genius Tips section for MacFormat magazine, and answer all the questions sent in by users. Volumes and topics ebb and flow, but one consistent type of question that I get comes from those who have discovered that they’ve unwittingly installed a PUP. Such questions probably account for between 2-5% of all those I receive. That’s not a careful statistical analysis, but gives a good idea that PUPs are hardly uncommon. The troubles these cause are legion, but users often report poor performance, abnormal browser behaviour, and similar. PUPs are intrusive, impair normal function, and their effects can be severe. An excellent detailed account of them has been given by Thomas Reed of Malwarebytes.
Unfortunately, Apple chooses not to inform Mac users of whether the security protection built into macOS – XProtect and MRT in particular – does detect or remove the most common PUPs, but from my observations of user questions it doesn’t appear to. There are legitimate issues here: what I consider a PUP its authors no doubt view very differently. It’s much easier to define and tackle ‘proper’ malware than apps which operate on the boundary between annoyance and malice. PUPs are also far more adept at changing to evade detection, and can quickly alter their behaviour. That in turn makes them high risk: an app which one day behaves as a PUP could tomorrow start installing thoroughly malicious software.
Maybe Apple is concentrating its efforts on making notarization an acid test, although the same questions arise over whether PUP behaviour could or should trigger the Notary Service to reject the app. I’d be interested to know how many current PUPs are legitimately signed, or are even notarized.
Apple should be more transparent about this. One very good reason for a user choosing to pay for third-party protection is the lack of information provided about what Apple’s tools do. When it comes to security, bland assurances of protection are now worthless to those Mac users who take security seriously. We’re long past the day when a verbal pat on the back is sufficient. Who should you trust more: the third-party vendor whose articles explain which PUPs and malware their product detects and removes, or Apple’s generic statements about detecting “known malware”? And what does macOS do about PUPs?
Equally, third-party vendors of security products do try to scare users into becoming customers. I don’t know of an industry sector which doesn’t, to some extent, oversell its products. There’s the occasional refreshing contrast: some decades ago, a (real) estate agent in the UK took to advertising deliberately derogatory descriptions of the houses they were trying to sell. They wrote of properties being dingy and in desperate need of improvement, with grim views over other tumbledown cottages in rural squalor, and so on. This comical downspeaking proved highly successful, for a while at least. But I doubt whether any modern vendor would have the guts to try such a strategy, particularly with security-related products.
The other, more serious problem that third-party vendors need to face up to is that some of their products do more harm than good. In some cases this results from taking high-risk strategies with macOS that all too easily cause conflicts. In others their failure to emphasise the overriding importance of human behaviour can lead users to risk compensation: you’ve got ‘the best’ anti-malware protection, so can’t get infected, no matter how bad your browsing habits are.
My biggest concern with security and the protection of macOS is that it’s all a bit like the late Mad magazine’s Spy vs Spy. You’d have thought that Apple’s security researchers would be in regular contact with those outside, pooling their information about threats, and co-ordinating strategies to tackle different types of malware and PUPs. You’d probably expect Apple to be a corporate sponsor of the Objective by the Sea Mac Security Conference, and that its engineers and experts would present sessions there. After all, if Coronavirus isn’t going to become a pandemic like the 1918-19 influenza, that’s the sort of collaboration which has to happen. Without that, world stockmarkets really should be panicking.
Strangely, although Apple isn’t competing against third-party vendors of security products, all that I hear is that Apple shuns those researchers as if they had the plague. I’m still trying to understand how that could possibly benefit the user.
May you remain free of Coronavirus and PUPs.