hoakley January 3, 2021 General, Macs, Technology

Last Week on My Mac: Fessing up

If you’re using Catalina or Big Sur, you should by now only be obtaining apps from four sources: those delivered by an Apple installer or update, any you get from the App Store, notarized apps from other online sources, and those you build yourself. We’re assured that those sources are all deemed ‘safe’.

Apple reviews App Store apps in detail, but there’s been a long succession of apps which have pulled tricks such as sending private data to their servers, presumably to be sold on to others. However carefully Apple might try to check apps during review, developers who are determined enough seem able to get away with it, at least until someone exposes what they’re doing.

appstoreprivacy

One recent positive change has been the requirement to provide details of App Privacy, although that doesn’t come into effect until the next time that app is updated, so you’ll see few doing this just yet. It’s also entirely up to the developer how honest they are about their “privacy practices and handling of data”. That presumably means that we’re left to police each developer’s accuracy and compliance ourselves.

Notarized apps are even more difficult. As I’ll explain later this week, notarization seems primarily about early detection of malware. Among the few requirements of every notarized app is that it opts in to a hardened runtime, which is intended to provide robustness in the face of attack by malware. This is controversial, and in any case, although all notarized apps have to opt into this, they’re also allowed to opt out of most of its requirements.

Only this week, security researcher Csaba Fitzl @theevilbit uncovered what he considers to be a vulnerability in Streamlabs OBS, which is a consequence of it opting out of the full hardened runtime. That got me thinking how little information we provide users about security and privacy aspects of our apps, and whether we should all be more forthcoming. This didn’t go down well, as it seems accepted that even advanced users know almost nothing about the hardened runtime, which I fear is probably accurate, and true of many developers too.

It seems that we like things clear and simple. If it’s an App Store app, we know it runs in its sandbox and has been reviewed by Apple, so it must be secure and not raise any privacy concerns? If it has been notarized, it has a hardened runtime (whatever that might be) and has been checked by Apple for malware, so it must be secure and not compromise our privacy?

I think such faith is badly misplaced, as has been demonstrated so often by security researchers like Csaba Fitzl.

Many users, thanks to tools like Little Snitch, are now becoming much better-informed about some aspects of the security and privacy of the apps they use. Every so often, I get an email from someone who has discovered that SilentKnight, or another of my apps, appears to phone home, or at least to my GitHub server. I have actually documented that app’s online behaviours, including explaining its connection to my GitHub server, and why it does this, but it’s now common for us to ask questions rather than spend a little time checking in the documentation provided.

I’m beginning to wonder if I shouldn’t be adding clear statements on what security vulnerabilities each app might have, such as opt-outs to the hardened runtime, and what protection there is for your privacy. These are reasonable if not important questions for users to ask.

Does SilentKnight, for example, upload any information it has gathered about your Mac? Without going to the lengths of inspecting all its packet exchanges with the GitHub server, it’s very hard for a user to find out. Opening its source might allow some to verify that it doesn’t in fact upload any data at all, and that I don’t even know whether it’s a Mac which has asked for an excerpt from my databases (which you can also access and inspect if you wish). But for the great majority of users, open source is actually a closed book. Trying to grok someone else’s source code is often little easier than reversing it, another skill confined to a tiny proportion of users.

I’d like your opinion on this. Would a clearly worded explanation of an app’s security and privacy be of value to you? Or would it, like most other documentation, just be ignored? In the event that my promised account of the hardened runtime changes your views, you’re welcome to revise your opinion, of course.

23Comments

Add yours

1

Alex on January 3, 2021 at 8:37 am

Is there an app that you can run that might break down if an app is or has a “hardened runtime”?

LikeLiked by 1 person
- 2
  
  hoakley on January 3, 2021 at 10:28 am
  
  Yes: my own Taccy reports hardening, and the various flags indicating opt-outs, although the latter are a bit technical. That’s another issue I want to consider here.
  Howard.
  
  LikeLike
3

jeremyc99 on January 3, 2021 at 9:07 am

Personally I would not certainly not expect any app I downloaded from this site to require scrutiny. So any documentation would be wasted on me. Until now I was not even aware what a hardened runtime was. Ignorant mere users like myself need educating. The depth and breadth of what I am finding out through my daily visits here are invaluable and enlightening.

LikeLiked by 1 person
- 4
  
  hoakley on January 3, 2021 at 10:32 am
  
  Thank you.
  I don’t think ‘ignorant’ is fair, but am delighted to help enlighten where I can.
  Howard.
  
  LikeLike
5

Bryan Christianson on January 3, 2021 at 11:00 am

I provide documentation with applications that I write, but I’m also probably the only person who ever reads it. I once added ‘peel the potatoes and boil for 20 minutes’ into the middle of a how-to – never received a single WTF about that.

These days people prefer to ask by email, in forums etc before reading/searching documentation. Those of us who do use the documentation I think, are mostly relics of the pre-internet era when all we could do was read the books that came in the box with the software.

That said, I don’t think it hurts to include a privacy statement in documentation. I just woudn’t count on anyone reading it.

LikeLiked by 1 person
- 6
  
  hoakley on January 3, 2021 at 7:30 pm
  
  Thank you, Bryan. My experience is similar. However, one benefit in having thorough documentation is that when someone asks me a question, I can refer to it and copy what the docs say in response.
  Howard.
  
  LikeLike
7

jeremyc99 on January 3, 2021 at 11:09 am

Perhaps a ‘run on first execute splash screen’ might be a route?

LikeLiked by 1 person
- 8
  
  hoakley on January 3, 2021 at 7:31 pm
  
  Thank you.
  That seems a popular suggestion, although I find splash screens tend to get ignored in these days when you may also be clicking macOS dialogs for a while, so many will just click through them.
  Howard.
  
  LikeLike
9

ErikEL on January 3, 2021 at 5:30 pm

I guess your Hippocratic oath (of ethics) doesn’t apply to the software you so kindly develop for the interested Mac users, unfortunately. So we may have to look for something else 😉

More seriously, I would welcome a statement in a splash screen (or similar) which states that the app doesn’t collect any data or, if it does, a high level statement what it collects with a reference to further explanation in the documentation. I would also prefer the statement to honour the spirit of what privacy means rather than legal mumbo jumbo which would make it difficult to understand (but perhaps stand up in court, if you know what I mean).

LikeLiked by 1 person
- 10
  
  hoakley on January 3, 2021 at 7:35 pm
  
  Thank you.
  Whatever is provided, it must be clear and understandable, and reasonably succinct.
  Howard.
  
  LikeLike
11

Javier Gallardo on January 3, 2021 at 9:26 pm

Your article made me think about how software and platforms are functioning now, and how iOS is also dealing with privacy and security info.
I think, yes, info should be given just by routine, even if user doesn’t pay attention to it. I think it’s the honest way, something legal related in a mild sense, like a handshake. It’s also a defense move made in advance by developer, I think.
Just for knowledge, perhaps needed later, or not from user but a technician… info should be easy reachable. But it should be unobtrusive, quick to dismiss but with a link to clear details.
(I think Apple will implement something like that, as is doing, simpler, in iOS).

LikeLiked by 1 person
- 12
  
  hoakley on January 3, 2021 at 10:20 pm
  
  Thank you.
  Howard.
  
  LikeLike
13

Dan on January 4, 2021 at 2:21 am

Great idea. It got me thinking that all apps should have disclosures available via their About menu or similar. Could also display on first launch (with instructions to find them again). Many will click through without reading, but someone who uses a tool like Little Snitch would know how to find them.

LikeLiked by 1 person
- 14
  
  hoakley on January 4, 2021 at 9:25 am
  
  Thank you.
  Howard.
  
  LikeLike
15

Jan Steinman on January 4, 2021 at 2:34 am

I’m glad you brought up Little Snitch, one of my favourite tools!

What would be cool is if Objective Development published an API with a callback, so that an application that found itself being “snitched” could provide something for Little Snitch to display, like, “We’re contacting piratezrule.com just to verify that this software doesn’t match the bait that we seeded there. PS: the potatoes should be boiled for 25 minutes, with the peels on.”

But I suppose if a malicious developer were notified they were being “snitched,” they could attempt counter-measures of some sort, no?

LikeLiked by 1 person
- 16
  
  hoakley on January 4, 2021 at 9:25 am
  
  Thank you.
  I’ve just been reviewing the latest version of Little Snitch and will be writing about it here in due course.
  Howard.
  
  LikeLike
17

Bryan on January 4, 2021 at 3:47 am

We should be told about potential security issues and how our data is used. But I think this task should be given to a third party, independent of Apple and developers. Less room for misleading or untruthful advice.

LikeLiked by 1 person
- 18
  
  hoakley on January 4, 2021 at 9:27 am
  
  Thank you.
  I don’t see any third party stepping up to do this, I’m afraid. But much of the security information is straightforward to verify. Privacy is a bit more difficult, though.
  Howard.
  
  LikeLike
19

Matt on January 4, 2021 at 4:08 pm

I’m one of those rare folks who bothers to at least scan the Terms of Service and Privacy Policy of a thing before I sign up for it. When doing so, I often decide I don’t agree and don’t sign up. I think a good explanation of security and privacy would be valuable to me for two reasons. The first is it would help me understand the app better. The second is it would improve your reputation. (Your rep is already very high, don’t worry.)

When I read a privacy policy, in the back of my mind I always wonder how much can I trust what I read? There’s no trusted authority verifying the accuracy of a privacy policy. I don’t think Apple is verifying anything with the new App privacy policy ‘nutrition labels.’ At the end of the day, it all comes down to trust. I trust Agile Bits and I use 1Password. I trust Objective Development and I use Micro Snitch. A clear explanation of an app’s security and privacy considerations is trust worthy behavior. That’s a valuable currency.

LikeLiked by 1 person
20

Panda Mery on January 6, 2021 at 1:03 pm

As I’ve been reading your blog for a while and used some of your tools, a trust relationship has developed (which also means that if you were to release some truly evil tool I’d likely fall for it).

However ‘a clearly worded explanation of an app’s security and privacy’ would still be of value for two reasons: a) it’s a clear commitment on your part and b) more importantly it would help give confidence to another user when I recommend one of your utilities. These users new to your work have only my recommendation to go on, having a commitment they can check _before_ downloading and installing the utility would reassure them and possibly accept my recommendation.

Talking of documentation, I don’t find the current syste convenient. Having a separate documentation file means that I need to keep a directory structure for the tools you developed I downloaded. Currently I’ve kept the structure as per the zip name, which means I need to delete a directory and add a new one (that’s automatic) for each new version. As many/most of your tools have an update mechanism now, this organisation defeats that purpose and is overly complicated. Ideally there would just be the one app file with the documentation either integrated in the app or accessible from the app on a website. Also I’m often more interested in checking the documentation when using the app so having it there makes more sense.

LikeLiked by 1 person
- 21
  
  hoakley on January 6, 2021 at 1:14 pm
  
  Thank you.
  I have a surprise: in each app (there are a couple of minor exceptions still), if you go to the Help menu, you’ll find that app provides full help information, just as in the separate file.
  I normally enclose the app’s Help book as a separate file to save users having to look through the app’s contents if they want a separate copy. In most cases now, the Help file in the app’s bundle is exactly the same as that in the Zip archive. So you can do away with all those folders if you wish.
  Howard.
  
  LikeLike
  - 22
    
    Panda Mery on January 6, 2021 at 1:15 pm
    
    Thank you for that surprise!
    
    LikeLiked by 1 person
    - 23
      
      hoakley on January 6, 2021 at 4:51 pm
      
      It’s my pleasure. Enjoy!
      Howard.
      
      LikeLike