Last Week on My Mac: Children, animals and TCC

As the adage says, never work with children, animals or TCC.* Last week I broke the promise I had made to myself a couple of years ago, and started digging again into what Apple so ironically calls Transparency, Consent and Control (TCC). All the warnings are there: a human interface that sprawls incomplete over two different sections in System Settings, a command tool that can only wipe out settings, and documentation confined to a few presentations at WWDC. Given Apple’s avowed emphasis on the protection of privacy, you’d have thought that ten years would have been long enough for a thorough and explicit guide for developers.

I decided to give myself a gentle start by looking at the one thing TCC’s command tool tccutil seems good at: resetting. For anyone struggling with their privacy controls, this is the one and only answer, to throw away what you’ve got and start again from scratch. That’s a sorry admission for any important and active subsystem in macOS.

When observed in the log, TCC is now busier than ever. Even when running in a lightweight virtual machine (VM), without an Apple ID or iCloud access, and with a minimum of distractions, resetting the whole TCC database creates a sustained flurry of log entries. What puzzled me most, though, were the profuse messages concerning iCloud, when the VM can’t access it because of the structural limitations Apple imposes on VMs. It was then that I rediscovered its infuriating obfuscation, as it first deleted and then restored multiple kTCCServiceLiverpool and kTCCServiceUbiquity services. It’s one thing to refuse to provide decent documentation, but quite another to choose names that are constructed to be opaque, in a subsystem concerned with transparency.
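One way to make sense of that flurry is to tally delete and restore events per service and client, so that records merely churned by the reset stand apart from those that were actually cleared. This is an added example, not code from the original post: the log lines are constructed to resemble `log show` output and are not genuine tccd messages; only the kTCCService names come from the post, and the client identifiers are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, loosely in the shape of `log show` output after a
# TCC reset. These are NOT genuine tccd messages: only the kTCCService*
# identifiers come from the post; wording and client names are made up.
SAMPLE_LOG = """\
2023-03-05 10:01:02.100 tccd[345]: delete record kTCCServiceLiverpool client=com.example.clientA
2023-03-05 10:01:02.101 tccd[345]: delete record kTCCServiceUbiquity client=com.example.clientB
2023-03-05 10:01:02.102 tccd[345]: delete record kTCCServiceCamera client=com.example.clientC
2023-03-05 10:01:03.200 tccd[345]: restore record kTCCServiceLiverpool client=com.example.clientA
2023-03-05 10:01:03.201 tccd[345]: restore record kTCCServiceUbiquity client=com.example.clientB
"""

# Keys only on the action word, the kTCCService identifier and the client;
# the rest of the line layout is irrelevant to the tally.
LINE_RE = re.compile(r"\b(delete|restore)\b.*?\b(kTCCService\w+)\b.*?client=(\S+)")


def summarize_churn(log_text):
    """Count delete/restore events per (service, client) pair."""
    counts = defaultdict(lambda: {"delete": 0, "restore": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            action, service, client = m.groups()
            counts[(service, client)][action] += 1
    return dict(counts)


def classify(log_text):
    """Split records into those merely churned (deleted then restored)
    and those left cleared after the reset."""
    churned, cleared = [], []
    for key, c in sorted(summarize_churn(log_text).items()):
        (churned if c["restore"] >= c["delete"] else cleared).append(key)
    return churned, cleared


if __name__ == "__main__":
    churned, cleared = classify(SAMPLE_LOG)
    print("churned:", churned)
    print("cleared:", cleared)
```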

I first reported these obfuscated names back in September 2018, when looking at some of Apple’s bundled apps in macOS Mojave. Not only did the Books app then claim access to the Camera in its public entitlements, but its private claims included kTCCServiceLiverpool. By the time I looked back at the protection of location data in March 2020, it seemed to have become generally accepted that the Liverpool service was for private access to location data. A couple of months later, I even made that association in Saturday Mac riddles episode 46. Here, staring me in the face, was ample evidence that kTCCServiceLiverpool has nothing whatsoever to do with location data, something established way back in 2016, but still undocumented.

TCC is one of the few subsystems where major third-party developers have been caught cheating. Back in the summer of 2016, Phil Stokes revealed how Dropbox was abusing TCC’s database to change access to its Accessibility control without the user being informed or giving consent. Not only that, but at the time the Dropbox app forged an authentication dialog in order to trick the user into providing their password. Apple closed that TCC loophole in macOS Sierra, and seems to have been in a huff ever since.

Those who know TCC best now are security researchers, who have found it a rich source of vulnerabilities. Seeing its current complexity, that’s hardly surprising. If Apple can’t see its way to documenting TCC, perhaps it could offer those researchers bounties for doing the job. After all, I wouldn’t think for a moment that Apple is relying on the security of TCC being achieved by means of obscurity.

Sometimes writing documentation is an excellent way of taking stock. It could draw attention to the great and ever-increasing complexity of TCC and inspire the design of a better way. With privacy certain to have a central role in Apple’s future operating systems, wouldn’t it be worthwhile embedding more support for it at the file system level? Apple is in an increasingly good position to do that with APFS, now that the number of those still using HFS+ with current macOS is falling, and everyone using a recent version of macOS is required to boot from APFS.

The switch to System Settings also provides an excellent opportunity to improve the user interface to these privacy controls. At least we can now expand its window vertically and see all those categories exposed in Privacy & Security without constantly scrolling. But this is let down by continuing conflicts between Full Disk Access and Files and Folders, and by its iCloud controls in System Settings > Apple ID > iCloud Drive > Options, where apps are unhelpfully listed in random order in a small window of fixed size.

While I’m sure that none of us would want to compromise Apple’s engineering effort to protect our privacy, now would be a very good time to document, design for its future, and improve its human interface.

* apologies to W.C. Fields, who coined the original.