hoakley June 18, 2023 Macs, Technology

Last Week on My Mac: Lies, notarization and privacy

I suppose I shouldn’t have been surprised that emails claiming to be from my internet provider turned out not to be phishing but yet another lie. When their subject promised “email security is being improved in a weeks time” what it actually meant was that the provider was going to block all access using POP/SMTP and IMAP, and force me to use Office 365 on the web. And have the gall to tell me how much better that will be.

Why do so many – politicians, social media moguls, huge businesses – lie through their teeth in this way?

Its effect is corrosive, and leads us to doubt everything and everyone, even Apple. For the week after WWDC has once again been a time when anxious Mac users have been asking whether the next version of macOS will still allow apps that don’t come from the App Store and haven’t been notarized. Yet others have been telling me how Apple is moving inexorably to requiring all apps to be both sandboxed and notarized.

While no one at WWDC mentioned anything about these, could Apple be about to spring a surprise? After all, it hasn’t yet published its annual update to the Platform Security Guide, so reading between the lines, app security could well be set for a shocking change. Apple is then going to tell us how these changes are all to our benefit, just as my internet provider writes that losing useful access to my email service is an improvement in security.

Having watched my way through several of the security and privacy sessions at this year’s WWDC, I can confirm that Apple hasn’t announced any tightening of requirements for notarization or sandboxing. These currently amount to:

macOS requires that executables are signed (at least on Apple silicon Macs), but that can be ad hoc, and doesn’t require an Apple signing certificate.
Apps and other executable code distributed by developers must be fully signed and notarized, but normally there’s no requirement for sandboxing.
Apps and other executable code distributed through the App Store follow the Store’s rules for sandboxing (required) and signing (by Apple).
Hobbyists and others who aren’t developers aren’t required to sign with Apple certificates, or to notarize. However, those apps and other executable code should only be distributed personally, not online, and those who use them should be made fully aware of their vulnerabilities.
Distributing source code for others to compile and build is fine, provided everyone is aware of the risks involved.

My next step was to test this using one of my own apps. There are some catches for the unwary here, now that macOS relies on several different forms of identification for executable code, including the app’s bundle identifier (e.g. co.eclecticlight.myapp) and code directory hashes (in the signature). My test app is based on my own DelightEd, with a different identifier, and substantial change in its code to ensure different cdhashes.

I first created an unsandboxed, un-notarized, unhardened test app with a new bundle identifier, and signed it using my developer certificate. This is how we used to build apps for distribution before the introduction of notarization.

I then made a copy of that signed app, stripped its signature using codesign, and re-signed it using an ad hoc signature. This is how non-developers used to build apps before the introduction of notarisation, with the addition of ad hoc signing to satisfy the requirements of Apple silicon.

Both apps were copied over AirDrop to a test Mac running a beta; using AirDrop ensured that they were quarantined. The apps were then moved into the Applications folder, and the ad hoc signed app was tested first.

Both apps opened as expected, on the second user request using the Finder’s Open command, to ensure the user is fully aware that they aren’t notarized, just as in Ventura. To assess whether this had any effect on their privacy handling, each was then used to open and save files to protected folders including Documents and Downloads. Neither of those resulted in any privacy alerts, nor were the apps added to Privacy & Security Settings.

For anyone puzzled as to how an unsandboxed, un-notarized, unhardened and ad hoc signed app can read and write to protected folders without a flurry of dialogs, we have to go back to Apple’s principles on privacy, that the user remains in control and gives their consent. TCC stands for Transparency, Consent and Control, after all.

When an app uses the standard Open and Save dialogs, the user is in full control, and by clicking the Open or Save button actively consents to that action. This normally won’t require any additional privacy settings, nor trigger consent dialogs. For sandboxed apps, there’s a pair of entitlements com.apple.security.files.user-selected.read-only and com.apple.security.files.user-selected.read-write to cover this situation, but apps that don’t run in a sandbox don’t require those. macOS tries to strike the right balance between privacy and practicality.

Until Apple tells us otherwise, I think it’s clear that nothing is changing significantly in sandboxing and notarization that would prevent hobbyists and others who aren’t developers from continuing what they do currently, nor should this hinder the distribution and use of source code. For those who are developers, notarization is more than a formality: it’s recognition of the fact that the last thing any of us would wish on others is for their Macs to be compromised or exploited.

19Comments

Add yours

1

joestoner49 on June 18, 2023 at 7:13 am

Which IP is forcing you to use Office 365 Howard?
ATB
Joe

LikeLiked by 1 person
- 2
  
  hoakley on June 18, 2023 at 7:31 am
  
  BT Business, btconnect.com, in cahoots with Microsoft of course.
  Howard
  
  LikeLike
3

Andrew Reilly on June 18, 2023 at 7:26 am

I hope that you can change service providers! Blocking the email or, indeed, any ports would be a red-line for me. I’ve not heard of any local (Australian) ISPs going down that route. Best of luck.

I appreciate the care that Apple is going to, for (our) security. It’s a far cry from the old days of just running whatever code was executable. Reflects both a vastly increased prevalence of executable code and a vastly more malicious environment, I think. (Remembering, always, that a sufficient quantity of incompetence is indistinguishable from malice.) I do still run an old-school Unix system, with none of these protections, but I am also acutely aware of everything that can run on it: nothing runs on it by accident.

LikeLiked by 1 person
- 4
  
  hoakley on June 18, 2023 at 8:54 am
  
  Thank you. So far I’m running fine with forwarding.
  Howard.
  
  LikeLike
- 5
  
  kapitainsky on June 18, 2023 at 9:01 am
  
  BT provided connection is not blocking any ports.
  
  What they started doing though is not to allow to connect over POP/SMTP and IMAP to their email server. Email address (@btconnect.com) comes as a perk when you get BT connection.
  
  LikeLiked by 1 person
  - 6
    
    hoakley on June 18, 2023 at 9:03 am
    
    A perk? You’re joking I hope. These are expensive connections sold as business solutions including the email service.
    Don’t get me started!
    Howard
    
    LikeLiked by 1 person
  - 7
    
    Andrew Reilly on June 18, 2023 at 10:53 am
    
    Telstra (AUS) threatened to pull that stunt about ten years ago. I believe that there was a _lot_ of push-back, and I think that they relented and changed the outlook option to opt-in and kept running a proper mail service as well. In any case, my email stayed available over IMAPS+SMTP, but SMTP switched to the submission port with SSL and authentication, as it should be.
    
    And no, an ISP email service is part of the package: not a “perk”. The nature of the modern email environment makes it near-impossible for non-infrastructure client systems to run SMTP services. Needs things like static IP, reverse DNS, and a bunch of signed DNS records, and to not run foul of RBLs. Not a trivial exercise.
    
    (Used to be that ISPs also provided NNTP service, as a rule, but those days are long gone.)
    
    LikeLiked by 2 people
    - 8
      
      kapitainsky on June 18, 2023 at 6:31 pm
      
      Got it. I used BT for some time but always thought that nobody really uses their email service for anything serious – why to get into something making me changing ISP painful? (of course it is great for BT) It is just utility provider – like electricity or gas. For me it was like buying car and then signing for life to refuel only on XYZ petrol station.
      
      LikeLiked by 1 person
    - 9
      
      hoakley on June 18, 2023 at 8:13 pm
      
      We started with BT as our ISP before ADSL was available here, with their satellite service, the first alternative we had to dial-up. For many years they were the only ISP here, and the only one that offered a business connection and services until just a few years ago. I do have alternative email accounts elsewhere, but BT’s was the only worthwhile choice in the days when we had to use satellite.
      Their business service is otherwise excellent, although because of geography we can only get fibre to the cabinet.
      What has most shocked me about this is there is no alternative on offer: a good business might try this sort of trick and offer an additional subscription, but in this case they can’t even migrate custom domains, or support Office 365 apps with 0Auth 2 authentication (for which I already have a subscription). It’s a complete cock-up on their part “to improve security”.
      Howard.
      
      LikeLiked by 1 person
    - 10
      
      Andrew on June 18, 2023 at 9:53 pm
      
      That “for security” line must be something that Microsoft pushes quite hard. It’s the argument that my workplace (a Microsoft Enterprise-using shop) always provided for not enabling IMAP access to the work email server. The only reason I’ve been able to figure out (because IMAPS + SMTP-submission are fully secure in the network communication sense) is that the ActiveSync access protocol provides them with a “kill switch” that should delete mail from the client when commanded. I can see why a company would want that, but not a host of client email.
      
      LikeLiked by 1 person
    - 11
      
      Andrew on June 18, 2023 at 9:43 pm
      
      You can guard against the lock-in effect by having your ISP host your (business) email under your domain name, rather than theirs. However what you describe is certainly the “modern” thinking. Unfortunately, like a lot of those sorts of unbundling exercises, it has resulted in a much higher concentration of email servers: these days if you’re not a gmail, you’re an icloud or outlook, most likely. The free ones are mapping your contacts network (if it’s free, you are the product). I’ve noticed that DNS registrars have taken on the role of providing mail hosting for their clients, which makes a bit of sense too. I’m old fashioned: I like the ties to the past that my ISP address provides. It dates from the very early days of cable service, nearly 30 years. I did have to lose my previous dial-up ISP’s email address, which was much less painful then than I imagine it would be today.
      
      LikeLiked by 2 people
    - 12
      
      hoakley on June 18, 2023 at 10:14 pm
      
      Actually, those are the users who have fared worse. I have just three accounts to set to forward email to two other accounts, while those with their own domains have the problem for every single mail user. They’re being offered a ‘service’ to do this for them, costing £149, but it’s vastly oversubscribed, with a waiting list of weeks, and those who have been through the process seem to be reporting that it doesn’t work, and they lose all their mail accounts.
      This ISP isn’t my original provider: I was one of the early adopters (just outside the first 100) of the ‘tenner a month’ Demon service, where I had my own subdomain and email way back in the days of dial-up.
      Howard.
      
      LikeLike
    - 13
      
      kapitainsky on June 18, 2023 at 10:01 pm
      
      yes but when you already own and pay for e.g. eclecticlight.co domain I do not understand why to use @btconnect.com unless of course legacy. I can move my domain to my own server if I want or can pay a bit to host it somewhere – but if not happy just move keeping my email address. It is all a bit off topic from main subject of this post but still fascinating. “If it’s free, you are the product” is true until you realise that your premium provider is doing the same – trying to increase their profit a bit – if not today they will do it next quarter. I have zero trust for this. Be it BT or Apple – TNO (trust no one) is what is only sensible approach when going online.
      
      LikeLiked by 1 person
    - 14
      
      hoakley on June 18, 2023 at 10:20 pm
      
      This domain is one of quite a few I have owned, and I didn’t buy it until I started this blog over 8 years ago. At that time, Automattic/WordPress didn’t offer a mail service, but they do now, so I now have an address @eclecticlight.co, hosted by Titan.
      Funnily enough, I’m just abandoning a domain and hosting service that I’ve been using since before this blog, but I’ve never used that for email.
      Howard.
      
      LikeLike
15

Beatrix Willius on June 18, 2023 at 7:30 am

Holy guacamole on the Office 365. The admin alone is seriously terrifying.

Last year there was a new stupid message “The app wants to make changes” when trying to add a LaunchAgent. This year there is a new stupid message “The app wants to access data from another app.” It’s the same FUD: apps communicate. They have done so in the past. In my case it was a Microsoft app probably trying to tell something to the main app. But because there is no context in the message is just meaningless.

LikeLiked by 1 person
- 16
  
  hoakley on June 18, 2023 at 8:55 am
  
  Thank you.
  Apple has been told repeatedly about those uninformative messages, but seems unable or unwilling to come up with anything better. I suppose it’s up to us to provide Apple support in such matters.
  Howard.
  
  LikeLike
17

Alberto on June 18, 2023 at 9:06 pm

“[…] This normally won’t require any additional privacy settings, nor trigger consent dialogs.“

I do wonder how Microsoft Excel is programmed. If you try to change the current file’s name by clicking on the title bar it will ask permission to write inside the folder where the file is located. I don’t know if it if sandboxed… maybe not? I have installed it from the installer on Microsoft’s website.

LikeLiked by 1 person
- 18
  
  hoakley on June 18, 2023 at 10:01 pm
  
  All the Office apps are sandboxed, and have elaborate entitlements that allow them to do almost anything they could do if they weren’t sandboxed.
  Howard.
  
  LikeLike
19

Michael Tsai - Blog - Privacy and Security in macOS 14 on June 19, 2023 at 1:45 pm

[…] Update (2023-06-19): Howard Oakley: […]

LikeLike

·Comments are closed.

Share this:

Related