Defense in depth: no single layer can always perfectly protect you, so there are multiple layers of security; if any single layer fails, that doesn’t defeat the whole security of the system. Layers can delay the advance of the attacker, reduce the attack surface, and create “choke points” that are easier to defend.
Gatekeeper: designed to protect users from running malicious software, while allowing them to use the software they choose.
What does Gatekeeper check:
does the app contain any known malicious content?
has the software been tampered with since it was signed?
does it meet the security policy configured on the computer?
first launch prompt ⭢ does the user actually want to run this?
On Mojave, Gatekeeper runs the check on the first launch of quarantined software launched via Launch Services.
Quarantine - a technology on macOS for marking files that arrived from some external source (website, AirDrop, iMessage, email)
includes metadata about where the file came from
opt-in - the app has to opt in to this, so e.g. when apps download their own updates they are usually not quarantined, except for sandboxed apps
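The quarantine metadata mentioned above lives in the com.apple.quarantine extended attribute. The following is an added example (not code from the talk) that a defender might use to inventory downloaded files: it parses the attribute's value into its four ';'-separated fields (flags in hex, UNIX timestamp in hex, the agent that wrote it, and a UUID that keys the entry in the LaunchServices QuarantineEvents database). The flag bit meanings are not publicly documented, so they are reported raw; the sample value in the test is constructed.

```python
"""Inventory helper for macOS quarantine metadata (com.apple.quarantine).
Added example, not from the talk. Assumes the value layout
    <flags hex>;<unix timestamp hex>;<agent name>;<UUID>
which is what the attribute looks like on Mojave/Catalina.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int              # raw flag bits; semantics are undocumented
    timestamp: datetime     # when the file was quarantined (UTC)
    agent: str              # application that wrote the attribute
    event_uuid: str         # key into the QuarantineEvents database


def parse_quarantine_value(value: str) -> QuarantineInfo:
    """Split and decode one attribute value; raises ValueError if malformed."""
    parts = value.split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags_hex, ts_hex, agent = parts[0], parts[1], parts[2]
    uuid = ";".join(parts[3:])  # tolerate a stray ';' in trailing data
    return QuarantineInfo(
        flags=int(flags_hex, 16),
        timestamp=datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        agent=agent,
        event_uuid=uuid,
    )


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the parsed attribute, or None if the file has none.

    os.getxattr exists on macOS and Linux; a missing attribute (or a
    missing file) raises OSError, which is treated as 'not quarantined'.
    """
    try:
        raw = os.getxattr(path, QUARANTINE_XATTR)
    except OSError:
        return None
    return parse_quarantine_value(raw.decode("utf-8", "replace"))


def inventory(paths: Iterable[str]) -> Dict[str, QuarantineInfo]:
    """Map each quarantined path to its metadata; unquarantined paths are skipped."""
    result = {}
    for p in paths:
        info = read_quarantine(p)
        if info is not None:
            result[p] = info
    return result


if __name__ == "__main__":
    import sys
    for path, info in inventory(sys.argv[1:]).items():
        print(f"{path}: via {info.agent} at {info.timestamp.isoformat()} "
              f"flags=0x{info.flags:04x} event={info.event_uuid}")
```

Run it as `python3 quarantine_inventory.py ~/Downloads/*` on a Mac; on any other OS every file simply reports as not quarantined. The same fields can be viewed by hand with `xattr -p com.apple.quarantine <file>`.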
Launch Services - a framework for finding and launching apps on macOS, used when launching apps from Finder, NSWorkspace, document handlers etc.
What does not use Launch Services: NSTask, NSBundle/dlopen, exec/posix_spawn.
In macOS Catalina:
all new software must be notarized to pass Gatekeeper
all software is checked when first launched, even when launching through those non-LaunchServices methods
all software (even not quarantined) is checked for malicious content on every launch
“You can always choose to run any software on your system” - there will always be a way to run a specific piece of software that you want to run
“We want to make macOS just as secure as iOS, while still maintaining the flexibility that you’ve come to expect from your Mac”
Platform security is increasingly reliant on validity of code signatures; that means if code has no signature, it’s impossible to detect tampering.
In a future version of macOS, unsigned code will not load by default, so:
sign and notarize all software
don’t modify signed applications and bundles
handle failures when loading libraries
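For the Catalina first-launch checks and the "sign and notarize all software" advice above, an admin wants a repeatable way to confirm an app would pass before deploying it. The following is an added example (not from the talk) that wraps two real macOS tools, `codesign --verify --deep --strict --verbose=2` and `spctl --assess --type execute --verbose`, and parses spctl's verdict. The parser is written against the output shape shown in the constructed SAMPLE_* strings (a `<path>: accepted|rejected` line followed by `source=` and `origin=` lines); extra lines are ignored.

```python
"""Pre-deployment Gatekeeper check. Added example, not from the talk.
Assumes the spctl output layout illustrated by SAMPLE_ACCEPTED/SAMPLE_REJECTED
(constructed samples, not captured from a real machine).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed samples of what spctl prints, used to exercise the parser offline.
SAMPLE_ACCEPTED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMIDXXXXX)\n"
)
SAMPLE_REJECTED = (
    "/Users/me/Downloads/Unsigned.app: rejected\n"
    "source=no usable signature\n"
)


@dataclass
class Assessment:
    accepted: bool
    source: Optional[str] = None   # spctl's 'source=' line, e.g. "Notarized Developer ID"
    origin: Optional[str] = None   # signing identity from the 'origin=' line


def parse_spctl(output: str) -> Assessment:
    """Extract verdict, source and origin from spctl --assess --verbose output."""
    accepted = False
    source = origin = None
    for line in output.splitlines():
        line = line.strip()
        if re.search(r":\s*accepted$", line):
            accepted = True
        elif re.search(r":\s*rejected", line):
            accepted = False
        elif line.startswith("source="):
            source = line[len("source="):]
        elif line.startswith("origin="):
            origin = line[len("origin="):]
    return Assessment(accepted, source, origin)


def gatekeeper_report(app_path: str) -> dict:
    """Run codesign and spctl against a bundle; macOS only.

    A bundle is deployable when the signature verifies (codesign exit 0)
    and spctl reports it accepted with a notarized source.
    """
    try:
        cs = subprocess.run(
            ["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path],
            capture_output=True, text=True)
        sp = subprocess.run(
            ["spctl", "--assess", "--type", "execute", "--verbose", app_path],
            capture_output=True, text=True)
    except FileNotFoundError as e:
        return {"error": f"required tool not available: {e.filename}"}
    # spctl writes its verdict to stderr; join both streams before parsing.
    assessment = parse_spctl(sp.stdout + sp.stderr)
    return {
        "signature_valid": cs.returncode == 0,
        "codesign_output": cs.stderr.strip(),
        "gatekeeper_accepted": assessment.accepted,
        "source": assessment.source,
        "origin": assessment.origin,
        "notarized": bool(assessment.source and "Notarized" in assessment.source),
    }


if __name__ == "__main__":
    import json
    import sys
    for app in sys.argv[1:]:
        print(json.dumps({app: gatekeeper_report(app)}, indent=2))
```

The "notarized" field is derived from spctl's source string; a bundle that is signed but not notarized will verify under codesign yet be rejected by spctl on Catalina, which is exactly the case the first-launch check catches.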
Privacy changes:
Requires user confirmation for:
screen recording
keyboard input monitoring
Requires confirmation for access to:
Desktop, Documents, Downloads
iCloud Drive and third-party cloud storage
Removable and network volumes
But:
*not* required for creating new files, only for reading existing files
tries to understand intent, e.g. doesn’t ask if the user double-clicked a file in Finder, dragged and dropped it, or used an open/save panel
declare handled CFBundleDocumentTypes with NSIsRelatedItemType to e.g. automatically have access to a subtitles file when opening a movie file
Purpose strings are accepted, but not required (NSDesktopFolderUsageDescription etc.).
Open and save panels always run out of process. Be careful with:
Checking for readability without triggering a consent dialog: isReadableFile(atPath:), isWritableFile(atPath:), access().
Apps and other binaries that have previously been denied access to some kind of directory now appear automatically in the “Security & Privacy” access list, unchecked.
Full disk access now required for access to Trash (except files that your app has moved there).
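The readability caveat above is easy to get wrong: access(2) and FileManager's isReadableFile answer from POSIX permission bits and never trigger the consent prompt, so they say nothing about whether a read of a protected folder will succeed. The following added example (not from the talk) shows the pattern the privacy model expects instead: attempt the read, and treat a permission failure as "consent not granted" rather than as "file absent". The helper that creates a sample file is there so the example can run anywhere; the consent-denied branch itself can only be exercised on macOS.

```python
"""Reading user files under Catalina's consent model. Added example, not from
the talk. Assumes a TCC denial surfaces as a permission error on open(2),
which Python raises as PermissionError.
"""
import errno
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReadResult:
    ok: bool
    data: Optional[bytes] = None
    reason: Optional[str] = None   # "missing", "denied", or an errno name


def posix_thinks_readable(path: str) -> bool:
    """The pre-check the talk warns about: consults permission bits only,
    never triggers a consent dialog, and cannot see TCC's decision."""
    return os.access(path, os.R_OK)


def read_user_file(path: str, limit: int = 1 << 20) -> ReadResult:
    """Attempt the read and classify the failure instead of pre-checking."""
    try:
        with open(path, "rb") as f:
            return ReadResult(ok=True, data=f.read(limit))
    except FileNotFoundError:
        return ReadResult(ok=False, reason="missing")
    except PermissionError:
        # Also the shape of a consent denial: tell the user, and do not
        # quietly behave as if the file did not exist.
        return ReadResult(ok=False, reason="denied")
    except OSError as e:
        return ReadResult(ok=False, reason=errno.errorcode.get(e.errno, str(e.errno)))


def list_user_folder(folder: str) -> ReadResult:
    """Same idea for directory listings, e.g. ~/Desktop or ~/Downloads."""
    try:
        names = sorted(os.listdir(folder))
        return ReadResult(ok=True, data="\n".join(names).encode())
    except FileNotFoundError:
        return ReadResult(ok=False, reason="missing")
    except PermissionError:
        return ReadResult(ok=False, reason="denied")


def make_sample_file(content: bytes) -> str:
    """Write a constructed sample file and return its path (for demonstration)."""
    fd, path = tempfile.mkstemp(prefix="consent-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or [os.path.expanduser("~/Desktop")]:
        print(p, "access() says readable:", posix_thinks_readable(p))
        r = list_user_folder(p) if os.path.isdir(p) else read_user_file(p)
        print(p, "actual result:", "ok" if r.ok else r.reason)
```

Point it at ~/Desktop on Catalina from an app or terminal that has not been granted access and the two lines disagree: access() reports readable, the listing reports denied.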
