Defense in Depth
Gatekeeper
User privacy protection
Defense in Depth:
macOS is designed with layers of security
One layer failing doesn't defeat all security
Rely on multiple layers that together:
- Delay the advance of an attack
- Reduce attack surface
- Trap attackers
Gatekeeper works with user privacy protection
- If something gets past Gatekeeper, user privacy protections may block malicious software from accessing user data.
What does Gatekeeper check?
- Malicious content scan
- Signature validation - has it been tampered with?
- Does it meet the Mac's security policy? (Mac App Store only; Mac App Store and Developer ID; none)
- Does the user want to run it? (Ask the user if they want to run it.)
When does Gatekeeper check on Mojave?
- First launch of quarantined content
Quarantine
- Marks files that arrive on the system from a variety of external sources
- Adds metadata about the external source (like web address, etc.)
- Apps can opt in to quarantining the files they write
- Default for files written by sandboxed apps
On Mojave 10.14.5:
Local policy check was updated to include checking for notarization
On macOS Catalina:
Local policy check: All new software requires notarization.
First launch prompt: User must approve software in bundles
Non-quarantined software:
All software (quarantined and non-quarantined) gets the malicious content scan.
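The quarantine marking and the policy check described above, as an added example (not code from the talk or from Apple): it reads the com.apple.quarantine extended attribute from a file, splits it into its fields, and asks spctl for Gatekeeper's verdict. The attribute layout and the sample value are assumptions stated in the comments; the sample is constructed, not taken from a real file.

```python
import os
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine value into its ';'-separated fields.

    Assumed layout, as written by LaunchServices:
        <flags hex>;<timestamp hex, seconds since epoch>;<agent name>;<UUID>
    The UUID keys a LaunchServices quarantine database entry that holds the
    origin URL, so the web address itself is not stored in the xattr.
    Trailing fields may be absent on older or hand-written values.
    """
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError("not a quarantine value: %r" % value)
    ts = int(fields[1], 16)
    return {
        "flags": int(fields[0], 16),
        "timestamp": ts,
        "quarantined_at": datetime.fromtimestamp(ts, tz=timezone.utc),
        "agent": fields[2] if len(fields) > 2 else "",
        "uuid": fields[3] if len(fields) > 3 else "",
    }


def read_quarantine(path: str):
    """Return the parsed quarantine xattr for path, or None if it is not set."""
    try:
        raw = os.getxattr(path, QUARANTINE_XATTR)  # macOS: no 'user.' prefix
    except (OSError, AttributeError):
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))


def gatekeeper_assessment(path: str):
    """Ask Gatekeeper whether it would let path execute (spctl exit 0 = accepted).
    spctl only exists on macOS; elsewhere this returns None."""
    try:
        proc = subprocess.run(
            ["spctl", "--assess", "--type", "execute", "--verbose", path],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


# Constructed sample in the shape a browser download carries (placeholder UUID).
SAMPLE = "0081;5d5f2a3c;Safari;12345678-ABCD-4321-ABCD-1234567890AB"
```

Run read_quarantine and gatekeeper_assessment against a freshly downloaded app to see the first-launch inputs Gatekeeper works from.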
Note: Apple's position is that you can always choose to run any software on your system. Apple will provide tools and methods to enable software to run.
Goal:
Make macOS as secure as iOS, while preserving macOS's flexibility.
Platform security relies on the validity of code signatures.
In a future version of macOS, unsigned code will not run by default.
For developers:
Sign and notarize all software you distribute
- Even if it doesn't get quarantined
Don't modify signed applications or bundles
Loading code can fail
- Ensure your apps handle failure gracefully
User privacy protections
Recording capabilities
Files and folders
Automation
Recording capabilities:
Users have to consent to:
On Mojave:
- Camera
- Microphone
On Catalina:
- Camera
- Microphone
- Screen recording
- Keyboard input monitoring
Keyboard input monitoring:
No approval is necessary for an app to monitor its own keyboard events.
Monitoring all keyboard events (system-wide) requires user approval.
Files and folders protection:
- Data that requires user consent to access
- Private data which is managed by the system.
New protected areas in Catalina:
- Desktop
- Documents
- Downloads
- iCloud Drive
- Third-party cloud storage (Dropbox, OneDrive, Box, etc.)
- Removable volumes
- Network volumes
User consent is not required to create new files in protected locations; it is required only to read data from protected locations.
Open and save dialog panels are now hosted out of process.
Files can be checked to see if they're readable / writable without triggering consent dialogs.
Private data managed by the system:
Mojave:
- Messages
- Safari browsing history
- HTTP cookies
- Call History
- iTunes backups
- Time Machine backups
In Catalina:
- Messages
- Safari browsing history
- HTTP cookies
- Call History
- iTunes backups
- Time Machine backups
- Trash
Trash notes:
- Moving a file to the Trash does not need Full Disk Access; it needs only authorization for the file being moved.
- The caller retains access to the file even once it is in the Trash.
Automation authorization:
Synthetic input events
- Governs ability to synthesize mouse clicks or keyboard presses
- Important to prevent malware from clicking through security consent dialogs.
Privacy preferences in macOS are being expanded to support a number of new privacy keys, including:
- File Provider Presence
- Listen Event
- Media Library
- Screen Capture
- Speech Recognition
- System Policy Desktop Folder
- System Policy Documents Folder
- System Policy Downloads Folder
- System Policy Network Volumes
- System Policy Removable Volumes