Multiple Flaws in New Update to macOS Mojave’s Privacy Protection
Apple isn’t always in the news for the wrong reasons. Unlike Google and Facebook, Apple has had little to no privacy breach complaints. It also doesn’t have to deal with malicious apps on the App Store.
Apple CEO Tim Cook has said in the past that privacy is every user’s moral right. Therefore, the company will never compromise it.
Apple is True to Its Word
True to that, Apple has rarely had complaints about tracking users or collecting their information without consent. Apps on the Apple App Store are also safer than the ones on the Google Play Store. Even the locking mechanism of every iPhone is foolproof.
However, recently Apple came under the scanner with the launch of the macOS update of Mojave 10.14 last year.
Ever since the launch, some researchers have been dedicated to the task of finding flaws with the new update. Most of them have been successful so far. This is embarrassing for Apple, which is one of those companies with few security issues; we know if there is a security breach how dangerous that can be.
Flaws are no big deal every time a software update is released. The flaws are either noticed at the very beginning or after people have been using the new update for some time. In Apple’s Mojave update case, the flaws have been discovered in the beginning and newer flaws continue to be found.
Faulty Implementation
At the time of launch, a security researcher had found the first loophole in Apple’s privacy protection implementations in macOS.
The researcher called Patrick Wardle had demonstrated in a video clip that the security in the new macOS can be easily bypassed to gain access to sensitive data, such as the address book.
Clever
Wardle also explained that he was able to get access to the confidential data using an unprivileged app that did not require administrator permissions. This shows the extent to which the new operating system has been lacking in security measures.
The bypass can be accessed by going to System Preferences, then selecting Security & Privacy and then selecting Privacy. This wasn’t the only bypass, though. Soon enough, other bypasses followed, and all of them were addressed to Mojave.
Apple isn’t one to take things lying down. It highly regards the security of users and immediately got down to fixing the issues.
But it seems like the issues just keep coming up. Last week, just when it seemed like Apple had taken care of the issue, a new flaw was discovered by StopTheMadness browser extension developer Jeff Johnson.
This flaw affects all versions of Mojave including the update that’s been released only a few days ago.
This flaw also involves an unprivileged app without requiring admin permissions. According to Johnson, he could find a way to get to ~/Library/Safari without requiring to ask the system or user for any kind of permission.
This is a cause for concern; that directory should only be accessed by privileged apps that have explicit permission to do so.
The only limitation about the flaw was that it did not work for sandboxed apps that have been separated from critical system files and other programs. This bypass only seems to work for the apps that aren’t sandboxed, and have been signed by a Developer ID after passing Apple’s automated malware check.
In an interview, Johnson said he had found the issue while working on his own Safari extension using a different API.
More Than Just iOS
Apple has always been known to value the security and privacy of users and have also been applauded for its security measures in the past.
Needless to say, Apple isn’t going to remain inactive about the flaws that keep arising with Mojave. However, the company could have too much on its plate right now.
Apple has taken all the flaws into consideration and has been trying to deal with them all at once. But it’s proving to be challenging. The company has to channel the access of apps to sensitive content such as Mail, Messages, Cookies, and Suggestions using a consent layer without the process turning into a chore.
That means every time someone tries to access these folders, they will need to be authenticated. Users may soon become frustrated at having to provide consent to access even the basic stuff on their devices.
These new measures should also work seamlessly for older apps that were built at a time when software had an intrinsic right to access all the information it wanted without the need for consent.
How Close is Apple to Solving These Issues?
It turns out the problems keep getting bigger. For example, it is common knowledge that privacy protection is useless in stopping someone from bypassing it through the use of Secure Shell to localhost when remote login is enabled.
Again, a malicious app could also continuously invoke “tccutil” in order to reset the privacy settings until the user is frustrated with the barrage of dialogue boxes and gives up. These and more are issues require fixing by Apple as soon as possible.
Time Will Tell
Johnson reported that he had already brought the issues to Apple’s attention. They will hopefully be fixed in the new update. However, when one issue is fixed, another arises. It remains to be seen exactly what issues future updates of Mojave give rise to. For better privacy and security while using Mojave, we recommend you take a look at our list of best VPNs for Mac.