Apple continues to enhance security on its Macs, narrowing the available attack surface one step at a time.
Enterprises are becoming increasingly impressed by the robust security of Macs, and Apple is locking its platform down even more firmly with macOS Sequoia and a couple of changes to improve defenses against malware and “camfecting.” This reflects the company’s continued mission to ensure platform security by design.
Gatekeeper empowerment
The first change is the biggest. Apple’s Gatekeeper protection is designed to stop people from running unsafe applications on their Macs. When you try to install software downloaded from the Internet, you are presented with a security warning before the application will work (though it has long been possible for Mac users to bypass the protection by Control-Clicking on the application icon).
Apple has removed this Control-click bypass in the latest Sequoia beta. Now, users must actively open Settings > Privacy & Security to permit their system to run such apps on a per-app basis.
While the impact of this change is slight — you can still install and use apps obtained elsewhere — it should help prevent users from accidentally installing malware because it makes the whole process more intentional. Less-experienced users become less likely to be tricked into giving such approval by the app installation screen.
Apple recommends notarization
The real aim of the change is to prevent users who might be less tech-savvy from being tricked into bypassing Gatekeeper. In an ideal world, Apple would like all apps installed on Macs to be at least notarized, the company confirms.
“If you distribute software outside of the Mac App Store, we recommend that you submit your software to be notarized,” Apple says. “The Apple notary service automatically scans your Developer ID-signed software and performs security checks. When your software is ready for distribution, it’s assigned a ticket to let Gatekeeper know it’s been notarized so customers can run it with confidence.”
This is a similar process to what Apple is trying to achieve on iOS devices in Europe. The goal is to secure the user and the platform, while also narrowing the size of the attack surface on its systems.
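For admins who want to see which installed apps Gatekeeper treats as notarized, the following is an added example (not from Apple or the original article) that labels the verbose output of the macOS `spctl --assess` command. The `source=` strings are the ones `spctl` prints on recent macOS releases as far as the example assumes; the sample outputs, app names and team ID are constructed.

```shell
#!/bin/bash
# Added example: report Gatekeeper's verdict for each app bundle in a directory.

# Map the text printed by `spctl --assess --type execute -vv APP` to a short label.
classify_assessment() {
    local out="$1" src
    # Verbose output carries a "source=<how the app was vetted>" line.
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Notarized Developer ID")   echo "notarized" ;;
        "Mac App Store")            echo "app-store" ;;
        "Apple System")             echo "apple-system" ;;
        "Unnotarized Developer ID") echo "unnotarized" ;;
        "no usable signature")      echo "unsigned" ;;
        *)  # Unrecognised source string: fall back to the accepted/rejected verdict.
            case "$out" in
                *": rejected"*) echo "rejected" ;;
                *": accepted"*) echo "accepted-other" ;;
                *)              echo "unknown" ;;
            esac ;;
    esac
}

# Walk DIR (default /Applications) and print "<label><TAB><app path>".
audit_apps() {
    local dir="${1:-/Applications}" app out
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        # spctl exits non-zero for rejected apps and reports on stderr.
        out=$(spctl --assess --type execute -vv "$app" 2>&1 || true)
        printf '%s\t%s\n' "$(classify_assessment "$out")" "$app"
    done
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNNOTARIZED='/Applications/Legacy.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Applications/Tool.app: rejected
source=no usable signature'

# Only touch the real system when spctl exists (macOS); otherwise demo on a sample.
if command -v spctl >/dev/null 2>&1; then
    audit_apps "${1:-/Applications}"
else
    classify_assessment "$SAMPLE_NOTARIZED"    # notarized
fi
```

Anything labelled `unnotarized`, `unsigned` or `rejected` is an app a Sequoia user would have to approve by hand in Privacy & Security before it runs.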
Camfecting and how to stop it
The second change will seem annoying to some, but does at least put Mac users in control. If you have ever installed screen recording or video conferencing software, you were probably asked to provide permission for those applications to capture your Mac screen. You likely went ahead and gave that permission and forgot about it — but that means applications you (or someone with access to your Mac) gave such permission to might be able to secretly continue recording your actions.
This improves in macOS Sequoia, which will require that you review and confirm this permission once a week. A dialog box will appear explaining the app wants to access the computer screen and audio, and giving you two choices: disable that permission, or “Continue to Allow” access.
While some might see this process as overly intrusive, it should help protect Macs against some in-person and malware-based camfecting attacks, as any application that has permission to access the camera/screen recording will be surfaced once a week. That means if an app you didn’t expect to see there appears on the list, you should take immediate steps to secure your device.
User controlled security
Seen in context, these latest security improvements mean the Mac is becoming better locked down as Apple works to make security protections you already have in place more understandable.
Take the Privacy & Security section of Settings for example: Over time, this has become an extensive, perhaps daunting, collection of options Apple has made easier to understand. In Sequoia, you can now more easily see how many apps enjoy full or partial access to the various settings and have a guide to help you manage those settings.
Again and again with its security improvements, Apple continues working to make security an intentional choice, to explain what it is users are securing, and to create device management APIs IT can use to ensure that their entire fleet remains as secure as it can possibly be — no kernel access required.