update: macOS Section #2702
Conversation
@@ -209,6 +209,21 @@ If an app is sandboxed, you should see | |||
[Value] | |||
[Bool] true | |||
``` | |||
|
|||
##### Hardened Runtime |
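Review bot: the sandbox section ends on a bare `[Value]` / `[Bool] true` fragment, with neither the entitlement key it belongs to nor the negative case shown, so a reader who sees no such line has no stated outcome; show the full key/value pair the reader should look for and add one sentence for the case where the key is absent (the app is not sandboxed), before the new `##### Hardened Runtime` heading.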
This and the sandboxing section feel a little unnecessary to me. If the results are no, as they will be in most cases, what is the reader supposed to do about that?
We should try to add actionable advice in both of these sections.
hmm? They should know if it's sandboxed or not. Then they can decide if they want to run it, run in a VM, etc. People ask me a lot how they can tell if an app is sandboxed.
Note to self: possibly mention .pkg vs .dmg for app installs. Also mention umask
I'm going to be busy when the new macOS version releases (late Sept or Oct?), so I thought to add my suggestions here while they're still fresh in our minds.
@@ -19,7 +19,7 @@ Brand new Apple silicon devices can be set up without an internet connection. Ho | |||
|
|||
macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked. | |||
|
|||
Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023. | |||
Apple's OCSP service uses HTTPS encryption, so only they are able to see which apps you open. They've [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally [promised](http://lapcatsoftware.com/articles/2024/8/3.html) to add a mechanism for people to opt-out of this online check, but this has not been added to macOS. | |||
|
|||
While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running. |
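Review bot: "so only they are able to see which apps you open" on the replaced line overstates what HTTPS gives: it hides the content of the check from network observers, but the fact that the system contacted Apple's OCSP service when an app launched is still visible to whoever operates the network, so phrase it as "which apps you open is no longer visible to your network". The same line also drops the "as of July 2023" qualifier from the old text; keep a date (or "as of this writing") on "has not been added to macOS", since that claim goes stale.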
In the team chat, you emphasized the importance of OCSP checks to block malicious apps for which Apple revoked their certificates.
I think that this sentence can start out with talking about the importance of this feature, then you can mention the edge case for disabling the check.
badly compromised by the revocation checks
Because I'm not sure what this concretely entails
Basically just means there's a longer period of time before your system would recognize the app as malicious.
docs/os/macos-overview.md
Outdated
|
||
The [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime) is an extra protection for apps that prevents certain classes of exploits. It improves the security of apps against exploitation by disabling certain features like JIT. | ||
|
||
You can check if an app uses the Hardened Runtime using the command |
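Review bot: "disabling certain features like JIT" on the first added line is imprecise: the Hardened Runtime blocks JIT, unsigned executable memory and similar capabilities by default, and an app can re-enable each one only by requesting the matching entitlement (for JIT, `com.apple.security.cs.allow-jit`), so an app can have the Hardened Runtime enabled and still be allowed to JIT; say that the check introduced on the last line shows whether the runtime is enabled, not which exceptions were granted, and point the reader at the entitlements as well. "prevents certain classes of exploits" should name them; the linked Apple page lists code injection, dynamically linked library (DLL) hijacking, and process memory space tampering.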
Not sure if this section needs to be here after our last convo, unless there's an obvious footgun that allows people to disable this, which you would like to emphasize not to do
However gatekeeper enforces hardened runtime
People are less likely to run an app when gatekeeper blocks them
And it’s not something you have to go out of your way to check
In fact really it doesn’t apply on second thought
It’s enforced by gatekeeper my bad
In the same way the app store enforces the sandbox
Yeah Gatekeeper is easily bypassable as it is now, I think in the beta they're taking out the easy bypass and giving you a setting to disable it. So I'd like to keep this part in, maybe elaborate on that a bit. Also it only applies to apps and not other binaries.
It's kinda like the App Store in that you don't have to use it, but if you choose to only run apps that gatekeeper doesn't warn you about then you'll have better security.
This PR looks great :)
I just want your opinion on the MAC address thing below.
This pull request has been mentioned on Privacy Guides Community. There might be relevant details there: https://discuss.privacyguides.net/t/macos-sequoia-supports-mac-randomisation/20988/5
LGTM
Signed-off-by: Daniel Gray <dngray@privacyguides.org>
Signed-off-by: redoomed1 <161974310+redoomed1@users.noreply.github.com>
Changes proposed in this PR:
Full disclosure: I copied parts of this from https://github.com/drduh/macOS-Security-and-Privacy-Guide?tab=readme-ov-file#app-sandbox; however, I wrote these parts, so I'm only plagiarizing myself. The commands are from official Apple documentation, which I link to, so in the interest of having the most accurate info I haven't edited the commands at all.