Apple started adding user consent alerts way back in High Sierra. The first time an app would try to access your location, contacts, calendar, reminders or photos a system alert would prompt the user for consent. Mojave expanded these prompts to automation, camera and microphone. And now Catalina adds screen recording, keyboard input monitoring, access to folders such as Desktop, Documents and Downloads, user notifications and Safari downloads…
These alerts are just another step on a long path Apple has been taking to protect users’ data. Previous steps include code signing, sandbox, gatekeeper, the “curated” Mac App Store and notarization.
But security features are most useful when they’re invisible. All previous steps were mostly invisible. This last one… Not so much.
There’s a lot of complaining going around in Apple circles regarding the latest Catalina betas and the excessive amount of permission alerts and associated user access problems. On his latest podcast, for instance, John Gruber detailed how it took him ages to figure out why the Terminal wouldn’t show him any directory listings, until he realised the Terminal needed disk access permission, but didn’t ask for it.
This is, of course, all quite reminiscent of Windows Vista, and the goal here seems to be to turn macOS into iOS, with similarly harsh restrictions on what users can do on their computers.
What Microsoft did with Vista was the right thing to do. Back in the day with Windows XP I needed to use an administrative account to browse the internet because the dialer app for my internet provider required administrative rights.
> This is, of course, all quite reminiscent of Windows Vista, and the goal here seems to be to turn macOS into iOS, with similarly harsh restrictions on what users can do on their computers.
SELinux might be a better comparison. It’s about sandboxing applications to keep malicious applications from compromising the system, and having a security first posture is good. Mandatory access control (MAC) and principle of least privilege (PoLP) are the two concepts in play here.
This allows the user to have more control over their machine as it prevents malicious software from using the machine against the user. For instance, this is a better alternative to the piece of tape on the webcam. Remove all access to the webcam, and nothing will be able to get access without having to take additional steps. Having a hardware switch to disable the webcam and microphone would be better if they can’t be removed, but being able to disable access is a good measure.
Our computers live in a hostile environment, and anything Apple can do to harden their systems is welcome. This is going to be slightly annoying, but we can’t run wide open systems anymore.
A month ago, I had the same kind of permission issue with Skype, downloaded from the Windows Store. I could not make the microphone work at all with it. I could even hear myself with the sound recorder. But god forbid I had probably clicked once the wrong choice on an ill-explained dialog. Took me 2 freaking hours to figure it out and to roam through the legacy and non-legacy config panels in Windows 10.
I’d rather be too careful than not careful enough. If I download an app designed to let me, say, partition a disk and it wants access to my contacts, I’d rather not allow that and it tells me something about the developer of said app. I’d rather Apple fix the bugs in it (not asking permission sometimes, or dialogs not clear) than stop doing it. It’s a far better cry than what we have on other systems, from a user-facing perspective. Systems like SELinux are better for server administrators and those who know how to configure a system and know what they want the machine to do, but asking for permission the first time seems reasonable enough to me as a compromise provided they can smooth out the experience. It’s far from restrictive to ask a user if it’s okay for an app to grab data it may not need.
My only concern is that it might train users to click through everything, the way UAC did. I’m not sure, from a usability perspective, how we solve that problem if we even can.
Yeah, I don’t see this as unreasonable at all, and with iOS it’s easy enough to add or remove permissions. I never feel like I’m restricted. Data being siloed between apps is kind of annoying rather than having a filesystem, but it’s not a laptop or desktop which I would expect to be more open.
I really wish SELinux would spend more time on the UX of the tooling. It’s never easy whenever I have to work with it, and most of the issues with it revolve around finding and applying the correct context. Something like firewall-cmd for SELinux would be great. The way it abstracts iptables, which is another obtuse piece of technology, is great.
We can’t really stop users from doing what they want to do. In business networks, sure. Make the user call the helpdesk to install something, and make the user explain why they need to install free games which are really just malware trojans.
At home, we can’t really nanny them. The most we can do is provide tools for those who want to secure their systems and secure defaults.
Agreed, though it looks like Apple may be trying to find a compromise between a full access filesystem and a sandboxed approach. Face it, having full filesystem access by default is what gets the average user in a lot of trouble, and is why that trojan can download ransomware that can blow through the entire filesystem and network. For those of us who do know what we’re doing, it’s great. For most home users though, it’s just confusing and an app-centric approach to data management makes more sense.
darknexus,
The system-modal dialog box used by UAC encourages the worst kind of behavior from users, like instinctively clicking yes. I like being in control of what apps can do, but UAC was a bad implementation even for professionals IMHO. I think a better solution would have been to deny permissions by default but pop up a clear/obvious notification that the action was denied. By using a passive alert notification (say in the icon tray), a user will instantly see what permission is blocked and indicate why something might not be accessible to software. Crucially users would not be pressured into clicking on yes right away. As it stands today users such as my parents are forced to make a choice even though they are confused about the right course of action. Users who ignore the notification would be safe by default, and only if something is missing in software is it necessary for a user to take a deliberate action to grant the software extra permission.
Software could have a manifest file that lists all permissions it might ask for at run time that the user could review and grant/revoke at any time.
Under Linux, SELinux can do most of this from the kernel’s perspective, although as far as I’m aware, we’re missing friendly GUI components to notify users about realtime blockages and a user friendly way to grant/revoke access.
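The deny-by-default design sketched in the comment above, as an added model that is not part of the thread and not macOS TCC, UAC or SELinux code: apps declare a permission manifest, nothing is granted until the user deliberately acts, and denied attempts go to a passive log instead of a modal prompt. The app name "PartitionTool" and its manifest are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass
class PermissionBroker:
    """Deny-by-default broker: an app can only be granted permissions its
    manifest declares, and every denied access is recorded for a passive
    notification rather than blocking the user with a modal dialog."""
    manifests: dict = field(default_factory=dict)   # app -> declared permissions
    grants: dict = field(default_factory=dict)      # app -> user-granted permissions
    denied_log: list = field(default_factory=list)  # (app, permission, reason)

    def register(self, app, declared):
        # The manifest is the complete list a user can review before install.
        self.manifests[app] = frozenset(declared)

    def grant(self, app, permission):
        # Users can only grant what the manifest declared; anything else is refused.
        if permission not in self.manifests.get(app, frozenset()):
            return False
        self.grants.setdefault(app, set()).add(permission)
        return True

    def revoke(self, app, permission):
        self.grants.get(app, set()).discard(permission)

    def check(self, app, permission):
        # Default deny: no grant means no access, and the attempt is logged.
        if permission in self.grants.get(app, set()):
            return True
        declared = permission in self.manifests.get(app, frozenset())
        self.denied_log.append((app, permission, "not granted" if declared else "undeclared"))
        return False

    def pending_notifications(self):
        # What a tray icon would show: distinct blocked (app, permission) pairs
        # the user may later choose to grant. Undeclared requests never qualify.
        return sorted({(a, p) for a, p, r in self.denied_log if r == "not granted"})


def demo():
    """Constructed scenario: a disk partitioning tool that also asks for contacts."""
    broker = PermissionBroker()
    broker.register("PartitionTool", ["full-disk"])        # hypothetical app and manifest
    first = broker.check("PartitionTool", "full-disk")     # denied and logged, no prompt
    contacts = broker.grant("PartitionTool", "contacts")   # not in manifest, refused
    broker.grant("PartitionTool", "full-disk")             # deliberate user action
    second = broker.check("PartitionTool", "full-disk")    # now allowed
    broker.check("PartitionTool", "contacts")              # logged as undeclared
    return first, contacts, second, broker.pending_notifications(), len(broker.denied_log)
```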
I’ve been messing around with macOS desktop development, and you do have to state which permissions an application will need.
> with similarly harsh restrictions on what users can do on their computers.
with similarly harsh restrictions on what *apps* can do on *my* computer, in a world where most everything misbehaves.