A Guide to Catalina’s Privacy Protection: 2 Controlling privacy settings

Like much of what you see in the Finder and the rest of the GUI in macOS, the controls in the Privacy tab of the Security & Privacy pane are an illusion. They are a friendly front end to a major sub-system in macOS named TCC (ironically, standing for Transparency, Consent, and Control), which manages an internal database from which those lists are derived.

If you're using Catalina (or Mojave, for that matter), it's essential to know how to use the Privacy tab and its lists, as they (partly) determine which apps can access your protected resources and data. macOS denies applications and their developers direct access to those lists: in principle only the user controls them, although, as I'll show below, that isn't entirely accurate.

Using privacy lists

As a user, you can add items to

  • Accessibility
  • Full Disk Access, hence indirectly to Files and Folders
  • Developer Tools, when enabled.

Apps are added to the other lists, including resources such as Camera and Microphone and the most complex of them all, Automation, only when an app requests access and TCC displays a consent dialog. Once an app or other item has been added, each list provides checkboxes which you can use to disable its access individually, but only those same three lists allow the user to remove individual items from the list. In 10.15.2, the + and – tools are displayed for the Files and Folders list, but are disabled; it's unclear whether Apple intends to enable them later, or whether this is just a bug.

In those lists which only let you disable an item by unticking its checkbox, the item remains in the list, and there is no simple way to remove it other than deleting or uninstalling the app, or resetting that entry using tccutil. The latter can be a very blunt tool, but in Catalina it at last allows you to reset rights for a specific list and a specified bundle identifier. I will explore its use in detail in a later article.

TCC identifies apps by their bundle identifier, such as co.eclecticlight.Taccy, and this doesn't appear to take account of either their version or their location in the file system. If you have two different versions of the same app in different folders, both appear to be given the same access by TCC, so long as they have the same identifier and that identifier matches their signatures.

This could give rise to problems. Assume that version 1.0 of an app contains a vulnerability which enables it to leak data to which it has been given access through TCC and user consent. You then upgrade to version 2.0, which fixes that bug, and you allow it access to your private data. If the two versions share a bundle identifier, then installing version 1.0 again later results in it automatically being given the same access as version 2.0, without any further consent. This is made more dangerous by the fact that TCC doesn't check hardening or notarization, so version 1.0 could have neither protection.

This also emphasises the importance of running only properly signed software. Without a signature, it is all too easy for the rights granted to an app to be abused by an impostor with the same bundle identifier.

Maintaining the lists

Even if you don't install many apps or other software, you should make checking these privacy lists part of your routine checks and maintenance, performed at least once a week. For those who install and remove products every day, those checks need to be more frequent, and they are essential whenever you install software about which you have any doubt. When you come across an item which you don't recognise, or which you suspect may be misusing sensitive data, uncheck it immediately and see whether you're prompted to re-enable its access.

Removing apps

The biggest problem with these privacy lists is that they don't give an accurate account of what is in TCC's database. This is worryingly simple to demonstrate. Choose an app which you don't need to use immediately, and which could benefit from being added to the Full Disk Access list; I use Taccy.app here. Select that list in the Privacy tab, click on the padlock icon and authenticate, then click on the + tool and add that app to the Full Disk Access list.


When you select the Files and Folders list, you’ll see that the app has also been added there, as you’d expect. Verify that the app does now have this level of access by accessing some protected locations with it. Then quit the app, and delete it, ensuring that you empty the Trash immediately.

Look at the Full Disk Access list now, and that app has been removed. If there's another app with the same bundle identifier, you will see that listed in its place, of course, because of TCC's reliance on identifiers. But in its absence, you'd assume from this list that Taccy.app no longer had any right of access to your protected files.


Now install another copy of the same app and look in the Full Disk Access list: it has miraculously been given exactly the same access as its deleted predecessor. TCC's internal database still held the entry for that bundle identifier, so the 'new' app inherited those rights without any consent being required.


Apple doesn't document how long such entries remain in TCC's database, but the only sure way of clearing out old rights is to use tccutil with the appropriate list and bundle identifier.

Accordingly, when you do want to delete or uninstall any app or other software which has been added to any of the privacy lists, you must first remove it or uncheck it in each of the lists in which it appears. That should at least disable its access in the event that you install another app with the same bundle identifier in the future.

If you forget to do this, the only option which will remove that entry from TCC's database is tccutil. Apple won't allow any third-party app access to the privacy lists or to TCC's database, and has not produced a more friendly maintenance tool to let you clear out old rights so that they can't be abused in the future.
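The following is an added example, not code from this article and not an Apple tool. It audits a copy of Catalina's TCC database for exactly the kind of stale entry shown above, and also illustrates the bundle-identifier matching discussed earlier: the rows in TCC's access table carry the identifier and the signing requirement, not the app's path or version. It assumes the Catalina (10.15) layout of the access table (columns service, client, client_type and allowed), that Full Disk Access is stored under the service name kTCCServiceSystemPolicyAllFiles, and that tccutil accepts a service name with its kTCCService prefix removed. The database contents, and every bundle identifier other than co.eclecticlight.Taccy, are constructed for the example.

```python
"""Audit a Catalina TCC.db for privacy grants that have outlived their app.

Added example, not the article's or Apple's code. Assumes the Catalina
(10.15) shape of the `access` table in TCC.db, where a grant is keyed by
service and client and `allowed` is 1 or 0 (Big Sur later renamed that
column). Opening the live database needs Full Disk Access for whichever
tool does it, so work on a copy; the data built below is a constructed
sample, not real TCC contents.
"""
import sqlite3
import sys
from typing import Iterable, List, Tuple

# client_type 0 means `client` is a bundle identifier; 1 means an absolute path.
CLIENT_TYPE_BUNDLE_ID = 0

# Privacy tab names for some TCC services (assumed mapping for display only).
SERVICE_LABELS = {
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceSystemPolicyDeveloperFiles": "Developer Tools",
    "kTCCServiceSystemPolicyDocumentsFolder": "Files and Folders (Documents)",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAppleEvents": "Automation",
}

Grant = Tuple[str, str, int]  # (client, service, allowed)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample holding only the access-table columns the audit reads."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE access (
               service TEXT NOT NULL, client TEXT NOT NULL,
               client_type INTEGER NOT NULL, allowed INTEGER NOT NULL,
               prompt_count INTEGER NOT NULL, csreq BLOB,
               PRIMARY KEY (service, client, client_type))"""
    )
    rows = [
        # Taccy was added to Full Disk Access, then the app itself was deleted.
        ("kTCCServiceSystemPolicyAllFiles", "co.eclecticlight.Taccy", 0, 1, 0, b"fake-csreq"),
        ("kTCCServiceSystemPolicyDocumentsFolder", "co.eclecticlight.Taccy", 0, 1, 1, b"fake-csreq"),
        # A helper uninstalled long ago that still holds Accessibility.
        ("kTCCServiceAccessibility", "com.example.oldhelper", 0, 1, 1, None),
        # Still installed; the user unticked it, so allowed is 0 but the row remains.
        ("kTCCServiceCamera", "com.example.chat", 0, 0, 2, b"fake-csreq"),
        # A path-based entry (client_type 1), which this audit leaves alone.
        ("kTCCServiceAccessibility", "/usr/local/bin/tool", 1, 1, 1, None),
    ]
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con


def grants_for(con: sqlite3.Connection, bundle_id: str) -> List[Tuple[str, int]]:
    """Every (service, allowed) row TCC holds for one bundle identifier."""
    cur = con.execute(
        "SELECT service, allowed FROM access "
        "WHERE client = ? AND client_type = ? ORDER BY service",
        (bundle_id, CLIENT_TYPE_BUNDLE_ID),
    )
    return [(service, int(allowed)) for service, allowed in cur]


def stale_grants(con: sqlite3.Connection, installed: Iterable[str]) -> List[Grant]:
    """Bundle-identifier grants whose client is not among the installed apps.

    These are the rows the Privacy tab stops showing once the app is deleted,
    yet which a reinstalled app with the same identifier inherits.
    """
    present = set(installed)
    cur = con.execute(
        "SELECT client, service, allowed FROM access "
        "WHERE client_type = ? ORDER BY client, service",
        (CLIENT_TYPE_BUNDLE_ID,),
    )
    return [(c, s, int(a)) for c, s, a in cur if c not in present]


def reset_commands(rows: Iterable[Grant]) -> List[str]:
    """tccutil invocations that clear each stale grant, one per list and identifier."""
    cmds: List[str] = []
    for client, service, _allowed in rows:
        # tccutil names the service without the kTCCService prefix (assumed).
        name = service[len("kTCCService"):] if service.startswith("kTCCService") else service
        cmd = f"tccutil reset {name} {client}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # Usage: python3 tcc_audit.py [copy-of-TCC.db] [installed.bundle.id ...]
    # With no arguments the constructed sample is audited.
    if len(sys.argv) > 1:
        con = sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
        installed = sys.argv[2:]
    else:
        con = build_sample_db()
        installed = ["com.example.chat"]
    stale = stale_grants(con, installed)
    for client, service, allowed in stale:
        print(f"{client}: {SERVICE_LABELS.get(service, service)} (allowed={allowed}) survives in TCC.db")
    for cmd in reset_commands(stale):
        print(cmd)
```

Run it against a copy of /Library/Application Support/com.apple.TCC/TCC.db, or of the per-user database in ~/Library/Application Support/com.apple.TCC/, passing the bundle identifiers you know are still installed; whether a given identifier is present can be checked with mdfind "kMDItemCFBundleIdentifier == 'co.eclecticlight.Taccy'". The tccutil reset lines it prints are the cleanup described above, one per list and bundle identifier. To see the signing requirement that TCC's entry has to match, run codesign -dr - against the app bundle.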

These features are extensions of those already in Mojave. In the next article, I’ll look at what’s new with Catalina, the protection of common locations such as ~/Documents and removable volumes.