Compare commits


34 Commits

| Author | SHA1 | Message | Date |
| --- | --- | --- | --- |
| kimg45 | 51bc87adc4 | Merge b05556857e into b1c63004f2 | 2024-09-17 17:39:03 -05:00 |
| kimg45 | b05556857e | update settings | 2024-09-17 17:39:01 -05:00 |
| kimg45 | af61e7aa88 | bold fix | 2024-09-17 17:37:42 -05:00 |
| kimg45 | 89db7b455d | update mac address randomization | 2024-09-17 13:52:05 -05:00 |
| kimg45 | 309284aaff | Merge branch 'privacyguides:main' into pr-macos | 2024-09-17 13:45:23 -05:00 |
| kimg45 | 66a3ac3729 | Merge branch 'privacyguides:main' into pr-macos | 2024-09-10 22:55:18 -05:00 |
| kimg45 | cb3281b5f8 | Merge branch 'privacyguides:main' into pr-macos | 2024-09-07 21:00:36 -05:00 |
| kimg45 | 8557a158da | Merge branch 'main' into pr-macos | 2024-08-26 01:20:27 -05:00 |
| kimg45 | 84d065b744 | Merge branch 'main' into pr-macos | 2024-08-24 07:00:25 -05:00 |
| kimg45 | ea80145ac5 | Merge branch 'privacyguides:main' into pr-macos | 2024-08-22 03:51:25 -05:00 |
| kimg45 | 05fcb5f2c9 | Merge branch 'main' into pr-macos | 2024-08-16 20:33:01 -05:00 |
| kimg45 | b6b1b4cb5d | Merge branch 'main' into pr-macos | 2024-08-10 19:18:17 -05:00 |
| kimg45 | 2665a6cd08 | Merge branch 'privacyguides:main' into pr-macos | 2024-08-09 17:39:51 -05:00 |
| redoomed1 | 17da7ee107 | Remove hyphen b/c "opt in" used as verb<br>Signed-off-by: redoomed1 <161974310+redoomed1@users.noreply.github.com> | 2024-08-09 15:24:26 -07:00 |
| redoomed1 | da760a8759 | Fix internal link<br>Signed-off-by: redoomed1 <161974310+redoomed1@users.noreply.github.com> | 2024-08-09 14:45:32 -07:00 |
| kimg45 | 8442f54ce0 | add clarification on what to do if the app is not sandboxed<br>Co-authored-by: redoomed1 <161974310+redoomed1@users.noreply.github.com><br>Signed-off-by: kimg45 <138676274+kimg45@users.noreply.github.com> | 2024-08-09 16:43:11 -05:00 |
| kimg45 | 477f3c78ad | wording<br>Co-authored-by: redoomed1 <161974310+redoomed1@users.noreply.github.com><br>Signed-off-by: kimg45 <138676274+kimg45@users.noreply.github.com> | 2024-08-09 16:42:28 -05:00 |
| kimg45 | 536a34bdab | add threat model label and explanation about sandbox<br>Co-authored-by: redoomed1 <161974310+redoomed1@users.noreply.github.com><br>Signed-off-by: kimg45 <138676274+kimg45@users.noreply.github.com> | 2024-08-09 16:41:42 -05:00 |
| kimg45 | 904d65b1ba | typo fix and add threat model label<br>Co-authored-by: redoomed1 <161974310+redoomed1@users.noreply.github.com><br>Signed-off-by: kimg45 <138676274+kimg45@users.noreply.github.com> | 2024-08-09 16:40:46 -05:00 |
| kimg45 | f546aa6550 | add info about notarization to antivirus section | 2024-08-07 19:22:53 -05:00 |
| kimg45 | c6c8f32459 | add explanation of threat model for app sandbox and hardened runtime | 2024-08-07 19:12:12 -05:00 |
| kimg45 | aa139429b6 | remove suggestions for app sandbox and hardened runtime | 2024-08-07 19:03:11 -05:00 |
| kimg45 | cfa98bb332 | add advice about sandboxing and hardened runtime | 2024-08-07 18:26:46 -05:00 |
| kimg45 | c7482922bf | add clarification about sandboxing on macos | 2024-08-07 18:23:06 -05:00 |
| kimg45 | c77038d0fd | add notarization info | 2024-08-07 18:17:09 -05:00 |
| kimg45 | 44372d4ff6 | add info about hardened runtime | 2024-08-07 17:50:54 -05:00 |
| kimg45 | ef91d16c91 | add info about app sandbox | 2024-08-07 17:12:04 -05:00 |
| kimg45 | 240829c727 | add info about standard vs advanced data protection | 2024-08-07 16:55:24 -05:00 |
| kimg45 | dcb5d858a1 | remove claim that the majority of concerns are about icloud | 2024-08-07 16:53:28 -05:00 |
| kimg45 | b453c311e4 | add link for opt out promise | 2024-08-07 16:40:23 -05:00 |
| kimg45 | a70f5f0f3f | add info about opt out ocsp check promise | 2024-08-07 16:39:57 -05:00 |
| kimg45 | cb47145192 | mention that there's no option to opt out of ocsp checks | 2024-08-07 16:24:02 -05:00 |
| kimg45 | 8cd5477e5b | remove macos enterprise privileges since you can run things as administrator from a standard account already | 2024-08-07 16:18:27 -05:00 |
| kimg45 | c5e57ee0e9 | remove information about past version of macos and future promises | 2024-08-07 15:42:46 -05:00 |


@ -19,7 +19,7 @@ Brand new Apple silicon devices can be set up without an internet connection. Ho
macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developers signing certificate is revoked.
Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
Apple's OCSP service uses HTTPS encryption, so only they are able to see which apps you open. They've [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally [promised](http://lapcatsoftware.com/articles/2024/8/3.html) to add a mechanism for people to opt-out of this online check, but this has not been added to macOS.
While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
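Review bot: The rewritten sentence ("Apple's OCSP service uses HTTPS encryption, so only they are able to see which apps you open") claims more than the surrounding text supports: the unchanged line above says the online check is of whether the developer's signing certificate is revoked, so what the request reveals to Apple is the signing identity being checked rather than the specific app; consider "so only Apple can see which developer certificates your Mac checks". Also, the new opt-out citation is a plain `http://` link (http://lapcatsoftware.com/articles/2024/8/3.html) while every other link in this hunk is HTTPS; use `https://` if the site serves it. Dropping the dated "as of July 2023" qualifier is a good change, since it no longer goes stale.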
@ -31,11 +31,9 @@ However, exploits in protective utilities like `sudo` have been [discovered in t
If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
Alternatively, you can use a utility like [macOS Enterprise Privileges](https://github.com/SAP/macOS-enterprise-privileges) to escalate to Administrator rights on-demand, but this may be vulnerable to some undiscovered exploit, like all software-based protections.
### iCloud
The majority of privacy and security concerns with Apple products are related to their *cloud services*, not their hardware or software. When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This is called [Standard Data Protection](https://support.apple.com/en-us/102651) by Apple. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company.
Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple.
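Review bot: The new Standard Data Protection link uses a locale-specific URL (https://support.apple.com/en-us/102651) while the other Apple support links in this hunk use the locale-neutral https://support.apple.com/HT... form; the en-us path redirects non-US readers and is more likely to break if Apple changes its locale scheme, so prefer the neutral form if it resolves. Removing the macOS Enterprise Privileges paragraph is consistent with the commit message, and the remaining "If you do use a second account" paragraph still reads correctly on its own.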
@ -53,6 +51,8 @@ Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot
Click on the "Details" button by your network name:
- [x] Select **Rotating** under **Private Wi-Fi address**
- [x] Check **Limit IP address tracking**
##### Firewall
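Review bot: The two added checkboxes instruct the reader to select **Rotating** under **Private Wi-Fi address**, but the MAC Address Randomization hunk later in this diff presents **Fixed** and **Rotating** as equally valid choices. Either state the recommendation once and cross-reference it from the other section, or add a clause here explaining why Rotating is the checklist default, so the two sections do not contradict each other.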
@ -133,19 +133,11 @@ On older Intel-based Mac computers, FileVault is the only form of disk encryptio
### MAC Address Randomization
macOS uses a randomized MAC address when performing Wi-Fi scans while disconnected from a network. However, when you connect to a preferred Wi-Fi network, the MAC address used is never randomized. Full MAC address randomization is an advanced topic, and most people don't need to worry about performing the following steps.
macOS uses a randomized MAC address when performing Wi-Fi scans while disconnected from a network.
Unlike iOS, macOS doesn't give you an option to randomize your MAC address in the settings, so if you wish to change this identifier, you'll need to do it with a command or a script. To set a random MAC address, first disconnect from the network if you're already connected, then open **Terminal** and enter this command to randomize your MAC address:
You can set your MAC address to be randomized per network and rotate occasionally to prevent tracking between networks and on the same network over time.
``` zsh
openssl rand -hex 6 | sed 's/^\(.\{1\}\)./\12/; s/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en0 ether
```
`en0` is the name of the interface you're changing the MAC address for. This might not be the right one on every Mac, so to check you can hold the option key and click the Wi-Fi symbol at the top right of your screen. "Interface name" should be displayed at the top of the dropdown menu.
This command sets your MAC address to a randomized, "locally administered" address, matching the behavior of iOS, Windows, and Android's MAC address randomization features. This means that every character in the MAC address is fully randomized except the second character, which denotes the MAC address as *locally administered* and not in conflict with any actual hardware. This method is most compatible with modern networks. An alternative method is to set the first six characters of the MAC address to one of Apple's existing *Organizational Unique Identifiers*, which we'll leave as an exercise to the reader. That method is more likely to conflict with some networks, but may be less noticeable. Given the prevalence of randomized, locally administered MAC addresses in other modern operating systems, we don't think either method has significant privacy advantages over the other.
When you connect to the network again, you'll connect with a random MAC address. This will be reset on reboot.
Go to **System Settings** > **Network** > **Wi-Fi** > **Details** and set **Private Wi-FI address** to either **Fixed** if you want a fixed random address for each network or **Rotating** if you want it to change over time.
Your MAC address is not the only unique information about your device which is broadcast on the network, your hostname is another piece of information which could uniquely identify you. You may wish to set your hostname to something generic like "MacBook Air", "Laptop", "John's MacBook Pro", or "iPhone" in **System Settings** > **General** > **Sharing**. Some [privacy scripts](https://github.com/sunknudsen/privacy-guides/tree/master/how-to-spoof-mac-address-and-hostname-automatically-at-boot-on-macos#guide) allow you to easily generate hostnames with random names.
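Review bot: Typo in the added settings line: "Private Wi-FI address" should be "Private Wi-Fi address", matching the Network settings checklist earlier in this diff. Since the `ifconfig`-based command and its interface-name instructions were removed in favour of the system setting, consider stating the minimum macOS version that exposes this setting, because readers on older releases will not find it and now have no fallback on the page. The removed text's caveat that a manually set address resets on reboot is no longer needed with the built-in option, so dropping it is fine.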
@ -178,20 +170,62 @@ System Integrity Protection makes critical file locations read-only to protect a
##### App Sandbox
On macOS, whether an app is sandboxed is determined by the developer when they sign it. The App Sandbox protects against vulnerabilities in the apps you run by limiting what a malicious actor can do in the event that the app is exploited. The App Sandbox *alone* can't protect against [:material-package-variant-closed-remove: Supply Chain Attacks](../basics/common-threats.md#attacks-against-certain-organizations){ .pg-viridian } by malicious developers. For that, sandboxing needs to be enforced as it is on the App Store.
macOS apps submitted to the App Store after June 1, 2012 are required to be sandboxed using the [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox).
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
Software downloaded from outside the official App Store is not required to be sandboxed. You should avoid non-App Store software as much as possible.
Software downloaded from outside the official App Store is not required to be sandboxed. If your threat model prioritizes defending against [:material-bug-outline: Passive Attacks](../basics/common-threats.md#security-and-privacy){ .pg-orange }, then you may want to check if the software you download outside the App Store is sandboxed, which is up to the developer to *opt in*.
</div>
You can check if an app uses the App Sandbox in a few ways:
You can check if apps that are already running are sandboxed using the [Activity Monitor](https://developer.apple.com/documentation/security/app_sandbox/protecting_user_data_with_app_sandbox#4098972).
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
Just because one of an app's processes is sandboxed doesn't mean they all are.
</div>
Alternatively, you can check apps before you run them by running this command in the terminal:
``` zsh
% codesign -dvvv --entitlements - <path to your app>
```
If an app is sandboxed, you should see
``` zsh
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
```
If you find that the app you want to run is not sandboxed, then you may employ methods of [compartmentalization](../basics/common-threats.md#security-and-privacy) such as virtual machines or separate devices, use a similar app that is sandboxed, or choose to not use the unsandboxed app altogether.
##### Hardened Runtime
The [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime) is an extra protection for apps that prevents certain classes of exploits. It improves the security of apps against exploitation by disabling certain features like JIT.
You can check if an app uses the Hardened Runtime using the command
``` zsh
codesign --display --verbose /path/to/bundle.app
```
If Hardened Runtime is enabled, you will see flags=0x10000(runtime). The "runtime" means Hardened Runtime is enabled. There might be other flags, but the runtime flag is what we're looking for here.
You can enable a column in Activity Monitor called "Restricted" which is a flag that prevents programs from injecting code via macOS's [dynamic linker](https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html). Ideally, this should say "Yes".
##### Antivirus
macOS comes with two forms of malware defense:
1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run.
1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run. Apps are required to be signed by the developers using a key given to them by Apple. This ensures that you are running software from the real developers. It also requires the Hardened Runtime to be enabled which limits methods of exploitation.
2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS.
We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyways, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer.
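Review bot: The added `codesign -dvvv --entitlements - <path to your app>` block includes the `%` shell prompt inside the fence, so a copy-paste yields a command-not-found error; the Hardened Runtime block a few lines down omits the prompt, so drop the `%` for consistency. In the Hardened Runtime paragraph, `flags=0x10000(runtime)` is literal program output and should be in backticks. Finally, the sandbox-check instructions would benefit from saying that `codesign` should be pointed at the .app bundle and that, as the warning about multiple processes already implies, helper executables inside the bundle carry their own entitlements, so the main binary showing `com.apple.security.app-sandbox` does not prove every component is sandboxed.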