Conversation
✅ Deploy Preview for privsec-dev ready! Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration.
NIST offers configuration profiles and scripts for automatic configuration: https://github.com/usnistgov/macos_security/tree/sequoia. Can some of them be recommended?
> macOS comes with a built-in [firewall](https://support.apple.com/guide/mac-help/change-firewall-settings-on-mac-mh11783/mac). Make sure it's enabled at the very least, but you can block all incoming connections for the best security/privacy.

> Avoid third-party firewalls like LittleSnitch or LuLu that require you to install a system extension. They don't cover DNS so data exfiltration is still possible.

- LittleSnitch and LuLu block outgoing connections; the built-in firewall only blocks incoming ones. There's no built-in replacement for these tools.
- The latest version of LittleSnitch does cover DNS. With LuLu, it's possible to use dnscrypt-proxy locally.
There are other bypasses. This should be updated with the empty TCP connection bypass; that one is trivial.
> All encryption keys are handled by the Secure Enclave. Swap space is also [encrypted](https://support.apple.com/en-euro/guide/mac-help/mh11852/mac).

> Your Mac is at its most secure when it's fully off and the data is at rest. Depending on your threat model, it might behoove you to turn your Mac off completely whenever you're not using it, especially since Macs do not have memory encryption.

macOS can be forced to clear FileVault keys from memory when hibernating by executing `sudo pmset -a hibernatemode 25` and installing the DestroyFVKeyOnStandby profile.
Is this actually documented anywhere by Apple or nah?
man pmset, online version e.g. at https://www.unix.com/man_page/osx/1/pmset/:

> hibernatemode = 25 (binary 0001 1001) is only settable via pmset. The system will store a copy of memory to persistent storage (the disk), and will remove power to memory. The system will restore from disk image. If you want "hibernation" - slower sleeps, slower wakes, and better battery life, you should use this setting.

Configuration profiles documentation: https://developer.apple.com/documentation/devicemanagement/fdefilevaultoptions.
All configuration profiles in an official Git repository; check new commits after every system update to see the difference between releases: https://github.com/apple/device-management/tree/release/mdm/profiles.
hibernatemode = 25 makes fingerprint unlock useless. Every time you try to wake the Mac from sleep you have to wait 10 seconds and enter your password.
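The standby hardening from this thread, as a shell example added here (not from the PR or the guide): it applies both settings and then verifies them by parsing `pmset -g` output. The `destroyfvkeyonstandby` pmset setting is assumed to be the command-line equivalent of the DestroyFVKeyOnStandby profile key, and the sample `pmset -g` lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the PR: hibernate to disk with memory powered off
# (hibernatemode 25) and discard the FileVault key on standby, so RAM holds
# no usable key while the Mac sleeps. Assumes man pmset's
# "destroyfvkeyonstandby" setting matches the DestroyFVKeyOnStandby profile key.
harden_standby() {
    sudo pmset -a hibernatemode 25 &&
    sudo pmset -a destroyfvkeyonstandby 1
}

# Verify from `pmset -g` text on stdin, e.g. (constructed sample):
#   hibernatemode        25
#   DestroyFVKeyOnStandby 1
# Returns 0 only when both settings are hardened; prints what is wrong otherwise.
check_standby_settings() {
    awk '
        $1 == "hibernatemode"         { mode = $2 }
        $1 == "DestroyFVKeyOnStandby" { destroy = $2 }
        END {
            ok = 1
            if (mode != "25")   { print "hibernatemode is " (mode == "" ? "unset" : mode) ", want 25"; ok = 0 }
            if (destroy != "1") { print "DestroyFVKeyOnStandby is " (destroy == "" ? "unset" : destroy) ", want 1"; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# On a Mac: harden_standby && pmset -g | check_standby_settings
```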
May be worth adding: compared to Linuxes, macOS doesn't sanitise `Defaults env_keep += "HOME MAIL"`. It may also be worthwhile to mark shell init scripts as immutable as the link suggests.
@friadev @nihil-admirari is right on the point about schg: it is not bypassable like chattr -i on Linux. This is quite interesting. We 100% should mention this. And we gotta somehow word it so that it's clear this mitigates attacks against the shell but still will not stop other scenarios of unsandboxed apps attacking each other.
I suggest using configuration profiles instead of the command line to alter system settings.
Is anyone aware of an in-depth analysis of macOS telemetry? Germany's Federal Office for Information Security did one for Windows: #287 (comment). Microsoft also provides Diagnostic Data Viewer which allows one to look at the data that was collected. Doug Leith from Trinity College did analysis on stock Android and iOS: https://www.scss.tcd.ie/doug.leith/pubs/apple_google2.pdf
macOS apparently transmits tons of data to Apple: https://sneak.berlin/20210202/macos-11.2-network-privacy/. There wasn't an attempt to decrypt it to find out what is transmitted exactly, compared to Windows, Android, and iOS.

On iOS you can easily see the analytics it sends in the settings, can't find it on macOS though. It's really nothing of substance, just a bunch of crash reports and random stuff. No personal data or anything from what I can see. It's really very boring. I think if there was anything interesting it definitely would be reported on by now.
It was found out and reported, please look at the quote:
The info was obtained by jailbreaking an iPhone, patching the SSL library to accept any connection as valid, and then decrypting what the iPhone sends to Apple on a MitM proxy, with the iPhone thinking that it's talking to genuine Apple servers. It doesn't show up in analytics logs. The same was done to Android. Windows telemetry components were disassembled (if I'm not mistaken). The question is: does anybody know about similar research done on macOS?

I'd like to note that this is very annoying to deal with if you have lockdown mode.
Hello, what's the consensus on "Protect Mail Activity" vs unchecking it and checking "Hide IP Address and Block All Remote Content"? Protect Mail Activity:

> Mail Privacy Protection
>
> Emails you receive may include remote content that allows the email’s sender to learn information about you. When you open an email, information about your Mail activity can be collected by the sender without transparency and an ability to control what information is shared. Email senders may learn when and how many times you opened their email, whether you forwarded the email, your Internet Protocol (IP) address, and other data that can be used to build a profile of your behaviour and learn your location.
>
> Protect Mail Activity helps protect your privacy by preventing email senders, including Apple, from learning information about your Mail activity. When you receive an email in the Mail app, rather than downloading remote content when you open an email, Protect Mail Activity downloads remote content in the background by default — regardless of whether you engage with the email. Apple does not learn any information about the content.
>
> In addition, Protect Mail Activity routes all remote content downloaded by Mail through two separate relays operated by different entities. The first knows your IP address, but not the remote Mail content you receive. The second knows the remote Mail content you receive, but not your IP address, instead providing a generalised identity to the destination. This way, no single entity has the information to identify both you and the remote Mail content you receive. Senders can’t use your IP address as a unique identifier to connect your activity across websites or apps to build a profile about you.
>
> You can disable Protect Mail Activity at any time in iOS and iPadOS by going to Settings > Apps > Mail > Privacy Protection, then tapping to turn off Protect Mail Activity. On Mac, go to Mail > Settings > Privacy, then unselect Protect Mail Activity.
>
> If you choose to disable Protect Mail Activity, the Hide IP Address feature will still mask your IP address using the same two-separate-internet-relays design. You can disable Hide IP Address at any time in iOS and iPadOS by going to Settings > Apps > Mail > Privacy Protection, then tapping to turn off Hide IP Address. On Mac, go to Mail > Settings > Privacy, then unselect Hide IP Address.
It seems like M5 Macs may have EMTE. Note that Apple’s documentation is misleading.
Why it's not merged |
I think this PR got bogged down in a lot of minutiae. It would be easier to get the main points in and then add improvements one by one over individual PRs; it's really hard to focus when there are so many different suggestions in the same PR.
Is there any source? |
https://developer.apple.com/documentation/xcode/installing-the-command-line-tools |
Nothing there is about security.
Everything installed on a device can potentially be abused in creative ways, thus increasing the attack surface. If you want a specific example of using developer tools for malicious purposes, see e.g. how to use Python to bypass application whitelisting:
To be fair, any interpreter can be used for such a purpose, which is one of the reasons why interpreters bundled with macOS were deprecated and Python was actually removed. (Perl and Ruby still remain; shells and awk can't be removed, but they are somewhat limited; I've no idea whether AppleScript or OSA JavaScript can be used to invoke arbitrary syscalls.) Some references you've been looking for:
(Windows version of the above: LOLBAS, LOLDrivers, and Applications that can bypass App Control and how to block them.) On top of that, Xcode ships with Python 3.9.6, which is not just EoL but the last release was actually 3.9.25. Apple does have a history of shipping unpatched software.
> ## Other Executables

> Gatekeeper, the App Sandbox, and the Hardened Runtime only apply to apps (packaged with the .app extension) and not other types of executables. They also do not apply to CLI utils shipped inside an app if you invoke them directly using the terminal.

macOS has sandbox-exec for CLI tools: https://igorstechnoclub.com/sandbox-exec/. Despite being deprecated a long time ago, it's still widely used by browsers (Chromium, Firefox), AI agents (OpenAI Codex, Anthropic Sandbox Runtime) and the system itself. According to https://stackoverflow.com/a/61880980:

> Internally, it [AppSandbox] makes use of the older sandboxing profile system above by applying the profile `/System/Library/Sandbox/Profiles/application.sb` during app startup. App Sandbox is much more limited than the full profile system, relying only on a few flags and lists, which can't offer the same flexibility as using profiles directly. As far as I know, there's no way to control this newer system as a user, since you'd need to repackage and resign an app to do so.
>
> As a user, sandboxing profiles for sandbox-exec are still your main and only option on macOS. While it may say deprecated, it doesn't look like they are going away any time soon either, since it's still widely used in both profile form and as an internal layer for the newer App Sandbox feature.
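A minimal sandbox-exec profile of the kind this comment refers to, as a shell example added here (not from the PR, the guide or the linked article): it generates a deny-by-default profile that cuts off all network access and confines writes to one directory, then runs a CLI tool under it. The rule set is my own choice; individual tools may need further allow rules, and the `/tmp/scratch` path is just an illustration.

```shell
#!/bin/sh
# Added example, not from the PR: confine a CLI tool with sandbox-exec.
# The profile is written in the Scheme-like .sb dialect sandbox-exec reads;
# later rules take precedence over (deny default), so every allow is explicit.

# Emit a profile for one working directory (given as $1).
make_sandbox_profile() {
    workdir=$1
    cat <<EOF
(version 1)
(deny default)
;; the tool must still be able to start: exec, fork, read sysctls
(allow process-exec)
(allow process-fork)
(allow sysctl-read)
;; reads of system libraries and the tool's inputs; narrow with (subpath ...)
;; if the tool must not see the user's home directory
(allow file-read*)
;; writes only inside the working directory
(allow file-write* (subpath "$workdir"))
;; no inbound or outbound network at all
(deny network*)
EOF
}

# Run a command under the profile:  run_sandboxed /tmp/scratch some-tool args...
# A tool that tries to reach the network (curl, pip, a telemetry call) fails
# inside the box instead of silently succeeding.
run_sandboxed() {
    workdir=$1; shift
    mkdir -p "$workdir"
    profile=$(mktemp)
    make_sandbox_profile "$workdir" > "$profile"
    sandbox-exec -f "$profile" "$@"
    status=$?
    rm -f "$profile"
    return $status
}
```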
> ## Securely Erase Your Mac

> To completely wipe your Mac securely, use the [Erase All Content and Settings](https://support.apple.com/en-us/102664) option. This will ensure all data is securely wiped and no traces of your ownership are left on the Mac. This is important so that the next owner is able to set it up without running into issues with verification. You'll need to know an Administrator password and Apple Account password to turn off Find My if you've enabled it previously.

‘Erase All Content and Settings’ only wipes the data volumes. A full wipe of the entire SSD can only be done by using DFU recovery. Intermediate options include erasing the Boot Volume Group and the Apple_APFS container. See https://eclecticlight.co/2026/02/19/how-to-erase-your-apple-silicon-mac/ for all the details.
Want to cover FileVault, App Sandbox, Hardened Runtime, XProtect, Gatekeeper, Notarization, threat models for each
Disclosure: I copied/used parts of https://github.com/drduh/macOS-Security-and-Privacy-Guide?tab=readme-ov-file#app-sandbox but I wrote those parts so I'm only plagiarizing myself. I also copied parts of official Apple documentation, didn't want to change them for the sake of accurate information. Wherever I do I link back to the source.