From the course: Apple Certified Support Professional macOS 11 Cert Prep: 4 Applications and Processes

Application security

- So, do you ever worry about malicious applications on your Mac? Let's talk about security right now.

- [Announcer] You're watching ITPro TV.

- Hello and welcome back to ACSP Mac OS 11 Big Sur. I am Zach, this is Don. I am not Big Sur, we're talking about the Big Sur. So malicious applications, applications security, and so much more here.

- Absolutely. You know, we hear about malicious applications all the time. They have viruses, Trojans, all sorts of bad things happen, modified software. How do we protect ourselves? Well, Mac OS has a lot of features built in that help take care of that for us. So in this episode, we're going to learn about those features. We'll talk about Gatekeeper, which we've kind of already seen. We'll talk about how applications get sandboxed. We'll talk about how applications are built, and the way the files are combined to create an application, and we'll talk about a few other privacy features that are available inside of Mac OS all to give us peace of mind, to know that when we run an application, it's a trustworthy app.

- So why do we need to be so concerned about applications security?

- Well, you know, when you install an application on your computer, you're kind of demonstrating a lot of trust, right? Trust that that application is going to do what it says it does. If I install Microsoft Excel on my Mac, I'm expecting a spreadsheet application that lets me work with a spreadsheet. But the reality is, behind the scenes, applications can do a lot of stuff. And sometimes that can be bad stuff that we don't know about. Now, it's hard for us to see that because applications are built in a kind of a particular way, right? But Mac OS handles them and expects them to behave a certain way. There's some things like memory access that we have to concern ourselves with. Like you, you've probably heard about the difference between 32 bit and 64 bit applications.
Mac OS 11 Big Sur is a 64 bit operating system that only supports 64 bit applications. If you have 32 bit applications, it complains at you. Previous versions of Mac OS allowed 32 bit apps. Well, the biggest difference between 32 and 64 bit was that you could access more memory, an application could access more than four gigabytes of RAM, but that's not what most people care about. When Apple rolled out 64 bit support, they also increased their driver and hardware security. When your applications talk to the hardware, they go through drivers to do that, and we need to do it in a secure method. 64 bit applications provide that. But even aside from that, there's more stuff that goes on in an application. For example, who made it? Sometimes we don't even know. If you just download an application off the internet, do you know who made it? Have you ever met them? Have you talked to them? Do you know their name? We don't know, right? We trust whoever created that application. So applications have to be digitally signed, and a digitally signed application means that the developer has an Apple developer account. They signed up, they paid Apple a hundred dollars a year, it's kind of the minimum. And then they've had that application signed so you know it hasn't been modified since it left their hands and then Apple is saying, yes, we know that developer. So now it's a little easier to trust, because you know, there's a real person behind the scenes. And when I say modifying an application, it's really hard to tell if somebody's modified an application, let me show you why. I'm going to go on my hard drive, and I've got a number of different applications on here. So I'll go into my applications folder, and I'm going to take one, we'll take Forklift. Forklift is a third-party application that I downloaded from their website, I didn't get it from the app store, right? If I got it from the app store, I could kind of trust it, but in this case, I download it from the web.
Well, with any application, if you do a two finger click on it, or control click, or whatever to bring your menu up, once you look at that, you'll see open, that would open the application, but I've also got show package contents. Applications in Mac OS are actually bundles. Bundles of files put together to create that application. And if I choose show package contents, now I see a folder. And when I navigate in there, I see more folders. And inside of there, I see various binaries, like here's the Forklift binary, and I see other library files that might be tied to it, launch services, frameworks, resources, there's a lot that's involved. And an attacker could put a malicious payload in here, and I wouldn't even see it, right? Back out on the main screen, I would just see that icon for Forklift and that's it. I wouldn't know about that payload. And so that's why Apple has these security features that are in place and that's why these applications are protected. Now, here in the GUI, we don't really see it, it's hidden from us. It's a little more obvious in the terminal. If I go into the terminal, and I switch to my applications folder, and take a look in there, notice how all the applications end in .app, dot a-p-p, that lets me know they're an application, because otherwise, if I just pull a full listing, they show up as directories. They look like directories. That .app is kind of the indicator that lets Mac OS know this is actually a program. And if I were to go into Forklift .app as a folder, now I can see those same contents and so on. So we can see it if we really want to dig into it, but otherwise this is all hidden from us.

- So how do we protect ourselves from that darn malicious software?

- Well, we got a few different tools and techniques that are available for us, and one of them is Gatekeeper, right? If you download an app from the app store, you know you can trust it. It's been through Apple's review process, and it's been received from them.
You know it hasn't been tampered with, but if you get something from a third party site, like I've done here, we don't know if we can trust it, right? When you run an application that's been downloaded from the internet, you'll get a warning. So when I double click on Forklift, I'm going to get a pop-up message is going to come up right here. There we go. Forklift is an app downloaded from the internet, are you sure you want to open it? Now, two things happened here. One, it stopped the application from launching and it's asking me to confirm. And then two, it checked to see if the application was digitally signed. If it is it'll tell me. And right here, it says Apple checked it for malicious software and none was detected. So it knows that this is something that has been tested before and it's okay, right? Or it would see that it's not digitally signed and then it would refuse to run it. And it would say, Hey, this is not a signed application. We have not notarized it, they call it notarizing the app. We have not notarized it. So it's not one that's approved, you shouldn't run it. Now as an administrator, if you're an admin, you can override that and make it run anyway. So, you know, for example, if in this case, if I were to control click or two finger tap and choose open, if you're an administrator, that will make it open even if it's failed its notarization check. So it's kind of just a little kind of a side path there. But once you say, yeah go ahead and open it, I'll open it, so here's the program, it's running, I'll just do a free trial. So here I am in the program. When I quit out, so I'll quit the application. Now I can come in and run it again and I don't get that prompt again, right? Now it just allows it to run because I've said, no, I trust that application, I'm okay with it. Let, let it go, okay. But as an administrator, we might take the stance of, you know what? We don't want third-party apps from other websites.
We want everything to go through the app store so that we know we can trust it. You can disable support for third-party applications. Let me show you how to do that, it's pretty easy. We go into our system preferences, and inside of the system preferences, if you just go under the general preference, right here, under general, you'll see where you can specify a number of different settings on your system. And one of those are actually, hang on, I'm in the wrong spot, not in general, I need to go under security and privacy, there we go. Security and privacy and then into general there. Wrong general. Once I'm in the right spot, I've got an entry down here, it's locked, let me unlock that real quick. And I will punch in my password, and notice these options down here at the bottom. Allow apps downloaded from, and I'm set to app store and identified developers. That means I'll allow ones that have been downloaded from the app store or ones that have been digitally signed or notarized by Apple. Notice there's no option here for things that aren't notarized, that I would have to be an admin and override, or I can say, nope, I just want the app store. I really want to lock this down, and by setting that option, now I will not allow apps, like I wouldn't be able to bypass Gatekeeper for Forklift, Forklift would not work now unless I got it from the app store. So we have that control and that gives us a lot of trust, but it also reduces the amount of applications available to us.

- So you mentioned sandboxes in the app store episode, so how are they securing applications?

- All right, that's one of the real powerful things of the app store. When I run a normal app, it's an unbounded app, which means it's running under my credentials and has access to whatever my credentials have access to. So when I run Forklift, it can do pretty much anything that I can do, right.
But when you download something from the app store and run it, it runs in a sandbox. It runs in a container, right? It has boundaries, walls around it, and it's only allowed to write areas where it has to write, where it needs the, for the application to work. And that can cause problems with some applications. I know I talked about it in another episode with Forklift where certain pieces of Forklift won't work from the app store, and that's why I get it from a third party site. But if we take an application like a Serial, that I've installed. So if I go back here, I'll go into my applications, and I'll find serial and launch it. This one, I did install from the app store, so it runs, it's ready to connect to a Bluetooth serial port, it's ready to rock. It's actually running in a sandbox. Now, I don't know that. Visually, it looks the same to me. So as a user, I don't know, it didn't warn me about the application because it came from the app store. It knew it was trustworthy, so it went ahead and launched it, right? But in the background, it still doesn't trust this application. It ran it in a sandbox. And we can't visually see that. So let me show you the technical way that you can view the sandbox if you really want to kind of peer into the background. I'm going to open up my terminal again, wrong terminal. There we go. And right now I'm in my home directory. So /user/DPezet, right? When I ran Serial, a sandbox was created in my user profile for the serial application. If Zach ran it, a sandbox would be created in his profile. His sandbox and my sandbox, separate. So stuff that Serial does from my account, can't talk to stuff it does for his account. And Serial is not allowed to talk to other applications either, it's only allowed to talk to itself. And the Mac OS API, the, the programming interface that we're able to reach out to and talk to to be able to communicate with the operating system and hardware and other things.
So it's very, very limited in what it can do. And we can see those limits a little bit, if we browse around in here, I'm going to go into my library folder, and inside a library folder, we see a lot of stuff. The folder I'm looking for is this guy right here, containers. If I go into containers, now I'll see a list of applications. Each of these are the containers for the various different applications that I've run. Now I'll see a lot of Apple stuff, right? That's the built-in apple applications, they're sandboxed too, right? Apple wants safety and security. And right here at the end, I can see I've got this com.decisivetactics.serial, so their website is decisivetactics.com, Serial is the application. So I'm going to change into that folder. And inside of that folder, I see a data folder. This is the data that that application is allowed to see. And when I go in there, I'm going to see something kind of interesting. I see, wait a minute, desktop, documents, downloads, library. This looks like my home folder, right? If I were to do a LS of /users/DPezet, applications, desktop, documents, downloads, it looks the same, but it's not my home folder. What it is is a virtual reproduction of my home folder. This application is presented with a fake view of my home folder. If I do a long listing, you'll actually see that most of those are links, see how they're links pointing up for directories to my desktop, to my downloads and so on. But some of them aren't, like this documents folder. It will have its own documents folder where it's able to store things, its own preferences in the library. It's able to store these right here in this sandbox. So it thinks that it has access to my system, but it really doesn't. It's really partitioned off, walled off, in this one little area. So if malware were to sneak in in this application, it would not be able to access other applications data, assuming they were all containerized like this, all right. 
But if I'm mixing third party apps with app store apps, that starts to break down, I don't get those security permissions. So if we really want to be secure, we'll pull all of the apps from the app store when possible, so that we get that advantage of everything being compartmentalized.

- Well, what other user security features are available in Mac OS? What magic is still available to us?

- You know, so there's a handful of other things that you can be aware of. For example, when you run an application, it doesn't have to have access to everything. You know how, like on your phone, if you install an app, and it says this needs location services, allow or deny. And if you allow it, great, now it knows where you are, and if you deny, sometimes it breaks the application, the application just won't work because that feature is not there. Well, in Mac OS, you can actually do that stuff too. It's not as obvious as it is on the phone, where it's kind of in your face. I think in future versions of Mac OS we'll see it become more obvious. But if you ever want to adjust what access an application has, you can. All you need to do is go into your system preferences. So I'm going to go into system preferences. And then from here, I'm going to go to security and privacy. And inside of here, I'm going to go to the privacy tab. And right here, I'll see all the different types of access that an application might request. Does it need access to my location services, that was the example I gave a moment ago, or full disk access, I think we saw that in another episode. Particular files and folders. I can go through and dictate who has access to what. So, for example, when I go to files and folders, I can see where Forklift actually has access to certain files and folders. In fact, full disk access, Forklift has access to everything. I could come and tweak that and change it, restrict that down and change it to just certain folders. That's what the containers or the sandboxes do.
I can determine whether they do screen recording or not. Whether they're allowed to play music, home kit, Bluetooth access, all of those different things. In fact, Serial supports connecting to Bluetooth serial ports. Well, it's not listed here in my Bluetooth section, and so it doesn't have that access. I would need to give it that access in order for me to talk to Bluetooth devices, and that application might actually request it. And you know, I didn't try, if I try and connect to a Bluetooth port, we'll see if it asks. No, it's just going to try and connect, but then it's going to sit there and do nothing. So it's going to have to be granted that access before it works. And some applications have gotten smart enough where they'll check for that. I can give you an example. Like, I know I use this Splashtop program, and with Splashtop, it lets me do screen mirroring. And so when I look here, it needs three sets of permissions. It needs full disk access, screen recording, and accessibility features, and so it actually checks to see whether it has those. And if it doesn't have one of the permissions, then it'll give me a little button here where I can click to jump right to that scene and be able to enable that setting to give it the access. And that's why, you'll see it over here, where I've got full disk access, Splashtop streamer is right there, and if I look at screen recording, we'll see Splashtop streamer again. And then accessibility, there it is a third time. And without those three permissions, the application doesn't work. So that gives us a little more control over what an application can and can't do.

- Well now that you've thoroughly made me paranoid, is there a way to see a list of all the software that's installed on my computer?

- Sure. So everything I just said is great when you're starting from scratch, right? You can say from this moment on, I'm going to do X, Y, Z, but what about all the stuff you already have, right?
Applications can be installed in several different places on the hard drive and they're kind of hard to keep track of. So if you ever want to perform an inventory, and just find out what applications are installed on your machine, all you have to do is use the system information utility. So I'm going to do that. I'm going to, well, I was going to try and get rid of this window, but it's not letting me. I'll use my spotlight search. I'll just do command space, and I'm going to type system information, all right. So we're going to launch system information, and, that is a persistent window. So I'll launch system information, and it's showing me a lot of information about my computer and it starts off by showing hardware. But if we collapse that, down beneath it, we can find software. And under software, you can actually pull a list by clicking on applications, of all the applications on your system. Now see how mine is blank. It's not, it just takes a moment to load. It's looking at all the different locations where an application could be, compiling it all together and dropping it right here in one place. So now I get this list. And so I can come through, and I can find something like Serial. And it is down here in the list, there it is. I can see what version it is, and more important, I can see where it came from. It came from the Mac app store, I know I can trust it. If I sort by that column, obtained from, now I can scroll through this list, all right. Here's all the Apple provided stuff, I can trust that. Then I get down to the Apple app store stuff, right there, Mac app store, I can trust that. But what about identified developer? All right. An identified developer, that means it was digitally signed, and it was notarized by Apple. They have said this application is okay. So I'm pretty sure I can trust these, and looking at it, it's mostly printer drivers, right.
But I might see something else in here, like Sublime Text, I installed, so it shows an identified developer, so I can trust that. But the ones I need to worry about are when we start getting into like unknowns. Unknowns, well, that might be a problem. And looking at, I can see a Cocoa AppleScript, an applet, a droplet, these are actually things from Apple that Apple themselves just haven't gotten around to notarizing these yet, so that'll probably get fixed in the future. But if you see anything else in here that jumps out at you as not being something from Apple, then that's a big warning indicator for you as an application you need to revisit, and make sure you should have it.

- You know, I'm going to take all that back. You have made me feel better about security. You really have, and before we leave, I know you have a few other things you'd like to say.

- Yeah. You know, application security, we focused on the features that were built into Mac OS. We talked about Gatekeeper, we talked about the app store and limiting to just app store apps. We talked about sandboxes and how they work, and we got a chance to look at the privacy settings, the way we can issue application permissions there, all of these are great features that are built into Mac OS. If you're really concerned about safe applications, though, you may choose to go an extra step, and get anti-malware or anti-virus type software for your computer. I know, like on my personal computer, I use Sophos antivirus, and it's not just anti-virus anymore. Now they do all the anti-malware stuff too. Really handy software to have, because it can help prevent you from getting a malicious software package installed in the first place, better yet, you know, actually running one. So those are nice tools to have. On the exam, they'll focus on just the tools built into the OS.

- Fantastic, great information as always, we'll help you on the exam and so much more. Thank you for joining us for this episode of ACSP, and we are going to be back with some more episodes, so make sure you watch them. Bye bye now.

- [Announcer] Thank you for watching ITPro TV.
