Security and privacy improvements in macOS Mojave
Apple has released macOS Mojave, which comes with a new Dark Mode, a redesigned Mac App Store, and many new and modified features. It also sports changes aimed at enhancing users’ privacy and security.
Improvements in Safari
Some of these have already been unveiled, as they are included in Safari 12, which was released only a week ago.
The browser now has a new Passwords section in its Preferences, which flags password reuse (but only for passwords users have saved within the browser).
Safari 12 also has improved Intelligent Tracking Prevention (Andrew Cunningham offers more details about the changes) and fingerprint protection: Safari now “sends out” a simplified version of the system configuration and shows no custom-installed fonts, all with the goal of making the system and browser less unique so that advertisers can’t “fingerprint” users easily while they are browsing the Web.
Apple is also removing support for legacy NPAPI plugins and the HTML/CSS/JavaScript Safari Extensions API and is pushing developers to distribute their apps from the Safari Extensions Gallery in the Mac App Store.
Similarly to the newest iOS 12, macOS Mojave will allow users to fill in security codes received via iPhone with a single click, but that’s only if they have configured their phone to forward text messages to their Mac. This feature works for Safari and will work for other apps (when updated for Mojave).
OS-based security changes
Apple has introduced changes in macOS’ Gatekeeper, which enforces code signing and verifies downloaded applications before allowing them to run, and System Integrity Protection (SIP), which protects system-owned files and directories against modifications by malware.
As detailed by Cunningham, in Mojave, Gatekeeper:
- Allows users to control which apps can access Location Services, Contacts, Calendars, Reminders, Photos, Mail, Messages, Safari browsing data, HTTP cookies, call history, iTunes device backups, Time Machine backups, the computer’s webcam and microphone.
- Puts limits on how apps can interact with other apps.
System Integrity Protection has been updated to keep an eye on system processes and to kill those that attempt to execute code that is not signed by Apple.
A new Automatic Strong Passwords feature will allow Mojave to create and suggest strong passwords every time the user is creating a new account or changing a password on an old one. It will work for Safari and apps.
Security updates and new zero-day
Mojave comes with fixes for a number of security holes, including:
- An App Store permissions issue that may allow a malicious application to determine the Apple ID of the owner of the computer,
- A validation issue in the entitlement verification that may allow a malicious application to access local users’ Apple IDs, and
- A configuration issue that may allow a sandboxed process to circumvent sandbox restrictions.
On the same day the new OS was released, Patrick Wardle revealed the existence of a zero-day vulnerability that could allow a malicious app to bypass the operating system’s privacy controls and copy the contents of the user’s address book.
He demonstrated the exploit in a video, but refrained from publishing more details.