
macOS Security and Privacy Guide - Nginx487
https://github.com/drduh/macOS-Security-and-Privacy-Guide
======
pvg
This has popped up a bunch of times before:

[https://hn.algolia.com/?query=macOS%20Security%20and%20Priva...](https://hn.algolia.com/?query=macOS%20Security%20and%20Privacy%20Guide&sort=byDate&dateRange=all&type=story&storyText=false&prefix&page=0)

It's not good. See:

[https://news.ycombinator.com/item?id=17904304](https://news.ycombinator.com/item?id=17904304)

~~~
draebek
tptacek's criticisms are quite valid. However, "it's not good" seems
oversimplified to me? I found lots of interesting information in this.

For example: information about the activation process for Macs, the importance of
setting a firmware password, disabling some of the Spotlight services, and
binary whitelisting through Santa. The repo also has the most comprehensive
discussion I've seen about evicting FileVault keys from RAM on sleep:
[https://github.com/drduh/macOS-Security-and-Privacy-Guide/is...](https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/124)

Also, I'm not sure if this has been changed more recently than the comment you
linked, but it seems like they actually don't recommend AV software anymore:
"Therefore, the best anti-virus is Common Sense 2020. See discussion in issue
#44."

I grant you that having someone follow this top to bottom might be bad, but to
say "it's not good" seems to both lack nuance and also to discard some useful,
hard work done in good faith.

~~~
pvg
A guide that can't be used safely by non-specialists while being aimed at them
is not a good guide. It is a very simple conclusion with the added benefit of
also being almost tautologically true.

The thing probably does contain a bunch of interesting information but it's
not good at its stated purpose.

------
mindfulhack
I love how this is offered fully in Chinese, and that reminds me of something.
Every operating system like macOS has its place, no matter what one's threat
model is. Don't just say 'move to Linux if you're really worried about
security or privacy'.

Maybe someone in China or another authoritarian regime needs to look less
suspicious on the outside by using macOS instead of Linux. For those people,
this information is gold.

BTW, this is indeed the famous GitHub guide many of us have known for years,
just now renamed and updated.

2016 HN discussion of it with the old title, 'A practical guide to securing
macOS':
[https://news.ycombinator.com/item?id=13023823](https://news.ycombinator.com/item?id=13023823)

~~~
AsyncAwait
> Maybe someone in China or another authoritarian regime needs to look less
> suspicious on the outside by using macOS instead of Linux.

There's even an official Chinese Ubuntu spin. You're probably more suspicious
with macOS, since these tend to be in the hands of high-profile businessmen
and such.

~~~
beenBoutIT
In an authoritarian regime everyone with a computer looks suspicious.

~~~
seniorivn
Quite the opposite: in a mass surveillance state anyone without a virtual
personality fingerprint and tracking data is suspicious.

~~~
Shared404
How about:

In an authoritarian regime/mass surveillance state everyone is suspicious?

------
snazz
I'm somewhat surprised that this guide recommends Homebrew. I agree that using
a package manager is a good way to keep software updated from a central,
trusted repository--always a good thing--but Homebrew makes a number of
trade-offs for convenience instead of security. MacPorts has most of the same
common packages and doesn't mess up filesystem permissions like Homebrew does.
If I remember correctly, the all-inside-the-home-directory technique used in
this guide is unsupported by the Homebrew developers as well.

See [https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-pack...](https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-package-managers/) for a more nuanced take on this.

~~~
jabirali
> MacPorts has most of the same common packages and doesn't mess up filesystem
> permissions like Homebrew does.

This is more a convenience than a security question. I understand that Homebrew
can install not only open source command-line tools, but also third-party
binaries (via `cask`) and Mac App Store apps (via `mas`), and that all three
types of software can be installed, updated, or removed via the same `brew`
command or synced `Brewfile`.

Does MacPorts offer something similar? In that case, how is its coverage
compared to the systems above?

(Context: I’m a long-time Linux user in the process of migrating to macOS.)

~~~
snazz
As I understand it, MacPorts is a fair bit more limited in that regard. For my
purposes, I haven't found a need for the ability to install third-party
binaries and Mac App Store apps through my package manager, since every
third-party binary I have installed includes its own updater and the Mac App
Store updates apps as well. I can see how setting up everything in one place
could be useful, but I haven't run into a situation where it has been useful
in my macOS usage quite yet.

Homebrew and MacPorts are philosophically pretty different from each other and
neither can be directly compared to Linux package managers. I think you'll
find the solution of MacPorts for OSS command-line tools + Mac App Store for
Xcode and other random stuff + third-party installers for things like Sublime
Text and Microsoft Office works pretty well in practice, although it's not
quite as clean as using one package manager for everything.

~~~
jabirali
Thank you for sharing your experience on this :).

> I can see how setting up everything in one place could be useful, but I
> haven't run into a situation where it has been useful in my macOS usage
> quite yet.

What appeals to me personally is having a list of apps (the “Brewfile”) that
I can sync between my work and personal computer via my dotfiles, and let the
system mirror what apps are installed on both devices (“brew bundle” installs
or uninstalls apps based on that app list). And that if I need to replace my
machine, I can just sync my dotfiles to the new machine and let Homebrew
auto-restore apps, including third-party apps and things from the App Store.

I’ve tried some “declarative package managers” before and enjoyed that, so
when articles like this [1] said Homebrew can apparently do the same across
open-source software, Mac App Store apps, and third-party apps, via a single
synced Brewfile, that seemed interesting. The same Brewfile also appears to be
usable on Linux for open-source apps (via Linuxbrew).

But I don’t yet have any experience with it, so I have no idea how well it
works or whether it’s worth it. If we disregard third-party apps, do you know
if MacPorts has an equivalent to Brewfile?

[1]: [https://openfolder.sh/macos-migrations-with-brewfile](https://openfolder.sh/macos-migrations-with-brewfile)

~~~
saagarjha
Somewhat, it does have a way of recreating your current setup (generally
intended to be used across OS upgrades, but it doesn't have to be limited to
that use case):
[https://trac.macports.org/wiki/Migration](https://trac.macports.org/wiki/Migration)

------
abledon
I was looking at Yabai [1] as a window manager and it requires SIP [2] to be
disabled for advanced features... Is SIP really needed? I see that it didn't
even exist before OS X 10.11 "El Capitan".

[1]
[https://github.com/koekeishiya/yabai/wiki](https://github.com/koekeishiya/yabai/wiki)

[2] [https://github.com/drduh/macOS-Security-and-Privacy-Guide#sy...](https://github.com/drduh/macOS-Security-and-Privacy-Guide#system-integrity-protection)

~~~
twhb
Here’s an instance of SIP preventing a Chrome update from bricking computers.

[https://arstechnica.com/information-technology/2019/09/no-it...](https://arstechnica.com/information-technology/2019/09/no-it-wasnt-a-virus-it-was-chrome-that-stopped-macs-from-booting/)

~~~
SahAssar
Bricking means that the computer is no more useful for computing than a brick
(or that you might as well use it as a brick). Don't use it for stuff that can
be fixed with software.

~~~
VRay
Where do you draw the line, though? Something that might be a brick to a web
developer would probably be perfectly serviceable to me as a firmware engineer.

Meanwhile, something that's a brick to me is often perfectly serviceable to
someone who can operate a soldering iron.

Something that's a brick to a competent hardware tech might still be
serviceable to a 3 letter agency.

~~~
extra88
If you can still boot a Mac from the recovery partition or an external drive,
it’s not bricked.

~~~
VRay
It IS bricked if you're a semi-technical Chrome user whose Mac is stuck at the
question mark screen, though.

------
krn
As a side note: isn't ChromeOS a _safer_ alternative to macOS in 2020[1]?

[1] [https://www.chromium.org/chromium-os/chromiumos-design-docs/...](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview)

~~~
jmnicolas
AFAIK ChromeOS phones home to Google, so if Google is among your threat model
(privacy) it's not good.

Last time I checked, installing ChromiumOS wasn't easy and I'm not even sure
there's an "ungoogled" version like there is for the Chromium web browser.

~~~
krn
I meant, ChromeOS might be a more _secure_, not necessarily a more _private_
option.

If macOS had a way higher likelihood of zero-day attacks, ChromeOS phoning home
wouldn't be the biggest concern to most users.

Because in the first case the threat would be the entire world, and in the
second case – only the US government.

~~~
stjohnswarts
Secure is a very vague word. I think you're looking for "less hackable by
hostile actors"; then definitely ChromeOS has a smaller footprint.

------
secfirstmd
This guide is great. It's a pity there is no easy-to-use (maybe GUI) tool for
the average user to be able to implement a lot of the things mentioned here.
There used to be a few scripts around but most seem outdated. I'm thinking along
the lines of Harden Tools for Windows. Great open source project for someone.

[https://securitywithoutborders.org/tools/hardentools.html](https://securitywithoutborders.org/tools/hardentools.html)

~~~
djeiasbsbo
[https://objective-see.com](https://objective-see.com) have pretty good
security related GUI tools for macOS. Things like ransomware protection,
firewalls, task explorers. They also do malware analysis for macOS, definitely
an interesting website.

~~~
secfirstmd
Totally, I'm a huge fan of the stuff on there.

------
tptacek
The thing about PRNG "entropy" and when to enable FileVault is almost
certainly false, and based on a misconception of how PRNGs work.

Also, recommending libpurple-based IM clients as a security/privacy measure,
so you can run OTR over them, is probably a bad idea.

And it recommends Mac antivirus! Do not install antivirus on your Mac.

~~~
draebek
The guide seems to say, "the best anti-virus is Common Sense 2020. See
discussion in issue #44." I take this to mean that they recommend common sense
instead of anti-virus software.

It does also say, "Anti-virus programs are [...] possibly useful for catching
'garden variety' malware on novice users' Macs", so maybe that's what you
disagree with, which is reasonable.

I just wanted to point out that their main recommendation does not, to my
reading, suggest to use AV.

------
lwouis
Does anyone know of a similar collection of tweaks, but for getting
performance out of macOS?

Things like disabling Spotlight so it's not indexing node_modules and other
folders, or adding tools to the Developer Tools to disable network checks with
Apple servers when you want to run a binary.

~~~
neilalexander
You can already exclude things from Spotlight’s index in System Preferences.

~~~
lwouis
I know, I'm doing it. I was saying I would love a list of tweaks of that
nature. Things I don't know about that I could do to improve performance.

------
fouc
Nice guide. I didn't realize the security implications of iOS devices and the
Touch Bar (being practically an iOS device itself).

I'd be interested to see an equivalent guide for Android devices. My current
suspicion is that I'd be far more alarmed by Android than iOS but it would be
nice to verify this.

~~~
throWaythxMod
You can pretty much do anything with Android, the same cannot be said about
Apple's dictatorship.

I am not even sure about stock installs given Apple's poor security record.

~~~
jabirali
> You can pretty much do anything with Android, the same cannot be said about
> Apple's dictatorship.

The problem is that _app developers_ can also do anything with Android, often
against the users’ will.

Before I switched to iPhone, my choices for location access on Android apps
were basically “access location 24/7”, or “no location support at all”; and
even that was an improvement upon the earlier “the app will get these
permissions, don’t install it if you disagree” model. iPhone, in contrast, had
a sensible “only access location when the app is open” option. Similarly,
uploading a single photo to Facebook on Android required the app to get full
access to your whole SD card; on iPhone, I can send a photo without the app
getting access to my storage at all (that single photo is copied into the
Facebook sandbox by the OS). Perhaps Android has improved since, but so has
iOS (see e.g. the feature list for iOS 14).

For some of us, controlling our data without turning the phone into a
full-time hobby is more important than having full system access.

> I am not even sure about stock installs given Apple's poor security record.

Do you have a link supporting that Apple’s security record is worse than other
systems, relative to market share?

As far as I know, the macOS permission system provides better sandboxing than
either Windows or Linux by default. (Though if you work for it, you can harden
Linux more.)

And although there is a lot of malware for macOS, last I checked nearly all of
it was in the form of Trojans and similar vectors, where a user has to
download and execute untrusted code. That is an issue on any platform; a user
running a malicious bash script with sudo shouldn’t count the same as remote
exploits in my opinion.

~~~
shazow
You're correct, both Android and iOS have improved. Both have the features you
described today, neither had them several years ago.

~~~
jabirali
It’s good to hear that Android supports this as well now, but I think you
understate the difference in when these features arrived. From a quick search,
the location example was fixed in iOS 8 in 2014 [1], and in Android 10 in 2019
[2], putting Apple 5 years ahead of Google on privacy features. Based on the
list of privacy features being introduced in iOS 14, my impression is that
this is still the case?

[1]: [https://9to5mac.com/2014/06/04/apple-improves-location-servi...](https://9to5mac.com/2014/06/04/apple-improves-location-services-in-ios-8-with-when-in-use-mode-visit-monitoring/)

[2]:
[https://en.m.wikipedia.org/wiki/Android_10](https://en.m.wikipedia.org/wiki/Android_10)

~~~
shazow
Thanks for looking up the timeline, I was not sure. Also full disk encryption
on phones is another thing Apple did way earlier.

I agree it's not exactly apples to Apples. Does Apple still have special
permissions for their own apps which allow them to run unobstructed, but
other apps need to jump through hoops with callbacks and other workarounds?

Are we expecting Apple to always be 5 years ahead of Google on privacy
features? Or did Google shift priorities with Android 10?

Honestly if we're talking about buying an iOS device or an Android device in
2014, I'd lean towards iOS for sure. I don't feel the same way about it today.

~~~
jabirali
> Are we expecting Apple to always be 5 years ahead of Google on privacy
> features? Or did Google shift priorities with Android 10?

Good question! My personal impression is that Google, being primarily a
tracking company, reluctantly added just enough privacy features for people
not to flock to Apple. (I think people have grown more privacy-conscious over
the past few years, and Apple has marketed their privacy features heavily.)
Links like this [1], listing the iOS 14 privacy features that will arrive in
late 2020, appear to still be ahead of what Google has done yet – and e.g.
Facebook’s reaction to the cross-app tracking block appears to indicate that
this isn’t something they’ve encountered from Google.

But being an iPhone user now, I of course notice more easily what’s happening
in the Apple world than Google world. If you have an overview of new privacy
features in Android, which aren’t in iOS, I’d be very happy to be proven
wrong. I’d love to see a full arms race between Google and Apple on privacy,
with both parties introducing novel features.

[1]:
[https://www.macrumors.com/guide/ios-14-privacy/](https://www.macrumors.com/guide/ios-14-privacy/)

> Does Apple still have special permissions for their own apps which allow
> them to run unobstructed, but other apps need to jump through hoops with
> callbacks and other workarounds?

Unfortunately, yes. There is e.g. no way to get as reliable background sync
with things like Nextcloud and Resilio as you do with iCloud, since there’s no
“run in the background” permission. Not sure about this, but I don’t think any
other app can take over the lock screen in the same way as Apple Maps. You
can’t set a default browser other than Safari, but I believe this is changing
in iOS 14.

While I respect Apple for their stance on privacy and therefore use an iPhone,
I do disagree with some of these missing permissions, and hope that a new
round of anti-trust investigations may force them to open up on this.

------
clairity
I've increasingly been having issues with Hands Off! [0] on my machine
(intermittent high CPU usage, regular kernel panics), and was actually looking
at this guide a while back to decide whether I should switch to pf instead [1].

But pf seems to require much more configuration and management. Anyone have
experience/pointers in this regard?

[0] I used to use Little Snitch many years ago, but ran into similar issues
with it over time (maybe it's better now).

[1] [https://github.com/drduh/macOS-Security-and-Privacy-Guide#ke...](https://github.com/drduh/macOS-Security-and-Privacy-Guide#kernel-level-packet-filtering)

~~~
celias
I use Murus to manage pf on a couple of Macs. They also have an
application-layer firewall named Vallum.
[https://www.murusfirewall.com](https://www.murusfirewall.com)

------
t0mmyb0y
This fails to make much sense overall. My Macs only talk to Apple when I let
them and it was way simpler than this.

------
jmnicolas
> Is your adversary a three letter agency (if so, you may want to consider
> using OpenBSD instead);

A 3 letter agency won't be stopped by OpenBSD or any other OS.

There are so many security holes in the hardware itself, and ultimately they can
always "convince" you to release your data.

~~~
mikece
No, you can’t stop “an agency” but you can make their job harder and slow them
down. Using a hardened OS is part of the mix, but not connecting to the net if
you can avoid it is another. A good overview of how to configure your computer
for privacy can also be found on episode 177 of Michael Bazzell’s “Privacy,
Security, and OSINT Podcast”:

[https://overcast.fm/+Hbyfl32i0](https://overcast.fm/+Hbyfl32i0)

------
Simon_says
It's enough to make one want to switch to OpenBSD or Linux.

~~~
jabirali
I think most of that guide would require roughly the same amount of work on
Linux though (e.g. setting up firewalls, DNS, VPN, and FDE).

~~~
Simon_says
Are you kidding? You still have to do work, but a third party doesn't get to
decide if you can boot and what image you boot.

> What is particularly worrying about this process is that it is a
> network-linked secure boot process where centralized external servers have
> the power to dictate what the device should boot.

This is an abomination.

~~~
jabirali
Firstly, your quote is about iOS, not macOS, as far as I can tell, so the
competitor here would be Android, not OpenBSD.

Secondly, I interpreted your comment as “that list is long enough to make one
want to switch to Linux”. I then stand by my comment that most of the
suggestions on the list require at least the same amount of work on Linux.
(Source: I’m a Linux user that has set up things like fscrypt, ufw, openvpn on
my devices.)

------
ChrisMarshallNY
This is great! Thanks for sharing it. Obviously a labor of love.

------
Razengan
Should add an explanation for what "sepOS" is.