> There are two fundamental flaws in TCC that make this exploit possible
We know that TCC is a major burden for legitimate Mac apps. But is it a major burden for malware? That's the question, and it seems to me the answer is no. There are so many holes in this system, it only stops the good developers who wouldn't stoop to using the countless hacks readily available to malware developers.
It's a burden for me as a user!
My home theater setup is basically just a Mac connected to a projector. Every button on my Harmony remote runs an AppleScript. Many of them start with lines like:
`tell application (path to frontmost application) to`
I make very heavy use of AppleScript for all sorts of things on my computer. It's one of the things that has kept me on Mac over the years, because there is no broadly-supported equivalent on Windows.
I get the sense that no one at Apple uses AppleScript much, though, because if they did, they wouldn't have added an impossible-to-disable feature which renders it effectively useless.
Does the Harmony process request Apple automation permissions, and is the Harmony process enabled for it if so? (Whatever the parent process of the scripts you're launching is, i.e. Harmony.app in the chain Remote button -> Harmony.app -> Your Apple.scpt)
Does exiting the Harmony process and all scripts, purging all of your events decisions with `tccutil reset AppleEvents`, and then restarting the Harmony process and running a script result in any improvements?
Is Developer Tools new in Catalina, or do I need to install Xcode or some such in order for it to appear? Never saw it in Mojave.
Fwiw, at one point I had a 250 rep bounty on this StackExchange question, and got nothing. :(
'The endless bugs in TCC demonstrate that its burden is not worth the costs to developers.'
What was written in the post did not lead me to understand this, even including the quantity/repetition modifier "over and over again". I think the missing piece for me is the cost to developers bit — without that, it reads as "the bugs prove that this isn't worth the privacy improvement", with that it reads as "the bugs prove that the cost to developers isn't worth the privacy improvement".
There are a couple of reasons locks work IRL despite this, one of which is that they don't really stop honest visitors. You don't usually want anyone coming into your house that you haven't let in yourself, unless they're family members with keys.