File access in macOS: Hidden access rights to folders

Access controls under macOS are becoming increasingly strict: before apps can access files, folders, contacts or the location, they must ask for permission at least once. Users can find these permissions in the system settings under “Privacy & Security” and can revoke them for an app there. Apple calls this “Transparency, Consent & Control” (TCC). But when it comes to files and folders, there are gaps in the fine mesh of access permissions, reports Howard Oakley.

Before a freshly installed app can open or store files in the Documents or Downloads folder, for example, it must request the user’s consent: a dialog asks the user whether to grant access. Once access is granted, the app can browse the folder, open files and create new ones. At the same time, a new entry with the name of the app and the respective folder is created in the system settings under Privacy & Security > Files & Folders. If you switch off access again, the app can no longer open files from there.

Exception via “Open” dialog
If you use the Open dialog instead and grant an app one-time access to a folder, the app receives permanent reading rights for the selected folder, independently of the setting shown in the system settings. What’s more, the folders an app can access by this route can neither be viewed nor removed in the graphical user interface.

According to the system settings, Insent does not have access to the Documents folder, but it can read and write files in it.

App for experimenting
To investigate this phenomenon, Oakley wrote the software Insent. It requests file accesses and then attempts to read or write text files. So far he has only been able to find one way to remove all folder access from his app – and this requires a terminal command followed by a restart:

tccutil reset All co.eclecticlight.Insent

Hidden in the (folder) attributes
A possible answer is revealed in the user comments: macOS most likely stores the access permission in the extended attributes (xattr) of the respective folder. In the com.apple.macl entry this appears to be stored in binary form. Oakley doesn’t see a significant security vulnerability due to the complex design, but is puzzled by the lack of transparency – along with the complicated way to reset this setting. Apple may see this phenomenon as an unfortunate side effect of the more open structure of macOS: The behavior described applies to programs that are designed without a sandbox; Apple doesn’t allow these in the App Store.
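
One way to check from Terminal which folders carry the attribute, as an added example that is not from the article or from Oakley's tools. It assumes, as the reader comments suggest, that com.apple.macl is where the hidden grant is recorded; XATTR_BIN and the function names are illustrative, and the value is reported only by size because its binary layout is not described here.

```sh
#!/bin/sh
# Added example: report folders that carry the com.apple.macl extended attribute.
# Assumption (from the reader comments cited above): macOS most likely records
# the access granted through the Open dialog in this attribute.

XATTR_BIN="${XATTR_BIN:-/usr/bin/xattr}"   # macOS xattr tool; overridable for testing

# has_macl DIR: exit status 0 if DIR lists a com.apple.macl attribute
has_macl() {
    "$XATTR_BIN" "$1" 2>/dev/null | grep -qx 'com.apple.macl'
}

# macl_size DIR: print the attribute's length in bytes
# (xattr -px prints the value as hex, two digits per byte)
macl_size() {
    hex=$("$XATTR_BIN" -px com.apple.macl "$1" 2>/dev/null | tr -cd '0-9A-Fa-f')
    echo $(( ${#hex} / 2 ))
}

# audit_macl DIR...: check each DIR and its direct subfolders,
# printing "path<TAB>N bytes" for every folder that has the attribute
audit_macl() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -maxdepth 1 -type d 2>/dev/null | while IFS= read -r dir; do
            if has_macl "$dir"; then
                printf '%s\t%s bytes\n' "$dir" "$(macl_size "$dir")"
            fi
        done
    done
}

# With --run: check the home folders named in this article.
if [ "${1:-}" = "--run" ]; then
    audit_macl "$HOME/Desktop" "$HOME/Documents" "$HOME/Downloads" \
               "$HOME/Pictures" "$HOME/Movies"
fi
```

Invoke the script with `--run` to check the default folders, or call `audit_macl` with your own paths.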

What is protected?
In further experiments, Oakley tried to find out which folders actually trigger a consent request. So far he has found six locations: Desktop, Documents, Downloads, cloud folders, network folders and removable volumes, the latter only if they were not already mounted when the Mac booted. This in turn means that the “Pictures” and “Movies” folders are apparently not protected by the TCC mechanism, nor are any folders created in the user folder.
