Security & Privacy

Understanding New macOS Mojave App Security Alerts

Posted on November 7th, 2018 by

Apple works hard to ensure the security of its operating systems and sometimes these security features can be confusing. In recent years, Apple has sandboxed their operating systems. This means that apps only have access to limited parts of your computer's operating system and files. The reason for this is to prevent rogue apps from accessing data that they shouldn't be able to read and to prevent malware from installing in certain parts of the system.

Related to this are specific accessibility permissions for apps that use the accessibility framework and automation permissions, for apps that use AppleScript, and other background technologies. You see dialogs asking you to grant these apps the permission to do certain things to your files.

While sandboxing and permissions are a good thing overall, they can be an annoyance. It means that some apps - notably utilities - are limited as to which files they can access on your Mac, and that some app features that you were used to using on your Mac may no longer work. While some of these permission dialogs existed before Mojave, they have become more common and can be confusing.

When you first launch an app that requires specific permissions you'll see a dialog like this:

If you weren't expecting this app to open, click deny. But in this case, it's hard to know which app is asking for permission. I've launched an app called Witch, which is an app switcher. The dialog says that "witchdaemon" wants to use my Mac; that sounds somewhat worrisome. Most users don't know that a daemon is a software element that runs in the background. Some apps display their actual names and others display the names of these background processes; developers cannot affect what text displays here.

To continue using the app, you must click Open System Preferences. The icon suggests that this is for Accessibility, which previously was only used to activate features to make it easier to use a Mac for people with limitations, such as hearing, sight, etc. It's actually the Accessibility section of the Security & Privacy pane which is about allowing apps to control your Mac in certain ways.

When you get to this pane you must click the padlock icon, enter your administrator's password, then manually check the entry for the app or process in question.

But that's not all. Depending on the way you use your Mac, you may see additional dialogs for the witchdaemon; these are because Witch controls your Mac with AppleScript in some cases when you want to switch from one app to another (similar to the way you use the built-in app switcher by pressing Command-Tab).

For these alerts you can merely click OK; you don't need to go to System Preferences again.

But in certain situations, Witch may cause Mojave to display yet another dialog requesting access to a specific app. This is an edge case, because for Witch to work with multiple Spaces, it needs to use AppleScript so Mojave requires your permission. This is the case with other apps that use AppleScript as well.

What's scary about this dialog is the text saying that "Allowing control will provide access to documents and data" in the application. If this is a web browser, will the app be able to access your browsing history, password, credit card numbers and more? Or for Mail, as in the screenshot below, does that mean that it can read your emails? Of course not; it's just a poorly worded dialog from Apple and developers can't add text more appropriate to their apps.

Another problem arises if you clicked Don't Allow for any of the above dialogs. There's no going back if you do this; there's no preference pane where you can change your mind. You may wonder why your app isn't working, because Mojave won't tell you if an action you tried to carry out failed because you had denied access to the app fails. You can see which apps you have approved or denied in System Preferences > Security & Privacy > Privacy > Automation.

In summary, you'll be seeing a lot of new dialogs in Mojave and you shouldn't worry about them unless the apps requesting access are not apps you are familiar with. Allowing unknown apps to access your Mac via these dialogs could allow malware to access your files. If you have any doubts, Google the name of the app or process that shows in the dialog to make sure it really belongs to an app on your Mac. If you aren't sure, you can deny it; for the first dialog, you can still go into the Security & Privacy preferences and allow it to have access to your Mac later.

About Kirk McElhearn

Kirk McElhearn writes about Macs, iPods, iTunes, books, music and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, The Next Track, and PhotoActive, and a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than twenty books, including Take Control books about iTunes, LaunchBar, and Scrivener. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →