
What are all those macOS Catalina security alerts?

Posted on October 30th, 2019 by

If you’ve upgraded to macOS Catalina, you’ve probably noticed that you get lots of dialogs asking you to allow apps to access different parts of your Mac’s operating system and its hardware, to give you notifications, and perhaps to access your contacts, photos, and more. Some of these aren’t new, such as this Gatekeeper dialog that ensures that you really do want to open that app you downloaded from a website.

You’ll see the above when you launch a new app that you’ve downloaded (but not from the Mac App Store), but you also might see it if a malicious app tries to launch something you’re unaware of; hence the dialog.

We’ve gotten used to these dialogs: they’ve been part of macOS for several years. But what we may not be used to is several other dialogs that alert us and ask us for permission; many are new in macOS Catalina.

Notifications

Under Catalina, every app that may ever want to send notifications has to ask your permission. This means that after you upgrade, and when you install new apps, you’ll have to decide for each app whether you want to potentially allow notifications. For some apps, say, a calendar app or reminder checklist, it’s normal to get notifications. But I have a number of productivity tools that have asked about notifications, and I find this a bit odd.

Notifications are managed in System Preferences > Notifications, and you can turn them off entirely, or choose which types of notifications you are willing to receive.

Safari per-site download alerts

If you download a file from a website, you’ll have to grant Safari permission to do so. This feature was added shortly before Catalina was released, as part of Safari 13. This is a good thing, because it prevents drive-by downloads: downloads that are initiated by JavaScript, which are often malicious software.

You’ll find settings for downloads in Safari’s Preferences, on the Websites tab. You can turn off these requests if you wish, but that’s probably not a good idea. Once you approve downloads for a site, Safari remembers this, unless you go back to the preferences to change the setting.

Special permissions

If you go to System Preferences > Security & Privacy > Privacy, you’ll see 16 categories for permission to access certain hardware and software elements on your Mac. They include location services; your camera and microphone; your contacts, calendars, and reminders; full disk access and access to your Documents and Downloads folders; and Accessibility, which is a catch-all for apps that can “control your computer.”

Some categories are easy to understand, such as contacts, calendars, and reminders, or camera and microphone. You know why certain apps want to access these. I use a third-party calendar app, so it naturally needs access to the first three categories. And when I use Skype, it needs to be able to use my camera and microphone.

It makes sense to require users to explicitly grant access to these categories. Your contacts, calendars, and reminders contain personal information about you. And your camera and microphone could be used to spy on you.

One of the stranger categories is Screen Recording. There are screen recording apps, such as Screenflow, that you can use to make screencasts, but there are also some other apps that need to access screen recording for different reasons.

Bartender does not record your screen, but in order to access certain information about your Mac, such as what’s in the menu bar, this is what it needs to request. (Read this support document explaining why Bartender needs this permission.)

Some of these permissions require a lot of work for the user. You can’t just set them all with a simple dialog; in some cases, you may need to go to the Accessibility section of the Privacy preferences and manually add apps, then quit and relaunch them. And if users don’t do this correctly, then some apps won’t run. Here is one example of a developer needing a lengthy explanation of the process for the app Moom. From a developer’s perspective, it’s not exactly ideal to have to walk a user through so many steps before they can use your software.

Note that you’ll only see these Accessibility requests for apps that are not from the Mac App Store, or for Mac App Store apps that are not sandboxed. Currently, all new apps must be sandboxed—this is a special way of limiting their access—but some older apps have been allowed to be updated without sandboxing if they are updated just to fix bugs, not to add new features.

Partial and Full Disk Access

New in Catalina is the requirement for apps to ask to access certain folders, such as Desktop, Documents, Downloads, and others, including any external drives. These fall into two broader categories: Files and Folders, and Full Disk Access. Apps that need Full Disk Access include antivirus apps, backup apps, FTP apps, Dropbox, and, curiously, Apple’s own Terminal app. Apps that need more limited access seem to be those that can both read and write files. Apps that access your photos also need to ask permission, although I have a number of photo editing apps that seem to work fine without this explicit permission and don’t seem to need access to files and folders either.

What I found is that for some apps that I had on my Mac before upgrading to Catalina, these new permissions aren’t always required. I deleted one such app (Acorn, a photo editor) then redownloaded it, and the new copy asked to access my Downloads folder, which the previous copy hadn’t requested, but it still didn’t ask permission to access my photos.

Does all this provide more security, or simply inspire complacency?

It’s undeniable that many of these limitations enhance security, but when there are so many dialogs, they can also unintentionally encourage complacency. Users may just click OK for every dialog they see so they’re not bothered. Ironically, Apple mocked Windows Vista’s overwhelming permissions requests back in 2007, but a dozen years later, macOS Catalina has actually turned out pretty similar.

It’s helpful to understand why you’re seeing all these alerts, and not just accept them blindly. And if you accidentally allow an app access to part of your Mac when you didn’t intend to, go into System Preferences where you can remove this access.
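If you'd rather review those grants in one list than click through each Privacy category, the sketch below shows the idea. It is an added example, not part of the original article: it assumes Catalina stores these decisions in a SQLite file named TCC.db with an `access` table containing `service`, `client`, `allowed` and `last_modified` columns, and it runs against a small constructed database rather than a real one. The bundle identifiers are made up.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed TCC service identifiers, mapped to the Privacy pane names used above.
SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServiceSystemPolicyDownloadsFolder": "Downloads Folder",
}
# Categories broad enough that every grant deserves a second look.
HIGH_RISK = {"Full Disk Access", "Accessibility", "Screen Recording"}

def audit_grants(conn):
    """Return the grants that are currently allowed, broadest categories first."""
    rows = conn.execute(
        "SELECT service, client, last_modified FROM access WHERE allowed = 1"
    ).fetchall()
    grants = []
    for service, client, modified in rows:
        category = SERVICES.get(service, service)  # unknown services keep raw name
        granted = datetime.fromtimestamp(modified, timezone.utc).date().isoformat()
        grants.append({"category": category, "client": client,
                       "high_risk": category in HIGH_RISK, "granted": granted})
    grants.sort(key=lambda g: (not g["high_risk"], g["category"], g["client"]))
    return grants

def sample_db():
    """Constructed stand-in for TCC.db holding only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "allowed INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.videochat", 1, 1572393600),
        ("kTCCServiceScreenCapture", "com.example.menubar", 1, 1572393600),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 1, 1572480000),
        ("kTCCServiceMicrophone", "com.example.game", 0, 1572480000),  # denied
    ])
    return conn

if __name__ == "__main__":
    for g in audit_grants(sample_db()):
        flag = "REVIEW" if g["high_risk"] else "      "
        print(f'{flag}  {g["category"]:<18} {g["client"]:<24} {g["granted"]}')
```

Anything flagged REVIEW that you don't recognize is a candidate for removal in System Preferences.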

How can I learn more?

Each week on the Intego Mac Podcast, we discuss the latest Apple news as well as security and privacy topics—this week, in episode 107, we talk about the macOS Catalina dialog fatigue and much more. Be sure to subscribe to make sure you never miss the latest episode.


About Kirk McElhearn

Kirk McElhearn writes about Macs, iPods, iTunes, books, music and more on his blog Kirkville. He is co-host of the Intego Mac Podcast and PhotoActive, and a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than twenty books, including Take Control books about iTunes, LaunchBar, and Scrivener. Follow him on Twitter at @mcelhearn.