macOS File and Folder Security.
0 Facebook x.com Reddit
Apple provides security features in macOS to give apps access to files on local storage and removable drives. Here's how to set them up.
A few years ago, Apple added the ability for macOS to restrict which apps can access your files and folders stored on local volumes connected to your Mac.
Some apps, like Finder, require this access. But for third-party apps, you may or may not want them to have access to your files.
In macOS, there are settings in System Preferences to allow or block apps from accessing your files.
Some apps can also access removable volumes, like USB drives or CD/DVD volumes inserted in your Mac's DVD drive.
You can also specify which apps have access to removable devices in System Preferences. Not all apps provide this ability, and if they do, the apps and their settings will appear in the System Preferences -> Security & Privacy pane.
Apps must be built with access
When Mac apps are built using Apple's Xcode development environment, certain security settings are included with each app. These are based on how the developer has configured these settings in Xcode.
One of these settings is whether to allow or deny access to files and folders.
If the app developer enabled this setting when building the app, it will appear in the System Settings->Security & Privacy Privacy->Files and Folders panel. If not, the app will not be listed there.
Specifically, these settings are configured in Signing & Capabilities->App Sandbox->File Access for each build target. Settings in Xcode:
App Sandbox target settings in Apple's Xcode.
The App Sandbox
The App Sandbox is a security system built into macOS that, by default, restricts apps' access to sensitive parts of the system, such as the file system and network. Apps are only allowed to access parts of the system that they have been granted permission to access.
These settings in Xcode include specific user folders such as Downloads, Pictures, Music, etc., but there is also a setting for A user-selected file.
This is the setting that allows a third-party app to allow users to select files to access using the standard macOS open file selection table. Developers can also specify whether to allow read-only access or read-write access.
The Hardware -> USB checkbox in Xcode controls whether to allow apps to access USB devices, including flash drives.
How these settings are configured during the app build determines whether they appear in System Preferences for File and Removable Device Access.
Developers can also disable access to all files entirely, disabling file access at the system security level regardless of what APIs the app may call. There are also Sandbox settings for Camera, Sound, Printing, and Bluetooth.
This is why you may see a macOS warning, for example, the first time you launch a VOIP app like Skype, or some gaming apps that require access to your computer's microphone.
Taken together, App Sandbox settings limit or allow what kind of access an app has to your Mac. Apple added these settings to macOS to prevent malware from doing things like sending the entire contents of your startup disk to an attacker.
Check out our previous article, How macOS Protects Your Data from Malware, for a detailed look at how malware can steal your data.
With App Sandbox and other security features, you don’t have to worry so much about downloading a Mac app and having it steal all your local data the moment you launch it.
All macOS apps distributed to the Mac App Store must have Sandbox enabled in Xcode during the build, even if all other settings are disabled.
Changing access settings
To access files and folders, you can toggle these settings in two places in the app System Preferences:
- System Preferences->Security & Privacy->Files & Folders
- System Preferences->Security & Privacy->Files & Folders
Privacy->Full Disk Access
In the case of Full Disk Access, there is no setting in Xcode in App Sandbox. When you enable Full Disk Access, you grant the app access to all files on your startup disk at the OS level, not just specific folders or user-selected files.
Full Disk Access is a more general and serious security level, so you should be careful about changing Full Disk Access, as it gives the corresponding application complete freedom of action over your Mac's startup disk.
Full Disk Access for applications in the macOS System Preferences app.
For removable drives, if an app is configured to allow access to removable volumes, an additional toggle will appear for that app in the Files & Folders pane. Not all apps can support removable drives.
You may also see additional toggle switches for each of the user folders mentioned above, and in some cases for the desktop. If an app requires or has Full Disk Access enabled, that title will appear next to the app in the Files & Folders pane, but will be grayed out.
Enable access to removable devices in macOS System Preferences.
Obviously, if you grant an app Full Disk Access, it does not need separate permission switches in the Files & Folders pane.
System Preferences->Security & Privacy->Full Disk Accessallows you to specify which apps are allowed full disk access.
It is possible to turn off full disk access for the Finder and Dock apps. However, it is probably best not to do this, as they are both an integral part of the Finder – and both are created by Apple.
The only reason you might want to turn off access for these apps is if you want your Mac to act like a kiosk, or if you want to restrict file access for children, for example.
Network apps in particular should not be given full disk access, as this poses an increased security risk. One example is a malicious applet or Java extension downloaded through a web browser.
macOS also uses Gatekeeper and Runtime Protection to protect core parts of the operating system and its files from third-party apps. This ensures that the system cannot be hacked.
Gatekeeper also provides a level of assurance that the app comes from its real, registered developer and is not counterfeit.
Gatekeeper apps must be digitally signed by Xcode before they can be distributed to the Mac App Store. If they are compromised, Finder will notify you when you try to launch them.
The Mac App Store also uses notarization and encrypted digital receipt verification to ensure that downloaded Mac apps have not been compromised.
Overall, these security settings help make your Mac more secure, and they mean that malware will have a much harder time getting past your Mac’s defenses. They also help protect your personal files.
You might want to take a look at these settings to make sure all your apps are set to their maximum security. Also, be sure to check out Apple’s platform security guide.
Follow AppleInsider on Google News
