Security Monitor


This excellent article by Paulo Andrade (found via Michael Tsai, of course) got me thinking. It’s titled The Alert Hammer and discusses “the increasing number of security alerts Apple has been adding to macOS, both with Mojave (10.14) and the upcoming Catalina (10.15)”.

I’m still on Mac OS 10.13 High Sierra on both my main Macs, and the more I read about the annoying barrage of security prompts in Catalina, and the amount (and kind) of bugs still present in Mojave, the less I feel the urge to upgrade to either.

I fondly remember a time when I used to upgrade to a new version of Mac OS X as soon as it was released, due to the implicit trust I had in Apple to deliver a better, improved Mac OS X version over the previous one. This went on until 10.9 Mavericks. I skipped 10.10 Yosemite entirely (and I still feel I’ve dodged quite the bullet with that one). Then it was 10.11 El Capitan (but I still waited at least until 10.11.3 before upgrading). Then another jump to 10.13 High Sierra (here I skipped Sierra for technical reasons — my 2009 MacBook Pro didn’t support it, and the new iMac I purchased in 2018 came with 10.13 preinstalled). 

Now I’ve switched to ‘active distrust’ mode towards Apple. I don’t feel 10.14 Mojave brings anything particularly useful to me, and 10.15 Catalina even less so. Nothing really worth leaving High Sierra and its general stability behind. Everything I’m reading about Catalina, the experiences of those valiant people trying out the beta, and the technical observations of the more expert users and Mac developers, gives me the impression that Catalina is perhaps the first version of Mac OS that is more useful to Apple than to their users, if you get my drift.

But I’m digressing as usual. Back to Andrade’s post, I especially agree with him here:

Apple started adding user consent alerts way back in High Sierra. The first time an app would try to access your location, contacts, calendar, reminders or photos a system alert would prompt the user for consent. Mojave expanded these prompts to automation, camera and microphone. And now Catalina adds screen recording, keyboard input monitoring, access to folders such as Desktop, Documents and Downloads, user notifications and Safari downloads…

These alerts are just another step on a long path Apple has been taking to protect user’s data. Previous steps include code signing, sandbox, gatekeeper, the “curated” Mac App Store and notarization.

But security features are most useful when they’re invisible. All previous steps were mostly invisible. This last one… not so much.

[…]

Note how on one end of the spectrum alerts are useless for users that don’t understand the implications of allowing such access and on the other end experts want to turn them off.

So for the benefit of a few power users in the middle of the spectrum that feel more secure with these, every one else gets to be annoyed.

In short, alerts can be useful but they really must outweigh the cost of having them in the first place. And this is where I think Apple is failing badly. They are so excited with this new found hammer that they can’t help themselves but to hammer on.

This made me think about an alternative concept that could bring back some invisibility when it comes to security features. Before proceeding, a disclaimer: this is just an ‘off-the-top-of-my-head’ idea, and I don’t have enough programming expertise to claim that what I’m suggesting is feasible. At an empirical, logical level it should be. Still, I’m a terrible chess player, and perhaps the tool I’m suggesting could be fooled or circumvented by a malicious-enough software/attack.

Here’s my humble proposition: Security Monitor. It would be an application you find in your Utilities folder, and it would behave in a similar way as Activity Monitor. Maybe its interface could be made a bit more user-friendly, so that it could be readable by non-geek users as well. In its main window, you would see all active processes from a security perspective: what they are accessing in your system and, more importantly, whether their behaviour complies with the permissions they have been given — by the system and by the administrator user account. 

The user would still receive alerts to allow apps to access basic sensitive stuff like location, contacts, photos, camera, microphone, etc. but the system would have a more ‘innocent until proven guilty’ approach with the installed software. When checking the main window of Security Monitor, there could be a colour-coded, traffic-light way to show problematic behaviour. You would see green dots next to apps and processes that are behaving as they should. A yellow dot could indicate an app or process that is trying to access parts of the system that are off-limits to it (the app is trying to do so without explicitly asking the user for permission, and the system is actively preventing access to it). A red dot would mean a security concern requiring additional action on the user’s part.

Of course, in case of a ‘red dot’ situation, Mac OS would alert the user in a very prominent way, with a persistent notification the user can’t just dismiss by clicking OK. A dialog box would appear saying, for example: Keylogging detected — The app ‘Awesome Markdown Editor’ is recording your keystrokes without your knowledge or permission. The only button the user could click is Open Security Monitor. From the app, the user could see additional clues like Awesome Markdown Editor’s attempts to use the network to contact an external server. Security Monitor could give the user the option to quarantine the app and its documents; to quarantine the app but keep its documents accessible; but also to allow the app to record keystrokes because, say, it’s necessary for a certain feature to work (e.g. the app offers a predictive typing option and needs to ‘see’ what you usually type, etc.). The latter would be a risky choice, and Security Monitor could provide an additional confirmation dialog informing the user about the risks involved. But it ultimately would be the user’s choice, and the user’s intelligence wouldn’t be insulted in the process.

As I said, this is a rough idea, and I’m sure there are all kinds of issues with it. My reasoning is, just like Activity Monitor constantly monitors CPU usage, memory usage, energy impact, etc. in a way that is invisible to the user and that doesn’t burden the user, while alerting the user when something out of the ordinary happens, security in Mac OS could be treated the same way. Instead of the paranoid approach — All this area of the system is read-only! You have to authenticate every time an app wants to write something in a folder! App A can’t talk to App B! Alert, alert, alert! — we could have a more reasonable approach where everything is allowed to work normally (the user still needs to grant specific permissions manually, of course, especially when access to sensitive locations is involved) but it’s constantly monitored. The system could deal with those apps and processes subtly trying to stray from expected behaviour in the background (yellow alert), and only interrupt normal operations in case blatant violations are detected (red alert). When the user accesses Security Monitor, they could also have the opportunity to review previously-handled yellow alerts.
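The green/yellow/red triage described above can be sketched in a few lines. This is an added illustration, not code from the post or from any Apple API: the `Event`, `classify` and `SecurityMonitor` names, the sample events, and the rule for what counts as a 'blatant' violation (an ungranted access that was not blocked, or any ungranted keystroke or screen capture) are all assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Dot(IntEnum):
    GREEN = 0
    YELLOW = 1
    RED = 2

@dataclass(frozen=True)
class Event:
    app: str
    resource: str   # e.g. "contacts", "keystrokes"
    blocked: bool   # True if the system denied the access

# Assumed policy: ungranted use of these is always a blatant violation.
BLATANT = {"keystrokes", "screen"}

def classify(event, grants):
    if event.resource in grants.get(event.app, set()):
        return Dot.GREEN                      # within granted permissions
    if event.resource in BLATANT or not event.blocked:
        return Dot.RED                        # needs the user's decision
    return Dot.YELLOW                         # denied quietly by the system

class SecurityMonitor:
    def __init__(self, grants):
        self.grants = {app: set(res) for app, res in grants.items()}
        self.status = {}        # app -> worst dot seen so far
        self.yellow_log = []    # handled in the background, reviewable later
        self.quarantined = set()

    def observe(self, event):
        dot = classify(event, self.grants)
        self.status[event.app] = max(self.status.get(event.app, Dot.GREEN), dot)
        if dot is Dot.YELLOW:
            self.yellow_log.append(event)
        return dot              # only RED would raise the persistent alert

    def resolve(self, app, resource, allow):
        # The user's choice after a red alert: allow the access or quarantine.
        if allow:
            self.grants.setdefault(app, set()).add(resource)
            self.status[app] = Dot.GREEN
        else:
            self.quarantined.add(app)

def run_demo():
    # Constructed sample data, not real system events.
    mon = SecurityMonitor({"Mail": {"contacts"},
                           "Awesome Markdown Editor": {"documents"}})
    events = [Event("Mail", "contacts", False),
              Event("Photo Tool", "contacts", True),
              Event("Awesome Markdown Editor", "documents", False),
              Event("Awesome Markdown Editor", "keystrokes", False)]
    return [mon.observe(e) for e in events], mon
```
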

I’d love to hear your thoughts about this.

The Author

Writer. Translator. Mac consultant. Enthusiast photographer. • If you like what I write, please consider supporting my writing by purchasing my short stories, Minigrooves or by making a donation. Thank you!
