Checklist 111: macOS Mojave

Say goodbye to High Sierra, and hello to Mojave! On September 24, Apple released the latest version of its core operating system, macOS, bringing with it not only many security improvements but also some new additions for online and offline privacy, as well. For those who tuned in to our in-depth look at the latest features in iOS 12, some of these will sound familiar due to the way Apple has harmonized its digital ecosystem. Other features are new and exciting — but not entirely free from problems. Within the first week of Mojave’s release, security researchers identified several potential issues. We’ll be looking at some of those next week, too, but for now, we’re rolling in with the checklist.

What’s new in macOS Mojave?

Before we can look at the issues some researchers have raised with Mojave’s newest features, we should talk about what those features actually are.

First, let’s hit on some of the features that macOS Mojave and iOS 12 share regarding improvements. It’s primarily made up of stuff that we can all take advantage of in our daily activities. For a more in-depth look at the improvements common to both operating systems, you can check out Episode 110 of The Checklist, iOS 12 Arrives, for the details of our discussion. However, let’s run down a quick refresher for those who might’ve missed that episode. First on the list: better password management.

When you browse the web using Safari in Mojave, you’ll now have access to functionality very similar to what you can find in a password manager such as 1Password. With refinements to the Keychain, Safari gains the ability to create and store robust and unique passwords automatically. Whenever you need to create a new account or change your password, use the “Passwords” feature in Safari to generate and save the login. Your Keychain can sync across devices with iCloud, so you never need to worry about remembering a complicated string.

One of the things we circle back to on this show most frequently is the need to keep your passwords secure and unique – otherwise, a single breach can let the bad guys get access to all kinds of your online data. With these improvements to Safari, there’s no excuse left for not taking advantage of the strength that good passwords provide. Since all you really need to remember at this point is your AppleID password, the process is easier than it’s ever been.

Apple’s efforts to crack down on advertiser tracking of users and the data-siphoning methods of social media giants (ahem, Facebook) are a part of these changes, too. Both macOS and iOS 12 received a beefed-up version of Safari that makes it simpler to control your online privacy while also adding in several automatic protections that deliver peace of mind without user intervention. Apple themselves describe it this way:

Remember when you looked at that green mountain bike online? And then saw annoying green mountain bike ads everywhere you browsed? Safari uses machine learning to identify advertisers and others who track your online behavior and removes the cross-site tracking data they leave behind, so your browsing stays your business. And now Safari keeps embedded content such as Like buttons, Share buttons, and Comment widgets from tracking you without your permission.

In other words, Facebook won’t be able to develop a profile of where you go on the web by registering a hit from your account when you visit a website with a like button. We like that! Similar restrictions will be in place to stop “device fingerprinting,” too, using the identifiers unique to your device to build a profile that doesn’t rely on tracking cookies. Combined with the content blockers Safari offers, it’s one of the most private and secure browsing experiences you can have out of the box right now.

However, keep in mind this is only applicable to third-parties, not the websites you visit, from knowing where and when you visited. Likewise, this won’t hide your Internet traffic from your ISP or your VPN provider. Instead, it’s targeted strictly at the ad tracking served through third-party advertisers and social media sites.  By automatically identifying cookies that come from third parties, Safari can immediately stop them from working.

What about new additions that are unique to Mojave? Apple shows its commitment to continuing the anti-malware fight by giving users additional tools for ensuring the safety of the software they use. Alerting users to potentially suspicious software goes a step further in Mojave. You might already be familiar with prompts in macOS that ask for your permission to allow software to access certain parts of the system – this is a fundamental safeguard, but Mojave elevates it to the next level.

Apple has expanded the number of areas of your system that apps can not access directly or indirectly without you explicitly granting permission. These new restrictions include user prompts for:

• Camera
• Microphone
• Mail databases
• Safari data (e.g., browsing history)
• Message histories
• Time Machine or iTunes device backups
• User location data
• System cookies

So, if some program on your Mac wants to start looking at you through your camera – for example, like the old macOS FruitFly malware we’ve discussed previously here on The Checklist – Mojave will warn you about what’s about to happen and ask for your permission. If this isn’t something you expect, then it’s easy to know something is lurking on your Mac that shouldn’t be there. With a limited scope in terms of when these alerts can pop up, Apple is attempting to avoid dialog box fatigue. While you might still encounter more prompts than would be ideal for now, it’s clear they’re working to ensure users always pay attention to these prompts.

In the same type of vein is a new “notarization” effort undertaken by Apple. Even though Apple puts a lot of emphasis on the Mac App Store, there’s still plenty of software you can find outside of it, typically signed with a valid Developer ID. While it’s no guarantee that you aren’t dealing with malware — plenty of malicious developers have used real Developer IDs to hide payloads — Apple wants a Developer ID to be a stronger endorsement of safety.

Notarization is Apple’s way of saying “Hey, we checked this, and we’re reasonably sure it contains no malware.” While it’s not 100% clear how they will handle this process, they note it is not an “app review” approach, but merely a security scan. Perhaps machine learning is involved in identifying problematic elements. Notarization will eventually be a mandatory part of using apps signed with a Developer ID, hopefully closing the door for malware authors to use them as an attack vector. Notarization acts as an extension of the current Developer ID system.

While there are some problems with Mojave, which we’ll discuss in next week’s episode, here’s the bottom line: it’s still worth the upgrade. While there are still a few bugs here and there to iron out, the additional features and security improvements are well worth it – and you know that Apple will have further updates coming down the pipeline in no time.

While you wait on the upgrade to finish, why not check out some of the shows mentioned in today’s episode, like our look at what’s new in iOS 12? You’ll find all the show notes plus the complete audio for every episode in an easy to listen to format right here in our archives; which is the same place where every future show will go, too — so it’s the perfect “home base” for your digital security news.

Have a question you’d like to hear us answer or a story that you think would make for a good topic of discussion? Send your suggestions in an email to Checklist@SecureMac.com and tell us what’s on your mind. You might even find your question turns into the subject of a future episode! In the meantime, we’ll say our goodbyes for this week as we prepare to return in seven days with yet another new episode of The Checklist, brought to you by SecureMac. Thanks for listening.