Checklist 207: Privacy and Security in macOS Big Sur
The big day has finally arrived! macOS Big Sur is now available to the general public. On this episode of the Checklist, we run down what the new OS means for security and privacy, covering:
- What’s new under the hood
- What you’ll notice right away
- What changes are truly personal
What’s inside (and what’s not)
Apple has made two big changes to the inner workings of macOS. Here’s what you need to know:
Cryptographic protection for system files
In macOS Big Sur, Apple is introducing a protection known as Signed System Volume (SSV). In many ways, this is just a continuation of Apple’s attempts to protect critical OS files from tampering, which was the goal of the separate, read-only system volume in Catalina. In Big Sur, all system files will be cryptographically hashed, and the resulting hash values will be stored in the filesystem metadata. These hashes will then be checked against what’s currently on the system volume during updates and reboots. The upshot is that your Mac will be able to tell if its system files have been altered, whether through data corruption or malicious activity. If an unexpected change is detected, your Mac won’t boot, and will instead prompt you to reinstall the OS or restore a valid copy from a backup. To learn more about how cryptographic hashing works, listen to this podcast, or check out our discussion of hashing for password storage.
Fewer kexts than ever before
Kexts are kernel extensions, code which extends the functionality of the macOS kernel (the core of the operating system). For years, they have been used by developers and device manufacturers for networking, endpoint security, and to build device drivers. But programming for the kernel is notoriously difficult, and little mistakes can result in big problems for the end user, which is why Apple has long viewed kexts as a potential threat to OS stability. In addition, there are real security ramifications to letting developers write code that runs with kernel privileges, which is another reason that Apple has been wary of kexts for some time. Apple has been moving to phase out kexts for a while now, replacing them with something called system extensions (which have the same basic functionality as kexts, but don’t run in the kernel). In Big Sur, this phase-out process is being expedited: a large number of kernel extensions have now been fully deprecated, and macOS Big Sur won’t even load them if they have a system extension alternative.
The Big Sur experience
Moving from the nuts and bolts of macOS to the shiny exterior, we’ll take a look at some security and privacy upgrades that Mac users should notice right away.
Access control for Safari extensions
In Safari 14 (which ships with macOS Big Sur), users will be able to control how much data they share with Safari web browser extensions. This is important, because browser extensions often have pretty significant permissions to access user data: they can read and alter webpage content; access the microphone and camera; pinpoint the user’s geographic location; and view web and search history. Of course, much of that is totally legitimate: depending on an extension’s function, it may truly need that sort of access in order to work — just as iOS apps often need extensive permissions on a device. But as with mobile apps, some extensions abuse their permissions to collect excessive amounts of user data, and there have also been cases of malicious browser extensions as well.
In Safari 14, you’ll be able to limit an extension’s access quickly and easily: When you land on a webpage for the first time, you’ll be asked if you want to allow the extension to work on the page, and you’ll have options to grant access for a single use, for a full day, or all the time. This feature should go a long way to helping users limit the reach of browser extensions, and will be especially helpful if you have extensions that you only use once in a while, or only on a handful of sites. If you aren’t sure what kind of access your installed extensions already have, you can check this by going to Safari in the menu bar, then heading to Preferences > Extensions to see a list of all installed Safari extensions and their permissions.
Privacy Report for websites
We know that website tracking is a major privacy issue. Safari 14 will stop much of this tracking before it can even happen, while at the same time giving us better insight into how websites are attempting to track and profile us. Safari does this by blocking trackers on websites, and then consolidating the results of its work into something called Privacy Report. Privacy Report is basically a summary of the tracking activity of all the sites you’ve visited in the past 30 days. To use this tool, go to Safari in the menu bar and click on Privacy Report. You’ll see two tabs: the Websites tab lets you see a report that reveals which sites have tried to track you along with the number of trackers they used; the Trackers tab lets you see which trackers were most frequently seen across all of the sites you visited.
App Store privacy information
This important new Mac feature isn’t here quite yet, but Apple says it should arrive before the end of the year (presumably in one of the macOS 11 updates that we’ll see in the coming weeks). Starting soon, app developers will have to provide information about how their apps collect user data — and how they share this data with third parties. In the Mac App Store, each app’s page will have a special Privacy section that you can use to check out an app’s privacy practices before you download it. Apple compares these privacy disclosures to the nutrition labels on the side of food packaging: concise, easy-to-understand, and designed to empower consumers to make their own choices.
Last but not least, Big Sur introduces some changes that help us stay safe in those areas of our digital lives that are downright personal. Here’s what’s in store:
If you use Safari to store passwords for websites and accounts, you’ll now have some extra help when it comes to making sure that these are good, safe passwords. If you go to Safari > Preferences > Passwords, you’ll see a list of all of the passwords you’ve stored so far, and you’ll also see a warning if there’s a problem with any of these passwords. Click on that warning and you’ll get more information about the issue: e.g. if you’re using credentials that have appeared in a known data breach, if you’re using weak passwords, if you’re reusing passwords, and so on. You’ll also get some recommendations for how to make yourself safer — recommendations that you’d be wise to follow!
Strong password creation
In addition to monitoring your passwords for signs of trouble, Safari can also help you create strong passwords whenever you set up an account, similar to the functionality of a good password manager. When you’re creating an account, you’ll now see a little key icon in the field where you’re supposed to type in your new password. If you click on this, you’ll be given the Suggest New Password option, which lets Safari generate a strong password for you. If you select Use Strong Password, you’ll confirm the Safari-suggested password and it will be stored for future use.
All in all, Big Sur promises to bring some pretty significant security and privacy enhancements to macOS. Along with the recent announcement of the M1 chip and the first three ARM-based Macs, good things are definitely on the horizon for Mac users.
Want to learn more about security and privacy topics while you wait for our next podcast? Check out the Checklist archives for full audio and notes of every episode we’ve ever done. And as always, if you have a question or suggestion for a future show, be sure to let us know!