What and how does macOS Mojave implement to restrict applications access to personal data?

As well as many of the other features talked about during macOS Mojave's release like dark mode and the addition of new apps like Home, another key feature of macOS Mojave seems to be it's heightened focus on both privacy and security.

As quoted under the "Camera and Microphone Now Require Your Permission" section of this article:

Apple also announced that other categories of data, such as your Messages history and Mail database, will be protected in a similar manner to macOS Mojave's new camera and microphone permissions.

I understand that after the update, when an app requests to use your camera or microphone, you will receive an alert like the one below:

enter image description here

However, I am more intrigued by the following:

...other categories of data, such as your Messages history and Mail database, will be protected in a similar manner...

I have been unable to find much information about this online and I do not currently have the pre-release version of macOS Mojave installed and am therefore unable to test this new feature but I am curious to know what exactly this feature will mean.

Has Apple publicly documented how this will work?


Solution 1:

How Mojave responds when an application tries to access this sensitive information; will it alert the user, block unsigned apps or what?

When an application attempts to access restricted directory the user will be prompted with a dialog box explaining the following information:

  • What Application
  • What the application is trying to access
  • Option to Allow or to Not Allow access

enter image description here

enter image description here


Many applications will prompt for a folder or file selection. If you attempt to drag a folder from a restricted directory (from a normal finder window) into the choose a file dialog box, the folder will open as a blank folder with the prohibited folder icon. This will not produce a request permission dialog box.

enter image description here

Terminal

The exception to asking for access is Terminal. If certain Terminal commands attempts to access these directories they will be blocked automatically without a dialog box.

$ sudo  cp  -r  ~/Library/Messages/ ~/Desktop/test
cp: /Users/[User]/Library/Messages/: unable to copy extended attributes to /Users/[User]/Desktop/test: Operation not permitted
cp: /Users/[User]/Library/Messages/: Operation not permitted

When attempting to use the zip command the directory is ziped up, recursively, until the blocked directory at which it will appear to be empty.

 $ zip -r  ~/Desktop/imessage.zip ~/Library/Messages/

Screenshot taken of finder after unzipping (~/Desktop/imessage.zip) and opening. As you can see it is empty.

enter image description here

Exceptions

If you would like to add exceptions to give certain apps unrestricted permissions this can be done in System Preferences.

  1. System Preferences>Security & Privacy>Privacy
  2. Unlock if needed
  3. Select type of permission
    • Location Services
    • Contacts
    • Calendars
    • Reminders
    • Photos
    • Camera
    • Microphone
    • Accessibility
    • Application Data (Includes Message data, Mail data, etc.)
    • Automation
    • Analytics
  4. Click the + icon
  5. Select your app
  6. Press Add

Note: The application will have to be restarted for changes to take effect.

Warning: Adding terminal will give all terminal commands access.

enter image description here