OS X Yosemite: Are security and privacy the first thought or an afterthought?

Mac OS X Yosemite (10.10) has arrived and, according to Apple, it comes with safety. Built right in.

The company’s claim that security was “The first thought. Not an afterthought,” is both interesting and welcome and it is great to see user safety being considered from the outset. Or at least that’s what Apple is saying.

So what features does OS X Yosemite offer you, the consumer?

Firewall

OS X Yosemite comes with a firewall that allows the user to accept or deny incoming connections to their Mac by application. Functionally very basic, it does not provide outbound protection so you may want to look out for a more robust alternative.

Gatekeeper

Are you worried about accidentally downloading malicious software on your Mac? If so, Gatekeeper can help keep you safer.

Apple recommends its App Store as being the safest place from which to download apps and, given the risks associated with using third-party sites, its assertion is a fair one. If the company spots any issues with an app on its store, it can move quickly to remove it, thus keeping users safe.

The company does realise that users do go elsewhere though and that is where Gatekeeper comes in. By getting app developers to use a unique ID from Apple, the company can block potentially malicious apps from unknown developers who are lacking a Developer ID.

FileVault 2

With this tool you can encrypt your entire hard drive with XTS-AES 128 encryption. Apple says that the initial encryption is both fast and unobtrusive and it can also be used with removable drives, making it an ideal choice for securing Time Machine backups and other external data storage solutions.

FileVault 2 also offers up an easy two-step process to delete all the data on a drive should the user wish to start afresh or sell their Mac.

It works by firstly killing the encryption keys on the Mac – which Apple claims will make the data “completely inaccessible” – and, secondly, by then thoroughly wiping all the data from the disk.

Passwords

With the number of data breaches we’ve seen recently it is more apparent than ever that many users are making do with poor passwords and reusing them across a range of sites.

Fortunately, the Safari browser is equipped with its own password generator that can create complex passwords for every account you use.

iCloud Keychain will then store those passwords and other login credentials, as well as credit card data, all under the protection of 256-bit AES encryption. Via iCloud, the user can then share all of their usernames and passwords across each of their Apple-produced devices.

One drawback worth mentioning here though is the fact that physical access to your Mac could leave your credentials at risk, so make sure you always disable automatic login via the security and privacy settings.
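The settings covered so far (firewall, Gatekeeper, FileVault 2 and automatic login) can be checked from Terminal. The script below is an added example, not part of the original article; it relies on the stock tools `socketfilterfw`, `spctl`, `fdesetup` and `defaults`, assumes it is run from an administrator account (`fdesetup` may need `sudo`), and its sample outputs are constructed.

```shell
#!/bin/sh
# Added example: audit the settings discussed above on a Mac.
# classify <check> <tool output> prints PASS, FAIL or UNKNOWN.
classify() {
    case "$1:$2" in
        firewall:*"Firewall is enabled"*)     echo PASS ;;
        firewall:*"Firewall is disabled"*)    echo FAIL ;;
        gatekeeper:*"assessments enabled"*)   echo PASS ;;
        gatekeeper:*"assessments disabled"*)  echo FAIL ;;
        filevault:*"FileVault is On"*)        echo PASS ;;
        filevault:*"FileVault is Off"*)       echo FAIL ;;
        # defaults reports "does not exist" when no auto-login user is set
        autologin:*"does not exist"*)         echo PASS ;;
        autologin:)                           echo UNKNOWN ;;
        # any other output is the account that logs in automatically
        autologin:*)                          echo FAIL ;;
        *)                                    echo UNKNOWN ;;
    esac
}

# Query the live system (macOS only).
audit() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    plist=/Library/Preferences/com.apple.loginwindow
    echo "firewall   $(classify firewall   "$("$fw" --getglobalstate 2>&1)")"
    echo "gatekeeper $(classify gatekeeper "$(spctl --status 2>&1)")"
    echo "filevault  $(classify filevault  "$(fdesetup status 2>&1)")"
    echo "autologin  $(classify autologin  "$(defaults read "$plist" autoLoginUser 2>&1)")"
}

# Constructed sample outputs, used when the script is not run on a Mac.
demo() {
    echo "firewall   $(classify firewall 'Firewall is disabled. (State = 0)')"
    echo "gatekeeper $(classify gatekeeper 'assessments enabled')"
    echo "filevault  $(classify filevault 'FileVault is Off.')"
    echo "autologin  $(classify autologin 'alice')"
}

if [ "$(uname -s)" = "Darwin" ]; then audit; else demo; fi
```

A FAIL on any line points to the matching pane in System Preferences > Security & Privacy (or Users & Groups > Login Options for automatic login).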

Sandboxing

The App Sandbox, which debuted in Mac OS X Lion 10.7, is designed to ensure that apps can only do what they are designed to.

By creating an isolated environment, OS X ensures that compromised apps do not gain access to critical system components, data or other applications.

Sandboxing protection is found in Safari, which sandboxes what you might call the usual suspects: Adobe Flash Player, Silverlight, QuickTime and Java.

OS X also sandboxes apps such as the Mac App Store, Messages, Calendar, Contacts, Dictionary, Font Book, Photo Booth, Quick Look Previews, Notes, Reminders, Game Center, Mail, and FaceTime to ensure that no skulduggery can occur.

Runtime protection

OS X also offers runtime protection at the core level. Built into the processor, the XD (execute disable) feature “creates a strong wall between memory used for data and memory used for executable instructions” which, according to Apple, “protects against malware that attempts to trick the Mac into treating data the same way it treats a program in order to compromise your system.”

The operating system also uses Address Space Layout Randomization (ASLR), which changes the memory locations where different parts of an app are stored, and applies it to the memory used by the kernel as well. This technique makes it difficult for an attacker to find and reorder parts of an app and mitigates certain types of attack such as buffer overflows.

Privacy

Given the recent launch of Apple’s new privacy website and the accompanying letter from CEO Tim Cook in which he made it clear how the company is different from other tech firms which see user data as a product, it is interesting to see how Yosemite tackles this area.

The privacy controls let the user allow or disallow individual apps' requests for location data and control how apps can interact with the computer, choosing which can “control your computer” in much the same way as Windows uses the “Run as an Administrator” function.

It’s not all good news for Apple and users of its latest operating system though, especially in terms of privacy, despite the company’s assertion that it is committed to protecting yours.

It looks like Spotlight on Yosemite reports user locations by default (disable Spotlight Suggestions and Bing Web Searches in System Preferences > Spotlight > Search Results and Spotlight Suggestions in Safari settings to prevent that from happening).

But that is not all. Security researcher Jeffrey Paul claims that the latest iteration of OS X secretly uploads unsaved documents and email addresses to Apple servers without consent, and a Swedish hacker says he has found a vulnerability that could allow an attacker to remotely take control of your Mac via privilege escalation.

So, while the features listed above clearly show how Apple is indeed taking security and privacy seriously, recent news stories suggest that the company still has some way to go in making its operating system and privacy promises as bulletproof as it, and we, would like.