Endpoint Security: Apple secures TCC framework better
Until now, it has been difficult for security programs to determine whether a user has granted permissions to problematic apps. This changes with macOS 15.4.
Mac mini with Apple keyboard: TCC is supposed to help, but can leave gaps.
With the update to macOS 15.4, which was released on Monday, Apple has added an important security function that should be of interest to administrators: from now on, so-called TCC events can also be recorded by endpoint security tools. Such tools are used above all in companies to prevent users from installing malware or establishing risky connections. TCC stands for "Transparency, Consent and Control" and comes into play whenever apps request certain rights; Apple then displays consent dialogs. Until now, endpoint security applications only learned of these dialogs by reading log files – there was no official interface for delivering them.
Dialogs are transmitted
In recent years, Apple has integrated TCC dialogs into more and more areas – from access to the camera and microphone to remote control of the computer via the accessibility function and opening certain files and folders. If malware wants to gain such access, a TCC dialog must be displayed and, where required, approved by the user. Ideally, an endpoint security application should be aware of this so that it can intervene if necessary. "It would therefore be incredibly helpful for any security tool to be able to detect this", writes security expert Patrick Wardle, who discovered the new feature.
The feature has been active since the macOS 15.4 beta. Wardle has also already published code showing how the query can be implemented. According to him, security experts and developers have been asking Apple for "many, many, many years" to pass TCC events to endpoint security applications. "Now comes the answer to our prayers."
Relatively limited
According to Wardle, however, the implementation is not yet perfect. Currently, there is only one event type: "ES_EVENT_TYPE_NOTIFY_TCC_MODIFY". "That seems a bit incomplete to me, or at least quite nuanced." In his code, he shows how this can still be used to good effect. However, Wardle hopes that other processes will also be transferred in the future, including "ES_EVENT_TYPE_AUTH_TCC_" in different variants. It is currently unclear whether Apple has already implemented any of this in the final version of macOS 15.4; Wardle has only looked at the beta so far.
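As an added illustration of how the single event type can be put to use (this is not Wardle's published code and not Apple sample code), the following minimal Endpoint Security client subscribes to ES_EVENT_TYPE_NOTIFY_TCC_MODIFY, logs every change to a TCC grant and raises an alert when a particularly sensitive service (accessibility, screen capture, full disk access, camera, microphone) is granted. It assumes the macOS 15.4 SDK, a binary signed with the com.apple.developer.endpoint-security.client entitlement and execution as root. The field names of es_event_tcc_modify_t and the ES_TCC_* enum values are taken from my reading of the 15.4 header and should be checked against the header you build with; the kTCCService* strings are the well-known service identifiers from the TCC database.

```objective-c
// Added example: minimal Endpoint Security client for the macOS 15.4
// ES_EVENT_TYPE_NOTIFY_TCC_MODIFY event. Not Patrick Wardle's code, not
// Apple sample code. Build: clang -fobjc-arc -framework Foundation
//   -framework EndpointSecurity tcc_monitor.m -o tcc_monitor
// then codesign with the endpoint-security.client entitlement and run as root.
// Assumption: es_event_tcc_modify_t fields and ES_TCC_* enums as in the
// 15.4 ESMessage.h header; verify against your SDK.
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>

// ES string tokens are length-prefixed and not NUL-terminated.
static NSString *ESString(es_string_token_t tok) {
    if (tok.length == 0 || tok.data == NULL) return @"";
    return [[NSString alloc] initWithBytes:tok.data
                                    length:tok.length
                                  encoding:NSUTF8StringEncoding] ?: @"";
}

// TCC services a defender usually wants an alert for, not just a log line.
static BOOL IsHighRiskService(NSString *service) {
    static NSSet<NSString *> *risky;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        risky = [NSSet setWithArray:@[ @"kTCCServiceAccessibility",
                                       @"kTCCServiceScreenCapture",
                                       @"kTCCServiceSystemPolicyAllFiles",
                                       @"kTCCServiceCamera",
                                       @"kTCCServiceMicrophone" ]];
    });
    return [risky containsObject:service];
}

static const char *UpdateTypeName(es_tcc_event_type_t t) {
    switch (t) {
        case ES_TCC_EVENT_TYPE_CREATE: return "create";
        case ES_TCC_EVENT_TYPE_MODIFY: return "modify";
        case ES_TCC_EVENT_TYPE_DELETE: return "delete";
        default:                       return "unknown";
    }
}

static void HandleTCCModify(const es_message_t *msg) {
    const es_event_tcc_modify_t *tcc = &msg->event.tcc_modify;
    NSString *service  = ESString(tcc->service);
    NSString *identity = ESString(tcc->identity);   // bundle ID or executable path
    // Process that changed the grant (often tccd itself, or an MDM/profile agent).
    NSString *instigator = (tcc->instigator && tcc->instigator->executable)
        ? ESString(tcc->instigator->executable->path) : @"<none>";

    BOOL granted = (tcc->right == ES_TCC_AUTHORIZATION_RIGHT_ALLOWED);
    NSLog(@"TCC %s: service=%@ identity=%@ right=%d reason=%d instigator=%@",
          UpdateTypeName(tcc->update_type), service, identity,
          (int)tcc->right, (int)tcc->reason, instigator);

    // A NOTIFY event cannot block the grant; it can only raise an alert
    // (the AUTH variants Wardle hopes for would be needed to veto it).
    if (granted && IsHighRiskService(service)) {
        NSLog(@"ALERT: %@ now holds %@ (reason=%d). Review this grant.",
              identity, service, (int)tcc->reason);
    }
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            if (msg->event_type == ES_EVENT_TYPE_NOTIFY_TCC_MODIFY) HandleTCCModify(msg);
        });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        // Typical causes: missing entitlement, not running as root, or the
        // user has not approved Full Disk Access for the client.
        fprintf(stderr, "es_new_client failed: %d\n", (int)res);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_TCC_MODIFY };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed (event type unavailable before macOS 15.4?)\n");
        es_delete_client(client);
        return 1;
    }
    dispatch_main();  // never returns; events arrive on the handler block
}
```

The important caveat is in the handler: because only a NOTIFY event exists, the client learns about a grant after the fact and can alert or revoke, but it cannot veto the change the way an AUTH event would allow.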
Apart from malware that explicitly prompts users to grant access, TCC is also problematic from another perspective: bugs and security vulnerabilities in this area keep surfacing. Unfortunately, the new function does not (yet) help much here.
(bsc)