Every time I update an app I have to be told I downloaded it from the Internet and do I trust it. Can this app look on the local network?
Constantly being nagged to the point I don't even check/care anymore.
Exactly what Vista used to do.
This isn't what Vista "used to do". Vista had a single elevation popup dialog / shatter attack prevention screen. Any request that required elevation required this popup.
macOS has not only elevation requests but entitlements. Using the local network is an entitlement. What macOS gets very wrong is any denied entitlements will re-prompt next time you perform that action with the app, which may simply be starting the app. It also does one entitlement at a time, i.e. if you have an app that requires screen sharing and camera, you'll get the first entitlement, restart app, go to do action you wanted again, second entitlement.
Both OSes have MoTW, but Apple goes beyond with the notarization warning/block.
macOS users are going to suffer from prompt fatigue. And the /r/macos "secure cus UNIX!" will be wrong on two points.
Technically you're right. From an end-user standpoint, it's irrelevant. Apple's mock vista ad applies just as well to Ventura: they're all annoying and a security theater if the user is just told to input admin password into any random popup.
Quick clarification on terminology. From a developer perspective, entitlements a static dictionary (or a collection of key-value pairs) attached to the app at code-signing time. The entitlements you mentioned don't "entitle" the app to access resources, as user consent is still required.
FWIW, Vista's level of prompts is the only way to run UAC in any kind of secure fashion. The configuration that has been the default since Windows 7 makes it trivial for a low-privilege application to gain UAC privileges.
Microsoft doesn't regard UAC as a security boundary if you're logged in as an admin (https://learn.microsoft.com/en-us/previous-versions/tn-archi...). You can use UAC as one as part of a defence-in-depth approach by logging in as a non-administrator user (like everyone tells you to do but nobody wants to do) and entering a password for every prompt, but for that to work well you'd need to make sure to turn UAC prompts back to max (read: Vista level or worse). I don't think I'd set up a system like that without a fingerprint reader or Windows Hello facial recognition camera, because typing out the password that often is just a massive pain.
Windows, as configured by default, barely runs any downloaded files. You can pay hundreds of euros for a certificate, sign your installer, and still have users get told off by SmartScreen for daring to open an executable file. I don't think Apple's notarization has done anything useful so far, but their security prompts are a lot less scary than Windows'. I think it's a matter of time before unsigned Windows executables with the MotW simply won't open by default like those on macOS.
The local network popup thing is too overdone in my opinion. However, I do think it is a good choice (in some respects) for Apple to have the "this is a program downloaded from the Internet", even if it can be annoying. It might also be a push to get developers to publish on the App Store (where Apple can be more sure (hopefully) that the apps are safe).
It's a double-edged sword in my opinion. I think it's good that the OS is looking out for the user in a lot of cases. I also understand how it can give the users pop-up fatigue.
> It might also be a push to get developers to publish on the App Store (where Apple can be more sure (hopefully) that the apps are safe).
Apps on macOS need to be signed and notarised. Apple has the exact same capability to scan for malicious behaviour and revoke your keys regardless of how you publish. We all know the real reason they want to push apps towards the app store.
"This is a program downloaded from the internet" isn't a push to the app store. It predates the Mac App Store, iirc.
It's another quick security hack (as they often are in any OS). Many years ago someone noticed that apps can pick any icon they want. And, therefore, if you could convince a browser to download a file to ~/Downloads (not hard), the user might look inside and find what appears to be a harmless JPEG or Word document, double click it and are immediately pwnd because back then there was no app sandboxing of any kind, no SIP etc. macOS in that era was a conventional desktop UNIX.
So the quick hack - make apps that download things mark files with extended attributes, and if the Finder sees that, it pops up the warning and then removes them. Now the user realizes (maybe) that the document-looking-thing was actually an app.
That's a fair point. But did Mac have the same issue as Windows where file extensions were not shown by default? That feels like it would have been the core issue.
There is a "show all file name extensions" option in Finder, but I don't recall if it's on by default or not as I haven't had to set up a fresh macOS install in a while and I've always had it turned on.
But, macOS isn't like Windows - the file extension doesn't matter. I can have a "file.txt" but it's actually a .xlsx excel workbook, and Excel will open it just fine (albeit, with a warning that the file extension doesn't match but that's dependent on the application presenting a warning). Windows actually uses the file extension to determine the type, macOS (and other *nixes) don't, they'll use some other file metadata. You can put whatever extension you want on a file, it doesn't matter except for determining what default app will attempt to open it when double clicking it in Finder.
> It might also be a push to get developers to publish on the App Store (where Apple can be more sure (hopefully) that the apps are safe).
This is exploitation of developers, plain and simple. Apple should secure their runtime, not roleplay as a software rent-a-cop that manually (and fallibly) inspects submissions. The App Store is a blatant moneymaking racket, on mobile and desktop alike. "Security" is a fig leaf for the perverse incentive Apple has to corral developers under their thumb.
I think entitlements are the correct direction to move in. I don't like Apple's implementation. But it gives us that fine-grained control of what an app can and cannot do with things outside of the app's "bubble" (or sandbox). We need Discretionary Access Control.
And to NSO Group's delight, they don't review SMS messages or Safari contents either. The "curated security" shtick is a lie, it does not protect anyone and doesn't function reliably in the first place. Both targeted malware and generic scams are rampant and unrestrained on iOS. Many of them are promoted as iPhone Search Ads, or suggested Siri results.
The knock-on effects it has are even worse. By relying on this game of shuffling private entitlements around, Apple has less incentive to actually review what developers are doing with them. Look at the Uber iPhone app's screenrecord permissions, or when TikTok stole iOS clipboards.
Apple uses "secure" review as an excuse to not review apps or secure their runtime.
Apple's review sucks but you are very confused about your "takedown" of their security practices. It's not meant to protect against everything. Even well-made security boundaries can fail against sophisticated attackers, or be too onerous against generic malware.
Honestly, I think you have a fair point there. I personally don't believe that any system could be 100% secure. But I do think there is a point to be made on the efficacy of securing the runtime compared to individual app inspection.
In macOS 15, there is no GUI bypass. Right click -> Open no longer works. xattr is "the way". I'm sure someone has probably created an Automation or something for it.
There's a small section in System Settings that they don't really tell you about that pops up when the OS blocks a file from opening. You can then override the block there. Yes, it's extremely annoying.
> where Apple can be more sure (hopefully) that the apps are safe
Ha, they'd love to capture the 30% Apple tax on macOS too, I'm sure.
I don't think the mark-of-the-web feature is bad, but I am particularly annoyed that I have to open the system settings app to open an application.
Honestly, when I first tried modern macOS, I was surprised how bad the popups and warnings were. This is exactly what Apple (rightfully) made fun of when Vista came around. I've caught myself mindlessly approving prompts because there are so many of them and most of them don't make much sense at all ("do you want to allow iTerm access to your downloads" after I've explicitly dragged the thing to the special "developer tools" setting? what the heck?).
