The Trials and Tribulations of Keeping Up with Apple’s Security Lockdowns

Originally published at: The Trials and Tribulations of Keeping Up with Apple’s Security Lockdowns - TidBITS

At Rogue Amoeba’s blog Under the Microscope, Paul Kafasis writes:

During this time, Apple placed an emphasis on improving the security of MacOS, continually locking the operating system down further and further. Though their changes weren’t aimed at the legitimate audio capture we provided our users, they nonetheless made that capture increasingly difficult. We labored to keep our tools functioning with each new version of MacOS. Through it all, we lived with a constant fear that Apple would irreparably break our apps.

In 2020, the disaster foreshadowed literally one sentence ago struck. Beta versions of MacOS 11 broke ACE, our then-current audio capture technology, and the damage looked permanent. When we spoke briefly to Apple during WWDC 2020, our appeals for assistance were flatly rejected. We spent weeks attempting to get ACE working again, but eventually we had to admit defeat. ACE as we knew it was dead in the water, and all options for replacing it involved substantial reductions in functionality. Though we did not discuss it publicly at the time, things looked grim for the future of our products.

It took three years of working with Apple, but Rogue Amoeba was eventually able to replace ACE with the next-generation audio capture technology ARK, all in the service of improving the first-run experience. It’s a fascinating story that reveals a bit of what developers go through in keeping up with Apple and its emphasis on platform security.

 


There’s an interesting article about why Apple might be getting so paranoid about security:


I would love to hear some inside stories about the kinds of threats that Apple sees. Every now and then we get a glimpse of the severity of these exploits, but seldom any real details. For instance, a security update from a year ago linked to a post with this comment:

Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.


Me too! I think we see a lot of the stories from the other side (i.e., the FBI whining about encryption). It’d be fascinating to see Tim Cook’s daily brief.

(The point I was making was that I think we sometimes lose sight of the issues to the point that we have multiple simultaneous articles that are connected to each other but that everyone is reacting independently to.)


I was directly affected by these events, as someone who owns & relies on several Rogue Amoeba apps for the broadcasting & ad-production work I do for a community radio station. I’m super-happy that Paul & his team were able to recover from Apple’s changes! (I’ll note that I recently got a refurbished MacBook Air to replace my old iMac, so I now benefit directly from the considerably smoother installation of ARK versus the hoops required to install the previous ACE tool.)

And watch this space, since there’s going to be another one. :-)


To close the loop, I was referring to my latest article about how bootable backups are on the way out because they pose inherent security risks.

I’ve deleted the off-topic post reiterating complaints about Apple along with the replies.


I’m sure you’re aware of the 2TB custom SSDs that have been reverse-engineered for the M4 Mac Mini – now available on eBay. Ignoring the perils of opening the M4 Mac Mini, the OS must be installed on that SSD through a second Mac on the network while re-booting the Mac Mini in DFU mode.

It would be far easier to have those SSDs come with macOS installed. OTOH, it’s far more secure to have the customer download and install the OS on his machine. My understanding is that the OS image is customized with a tag from the M4 CPU.

Yes, but it can’t be done. In addition to installing macOS, Configurator sets up the cryptographic pairing between the SSD and your motherboard. It (obviously) can’t be done from a different computer.