What Do macOS Security and Privacy Permissions Protect You From?

Mac apps often request some kind of “permissions” during their installation. Since Apple expanded macOS Mojave’s Security and Privacy permissions, requests have only increased. What does it mean when an app wants “Accessibility permission”? Should you grant apps these permissions?

Accessibility

This permission is the most commonly requested, so our description starts here.

Accessibility permissions give apps extremely broad access to your Mac. Apps with this permission can access the entire system and control other apps. It’s like Full Disk Access plus Automation.

This permission was created for apps that help people with disabilities. Soon, other apps started asking for the same access. Some developers treat it as a blanket permission: requesting it means the app will always have the access it needs. The app might not even need broad access, but developers request it to keep macOS from obstructing their app.

Malware could exploit this access to log activity or inject attacks. That’s why Accessibility permissions require an extra step: the user must turn on an app’s Accessibility access manually in System Preferences.

Here are some examples of what apps do with their access:

  • TextExpander inserts text, images, and other content into any document.
  • Alfred allows clipboard monitoring, snippet expansion, and simulating key events.
  • BetterSnapTool moves and resizes application windows and reads window data.
  • Dropbox updates the Finder UI with badges and progress icons.

Location Services

This allows apps to request your current location. Because your Mac lacks a GPS chip, it accesses a database of Wi-Fi router locations. With this, Location Services grabs your location. Your IP address can also help estimate your location.

The Camera and Microphone permissions are nearly the same. As the names say, they allow access to the FaceTime camera and microphone. They are handled by the same system permissions that control file access. This prevents an application from accessing these resources unless explicitly permitted.

Photos

This permits the application to access the Photos database. This is different from accessing the camera. It’s also not as broad as accessing all the photo files on your Mac. It only permits access to the Photos.app database. If you have photos stored outside the Photos.app database, the app will not get permission to access them with this setting.

Like Camera and Microphone, the Contacts, Reminders, and Calendar permissions provide the same control mechanisms over different areas of your Mac.

  • Contacts permission includes any contact information stored in Contacts.app. Typically, messaging and email apps use this to access your contacts to send messages or identify senders.
  • Reminders allows access to the content of the Reminders app. This is used by ToDo apps and task managers to integrate with Apple’s default system.
  • Calendar permits access to the content of events in Calendar.app. Schedule apps use this to view and edit calendar events.

Pro Tip: You can limit the effect of these permissions by selecting which accounts are able to share calendar, contact, and message data in “System Preferences -> Accounts.” If the data isn’t on your Mac, it can’t be shared with an application.

Automation

This allows apps to control other apps. Normally, macOS “sandboxes” applications. This limits what the apps can touch. By default, apps can only access their own data. Automation lowers the sandbox walls slightly, permitting an app to change how other apps work. Automation permissions grant access to specific apps, not every app.

Full Disk Access

This permission allows apps to read, write, and modify files anywhere on your disk. Essentially, this permission provides arbitrary access to files throughout the system. It includes data in Mail, Messages, Time Machine backups, Home, and certain admin settings for all users on the Mac. This access is also included in the Accessibility permissions, so few apps request it.

Analytics

This controls how much data an application sends “home” to its developers. This can include metadata, as well as your Mac’s hardware and software configuration, your location, and iCloud data. The permissions allow you to decide who can get the data.

Advertising

Advertising, on the other hand, explicitly handles advertisements. There’s really just one setting here, which is “Limit Ad Tracking.” With this on, you opt out of targeted ads from Apple. As usual, you don’t get fewer ads, just generic ads.

Permissions allow you to control what happens on your Mac. By requiring the user’s approval before an app accesses sensitive data, macOS works with you to keep access limited. Carefully consider what you’re giving up before giving an application permissions on your Mac. You should only grant them to trusted apps.
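To act on that advice, you can periodically list which apps hold the broadest grants. The following is an added example, not part of the original article: it reads a table laid out like the one macOS keeps for these permissions and flags apps with Accessibility or Full Disk Access that are not on a trusted list. The table and column names and the `kTCCService...` identifiers are assumptions about macOS internals that the article does not mention, and the bundle IDs are constructed sample data.

```python
import sqlite3

# TCC service identifiers mapped to the permission names used in this article.
SERVICES = {
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAppleEvents": "Automation",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServiceCalendar": "Calendar",
    "kTCCServiceReminders": "Reminders",
    "kTCCServicePhotos": "Photos",
}
BROAD = {"Accessibility", "Full Disk Access"}  # the two widest grants described above

def granted_permissions(conn):
    """Return {client: sorted permission names} for grants currently allowed."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    # Assumed layouts: newer releases use auth_value (2 = allowed),
    # Mojave-era databases use allowed (1 = allowed).
    cond = "auth_value = 2" if "auth_value" in cols else "allowed = 1"
    grants = {}
    for service, client in conn.execute(
            "SELECT service, client FROM access WHERE " + cond):
        if service in SERVICES:
            grants.setdefault(client, set()).add(SERVICES[service])
    return {client: sorted(perms) for client, perms in grants.items()}

def needs_review(grants, trusted):
    """Clients holding a broad permission that are not on the trusted list."""
    return sorted(c for c, perms in grants.items()
                  if BROAD & set(perms) and c not in trusted)

def sample_db():
    """In-memory database with constructed rows (hypothetical bundle IDs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, allowed INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        ("kTCCServiceAccessibility", "com.example.snippets", 1),
        ("kTCCServiceAccessibility", "com.example.unknown-helper", 1),
        ("kTCCServiceAccessibility", "com.example.declined", 0),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 1),
        ("kTCCServiceCamera", "com.example.videochat", 1),
        ("kTCCServiceMicrophone", "com.example.videochat", 1),
    ])
    return conn

if __name__ == "__main__":
    grants = granted_permissions(sample_db())
    trusted = {"com.example.snippets", "com.example.backup"}
    print(needs_review(grants, trusted))
```

On a real Mac, pass a read-only connection to a copy of the permissions database instead of `sample_db()`; its location and layout vary by macOS release, so check the columns before trusting the output.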

2 comments

  1. What happens if you DO NOT grant the requested permissions? Does the app throw a hissy fit and refuse to work?

    • I’ve yet to encounter an app that just steadfastly refuses to work, unless the app’s function is completely dependent upon the permissions it requests. An actual accessibility app, like something that changes the appearance of every UI element on the screen, would probably throw up an error message saying it needs accessibility permissions, then shut down—provided it didn’t just crash on launch. Depends on how well it was coded :)

      Most frequently, a specific function of the app fails. For example, in SnagIt, refusing to grant accessibility permissions means you can’t take autoscrolling screenshots of browser contents. Dropbox uses accessibility permissions to draw sync icons in Finder. But even without those features, the rest of the app works as expected. More invasive apps like Automator might have larger parts of their functionality fail.
