back to article Apple macOS so secure some apps can't be easily deleted

An Apple macOS security process called System Integrity Protection can prevent certain apps from being easily uninstalled, which isn't ideal when the code may be vulnerable or malware. System Integrity Protection, or SIP, has clear benefits for macOS security. Introduced in OS X El Capitan (10.11) in 2015, it applied a new …

Silver badge

Right, security

How much of this is for security and how much of it is Apple protecting their rigid branding and customer lock-in? I started using Apple products from DOS 3.2 but quit after MacOS 10.6.8. For how much money Apple is charging, I need to feel like I actually own the computer after I buy it.

25
2

This post has been deleted by its author

Silver badge

"Apple macOS so secure some apps can't be easily deleted"

iTunes, for one. Shame that.

26
1

Java 9 is another example

I installed java 9 just to find out that it did not work with a Eclipse based IDE. Only solution to get rid of it was to disable SIP, because there are no uninstaller. You could blame evil Oracle for the later.

I haven't enable SIP. I want to be able to delete my software.

5
1
Silver badge

Re: Java 9 is another example

Presumably it makes updating kexts difficult too. They are just a folder containing a few more folders and files and some of them would need to be deleted in an update.

So putting SIP on the 3rd party kext folder just seems to be a way of locking in kext bugs.

0
0
Silver badge

Re: Java 9 is another example

You need to jump through the hoop, and know that it is there to even see the folder in question in Finder. That sort of stuff is hidden. I've unhidden it because I know what I'm doing and recently had to go in and take something out. This is a hand-me-down machine from my daughter and it is running a load of stuff in the background that I don't need. She is in Bioinformatics so installed a pile of custom software packages and had server connections galore which all wanted a bite.

That's right, the virus checker found something, not dangerous or active and the infected file was not something I needed. But I could not find it in Finder to delete it.

As for not being able to delete things, welcome to Android. I neither need, use or want a whole slew of the Google apps on my phone but I cannot delete them without rooting it. So why pick on Apple?

3
0
Silver badge

Re: Java 9 is another example

Why pick on Apple? Desktop OSes have been considered open for a long time, Apple's reasons for locking down parts of the filesystem are not very convincing and it has been shown to inconvenience people.

3
1
Silver badge

Broken OS

I normally resist OS major version updates on Apple until the .1 release (much like I used to on Windows) in order for all the beta testers to find the main issues in the OS. I then take a view on whether the issues that occur justify updating the OS major version using the .1 release or adopting a further wait and see approach given they usually go up to a .5 release.

In this case I think High Sierra is just utterly fucked and I'll miss the whole thing. I'm sure, if he were alive, Jobs would have disembowelled someone with magic mouse by now over the shitty quality control that now seems to pervade everything Apple do.

26
2

Re: Broken OS

I have always waited until the .3 release but with a new file system as well I was going to wait for .4 at least. Now with the Intel issue having only been patched in 10.13.2 may have to think about this again.

3
2

Re: Broken OS

Apple have become far too focused on the iPhone, everything else is falling by the side of the road in varying states of disrepair. The focus is off their PC offerings, has been for years and they are coasting, knowing that some will continue to buy whatever nonsense they release. I say that as someone who was repairing PowerPC logic boards back in the 90s and who hasn't owned a Mac laptop or desktop for over 20 years now but still have plenty of hands on experience of repairing friend's ones.

The iPhone is the cash cow these days.

11
0
Silver badge
Joke

Re: Broken OS

I normally resist OS major version updates on Apple until the .1 release

I have some good news for you, OSX10.1 was released in 2001 so you've been OK for 17 years

3
1

This post has been deleted by its author

Anonymous Coward

It is my personal belief that such boo-boos wouldn't have happened under Steve Jobs

Tim Cook = Steve Ballmer.

Inherits the business from a visionary, maintains the status quo, eventual complacency and decline.

https://steveblank.com/2016/10/24/why-tim-cook-is-steve-ballmer-and-why-he-still-has-his-job-at-apple/

A lack of vision portends death of a business. Especially in the tech industry.

8
0

Re: It is my personal belief that such boo-boos wouldn't have happened under Steve Jobs

Oh god it’s another “death of Apple” prediction.

8
5
Silver badge

Re: Death of apple

If they die then who will the commentards here turn their hate onto? Google? Microsoft?

Who?

2
1
Silver badge

Re: It is my personal belief that such boo-boos wouldn't have happened under Steve Jobs

I don't know if it wouldn't have happened under Jobs, but it certainly wouldn't have happened under Bertrand Serlet (OS X boss, left after Snow Leopard).

7
0
Silver badge

Re: Death of apple

Who?

We will finally go back to writing Good Software and systemd replacements.

1
0
Silver badge

Re: Death of apple

Google and Microsoft (as well as Facebook) will certainly continue to get their fair share of deserved angry comments regardless of what does or does not happen with Apple.

1
0

Optional

Well remember SIP can be turned off simply enough, troublesome Kext's removed, and either left off, or re-enabled, no biggie for most, if you need to, but for many, they will just leave it all 'as is'

for me, I *always* remove iTunes, messages, all that photo, maps, social media and cloud crap, and the rest of the included shovl-ware.. but admittedly, i'm not exactly a regular type of user however..

2
2
Silver badge

Re: Optional

Yes, SIP can be disabled but Apple tries to make this as dfficult as possible. The real beef with SIP is that it promises more than it can really deliver while making perfectly reasonable stuff harder to do. The thinking might be about reducing Apple's potential liability because, in general, users have to disable the protection.

1
1
Silver badge

Re: Optional

If a buggy or malware kext were to be installed, SIP doesn't stop it from being installed, it just keeps it there.

Someone at Apple needs to sit down and think about what they want to achieve with SIP apart from it being a cool idea.

0
0
Silver badge

Re: Optional or Opt In for Who Dares Care Share Win Wins

Key Apple Operating Systems try to keep it there, Dan 55. And that is nowhere near as easy as it once was, is it, in these ages of SMARTR Analytical Systems Operations on Underground Missions with Communications Overhead.

0
1
Silver badge
Stop

Deja vu ...

Didn't Windows have a similar idea with Win2000 ?

Any attempt to replace system DLLs (and OCXs as I recall) resulted in the imposter being zapped back to the official version.

And kids wonder why it was called DLL Hell .....

0
0
Anonymous Coward

Re: Deja vu ...

system files are still protected. Haven't had dll hell for years now.

dll was nothing compared to trying to sort out resources for your ECP printer, moden and NIC.

0
0
FAIL

BitDefender is another

I ran BitDefender for 12 months on my corporate Mac. Then the company mandated a different AV product. Cue 12 hours of frustration, reboots, and eventually a reinstall of MacOS to get rid of every last remaining part of BitDefender. And I am a technical person.

Imagine what happened at the main board level?

3
0
Silver badge
Holmes

no longer a computing company

Apple is now a consumer company... Tim is milking the company. What are Vegas odds that he will be parachuting onto his private island by 2020?

1
1
Silver badge

Re: no longer a computing company

To be fair, Tim Cook has said many times that he will give away all his money during his lifetime.

So someone will benefit. I can only hope that his gifts don't have the same sort of strings attached as those of other more well known ex IT company CEO's have.

Tim Cook does not strike me as being as personally money hungry as Mr Big Boats over at Oracle but I could always be wrong. But he was until recently not flying on private jets but commercial services. Isn't a private jet (and a white cat) all part of the things you need to get you to your private island?

2
1

Move along, nothing to see here.

Seriously.

It's about KEXTs. They're a boon of Mac security since I can remember. There was a time when Apple refused to service Macs if certain KEXTs were present.

The point is: I, and Apple, and others, firmly believe the average user does not need to install KEXTs, ever. If you don't understand why, I'll give you a hint: It's in the first letter.

Now, there's a small subset of (non-average) users, who need to install software that cannot, technically, be run without KEXTs. For these users, the way to install KEXTs easily is kept open. At the same time, those small subset of users are experienced enough to jump through the hoops to uninstall (it is not that hard as the article implies). A point could be made that making installing KEXTs should have a bigger hurdle than it does now, with KEXTs being lumped into the same category as unsigned, but safe for most users, software.

The bigger problem here is the exampled application, BlueStacks, installing a KEXT. Because its purpose -- running Android apps -- does NOT require KEXTs. A quick google gives me at least two more software packages that can do that, without KEXTs. So it's either a lazy developer (using KEXTs is easier to program than not), or it's on the track to being malware.

5
0
Silver badge

Re: Move along, nothing to see here.

Bluestacks' kext is a hypervisor, maybe running Android in an ARM VM gives better results than writing an apk interpreter from scratch, especially with Google Play dependencies getting greater with every release.

Or there's repartitioning your Mac and adding Android x86 as an OS which it could boot up from which I don't think anyone would want.

0
0

Re: Move along, nothing to see here.

@dan 55

It's not that easy to install non-Apple OS'es because SIP prevents you from modifying bootstuff. See http://www.rodsbooks.com/refind/sip.html

On my 2012 MBP I managed to disable SIP, but I'm not sure if Apple will still allow you to disable it on new products. I'm not taking the risk anyway, next laptop won't be an Apple for me.

0
0
FAIL

Re: Move along, nothing to see here.

> I, and Apple, and others, firmly believe the average user does

> not need to install KEXTs, ever.

Then, add frigging touchscreen support to Mac OS Already. Or at least allow one to be recognized and operated as a generic mouse.

I have a Dell ST2220T display hooked up to my Mac Mini. Can't even operate the touchscreen without installing an expensive KEXT from Touch Base. Linux can use the touch portion of the screen upfront without any need to install anything.

And to top it off, Apple wants to merge iOS and Mac OS apps. That's a bad enough idea as is, but explain to me how I'm going to use iOS apps without pinch-to-zoom gestures?

1
2

Re: Move along, nothing to see here.

Here's another thing: There's only so much PEBCAK that you can protect from.

What's Apple supposed to do?

– If they change the rules for installing apps so that KEXTs need another hurdle, people complain that they do not have control over their own machine.

– As seen, if they protect the kernel (including installed KEXTs), people complain they do not have control over their own machine.

So what is it? You either have high security or full, easy control. Apple needs to balance, and they will step on someone's toes any which way they do it. Currently, you HAVE full control. Just a few hurdles to jump over. Just not where some people expect them.

Do the rules make sense. Maybe. Maybe not. Can they?

0
0
Silver badge

Re: Move along, nothing to see here.

Kexts are signed anyway, so why shouldn't they be writable by the administrator?

0
0

csrutil disable

The Protected apps or components that can't be removed such as itunes, photos or whatever you have to switch rootless off, then you can remove what you need and switch it back on again.

2
0
Anonymous Coward

Classic Reg!

Awesome combination of article Title and Tagline, gave me a good chuckle ;-)

0
0
Silver badge
Pint

"...apps can't be easily deleted."

So, precisely the same as Apple's iOS, Google's Android, Blackberry's Playbook, etc. etc. then.

Note: "...*easily*..." Nearly everything is possible.

1
1

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018