
The Security Policy of Bresink Software Updater

Security Architecture

When you launch Bresink Software Updater for the first time, it will automatically integrate into the security model of macOS. This is necessary because the application can be used to replace copies of our applications owned by other users. Only responsible system administrators who manage the respective computer should be allowed to perform such actions.

To guarantee a high security level, Bresink Software Updater works in two parts: The normal main application with the graphical user interface coordinates all operations and also executes every task that doesn’t require special permissions. However, as soon as a privileged operation has to be executed, for example overwriting an outdated program stored in a protected folder, the application stops, makes you aware of the pending task, and checks whether the current user can identify herself as a system administrator. If yes, the task continues and the privileged operation can start.

If you only update copies of our applications that you have previously transferred to the Mac yourself, no special privileges will be necessary, because in that particular case you have write permission for all affected files. Only if you want to install an update for an application that was copied to your Mac by a different user account will you need administrative rights. Further details are given in the next section.

A privileged job is not executed by the main application. A second component, the so-called privileged helper, does this work after receiving the request of the main application via a secure, tap-proof channel. Even if an attacker managed to manipulate the main program, it could not trigger any malicious functions on the computer, because it could not obtain the permission to do so. Only the privileged component, which is monitored and specially protected by macOS, has this technical capability. This means we have a separation of user rights in this setup. The privileged helper will also be called the security component in this context.

If the current user cannot identify as a system administrator, the privileged operation is rejected and will not be executed. You receive a notice in the graphical user interface that the pending task could not be continued for security reasons.

Confirming a privileged operation

To create the aforementioned monitored link between the main application and the privileged component, macOS asks for permission to set up the helper program during the first start of Bresink Software Updater. After this special trust relationship has been established between the main application and the privileged component, Bresink Software Updater controls the special permissions from then on. The following rules apply when verifying the right to execute a protected operation that could change data:

For security reasons, only those users can initiate a privileged operation in Bresink Software Updater for whom the option Allow user to administer this computer is enabled in the account management of macOS. Such users are called administrators. This option is enabled by default for the user who owns the computer and has set it up.

The application cannot read your password: Neither the main application nor its privileged component is involved in the password entry or the verification of credentials. Both tasks are handled exclusively by macOS, so your password cannot be seen by the programs. Only after macOS has checked your identity is the result sent to the application.

On computers with Touch ID, the confirmation can also be done by fingerprint: If your computer contains Apple’s fingerprint reader Touch ID, the verification of your identity can also be done by fingerprint. To let you check the pending operation, a short description is additionally shown in the Touch Bar, as in the example depicted. As usual in macOS, you can choose whether to identify by password or by fingerprint.

On computers with Touch ID, the confirmation is also possible by fingerprint. The Touch Bar shows a notification in this case.

A confirmation is valid for the pending operation, and for further operations in the next five (5) minutes: In some cases, Bresink Software Updater has to execute multiple privileged operations in rapid succession to complete a certain process, for example, updating several applications at the same time. The application is designed to handle such a composite operation as a single event, even if the operations are internally considered separate actions requiring different permissions. You only have to authenticate once, not twice, in this example. But even operations that don’t belong together don’t necessarily lead to a renewed password entry: If less than five minutes have passed between your last authorization and a privileged operation, another check of your identity is skipped.

An authorization won’t be shared with other applications: When you have confirmed your identity to Bresink Software Updater to execute a privileged operation, this authorization is only valid for the application itself, not for other programs. This is stricter than the usual guidelines of macOS, which would allow skipping another password entry within five minutes for all applications running in the same login session.

The paragraphs below contain information for experienced system administrators. You can skip them during first reading.

Technical Details for Advanced Users

The security component is installed into the folder /Library/PrivilegedHelperTools, which is Apple’s recommended folder for such utility programs. The name of the component is BresinkSoftwareUpdater-PrivilegedTool. macOS automatically launches and quits this program as needed, so that it does not run as a background service for an extended period of time.

You can choose to remove the security tool at any time without leaving any traces. In this case Bresink Software Updater loses its capability to access privileged system areas, so the program is forced to shut down as well. Perform the following steps to remove the component:

  1. Launch Bresink Software Updater if it is not running yet.
  2. Select the menu item Application > Remove Security Component….
  3. Follow the instructions the program gives. The program quits itself as the last step of this operation.

Enabling stricter policies for administrator authorization

In older versions of the application, there were special cases in the authorization of privileged operations where a login of a user with administrative rights was not permitted for security reasons. If desired, administrators can reinstate this previous, more restrictive behavior.

Authorization in the current login session of a user who does not have administrative privileges

A user who is not currently logged in to macOS as an administrator can still perform privileged operations if they know the administrator credentials. The current login session does not need to be interrupted. If this option is not desired for security reasons, an administrator can block this by entering the following command on the affected computer:

sudo defaults write /Library/Preferences/com.bresink.system.softwareupdater.plist MBSBlockAuthForNonAdminLogin -bool true

Fallback from local user identification to administrator authorization with name and password

To recognize users as authorized for a privileged operation, the application uses a feature of macOS known as local user authentication. macOS checks the user’s identity through a dialog window that asks for their credentials. Alternatively, it is also possible to use security hardware, e.g. reading a fingerprint via Touch ID or using a smart card.

There are special cases where macOS rejects local user authentication, considering the user as unauthorized:

In such cases, the program automatically switches to the traditional login of an administrator using name and password. If this option is not desired for security reasons, an administrator can block this by entering the following command on the affected computer:

sudo defaults write /Library/Preferences/com.bresink.system.softwareupdater.plist MBSBlockLocalAuthFallback -bool true

Additional notes on changing security policies

Both policies mentioned above can be turned on or off independently. As a rule, the change takes effect the next time you start the application. However, there may be special operating situations in which macOS delays activation. If you want to ensure that the change takes effect in any case, it is recommended to restart the computer.

Press the return key only at the end of the command, even if the command is shown on several lines for reasons of space. After the command is entered, macOS asks for the password of the currently logged-in administrator. It is entered covertly, so it does not appear on screen.

To switch the behavior back to default, the following commands can be used:

sudo defaults delete /Library/Preferences/com.bresink.system.softwareupdater.plist MBSBlockAuthForNonAdminLogin

or respectively

sudo defaults delete /Library/Preferences/com.bresink.system.softwareupdater.plist MBSBlockLocalAuthFallback
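The commands above set and reset the two policies but do not show their current state. The following script is an added example, not part of Bresink’s documentation: it reads both policy keys from the plist named above and reports whether each is at its default or blocked, and it checks that the security component exists in /Library/PrivilegedHelperTools with a valid code signature. It assumes macOS with the standard defaults and codesign tools; the key names and paths are the ones quoted in the text.

```shell
#!/bin/sh
# Added example: audit the Bresink Software Updater authorization policies
# and the installed privileged helper. Not part of the product itself.

PLIST=/Library/Preferences/com.bresink.system.softwareupdater.plist
HELPER=/Library/PrivilegedHelperTools/BresinkSoftwareUpdater-PrivilegedTool

# Map a raw `defaults read` result to a readable policy state.
# A key written with `-bool true` reads back as "1"; an absent key (the
# state after `defaults delete`) is passed in as an empty string.
policy_state() {
    case "$1" in
        1)  echo "strict (blocked)" ;;
        0)  echo "default (explicitly off)" ;;
        "") echo "default (key not set)" ;;
        *)  echo "unexpected value: $1" ;;
    esac
}

# Read one key; `defaults read` fails on a missing key, so turn that
# into an empty string instead of an error message.
read_policy() {
    defaults read "$PLIST" "$1" 2>/dev/null || true
}

audit_policies() {
    for key in MBSBlockAuthForNonAdminLogin MBSBlockLocalAuthFallback; do
        printf '%-30s %s\n' "$key" "$(policy_state "$(read_policy "$key")")"
    done
}

# The helper must be present at the documented path and carry a valid
# signature; a missing or unsigned helper is worth investigating.
audit_helper() {
    if [ ! -f "$HELPER" ]; then
        echo "helper missing: $HELPER"
        return 1
    fi
    if codesign --verify --strict "$HELPER" 2>/dev/null; then
        echo "helper present, signature verified: $HELPER"
    else
        echo "helper present, signature check FAILED: $HELPER"
        return 1
    fi
}

# Only run the live checks on macOS; the helper functions work anywhere.
if [ "$(uname)" = Darwin ]; then
    audit_policies
    audit_helper
fi
```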