The Security Policy of Sync Checker

When you launch Sync Checker for the first time, it will automatically integrate into the security model of macOS. This is necessary because the application can be used to read files owned by other users or owned by the operating system. Only responsible system administrators who manage the respective computer should be allowed to perform such actions.

To guarantee a high security level, Sync Checker works in two parts: The normal main application with the graphical user interface coordinates all operations. It also executes all tasks that don’t require any special permissions. However, as soon as a privileged operation has to be executed, for example comparing files in protected folders, the application stops, makes you aware of the pending task, and checks whether the current user can identify as a system administrator. If yes, the task continues and the privileged operation can start.

If you only like to check your own files, or files for which you always have read permission, you won’t ever need to permit a privileged operation. In this case, the features mentioned in this section won’t really apply to you. However, in the general case, for example when you like to compare entire operating system volumes, Sync Checker may be forced to open specially protected folders in order to perform an accurate check.

A privileged job is not executed by the main application. A second component, the so-called privileged helper, does this work after receiving the request of the main application via a secure, tap-proof channel. Even if an attacker managed to manipulate the main program, it could not trigger any malicious functions on the computer, because it would not get permission to do so. Only the privileged component, which is monitored and specially protected by macOS, has this technical capability. This means we have a separation of user rights in this setup. The privileged helper will also be called security component in this context.

If the current user cannot identify as a system administrator, the privileged operation is rejected and not executed. You receive a notice in the graphical user interface that the pending task could not be continued for security reasons.

Confirming a privileged operation

To create the aforementioned monitored link between main application and privileged component, macOS asks for permission to set up the helper program during the first start of Sync Checker. After this special trust relationship has been established between main application and privileged component, Sync Checker controls the special permissions itself from then on. The following rules apply when verifying the right to execute a protected operation:

The running user session must be owned by an administrator: For security reasons, only those users can initiate a privileged operation in Sync Checker for which the option Allow user to administer this computer is enabled in the account management of macOS. Such users are called administrators. This special option is the default for the user who owns the computer and has set it up. The login session in which Sync Checker is running must have been started by this user, or by a different user who has also been granted administrative rights. This means it won’t be possible to initiate a privileged operation for a user account which has not logged in as administrator. You cannot act as a different user while your identity is being verified by entering that user’s name and password.

This is compliant with the classic security guidelines that were established for the first generations of macOS (called Mac OS X at that time), and is stricter than the guidelines usually in effect for graphical applications running with modern versions of macOS. The policy is similar to that used by macOS and other Unix systems for the sudo command on the command line, which is also responsible for unlocking privileged operations individually.

The login session must run for a user with administrative rights if you intend to check files for which you don’t have read permission.

However, if you are currently working with a user account that has no administrative rights, you won’t need to end your running login session in order to use Sync Checker. By using System Preferences to activate the option Users & Groups > Login Options > Show fast user switching menu as, you can enable an item at the top right hand side of the graphical user interface of macOS which lets you log in a second time directly, as a system administrator, while the first session keeps running. This way you can work with multiple screen sessions for different users and switch back and forth between them.

The application cannot read your password: Neither the main application nor its privileged component is involved in the password entry and verification of credentials. Both tasks are exclusively handled by macOS, so your password cannot be seen by the programs. Only after macOS has checked your identity is the result sent to the application.

On computers with Touch ID, the confirmation can also be done by fingerprint: If your computer contains Apple’s fingerprint reader Touch ID, the verification of your identity can also be done by fingerprint. To check the pending operation, there will also be an additional short description in the Touch Bar, like that in the depicted example. As usual in macOS, you can choose whether to identify by password or by fingerprint.

On computers with Touch ID, the confirmation is also possible by fingerprint. The Touch Bar shows a notification in this case.

A confirmation is valid for the pending operation, and optionally for further operations in the next five (5) minutes: In some cases, Sync Checker has to execute multiple privileged operations in rapid succession to complete a certain process. For example, files in a protected folder may need to be counted first, then each individual file may need to be opened. The application is designed to handle such a composite operation as a single event, even if the operations are internally considered separate actions requiring different permissions. You only have to authenticate once, not twice, in this example. But even operations which don’t belong together don’t necessarily lead to a renewed password entry: If less than five minutes have passed between your last authorization and a privileged operation, another check of your identity is skipped.

An authorization won’t be shared with other applications: When you have confirmed your identity to Sync Checker to execute a privileged operation, this authorization is only valid for the application itself, not for other programs. This is also stricter than the usual guidelines of macOS, which would allow all applications running in the same login session to skip another password entry within five minutes.
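The three rules above (administrator session required, one authentication per composite operation with a five-minute re-use window, and no sharing between applications) can be modelled as a small policy. This is an added illustration, not Sync Checker’s own code: the class and function names and the is_admin flag are assumptions, and the actual identity check is performed by macOS, which the model only stands in for.

```python
"""Model of this page's authorization rules. Added illustration, not Sync Checker's own
code: names and the is_admin flag are assumptions; macOS does the real identity check."""
from dataclasses import dataclass, field

AUTH_LIFETIME_SECONDS = 5 * 60  # re-use window after the last password/Touch ID entry


@dataclass
class Session:
    user: str
    is_admin: bool  # "Allow user to administer this computer" enabled in macOS


@dataclass
class AuthorizationPolicy:
    # Last successful identity check per application:
    # app -> (time of the check, id of the composite operation it belonged to).
    # Keying by app is what keeps an authorization from being shared with other programs.
    _last_check: dict = field(default_factory=dict)

    def authorize(self, app, session, now, composite_id=None):
        """Decide one privileged operation: 'denied', 'composite', 'cached' or 'prompt'."""
        if not session.is_admin:
            # Only an administrator's own login session may start a privileged
            # operation; there is no "identify as a different user" path.
            return "denied"
        record = self._last_check.get(app)
        if record is not None:
            checked_at, checked_composite = record
            if composite_id is not None and composite_id == checked_composite:
                return "composite"  # further step of one composite operation: same event
            if now - checked_at < AUTH_LIFETIME_SECONDS:
                return "cached"  # under five minutes since the last authorization
        # macOS would verify password or fingerprint here; the app never sees the secret.
        self._last_check[app] = (now, composite_id)
        return "prompt"


def run_scenario():
    """Walk the rules with constructed sessions and return the list of decisions."""
    policy = AuthorizationPolicy()
    admin, standard = Session("alice", True), Session("bob", False)
    return [
        policy.authorize("Sync Checker", admin, 0.0, composite_id="count-then-open"),
        policy.authorize("Sync Checker", admin, 120.0),   # unrelated op, under 5 min: cached
        policy.authorize("Sync Checker", admin, 400.0, composite_id="count-then-open"),
        policy.authorize("Sync Checker", admin, 401.0),   # over 5 min since the check: prompt
        policy.authorize("Other App", admin, 402.0),      # authorization is not shared: prompt
        policy.authorize("Sync Checker", standard, 403.0),  # standard user's session: denied
    ]
```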

Privacy Policy Settings of your Mac

Background Information

As of version 10.14 of the operating system, Apple has added another level of system protection: Nearly all applications now run in a sandboxed environment, which means that each and every request an application sends to the operating system is monitored and checked before it is executed. Not only apps from the Mac App Store, but all other software as well, including some of Apple’s own applications, are no longer free to execute any command that would otherwise be authorized by user permissions. Access to data that could affect system security or a user’s privacy needs explicit approval by an administrator of the Mac first. This approval is granted per program. For example, the administrator could say “program A has permission to access a user’s Photos database”. Such a privacy definition then becomes valid for the entire computer and any user account, for all copies of program A. If program A is running while its privacy settings are changed, the program must be restarted before the new policy takes effect.

The settings for privacy policy are a powerful tool to prevent applications from accessing critical data behind the user’s back, no matter whether intentionally or unintentionally. This is especially true for unwanted applications such as adware, computer viruses, Trojan Horses, or other types of malware. However, this additional protection comes with additional work for administrators. After new software has been installed, it should be checked whether the application needs access to protected parts of the Mac in order to fulfill its duties. If the necessary approval is not granted, the affected application cannot execute specific operations. Such operations may either silently fail, or they are stopped with an error message. The necessary approval must be given by an administrator and the application must be restarted.

Privacy Settings affecting Sync Checker

Sync Checker is designed to compare the contents of files. This may include files that are critical to the users’ privacy, e.g. the Spotlight index, the current Safari settings, or the Photos databases. All these files are protected by macOS. Without prior approval, Sync Checker cannot “see” these files. This means when such files happen to be included in one of the folders you like to check, the results could be incomplete or even wrong.

Sync Checker will give you a warning in red in the main control window if it detects that it may not see all files. The warning is shown right after startup, so you have the chance to fix this issue before you start a check run.

In order not to risk that Sync Checker may omit important files in its checks, the following privacy approvals must be granted:

Changing the privacy settings

If you like to approve full disk access for Sync Checker, perform the following steps:

  1. Launch System Preferences.
  2. Open the pane Security & Privacy.
  3. Go to the tab item Privacy.
  4. Click the lock and identify yourself as user with administrative permissions.
  5. Select the item Full Disk Access.
  6. Press the button + below the list of apps.
  7. Navigate to the folder Library > PrivilegedHelperTools on your system volume.
  8. Select the file SyncChecker-PrivilegedTool and press the Open button.
  9. Also add Sync Checker itself to the table.
  10. Relaunch Sync Checker.

This complex procedure has been under a lot of criticism by third-party software companies, but Apple was not willing to change or simplify it.

The paragraphs below contain information for experienced system administrators. You can skip them during first reading.

Technical Details for Advanced Users

The security component is installed into the folder /Library/PrivilegedHelperTools, which is Apple’s recommended folder for such utility programs. The name of the component is SyncChecker-PrivilegedTool. macOS automatically launches and quits this program as needed, so that it does not run as a background service for an extended period of time.

You can choose to remove the security tool at any time without leaving any traces. In this case Sync Checker loses its capability to access privileged system areas, so the program will be forced to shut down as well. Perform the following steps to remove the component:

  1. Launch Sync Checker if it is not running yet.
  2. Select the menu item Tools > Remove Security Component….
  3. Follow the instructions the program is giving. The program will quit itself as last step of this operation.

Removing outdated generations of the security component

Sync Checker has a long history, protecting many generations of the operating system with its security architecture. Because Apple has changed the guidelines and technologies for this aspect of the system many times, it has sometimes been necessary in the past to modify the security component to use a completely new technology. Usually you won’t need to care about this. The application will notify you when an update is due and will perform all necessary steps by itself.

There can be cases, however, where an updated security component is so different from its predecessor versions that it is no longer compatible with them and cannot remove them automatically for technical reasons. This means an outdated copy of the privileged helper could still be present in the system, even if the main application has been deleted or updated in the meantime. This is usually harmless, because macOS only starts these programs when necessary. You may want to delete these old components, however, to avoid possible misuse and to clean up your computer.

Sync Checker offers a special maintenance feature to do this. It can search for outdated auxiliary programs and remove them if desired. Perform the following steps:

  1. Launch Sync Checker if it is not running yet.
  2. Select the menu item Tools > Clean old security components….
Outdated copies of the privileged helper can be removed if desired.

A window like that depicted in the example will open. The table lists all components which could still be installed from old versions of the application. Components marked by bold print are indeed still present and appear with the status removable. You can select one or more of these components and press the button Clean to delete them. If components are still in use unexpectedly, this will be automatically detected. You can only remove such helper programs after quitting their associated main applications.