Basic security for Mac
Updated 30 April 2021
Use the latest version of your device's operating system (OS)
Why? New vulnerabilities in the code that runs your devices and apps are found every day. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices. But software developers do regularly release code that fixes those vulnerabilities. That is why it is very important to install updates and use the latest version of the operating system for each device you use. We recommend setting your device to automatically update so you have one less task to remember to do.
- Updating to the latest OS may require you to download software and restart a number of times. You will want to set aside time for this when you do not need to do work on your device. Go through the steps of comparing the latest version to your device's current version below, until your device does not give you additional new updates.
- If the latest version of the OS will not run on your device, it is best to consider buying a new device.
- Make sure you restart your computer once an update has downloaded, to make sure it is fully installed.
- See the most updated version available: https://support.apple.com/HT201222
- Compare it to the version your device has installed: https://support.apple.com/HT201260
- Update your operating system: https://support.apple.com/HT201541
- Set your OS to update on its own. See how here https://support.apple.com/guide/mac-help/mchlpx1065/11.0/mac/11.0
Use apps from trusted sources
Why? Apple, Google, Microsoft, and Amazon have official app stores. Having apps in one place makes it easy for you to find and install the ones you want, and it also makes it easier for these companies to monitor apps for major security violations. Only install apps from app stores or from the websites of the developers themselves. "Mirror" download sites may be untrustworthy, unless you know and trust the people who provide those services. If you decide that the benefit of a particular app outweighs the risk, take additional steps to protect yourself, like planning to keep sensitive or personal information off that device. See why Security in a Box trusts the apps we recommend.
- Find the App Store here https://www.apple.com/app-store/
- Disable "install from unknown sources" https://support.apple.com/en-us/HT202491
- Advanced: confirm that a software update is authentic https://support.apple.com/en-us/HT202369
Remove apps that you do not need and do not use
New vulnerabilities in the code that runs your devices and apps are found every day. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices.
But software developers do regularly release code that fixes those vulnerabilities. That is why it is very important to install updates and use the latest version of the operating system for each device you use. We recommend setting your device to automatically update so you have one less task to remember to do.
We also recommend removing apps you do not use. Apps you do not use may also transmit information about you that you may not want to share with others, like your location. If you cannot remove apps, you may at least be able to disable them.
- Follow these steps to delete apps https://support.apple.com/HT202235
- Note: It is difficult and slightly risky to uninstall many default apps that your Mac has pre-installed, like Safari or iTunes. However, it is possible; see this article https://www.howtogeek.com/231496/how-to-uninstall-applications-on-a-mac-everything-you-need-to-know/ and this article https://www.howtogeek.com/230424/how-to-disable-system-integrity-protection-on-a-mac-and-why-you-shouldnt/
Check your app permissions
Why? Apps that access sensitive digital details or services--like your location, microphone, camera, or device settings--can also leak that information or be exploited by attackers. So if you do not need an app to use a particular service, turn that permission off.
- Review all permissions one by one. The following permissions are especially suspicious, as they are very regularly used by malicious applications: Location, Contacts, SMS, Microphone, Camera, Call logs, Phone, Modify or change system settings, and permission to download other apps.
- Review the topics in "Control the personal information you share with apps" here https://support.apple.com/guide/mac-help/mh35847/11.0/mac/11.0
Turn off location and wipe history
Why? Many of our devices keep track of where we are, using GPS, cell phone towers, or wifi we use. If your device is keeping a record of your physical location, it makes it possible that someone could find you, or could use that record to demonstrate you have gone to particular places or associated with specific people.
- Get in the habit of turning off location services overall, or when you are not using them, for your whole device as well as for individual apps.
- Regularly check and clear your location history if you have it turned on.
- Turn off location services for specific apps https://support.apple.com/guide/mac-help/mh35873/11.0/mac/11.0
- In Maps app, if you use it https://support.apple.com/guide/maps/mpsf81b66a62/mac
Make separate user accounts on your devices
Why? We strongly recommend not sharing devices you use for sensitive work with anyone else. However, if you must share your devices with co-workers or family, you can better protect sensitive information by setting up separate accounts on your devices in order to keep your sensitive files protected from other people.
- Make more than one account on your device, with one having "admin" (administrative) privileges and the others with "standard" (non-admin) privileges.
- Only you should have access to the admin account.
- Standard accounts should not be allowed to access every app, file, or setting on your device.
- Consider using a standard account for your day-to-day work:
  - Use the admin account only when you need to make changes that affect your device security, like installing software.
  - Using a standard account daily can limit how much your device is exposed to security threats from malware.
  - When you cross borders, having a standard account open could help hide your more sensitive files. Use your judgment: will these border authorities confiscate your device for a thorough search, or will they just open it and give it a quick review? If you expect they won't look too deeply into your device, using a standard account for work that is not sensitive provides you some plausible deniability.
- See how to set up new user accounts https://support.apple.com/guide/mac-help/mtusr001/11.0/mac/11.0
Secure the accounts connected with your device
Why? Most devices have accounts associated with them, like Google accounts for your Android phone, your Chrome laptop, and Google TV, or Apple accounts for your iPad, Apple watch, Mac laptop, and Apple TV. More than one device may be logged in at a time (like your phone, laptop, and maybe your TV). If someone else has access to your account who shouldn't, this is one place you might see and be able to stop that.
- You may want to take a picture or screenshot of the pages showing your account activity if you see suspicious activity, like devices you have disposed of, don't have control of, or don't recognize.
- Also see the section on social media accounts.
- Check your Apple ID device list to see where you're signed in https://support.apple.com/en-us/HT205064
- Follow these steps to check up on your iCloud accounts https://guides.securitywithoutborders.org/guide-to-quick-forensics/ios/icloud.html
Remove unneeded device accounts
Why? When you don't intend for someone else to access your device, it is better to not leave that additional "door" open on your machine (this is called "reducing your attack surface.") Additionally, checking what accounts are set up on your device could reveal accounts that have been put on your device without your knowledge.
- Remove unwanted accounts https://support.apple.com/guide/mac-help/mh15600/mac
Set your screen to sleep and lock
Why? While it may seem like technical attacks are your biggest concern, it is much more likely that your device will be confiscated or stolen and someone will break into it. For this reason, it is smart to set a passphrase screen lock, so that nobody can access your device just by turning it on. We do not recommend screen lock options other than passphrases. You might easily be forced to unlock your device with your face, voice, eyes, or fingerprint if you are arrested, detained, or searched. Someone who has your device in their possession may use software to guess short passwords or PINs. It is also possible to guess "pattern" locks by looking at finger tracks on the screen. Someone who has dusted for your fingerprints can make a fake version of your finger to unlock your device if you set a fingerprint lock; similar hacks have been demonstrated for face unlock. For these reasons, the safest lock to set is a long passphrase.
- Set your screen to lock a short time after you stop using it (5 minutes is good)
- Use a long passphrase (longer than 16 characters), not a short password or PIN
- If you make it possible to unlock with your fingerprint, face, eyes, or voice, this can be used against you by force; do not use these options unless you have a disability which makes typing impossible
- Remove your fingerprints and face from your device if you have already entered them.
- Follow these instructions to require a password after sleep or screen saver begins and 'Disable Auto Login' https://support.apple.com/en-gb/guide/mac-help/mchlp2270/mac
- (If you have done this before, you may need to click the lock at the bottom and enter your device passphrase to change your settings.)
Control what can be seen when your device is locked
Why? A strong screen lock will give you some protection if your device is stolen or seized--but if you don't turn off notifications that show up on your lock screen, whoever has your device can see information that might leak when your contacts send you messages or you get new email.
- Stop notifications from appearing when your device is locked. Two ways to do this:
  - Follow the instructions here for "Pause notifications" using Do Not Disturb https://support.apple.com/en-gb/guide/mac-help/mh40609/11.0/mac/11.0 . Ensure "When the display is sleeping," "When the screen is locked," and "When mirroring to TV and projectors" are selected.
  - If your device is older and does not have Do Not Disturb, follow the instructions here for "Stop Notifications," for every app in the list. Be sure "Show notifications on lock screen" is off for every application. You may want to consider whether you want notifications off entirely instead. https://support.apple.com/en-gb/guide/mac-help/mh40609/11.0/mac/11.0
Disable voice controls
Why? When a device is set up so you can speak to it to control it--for example, Siri, Cortana, Google Voice, Echo, or Alexa systems--it is constantly listening while it is on. It may even record what is happening and send it back to companies like Amazon or Microsoft for quality control, and their contractors save and review those recordings. It is also possible someone else could install code on your device that could capture what your device is listening to. If you have a disability that makes it difficult for you to type or use other manual controls, you may find voice controls necessary. See below for instructions on how to set them up more safely. However, if you do not use voice controls for this reason, it is much safer to turn them off.
- If you have decided the benefits to you outweigh the large risks of using a smart speaker like Alexa or Siri, follow these instructions to do so more safely.
- Follow these directions to find your Siri controls https://support.apple.com/HT206993
- Make sure "Enable Ask Siri" is disabled.
- Delete your dictation history from Apple's servers with 'Siri & Dictation History': https://support.apple.com/HT210657
Use a physical privacy filter that prevents others from seeing your screen.
Why? While we often think of attacks on our digital security as highly technical, you might be surprised to learn that some human rights defenders have had their information stolen or their accounts compromised when someone looked over their shoulder at their screen, or used a security camera to do so. A privacy filter makes it less likely someone doing this will succeed. You should be able to find this wherever you find device accessories.
Use a camera cover
Why? Some malicious software will turn on the camera on your device in order to see you, the people around you, or where you are without you knowing it.
- First of all, figure out whether and where your device has cameras. Your computer might have more than one if you use a plug-in camera as well as one built into your device.
- Low-tech camera cover: use a small adhesive bandage over your camera, and peel it off when you need to use the camera. A bandage works better than a sticker because the middle part has no adhesive, so it does not get sticky stuff on your camera lens.
- Or search your preferred store for "webcam cover thin slide." "Thin" is important because some covers are too thick, and your laptop may not close.
Turn off connectivity you're not using
Why? Wifi is a data connection that lets our devices reach other devices on the internet, using radio waves to connect to a router which usually has a wired connection to the broader internet. Cell phone connections also help us access other computers and phones around the world, via a cellular network of towers and repeaters. NFC and Bluetooth connect our devices to other devices near them, also using radio waves. All these connections are vital to communicating with others. But because our devices are connecting to other devices, there is a chance that someone will use this connection maliciously to get to our devices and sensitive information. For this reason, it is a good idea to turn off these connections when you are not using them, particularly wifi and Bluetooth. This limits the time an attacker might have to access your valuables without you noticing that something strange is happening on your device (like it running slowly or overheating when you are not using it heavily).
- Completely power off your devices at night.
- Get into the habit of turning wifi, Bluetooth, and/or network sharing off when you are not using them.
- Make sure Bluetooth is off https://support.apple.com/guide/mac-help/blth1008/mac
- Make sure wifi is off https://support.apple.com/guide/mac-help/mh11935/11.0/mac/11.0
- Un-check "Ask to join personal hotspots"
- Un-check "Ask to join new networks"
- Turn on "Show Wi-Fi status in menu bar" to find your wifi status more easily
- View this guide to understanding Mac wifi symbols https://support.apple.com/guide/mac-help/mchlcedc581e/mac
- Follow the instructions to get to the "Sharing" System Preferences window and ensure the "Internet Sharing" checkbox is un-checked https://support.apple.com/en-gb/guide/mac-help/mchlp1540/mac
Turn off sharing you're not using
Why? Many devices give us the option to easily share files or services with others around us--a useful feature. However, if this feature is left on when we are not using it, malicious people may exploit it to get at files on your device.
- Turn AirDrop off, turn Receiving Off, and remove anyone from your list of people you share with who you do not want to be there https://support.apple.com/HT203106
- Follow these instructions to get to the "Sharing" System Preferences window. Un-check services you are not using, and manage those you are (you might be using screen sharing or printer sharing for work, or media sharing to listen to music) https://support.apple.com/guide/mac-help/mchlp1540/mac
Use a firewall
Why? Firewalls are a security option that stops unwanted connections to your device. We recommend turning yours on to prevent malicious code from trying to access your device.
- Follow these instructions https://support.apple.com/en-au/HT201642
- We recommend enabling "stealth" mode as recommended in that article.
Additional protection recommendations
- In System Preferences > Spotlight > Search Results, uncheck at least Contacts, Events & Reminders, Mail & Messages, and Siri Suggestions.
- In System Preferences > Spotlight > Privacy, you may want to add sensitive folders that you do not want Spotlight to send information about to Apple.
- Consider completing the checklist at https://blog.bejarano.io/hardening-macos/
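Several of the settings recommended in the sections above (firewall and stealth mode, apps from unknown sources, admin versus standard accounts, automatic login) can also be checked from Terminal. The script below is an added example, not part of the original guide or of Apple's documentation; the function names are hypothetical, and the stealth-mode output wording it matches is an assumption because it differs between macOS releases.

```sh
#!/bin/sh
# Added example: read-only audit of settings this guide recommends.
# The verdict_* helpers (hypothetical names) take command output as text,
# so they can be checked against constructed samples on any system.

# Handles "Firewall is enabled. (State = 1)" and "assessments enabled".
# Stealth-mode wording varies by macOS release; assumed formats are
# "Stealth mode enabled" and "Firewall stealth mode is on".
verdict_enabled() {
  case "$1" in
    *" enabled"*|*"is on"*) echo ok ;;
    *) echo warn ;;
  esac
}

# Input: "GroupMembership: root alice bob" (dscl). Output: admins except root.
admin_users() {
  out=""
  for u in $1; do
    case "$u" in GroupMembership:|root) continue ;; esac
    out="${out:+$out }$u"
  done
  echo "$out"
}

# Guide: keep one admin account and do daily work from a standard account.
verdict_admins() {  # $1 = admin list, $2 = current user
  count=0; daily=no
  for u in $1; do
    count=$((count + 1))
    if [ "$u" = "$2" ]; then daily=yes; fi
  done
  if [ "$count" -gt 1 ] || [ "$daily" = yes ]; then echo warn; else echo ok; fi
}

# autoLoginUser is only set when automatic login is switched on.
verdict_autologin() { if [ -n "$1" ]; then echo warn; else echo ok; fi; }

audit() {
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  echo "macOS version:  $(sw_vers -productVersion)"
  echo "firewall:       $(verdict_enabled "$("$fw" --getglobalstate)")"
  echo "stealth mode:   $(verdict_enabled "$("$fw" --getstealthmode)")"
  echo "gatekeeper:     $(verdict_enabled "$(spctl --status 2>&1)")"
  admins=$(admin_users "$(dscl . -read /Groups/admin GroupMembership)")
  echo "admin accounts: $(verdict_admins "$admins" "$(id -un)") ($admins)"
  auto=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true)
  echo "auto login:     $(verdict_autologin "$auto")"
}

# Only run the live checks on a Mac; the helpers above work anywhere.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

A "warn" line points back to the matching section of this guide; the script changes nothing on the device.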
Advanced: figure out whether someone has accessed your device without your permission (basic forensics)
Why? It may not always be obvious when someone has accessed your devices, files, or communications. These additional checklists may give you more insight into whether your devices have been tampered with.
- Follow the steps on the following checklists: https://guides.securitywithoutborders.org/guide-to-quick-forensics/mac.html
- Consider installing 'OverSight', 'BlockBlock', and 'KnockKnock' from https://objective-see.com/products.html
- Their tools 'LuLu', 'DoNotDisturb', 'RansomWhere?', and 'ReiKey' might also be useful.
- Use Stethoscope (https://ragtag.org/stethoscope/) to check for basic security of your system
- In Startup Security Utility, make sure Secure Boot is set to Full Security https://support.apple.com/HT208198