A safety net


Re: A safety net

Post by tperry2x »

OpenXTalkPaul wrote: Tue Jan 21, 2025 3:59 am Can extract the scripts of every object in a stack without normal opening of a binary stack? That way the scripts could be reviewed before loading the stack normally?
I'm currently doing this by reading the stack as a binary file, but this gives garbled output when you encounter an object. It's easy enough to see the gist of the script, but not ideal.

The main subroutine for actually reading the stack format and interpreting it is buried deep in the engine somewhere. I'm yet to find that.

Re: A safety net

Post by tperry2x »

OpenXTalkPaul wrote: Tue Jan 21, 2025 4:03 am /system/applications/ is not the same as /applications/
You can't (normally) write to /system/applications/ only Apple can, right? I'm not 100% since this is fairly recent change in macOS.
I was wearing my anti-mac hat a bit there, and you are right - they aren't the same. Even if to the user they appear to be the same place now. (without revealing their actual location via the terminal).

It would be enough to be able to run something from /Applications, enough to gain a substantial foothold in the system though. Even running something nasty from ~/Applications is bad enough.

Re: A safety net

Post by tperry2x »

OpenXTalkPaul wrote: Tue Jan 21, 2025 5:21 am
tperry2x wrote: Sun Jan 19, 2025 10:28 am Save the script and copy it to another mac. It'll run unchallenged because it's a signed application...
Are you sure? I mean I thought AppleScript applets were ad-hoc signed for the user that saved it as an app, so it shouldn't work if you move it to another mac unless you signed it using a certificate that is also installed on the other mac's keychain. If not I would think that would trigger 'Gatekeeper' or it would at least ask the user permission to run. I could be wrong though.
Only as far as I can test here. I have about 6 macs - all on either MacOS 11 or MacOS 14.
4 of those are in a fairly 'vanilla' state - no gatekeeper mods and such, and as long as I don't transfer the script via the web (avoiding 'mark of the web' being set) - then it runs unchallenged on them.
Perhaps Applescript apps are automatically 'signed' with an ad-hoc cert or an apple dev cert???
Not sure what MacOS 15 does, but I don't have the motivation to try it quite frankly.
OpenXTalkPaul wrote: Tue Jan 21, 2025 5:34 am With any development tool, you could create and run malicious code. Which is allegedly the reason Apple wants people to use XCode (and not VSCode or similar), plus code-signing with dev's certificate, submitted for review, notarized, stapled (not kidding), and in triplicate
All that (emphasis mine to show the 'that') - it's a real shame to see the hole that Apple have currently dug themselves into. (...and are still trying to dig themselves out of...)

Despite all these steps Apple have embedded into the OS, the tools already exist within it to attack it from within. With system integrity protection, that does harden the underlying core of the OS, but does absolutely nothing to stop anything in a user's ~/ home folder (and anything running with inherited permissions within that context) to also do anything inside of ~/ too. Yes, you might not be able to take down the entire system, but you can lose all the data from that account, and even render the account incapable of being logged into. Kind of makes a mockery of all their security measures - you will never save users from themselves.

I can quite easily write a malicious C application from Xcode, sign it for development, and the rest is just persuading the user to run it. Surely that's a huge issue?

So although Apple are doing their best to batten down the hatches, what they are doing in the process is gradually making their OS unusable. It will be so tightly sandboxed that it may as well be iOS, where nothing can be sideloaded. That's the only way you'd stop these kinds of things running. At which point, development of anything that's not going via the Mac App Store won't be possible.

Re: A safety net

Post by richmond62 »

you will never save users from themselves
Short of living in some sort of totalitarian police state you can't.

But I don't want to live in some sort of totalitarian police state: and even the over-regulated "United" Kingdom makes me pause for thought about where to retire to.

People should take their own chances, and be prepared to accept responsibility for those actions: and the fact that Apple, Microsoft, or anyone else can not protect themselves from their own stupidity is just the way the world is.

And Apple should be well aware that if they batten down the hatches to the extent that everything but everything has to go through their thought-police they will be shafting themselves.
https://richmondmathewson.owlstown.net/

Re: A safety net

Post by tperry2x »

richmond62 wrote: Tue Jan 21, 2025 10:00 am ...even the over-regulated "United" Kingdom makes me pause for thought about where to retire to.
I don't think we've ever been a united kingdom.
richmond62 wrote: Tue Jan 21, 2025 10:00 am People should take their own chances...
True, but if I can at least provide an option where they can do a cursory check, it's better than nothing.

Re: A safety net

Post by richmond62 »

a cursory check, it's better than nothing
Indeed: all for that: although the buck still stops with the end-user.

Personally both words in 'United Kingdom' worry me, and I could give you a long, fairly tedious lecture on what they are: but as the sun is shining outside and the birds are singing, a half-an-hour stroll seems a far better idea. 8-)
https://richmondmathewson.owlstown.net/

Re: A safety net

Post by OpenXTalkPaul »

tperry2x wrote: Tue Jan 21, 2025 10:24 am I can at least provide an option where they can do a cursory check, it's better than nothing.
Yes, that would be good. Perhaps a mechanism that can be enabled that scans the scripts of a stack for relevant things like file system access, screen capturing, internet downloading, etc and then leaves it up to the user if they want to open the stack anyway.
just persuading the user to run it. Surely that's a huge issue?
That's maybe 90% of malicious attacks right there, 'social engineering' attacks, which is convincing some secretary that you're someone important that needs some account info in a hurry, and AI is helping to enable those sorts of attacks even more.

It is a real shame that Apple has effectively become what they claimed to be different from in that Ridley Scott produced 1984 mac commercial. Despite all of their sandboxing, hackers will still find security flaws to exploit. Some of those will be unpatchable hardware flaws (see 'CoreTrust' exploit). They've given their users a sense of security that IMO is unwarranted, while also chasing away long-time indie mac developers (I've seen notes about quitting Apple in a lot of GitHub repos).
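
Added example, not part of the thread or the OpenXTalk code base: one way to do the cursory pre-open check discussed above, by reading the stack as raw bytes (as tperry2x describes) and flagging readable script lines by category. It assumes scripts survive as plain ASCII runs in the file; the watchlist patterns and the sample bytes are constructed for illustration.

```python
import re
import sys

# Assumed, non-exhaustive watchlist of xTalk/LiveCode script constructs, grouped
# by the categories suggested in the thread. Extend it for your own review policy.
WATCHLIST = {
    "shell/process": rb'\bshell\s*\(|\bopen\s+process\b|\blaunch\b',
    "file system": rb'\bdelete\s+(file|folder)\b|\brevDeleteFolder\b'
                   rb'|\bopen\s+file\b|\burl\s*\(?\s*"(bin)?file:',
    "screen capture": rb'\b(export|import)\s+snapshot\b',
    "network": rb'\bload\s+url\b|\blibURLDownloadToFile\b|\bopen\s+socket\b',
    "other language": rb'\bdo\s+.{1,200}\bas\s+"?applescript',
}
RULES = {cat: re.compile(p, re.IGNORECASE) for cat, p in WATCHLIST.items()}

# A "line" is any run of 4+ printable ASCII bytes; everything else (object
# records, newlines, padding) acts as a separator.
PRINTABLE_RUN = re.compile(rb'[\x20-\x7e\t]{4,}')

def scan_stack_bytes(data):
    """Return (offset, category, text) for every watchlist hit in raw stack bytes."""
    findings = []
    for run in PRINTABLE_RUN.finditer(data):
        for category, rule in RULES.items():
            if rule.search(run.group()):
                text = run.group().decode("ascii").strip()
                findings.append((run.start(), category, text))
    return findings

# Constructed sample: script lines surrounded by binary noise, standing in for
# what a raw read of a stack file looks like. Not a real stack file.
SAMPLE = (
    b"\x00\x01\x0bcard id 1002\x00\x00"
    b"on openStack\n"
    b"  put shell(\"whoami\") into tUser\n"
    b"  load URL \"http://example.invalid/data\"\n"
    b"  export snapshot from rect 0,0,800,600 to file \"shot.png\"\n"
    b"  answer \"Hello\"\n"
    b"end openStack\x00\xff\xfe"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, category, text in scan_stack_bytes(data):
        print(f"0x{offset:06x}  {category:15}  {text}")
```

An empty result only means no watchlist term appeared as readable text; script that is stored encoded or assembled at run time would not show up in this kind of scan.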