How to Check iOS and Mac OS for Spyware

Joined
Feb 1, 2011
Messages
4,947
Reaction score
2,967
Points
113
Location
Sacramento, California
macOS also sandboxes applications, by default...

Actually it doesn't. The Mac OS allows developers to create sandboxed apps. But only apps sold via the Mac App Store are REQUIRED to be sandboxed. Apps sold direct from the developer may not be sandboxed, or they may instruct the user to set the app up with full disk access.

In some cases developers offer two versions of their app. One for sale via the Mac App Store, and one that they sell directly, usually through a Web site. Often the one sold direct isn't sandboxed and has additional functionality.

If you look, you will find that certain categories of app are notoriously absent from the Mac App Store. Programs such as fully interactive anti-virus software, and backup utilities, can't do their job and meet Apple's requirement that they be sandboxed.
 
Joined
Jan 1, 2009
Messages
16,425
Reaction score
4,778
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
Actually it doesn't. The Mac OS allows developers to create sandboxed apps. But only apps sold via the Mac App Store are REQUIRED to be sandboxed. Apps sold direct from the developer may not be sandboxed, or they may instruct the user to set the app up with full disk access.

In some cases developers offer two versions of their app. One for sale via the Mac App Store, and one that they sell directly, usually through a Web site. Often the one sold direct isn't sandboxed and has additional functionality.

If you look, you will find that certain categories of app are notoriously absent from the Mac App Store. Programs such as fully interactive anti-virus software, and backup utilities, can't do their job and meet Apple's requirement that they be sandboxed.
Thanks, Randy. More research has discovered that what I was referring to with macOS is "quarantine," (now called "provenance"), a process that blocks any non-App Store app from running until it is thoroughly vetted. Here are a few good articles to explain the process:

A search at eclecticlight.co for "provenance" and "quarantine" will yield a treasury of articles on how Apple blocks un-vetted applications from taking significant actions without being thoroughly checked by the system and then permitted by the user.

Personal experience for me is that every app I have recently installed has required me to grant access to them in Settings. I guess that's part of "provenance" and not "sandboxing."
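The two properties discussed in the posts above can be checked per app. This is an added example, not part of any post in this thread: it reads an app's code-signing entitlements for the App Sandbox key and decodes the `com.apple.quarantine` extended attribute. The sample inputs are constructed, and the four-field quarantine layout is the commonly observed one, treated here as an assumption.

```python
import plistlib
import subprocess
from datetime import datetime, timezone

SANDBOX_KEY = "com.apple.security.app-sandbox"
QUARANTINE_XATTR = "com.apple.quarantine"

def is_sandboxed(entitlements_xml: bytes) -> bool:
    """True only if the entitlements plist explicitly enables App Sandbox."""
    if not entitlements_xml.strip():
        return False  # unsigned app or no entitlements: not sandboxed
    return plistlib.loads(entitlements_xml).get(SANDBOX_KEY) is True

def parse_quarantine(value: str) -> dict:
    """Split a quarantine attribute value into named fields."""
    # Assumed layout: hex flags ; hex epoch seconds ; agent name ; event UUID
    parts = (value.strip().split(";") + ["", "", "", ""])[:4]
    flags, stamp, agent, event_id = parts
    when = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc) if stamp else None
    return {"flags": int(flags or "0", 16), "downloaded": when,
            "agent": agent, "event_id": event_id}

def audit_app(path: str) -> dict:
    """macOS only: query codesign and xattr for one app bundle."""
    ents = subprocess.run(["codesign", "-d", "--entitlements", "-", "--xml", path],
                          capture_output=True).stdout
    q = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                       capture_output=True, text=True)
    return {"sandboxed": is_sandboxed(ents),
            "quarantine": parse_quarantine(q.stdout) if q.returncode == 0 else None}

# Constructed samples so the parsing can be tried without a Mac.
SAMPLE_SANDBOXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>"""
SAMPLE_UNSANDBOXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
</dict></plist>"""
SAMPLE_QUARANTINE = "0083;65a1b2c3;Safari;11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    print(is_sandboxed(SAMPLE_SANDBOXED), is_sandboxed(SAMPLE_UNSANDBOXED))
    print(parse_quarantine(SAMPLE_QUARANTINE))
```

On a Mac, `audit_app("/Applications/SomeApp.app")` (a placeholder path) returns both results for an installed app; an app with no quarantine attribute reports `None` for that field.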
 
OP
PGB1
Joined
Dec 5, 2008
Messages
819
Reaction score
90
Points
28
Location
Detroit
Your Mac's Specs
2025 MacBook Air 15" 24 GB Ram, 1TB SSD - 2007 MBP2.2 Ghz 4 GB RAM SSD OSX 10.11 & 2006 MBP 10.6.8
This discussion about the hijacked card number, safety on the Mac and sandboxing is quite interesting and I enjoy learning about these things. (And wish to thank everyone for the information)

I'm wondering if any of you have an idea of where the card information became available for the crook(s). Realizing it might be impossible to pinpoint, is the more likely weakness the vendor where I used the card (AT&T), the card issuer (Tremendous) or my device?

I believe it was before the Etsy transaction because there were many failed transactions at Walmart, Amazon, eBay and the like before the successful ones at Etsy (now there are two successes for the crook).

Why I'm concerned: Income tax time is here and I've concern about entering sensitive data, account numbers, Social Security number, etc. if the computer "leaks".
 
Joined
Feb 1, 2011
Messages
4,947
Reaction score
2,967
Points
113
Location
Sacramento, California
I'm wondering if any of you have an idea of where the card information became available for the crook(s). ...

Why I'm concerned: Income tax time is here and I've concern about entering sensitive data, account numbers, Social Security number, etc. if the computer "leaks".

I can't answer your question. I CAN tell you that the answer is almost never that your Macintosh is insecure or that it has malware. If you've followed the discussion, you've picked up that Apple really goes out of its way to secure the Macintosh. Mac-Forums has, literally, hundreds of thousands of subscribers. Look through all the posts. How many of them are complaining (legitimately, not just blind paranoia) of having been hacked or having been devastated by malware? I haven't found any.

Modern Web browsers have all of their communications encrypted from end to end. (That's what the "https", versus the old "http", means at the beginning of recent Web addresses.) Bad guys aren't intercepting and stealing your Web communications, even when you use public networks, such as in a coffee shop.

I think that you almost certainly dealt with a sketchy vendor of some type, and that's where things went wrong. Most scams these days involve social engineering, very few involve highly technologically minded hackers. Your Mac is safe. The people that you deal with may not be.
 
Joined
Feb 1, 2011
Messages
4,947
Reaction score
2,967
Points
113
Location
Sacramento, California
There are a bunch of scams going on right now involving gift cards:

https://disb.dc.gov/page/beware-gift-card-scams

The magstripe scam has even been reported in my neighborhood at a nearby Kohls. In the magstripe scam, the bad guys shoplift gift cards from the store, take them and read their information using magnetic strip readers, and then return them to the rack in the store. Then, when the gift card is sold, the bad guys make purchases on the now-active card.
 
OP
PGB1
"I think that you almost certainly dealt with a sketchy vendor of some type, and that's where things went wrong."
I'd bet it isn't a sketchy vendor. The only vendor with whom I used the card was AT&T on their https:// site. I doubt they stole the data. (Been going there for years to pay the invoice.) Instantly after that transaction, the thief started trying transactions with my card number on Amazon, Walmart, etc.


"I CAN tell you that the answer is almost never that your Macintosh is insecure or that it has malware."
That is good to know. I wrote my original question to ask if I can check for such things, but apparently it isn't needed.


"In the magstripe scam, the bad guys shoplift gift cards from the store, take them and read their information using magnetic strip readers, and then return them to the rack in the store."
There is no stripe on this card. It was sent to me digitally.

I still wonder where the leak was. I guess there is no way to know.
 
Joined
Feb 1, 2011
Messages
4,947
Reaction score
2,967
Points
113
Location
Sacramento, California
That is good to know. I wrote my original question to ask if I can check for such things, but apparently it isn't needed.

It definitely isn't needed for your iPad. You can scan your Macintosh with VirusBarrier Scanner and/or DetectX Swift, but I'd bet money that neither will find anything that was really a threat.
 
OP
PGB1
It definitely isn't needed for your iPad. You can scan your Macintosh with VirusBarrier Scanner and/or DetectX Swift, but I'd bet money that neither will find anything that was really a threat.
You won that bet, Randy! DetectX Swift showed nothing wrong.
After learning about the situation from all of you, I'm blaming whatever service AT&T uses to process the payment for having a "leak". Maybe (don't know if this is possible) someone intercepts the browser communication, but it is HTTPS.

Thanks Again Everyone!
Paul
 
