SIP: A Lesser Known Security Feature Built into Modern Macs

Macs are known to be generally more secure than their PC counterparts and relatively free of virus and malware attacks. But with the rise in popularity of Apple computers in recent years — thanks first to the so-called iPod halo effect and the iPhone, which brought on the dawn of the iOS ecosystem — the Mac has become a target for malicious intrusion from third parties wanting to inflict harm or damage. So what is a Mac user to do?

Go grab a cup of Joe (not this writer) and sip on this bit of information while you drink your beverage at the same time.

Before we begin: a software title written about in this column back in June, CleanMyMac 3, was the target of comments on the Low End Mac Facebook group that were more malicious than the accusation itself, which was that the software was actually malware. (You can read those comments in the third edition of The Leo and Mac Reader Roundup published in October.)

System Integration Protection

Keeping that in mind, it seems that worries of malware attacks are unfounded due to the fact that modern Macs are protected through a built-in program in the operating system called System Integration Protection — SIP for short.

This news comes from the Other World Computing (also known as OWC) weekly blog, “The Rocket Yard,” in a post by Tom Nelson on August 7, 2018.

The “Rocket Yard” weekly blog by Other World Computing (OWC).

According to the blog post, SIP is a security feature designed to protect most system locations, system processes, and kernel extensions from being written to, modified, or replaced. It has been available since Mac OS X 10.11 El Capitan, up through the recently released macOS Mojave version 10.14.

Nelson writes, “Without a doubt, SIP helps keep your Mac secure by preventing many malware attack vectors from being successfully performed.”

He also writes, “The benefit for all users is that the Mac is a harder platform to take over. Though it is by no means an impossible task. Malware developers will always find new ways to attack a platform.”

Mac Malware Is Still Possible

With that said, it would seem that hackers have already found a way in.

An August 9 report by Wired magazine corroborates that last fact — interestingly enough, only two days after Nelson’s blog post — with researchers discovering a security flaw in Mac OS that gives hackers remote access to a brand new Mac, fresh out of its box, the minute it connects to WiFi, allowing malware to be installed. It appears that this bug is limited to Macs deployed through the enterprise because of the way they are configured at initial setup.

There is no mention whatsoever in the article of the SIP feature being the system component compromised.

Apple is aware of the problem and issued a fix in macOS High Sierra version 10.13, though that means there may be some risk to users of previous macOS versions who don’t have the latest updates installed for that specific version of the operating system.

Secure Your WiFi Router

Regular consumers should not have to be too concerned about this issue. However, those researchers say that consumer-grade routers can easily be hacked, providing a gateway for easier entry into a user’s computer, though this too relates to people who take an enterprise-deployed Mac home and configure it there. Why this is so is explained in detail in the Wired article.

On that note, a good practice would be to secure your home WiFi network with a good alphanumeric password to prevent any low-level hacking into one’s Mac, such as someone taking control of your microphone or iSight camera, despite the protections that SIP employs.

Enabling and Disabling SIP

So what do you have to do to make sure SIP is running on your Mac? Absolutely nothing.

SIP is enabled by default and is not a system preference that you can control. But that does not mean that it can’t be disabled.

Why would you want to do this?

“Most modern apps and their installers have become good SIP citizens and won’t require you to disable SIP to perform an install,” writes Nelson.

“There are of course exceptions, especially with some popular Mac system and file utilities that require changes be made in various system locations that SIP protects. In order to install these types of apps, SIP will need to be disabled, the Mac restarted, the app installed, SIP enabled, and the Mac restarted.”

And now you know why you have been having trouble installing that third-party app! Because of the security features SIP provides, some third-party apps are restricted from installing components in certain areas of the system, and in order for the app to install properly, SIP must be disabled using Terminal before that can happen.

Directions for doing this are provided in “The Rocket Yard” blog post if you find that you need to do this.

Nelson provides this important tip:

“If you must install an app that needs SIP disabled, make sure you acquire the app from a safe source; direct from the developer is usually the preferred method. Remember that apps that require SIP to be disabled will be a target for malware distributors to use as a Trojan horse to hide within so they can infect your Mac while SIP is turned off.”

He also points out that you should have a backup copy of your system available just in case. And once the new app is installed, before using it, make sure to re-enable SIP again.
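
One way to confirm that SIP really is back on after such an install, as an added example that is not from Nelson’s post or this column: it classifies the text printed by the macOS `csrutil status` command, which reports the feature under the name “System Integrity Protection”. The sample outputs and the function names `classify_sip_status` and `sip_gate` are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm SIP is back on after installing an app that needed it off.

# Constructed samples modelled on `csrutil status` output (not captured from a real Mac).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Filesystem Protections: disabled
    Kext Signing: enabled'

# Read status text on stdin; print enabled, disabled, custom or unknown.
classify_sip_status() {
    result=unknown
    while IFS= read -r line; do
        case "$line" in
            # Check the partial state first: its status line also says "enabled".
            "System Integrity Protection status:"*"Custom Configuration"*)
                result=custom; break ;;
            "System Integrity Protection status: enabled"*)
                result=enabled; break ;;
            "System Integrity Protection status: disabled"*)
                result=disabled; break ;;
        esac
    done
    printf '%s\n' "$result"
}

# Turn a classification into a message and an exit status (0 only when fully enabled).
sip_gate() {
    case "$1" in
        enabled)  echo "OK: SIP is enabled"; return 0 ;;
        custom)   echo "WARN: SIP is only partly enabled; re-enable it fully and restart"; return 1 ;;
        disabled) echo "FAIL: SIP is still disabled; re-enable it and restart"; return 1 ;;
        *)        echo "UNKNOWN: could not read SIP status"; return 2 ;;
    esac
}

if command -v csrutil >/dev/null 2>&1; then
    # On a Mac: check the live state.
    sip_gate "$(csrutil status 2>&1 | classify_sip_status)"
else
    # Elsewhere: show the classifier on the constructed samples.
    for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_CUSTOM"; do
        printf '%s\n' "$s" | classify_sip_status
    done
fi
```

The script exits non-zero unless SIP is fully enabled, so it can serve as a final step after the second restart in the install sequence Nelson describes.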

Finally, he warns that updates to Mac OS may cause system files and locations to be restored to their original state, leaving the app you previously installed successfully unsupported and possibly deleted because it is not SIP compliant. In that case, he suggests that you contact the app’s developer to see if there is a newer version that plays nicely with Apple’s security frameworks.
