When security researcher Jonathan Zdziarski took a job at Apple a few weeks ago, I heard from many people concerned about the future of his macOS app, Little Flocker, a tool that restricts apps and system processes access to files without permission. He was unable to talk details, but recently F-Secure, a leading security developer and analysis company, announced its purchase of Little Flocker, which it’s rebranded as Xfence.
I spoke to Sean Sullivan, security advisor at F-Secure, about the changeover and the general current set of risks to Mac users. He said Xfence, which was in release form as Little Flocker, will shift into a free beta mode for the foreseeable future. (Those who paid for a Little Flocker license will get some currently unspecified benefit as future pricing for Xfence and its inclusion in other products isn’t yet set. “Their license will carry through when there’s a paid product,” Sullivan said.)
The littleflocker.com domain remains up showing a maintenance page and the Check for Updates link, which queries that domain, currently doesn’t work. That should change when the new beta is released with Xfence branding.
For those who haven’t read about Little Flocker in the past, it was designed to combat ransomware, which is the greatest new scourge in the Windows world. Ransomware overwrites your documents with encrypted versions and the attackers demand payment, typically in Bitcoin, to release a decryption key. A few feeble attempts have been made to infect Macs, but because ransomware has such a low threshold to cause harm and such a high reward-to-cost ratio, you can be sure attackers are hard at work.
Little Flocker observes every time an app tries to open, write, execute, or otherwise modify any file or folder, and lets you set one-time, short-term, or permanent exceptions. It also has rulesets that it offers to add when it recognizes an app. Because Apple has its registered developers sign released apps with cryptographic signatures, the monitoring system isn’t fooled by malicious programs with the same name trying to inherit file privileges. Later updates added monitoring and blocking of audio or video input activation.
Sullivan said part of F-Secure’s goal to move Xfence forward will make it more accessible to a greater number of users. He’s right that that’s needed. While Little Flocker is invaluable if you want to know how apps are interacting with files and folders on your Mac, even the simplified mode requires too much system knowledge for the majority of users. It’s a tool for veteran Mac owners and system administrators.
Little Flocker also didn’t provide great help for people who use a macOS account without administrative privileges. Some people prefer to work at a lower-privilege level, as it reduces the impact of a security breach; others are users on a computer (family, work, or school) for which they don’t have administrative access. Ostensibly, Xfence will need to let an administrative user approve apps or delegate certain approval privileges, similar to parental controls.
The current release also requires a lot of interaction, though it decreases over time. As an experienced user wanting to see all the interaction, I don’t mind when new software or a software update requires I approve a number of requests. But a less-interested or less-advanced Mac owner might prefer to only have dubious actions highlighted.
Sullivan said Xfence will benefit from F-Secure’s broader array of products and malware monitoring. For instance, the company’s Security Cloud system anonymously gathers information from users of its security products that let it note emerging threats and push a response back out. That same system, Sullivan said, could automatically whitelist apps for Xfence, reducing the number of times a user has to respond to queries.
The intent with the Xfence release is to make it part of a multi-pronged method of helping users by making smarter deductions about what normal activity is. For instance, a network firewall might take note, Sullivan said, that “we’ve never seen you connect to Bulgaria before. “Do we want to let you make that connection?” Instead of alerting about anything, outlying behavior prompts notification, removing some of the warning fatigue that otherwise kicks in.
Sullivan, like many security professionals and yours truly, worries about Mac users’ attitudes about malware due to the paucity of strong attacks. But, he noted, “The Mac is more secure from turning your Mac into a bot, but if it deletes all your files, do you care that your Mac is more secure?”
He says improved security across operating systems and service operators is part of what’s led to the rise of ransomware and other user-side attacks. For instance, banks have improved the detection of illegitimate transactions, so even if an attacker can insert themselves between a user and the bank, the bank might reject the transaction. Criminals thus shift their effort: “You can’t pick my pocket, so you extort me.”
Zdziarski did remarkable work as a one-man band on this app, relying on beta testers and release testers like me to provide usability and functional feedback. F-Secure has over 1,000 employees, and its developers have just started to get their hands deep into the Little Flocker codebase.
Little Flocker was and Xfence now becomes the only Mac product focused prospectively on a massive malware category that’s taken in millions of people and organizations worldwide. I hope F-Secure’s attention leads to other developers—maybe even Apple—adding this kind of better file-access monitoring and control to their products.
While I’ve been down on anti-virus products in the past, a comprehensive suite of network monitoring, file-access monitoring, and system change behavior tools that’s tied together for a single installation and supported with continuous updates from a company with eyes and ears around the globe would be a great boon in keeping Mac users safe.
Right now, you have to install Little Snitch, Xfence, and BlockBlock to achieve those results. Here’s hoping F-Secure builds such a tool and inspires competitors to do the same.