First look: Little Flocker and BlockBlock help monitor your Mac’s security

Glenn Fleishman
4 November, 2016

Recently, I noted a couple of new kinds of tools that would be available for macOS that go beyond Apple’s built-in support to block malicious activity and protect your files. Since then, I’ve tested one of the packages extensively, Little Flocker, and am taking a delighted hard look at another, BlockBlock.

Apple errs on the side of reducing problems for the majority of its customers, who don’t want to manage a computer: they want to use it. For instance, across several releases of Mac OS X, Apple had a series of three radio buttons in the Security & Privacy system preference pane that control which apps could launch by default. You could limit to App Store apps only, good for inexperienced users, children and perhaps parents; App Store and Identified Developers, which added software that had a registered Apple developer attached who had used Apple’s processes to sign the app cryptographically to show it hadn’t been tampered with and identify its origins; and Anywhere, which allowed all unsigned software to run.

In macOS Sierra, Apple removed Anywhere from the list. You can still select an app and right-click, and then click Open, get a warning, and click to bypass it. But for average users who don’t know that workaround, this prevents them accidentally installing software of unknown provenance.

Does it take some control away from a user? Yes. Does it enhance security overall for many users? Also, yes.

Little Flocker and BlockBlock go far beyond that, but anyone reading this column likely wants more assurances about what’s running on their Mac than what Apple provides and controls, especially if you need to install unsigned software, as I do. Some programmers find Apple’s oversight and control insufferable, or prefer to not pay the US$99 a year membership fee and hop through the hoops.

A pun with a purpose

I described Little Flocker in a previous column, noted above, at which point the software was still in its alpha stage of development, and I was too nervous to run it routinely. As it went into beta and now into version 1.0, I’ve been running it full time on my main office Mac (which I updated to Sierra just before Apple dropped the official release), and providing feedback to its developer, security expert Jonathan Zdziarski. (He’s been a guest on the Macworld podcast and we plan to invite him back soon.)

Little Flocker is to apps opening files what the network-watching utility Little Snitch (from Objective Development) is to apps accessing the local network and the Internet. Now that I’ve used its stable 1.0 version for a while, I can more generally recommend it to those willing to go through the training stage and learning curve. (It’s just US$10 for a five-computer personal licence and US$20 for a single-computer business licence.)

The app isn’t designed like anti-malware software to prevent ransomware and other local-file manipulating horrors from infecting your computer. There are so many potential vectors for that, and the barn door is always shut after the cow is out. Instead, it restricts apps to modifying only specific file paths, or accessing particular extension types (like .mp3).

After installation, which requires a restart, Little Flocker launches in Learning Mode, where it watches what apps try to open during your normal startup process. I lobbied Zdziarski to change the default behaviour from 30 seconds in this mode to a dialogue that alerts users and which can be dismissed after startup is done – because my startup isn’t minutes long before my system is usable, but it seems to take two to four minutes before every menubar utility and all the background gewgaws have fired up.

Once you’re satisfied everything is as it should be, you disable Learning Mode, and the app presents a list of rules it has intuited. You can review and import these rules, then modify them. It comes with a default set of system rules that allow macOS to carry out its known activities. I found that Learning Mode creates dozens and dozens of rules for some apps, like System Information and Finder, because they access many different deep subdirectories. At Zdziarski’s directions, I collapsed those to a single rule that lets both programs access anything from the root directory on down.

In normal operations, you’ll be prompted when an app tries to access a directory that it doesn’t yet have permission for. If you wound up with ransomware on your Mac, for example—something experts increasingly worry will happen with the rich pickings of Apple’s user base—Little Flocker should prevent a newly installed app from being able to manipulate any of the files needed for it to encrypt your documents and hold them captive for a fee.

The longer you run Little Flocker, the fewer times you will have to approve any actions, because most apps are well behaved, and stick to your Documents folders, their Application Support folder, and the like. Ransomware also sticks out like a sore thumb because it tries to access all sorts of folders and file types: most apps restrict themselves to one place and a small handful of file types, like Word with mostly DOC, DOCX, and RTF.
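
The breadth signal described above can be sketched in a few lines. This is an added example, not Little Flocker's code or logic: the events, the process name `updater` and the two thresholds are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample of (process, file written) events; not captured from any tool.
EVENTS = [
    ("Word", "/Users/sam/Documents/report.docx"),
    ("Word", "/Users/sam/Documents/notes.rtf"),
    ("Word", "/Users/sam/Documents/old.doc"),
    ("updater", "/Users/sam/Documents/report.docx"),
    ("updater", "/Users/sam/Pictures/trip/beach.jpg"),
    ("updater", "/Users/sam/Music/mix/track.mp3"),
    ("updater", "/Users/sam/Desktop/budget.xlsx"),
    ("updater", "/Users/sam/Movies/clip.mov"),
]


def access_breadth(events):
    """Return {process: (distinct directories, distinct extensions)}."""
    dirs, exts = defaultdict(set), defaultdict(set)
    for proc, path in events:
        p = PurePosixPath(path)
        dirs[proc].add(str(p.parent))
        exts[proc].add(p.suffix.lower())
    return {proc: (len(dirs[proc]), len(exts[proc])) for proc in dirs}


def flag_broad_writers(events, max_dirs=3, max_exts=3):
    """Processes that exceed BOTH limits. The limits are assumed values:
    an app that stays in one folder with a few file types never trips them."""
    return sorted(
        proc
        for proc, (n_dirs, n_exts) in access_breadth(events).items()
        if n_dirs > max_dirs and n_exts > max_exts
    )


if __name__ == "__main__":
    for proc, (n_dirs, n_exts) in access_breadth(EVENTS).items():
        print(f"{proc}: {n_dirs} directories, {n_exts} file types")
    print("flagged:", flag_broad_writers(EVENTS))
```
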

Like any software of this kind that extends the system at the kernel level – with Apple’s permission, as Zdziarski had to apply for and receive a special signing privilege – you should make sure you have good backups and the time to read the manual and train it up.

In my testing, I kept confounding Zdziarski with the edge cases my system threw up, but I didn’t lose any data. I just had to restart a few times, and now I have a stable bit of protection that makes me more confident about my Mac’s resistance against future threats.

BlockBlock tackles persistent installations

BlockBlock (donationware) carves out a different aspect of unwanted app installation and execution. (Little Flocker had the original name of FlockFlock in tribute, but it was clearly too confusing.) Rather than monitor for file accesses, it looks for software that’s installing itself in such a way that it will always be running and will fire up again after a system reboot.

Malware wants to always start up again when you reboot, even if you’ve managed to kill or delete some part of it. So monitoring persistent installations makes a lot of sense. Most of the time, unless you’re explicitly installing software you know about, macOS won’t modify the list of things it executes at start time. This should make it easier to spot something else.
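
As an added example (not BlockBlock's code, and a point-in-time comparison rather than live monitoring), this Python script records the launchd property lists macOS runs at startup and login and reports what changed since a baseline. The directory list covers only the standard launchd locations, which the article does not name, and the baseline file path is hypothetical.

```python
import hashlib
import json
from pathlib import Path

# Standard launchd locations on macOS. Other persistence mechanisms
# (login items, cron jobs and so on) are outside this example.
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def snapshot(dirs=LAUNCHD_DIRS):
    """Map each .plist path to the SHA-256 of its contents."""
    snap = {}
    for d in dirs:
        if not d.is_dir():
            continue  # a missing directory simply contributes nothing
        for f in sorted(d.glob("*.plist")):
            try:
                snap[str(f)] = hashlib.sha256(f.read_bytes()).hexdigest()
            except OSError:
                snap[str(f)] = "unreadable"  # still recorded, so it shows up
    return snap


def compare(baseline, current):
    """Return (added, removed, modified) lists of plist paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return added, removed, modified


if __name__ == "__main__":
    store = Path.home() / ".launchd-baseline.json"  # hypothetical baseline file
    current = snapshot()
    if not store.exists():
        store.write_text(json.dumps(current, indent=2))
        print(f"Baseline of {len(current)} items saved to {store}")
    else:
        changes = compare(json.loads(store.read_text()), current)
        for label, paths in zip(("ADDED", "REMOVED", "MODIFIED"), changes):
            for p in paths:
                print(label, p)
```

The first run saves the baseline; later runs print anything added, removed or modified since then, which after a known software install should match what you expected to see.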

I haven’t yet installed BlockBlock: one bit of kernel-modifying, system-monitoring software is enough for me! But now that Little Flocker is out of beta, BlockBlock is next on my list to add.

Watchful waiting

The best thing about both of these tools would be to have 100 percent normal alerts: that every popup reflected desirable and expected behaviour. That would mean you’d avoided malware – or even adware and other not-fully-evil nonsense. But for those who have the patience to interact with these advisories, you’ll also get the benefit of more peace of mind.

There’s a related bit of generosity, too. With many advanced users installing BlockBlock, Little Flocker and other similar software, the moment a piece of malware enters the Mac world, thousands or more individuals will know about it, report it to Apple and anti-malware vendors, and perhaps halt the spread before it can even get started.

In other cases, something that’s not widespread in the wild but infects one person’s Mac, like the package of exploits that tried to hit UAE human-rights activist Ahmed Mansoor’s iPhone, could allow an early response before it reaches anyone else.
