Saturday, November 23, 2024

Security Bite: Apple addresses privacy concerns around Notification Center database in macOS Sequoia (Update)

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.


The privacy implications of Notification Center popups are well-known in the security forensics community. Whether a user likes it or not, macOS temporarily keeps a log of every notification received in a single plaintext database. This can include messages from applications like iMessage, Slack, Teams, and virtually anything else.

However, it now appears Apple has moved the Notification Center database in macOS Sequoia to address concerns.

Update: Csaba Fitzl has shared an easy way to view these notifications stored in plaintext from Terminal. This script on GitHub allows you to read all the notification records from the database.

A couple of notes: Before you can run the .sh script, you may need to make it executable. Use the following commands…

cd /path/to/the/script

chmod +x parse_notificationdb_records.sh

./parse_notificationdb_records.sh /path/to/your/com.apple.notificationcenter/db2/db file

If you’re not on the Sequoia beta, you can find your notificationcenter db path below. After that, the script should begin to execute and display recent notification details.

One of my iMessage records.

If you are not using the macOS Sequoia developer beta, you can find your notifications in an SQLite database located at /private/var/folder. To access this, open Finder, press Shift + CMD + G, and then enter “/var/folder.” Inside, you will see two folders with random letters as their names. Inside each of these folders, you will find directories containing user (0), cache (C), and temporary (T) files. Click through the first two folders, then “0,” and navigate to the com.apple.notificationcenter file. It’s here you’ll find the .db file.

When you double-click to open or run the “strings” command on this file, you’ll discover a heap of information, including binary data and “NS” class names, as well as your iMessages, file paths, Slack, X, Facebook, and any other notifications sent to Notification Center by an app or the system, all visible in plaintext.

If you don’t want to go through all those steps, you can quickly find your last notification from the com.apple.notificationcenter file by punching this command into Terminal:

DA=`getconf DARWIN_USER_DIR`; sqlite3 $DA/com.apple.notificationcenter/db2/db "select hex(data) from record order by delivered_date desc limit 1;" | xxd -r -p - | plutil -p -

The good news? Apple appears to have finally acknowledged that storing iMessage data in a folder without the user’s knowledge or consent isn’t the best practice.

First spotted by security researcher Csaba Fitzl (also known as “theevilbit” in the community), macOS Sequoia moves the Notification Center database within Group Containers. Specifically under ~/Library/Group Containers/group.com.apple.usernoted/db2/db.

Unlike in private/var/folders (the current location), Group Containers are protected by TCC (Transparency, Consent, and Control) prompts. This includes iMessage data, which Apple considers private information. You’ve likely encountered these prompts before. TCC manages permissions related to various resources, such as allowing an application to use your Mac’s microphone or camera. In this case, it enhances privacy by ensuring that sensitive message content isn’t inadvertently exposed.

This is a great step by Apple toward protecting user privacy, especially when it comes to messages. Better [4 years] late than never.

FTC: We use income earning auto affiliate links. More.


Related Articles

Latest Articles