Mail Archiver and Security Permissions

My app, Mail Archiver, archives emails directly from the Mail application. The app requires specific permissions in macOS: Automation permissions to access accounts and mailboxes and Full Disk Access (FDA) for the emails themselves. Some versions ago, there was an issue with incorrect Automation permissions. Since then I always make sure to reset both permissions when testing a new version.

To reset Automation permissions, I use tccutil. For Full Disk Access, I revoke access through System Settings.Resetting full disk access in system settings for Mail Archiver

Without Full Disk Access the Mail folder looks empty to Mail Archiver. In this case the app prompts users on how to grant Full Disk Access:

Window to show that app needs full disk access


Uncovering a Security Bug with Full Disk Access

Surprisingly, Mail Archiver was able to archive emails from Mail on Sonoma after revoking FDA. While not a severe issue, it could impact users dealing with potential threats.

I made a simple test app. Here I could not reproduce the behaviour. The app didn't have FDA after revoking the permissions. 

Then I had a developer friend test his own app which also needs FDA. The app showed the same problem I had found in Mail Archiver.

The unexpected behavior seemed linked to updating macOS from an older version to Sonoma.

Reproducing the Bug

  1. Have macOS Ventura installed on your computer. 
  2. Install Mail Archiver
  3. Go to the Setup and add Mail and some mailboxes for archiving.
  4. After starting to archive give Mail Archiver FDA. After quitting and restarting the app should archive emails from Mail.
  5. Update from Ventura to Sonoma.
  6. Revoke the permission for FDA for Mail Archiver.
  7. Archive emails from Mail with Mail Archiver again.

It is still possible to access the Mail folder even though FDA has been revoked. This also happens for other apps like Find Any File. I revoked FDA for Find Any File and was still able to search for emails in the Mail folder.

Reporting a Security Bug 

On 21-Sep-2023, I reported the bug to Apple as a security issue. Apple requested videos demonstrating the problem, code snippets, and screenshots. This took place over several weeks in November. At some point between the end of November 2023 and February 2024 the case was closed. Apple stated that they were not able to identify a security issue:

We reviewed your report and were unable to identify a security issue. If you have new information that you didn’t include in your report, providing it now may allow us to review your report further.

I knew before I reported the problem that the experience could be a frustrating one. It took the Apple people 6 weeks to react at all. I found the need for videos baffling. But to have a bug related to FDA closed as not being a security problem was unexpected. Of course, I could reset FDA with tccutil to get rid of the problem. But the majority of users will update their computers.