Mastering Apple's Endpoint Security for Advanced macOS Malware Detection

Presented at DEF CON 33 (2025), Aug. 8, 2025, 3:30 p.m. (45 minutes).

Five years after Apple radically empowered third-party security developers on macOS with the introduction of Endpoint Security, most developers grasp its fundamentals, but subtle nuances remain, and advanced features are still underutilized. And as the framework continues to evolve, even experienced developers can struggle to keep pace with its rapidly expanding capabilities. This talk explores critical areas that frequently trip up developers, such as caching behaviors and authorization deadlines, before diving into Endpoint Security's more advanced features like mute inversions. We'll also cover recently introduced capabilities, including the long-awaited TCC event monitoring, which offers unprecedented visibility into permission-related activity often targeted by malware. Each topic will include practical code examples, demonstrated and validated against sophisticated macOS malware. Join us to move beyond the basics and unlock the full power of Apple's Endpoint Security framework.

References:

  • [Apple Endpoint Security documentation](https://developer.apple.com/documentation/endpointsecurity)
  • "The Art of Mac Malware, Volume 2: Detecting Malicious Software", No Starch Press

Presenters:

  • Patrick Wardle
    Patrick Wardle is the founder of the Objective-See Foundation, the CEO/Cofounder of DoubleYou, and the author of "The Art of Mac Malware" book series. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Passionate about macOS security, Patrick spends his days discovering Apple 0days, studying macOS malware, and releasing free open-source security tools to protect Mac users.
