First, I want to start by saying I love Apple's products. I haven't used anything since Windows 98 that made me feel this good. With that being said, Apple's megalithic status is making them become jaded, similar to Microsoft during the height of that era. Apple has secret schools, secret labs, they rarely open source anything, instead preferring to go 'old school', announcing the next line of products at hyped events. I kinda like it - but in the modern era, it doesn't matter how much money or talent you have, if your software isn't open source - it will decline in quality, become vulnerable, and that's happening today.
More malware / viruses have been discovered for iOS / OSX this year than like the last 10 years combined. The inner workings of the OS, dubbed SIP, estrange it from UNIX and classical Linux behavior. It's easy to assume that because of its command line and interoperability with Linux programs that it behaves like OpenBSD - which is what the source code is based on. In reality, like in the movie Steve Jobs, there are locks, not just on the outside, but the inside, that cannot be opened by anyone. When you agree to the license statement - they are RENTING you the software. You don't own it, you can't control it, and it's a tricky illusion to believe you can.
With that being said, I believe Apple to be a benign dictator. When their ads chief quit because they wouldn't collect enough user data - and the recent fight with the FBI - I think it's safe to say that they have no incentive to market YOU. Unlike Google, Apple doesn't need to sell you as a product, they make enough money, for now. There are also some amazing projects that have been built independently, open sourced, which can help protect your identity while enjoying the luxury.

Monitoring

objective-see
They currently have 7 apps, user friendly, great for any user.
KnockKnock, TaskExplorer, Dylib Hijack Scanner, and KextViewr enable you to see all the processes running on your computer and then they can (optionally) scan a virus database to see if any weird shit is installed. They go down to the kernel / root level, unlike the shitty anti-virus products you might find - these are minimal apps - they won't fuck with you - trust me (or read their blog and use the apps to see for yourself).
Ostiarius and BlockBlock will download stuff into the kernel to watch for weird behavior. Ostiarius is another layer of protection on top of Gatekeeper, which has known vulnerabilities, and BlockBlock lets you stop unsigned code from being downloaded deeper in the system. It's common for malware to be discovered and deleted, just to reinstall itself (Google Chrome does this actually). It lets you know, and maybe stop it.

Firewall

Little Snitch is the usual go-to app for firewalls in OSX. I'd recommend it, but it only touches the surface level. It'll work for 3rd party apps you download - but it won't do much to stop anything deeper in the OS.

Murus is a GUI on top of OpenBSD's PF (firewall). Apple left pf in the OS for some reason. It's not really used for much, but it's one of the most powerful firewalls built for any Linux system. It's a bitch to control, but the GUI helps. It's lower level, more powerful than Little Snitch, and I'm sure people more clever than myself could figure out how to combine it with proxies and tunnels to really do crazy shit. But they also just released a new firewall app Murus as competition to Little Snitch. Unlike Little Snitch, Murus detects almost everything, and it's easier to use. Not available now (unless you purchase Murus Pro) but I think it's going to be released soon. In combination with a VPN, you can set parameters in Murus / Vallum to change quickly, or only use traffic over the tun0 / tun1 interface or block iCloud or whatever. It's pretty cool.

Hardcore
For those looking for something more powerful and have some computer knowledge - this is the holy grail: OS-X-Security-and-Privacy-Guide
It covers everything from how to install OSX properly to using DNSMASQ/DNSCRYPT, GPG, VPNs, PF, TOR, and links to tons of resources and blogs and other libraries.
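As an added example (not from the original post, from Murus, or from the linked guide), here is a minimal pf ruleset for the "only use traffic over the tun0 interface" idea from the firewall section. The interface names en0 and tun0, the VPN server address 203.0.113.10 and the UDP port 1194 are assumptions; substitute your own.

```conf
# Constructed example: pass traffic only through the VPN tunnel.
# Assumptions: en0 is the physical interface, tun0 is the VPN tunnel,
# 203.0.113.10:1194/udp is a placeholder VPN server endpoint.
ext_if   = "en0"
vpn_if   = "tun0"
vpn_srv  = "203.0.113.10"
vpn_port = "1194"

set block-policy drop
set skip on lo0

# Default deny in both directions, IPv4 and IPv6.
block all

# DHCP, so the physical interface can still get a lease.
pass out quick on $ext_if inet proto udp from any port 68 to any port 67
pass in  quick on $ext_if inet proto udp from any port 67 to any port 68

# The only other traffic allowed on the physical interface: the tunnel itself.
pass out quick on $ext_if inet proto udp from any to $vpn_srv port $vpn_port keep state

# Everything else has to leave through the tunnel.
pass out quick on $vpn_if all keep state
```

Check the syntax with `pfctl -vnf <file>` before loading it with `pfctl -ef <file>`. With this loaded, if the tunnel goes down nothing else leaves the machine until it comes back.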
For the paranoid, do everything this guy says here: osxparanoia. It works. You kill all the social widgets and bullshit, and it goes quiet. Stops phoning home. The traffic just drops. Also spoof your MAC address on all the reloads - maybe the hostname? I dunno. It uses Mavericks, anything above Mavericks cannot be quieted to this degree.
El Capitan now logs everything. All the commands. All the downloads. All the wifi. And the log won't die. It will preserve itself across boots, even if the NVRAM is flushed. Even if you disable SIP. They keep it. I don't think they care - they're doing it with good intention, just be warned.
Love and Peace