I use MacPaw to clean my Mac. When I noticed the valiant Ukrainian flag on the upper bar of my Mac, I wondered if the threat profile had increased for this company that cleans our Macs. So I looked at the Privacy Policy to see what they collect:
- Log data (crash data and other diagnostic reports; cleanup logs: files path and size, system libraries versions, scan/removal duration, device information) – for identifying and fixing defects in Product’s functionality. Logs and entire reports are important to analyze user problems, application misfunctions and crashes. Data is mandatory and is frequently the main source, which helps to understand and resolve application issues.
- Device information: Operating System (OS) running on your device, Internet Protocol (IP) address, access times, browser type, and language, OS localization, CMM bundle IDs, CMM version, screen resolution, cid, battery info, RAM usage info, drive info, processor info, GPU info, disk info (type, total, free, backups), files metadata, applications preferences data, installed applications, network names and preferences
According to a cursory glance at their Privacy Policy, it seems that as MacPaw is scanning the entire system, it’s mapping the architecture of your hard drive with logs. Furthermore, the Device Information it is collecting about your system OS, IP, MAC address, etc. can therefore fingerprint your system. Normally it’s not good to use a tool that’s too invasive with logs. This is why people working in Cybersecurity should never click that box that allows “anonymous statistics” to be sent back to an application’s home base.
Cybersecurity is a balance, and I must admit this tool is also supremely useful in that it really cleans up the system and scans for malware while flushing the DNS and RAM. I also like spending money on a good cause, and it seems I’m not the only one, with one in five Mac users using the product (the featured image for this post was scraped from David Griner’s LinkedIn post linked above). However, considering it’s a Ukrainian unicorn, there is no doubt the threat profile has increased from threat actors such as Russian state-backed hackers. If MacPaw were to be breached by the Russians, what is not mentioned in the Privacy Policy is how much of the data the company has been collecting on Mac users would then be weaponised by a rogue nation state.
Postscript: as if to sense the concern of their users, some puff pieces have been written about MacPaw’s “renowned” products and new tools in the cybersecurity space. I’ll be monitoring their moves in this field in the future.