Wojciech Reguła of SecuRing examines how flawed macOS isolation models allow low-privileged malware to extract credentials from widely used password managers.
Modern macOS security relies on isolation models that promise strong boundaries between applications, yet real-world implementations often fall short. Core mechanisms such as hardened runtime, sandboxing, notarization and privacy controls create assumptions that attackers can exploit when design trade-offs or architectural gaps emerge. Research into widely used password managers across native, Electron-based and browser-centric implementations reveals how low-privileged malware can bypass isolation, abuse runtime exceptions, and intercept trusted workflows to extract credentials without user awareness. These findings expose systemic weaknesses in macOS security assumptions and highlight how distribution models and development choices directly affect application resilience.
In this session, Wojciech Reguła, principal security consultant at SecuRing, will share insights on:
- How runtime exceptions and debugging features enable credential exfiltration;
- Why distribution channels influence application security posture;
- Defensive considerations for macOS-focused blue and red teams.
Here is the course outline:
Broken Isolation - Draining Your Credentials From Popular macOS Password Managers
Completion
The following certificates are awarded when the course is completed:
CPE Credit Certificate
