I want to use an app from the Mac App Store (Window Tidy) but it wants me to give it control "over the computer". This setting is found under Security & Privacy > Accessibility.
This seems like a very big umbrella permission, and I can't seem to find out what this actually means in terms of what permissions it grants to apps.
What is the worst that can happen? Can it read my files? Can it make network calls to transfer my files, encrypted files, etc? Can it access contacts, and send emails as me?
I've looked online and this seems quite hard to answer. Does anyone know?
Thanks...
Update based on @teppic's comment below:
$ codesign -d --entitlements :- /Applications/Window\ Tidy.app
Executable=/Applications/Window Tidy.app/Contents/MacOS/Window Tidy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>34U5SFK3WS.com.lightpillar.Window-Tidy</string>
<key>com.apple.developer.team-identifier</key>
<string>34U5SFK3WS</string>
</dict>
</plist>
Update 2
Continuing my curiosity, I installed the network monitoring tool Little Snitch to block and monitor outgoing communications. And in less than 1.5 hrs, Window Tidy (which is a simple app meant to resize windows) has reached out to connect over the network 3564 times. Definitely seems dangerous to have this app have access to read my files and control other apps...
How do I know if an app is unsandboxed? – pixelearth – 2016-11-27T19:20:31.840
In the terminal, codesign -d --entitlements :- /Applications/ExampleApp.app/ will list the entitlements an app is signed with. If it isn't sandboxed you'll just see Executable=blah. – teppic – 2016-11-27T19:39:08.850
I've added the output of this to the orig question, but I'm still not sure what privs it has. – pixelearth – 2016-11-27T19:55:40.180
No com.apple.security.app-sandbox key, so it's not sandboxed. Sandboxing on MacOS is not like iOS, it's there to protect the user if the app is compromised. It's not on by default, and developers are lazy, so it's not often used properly. – teppic – 2016-11-27T20:01:08.733
Sandbox key reference. – teppic – 2016-11-27T20:01:42.400
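The check discussed in the comments, as an added example that is not part of the original thread: a Python script that parses `codesign -d --entitlements :-` output, reports whether the `com.apple.security.app-sandbox` key is set, and lists which sandbox entitlements are granted. `QUESTION_OUTPUT` is the output pasted in the question; `SANDBOXED_SAMPLE` and the function names are constructed for illustration.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
# Sandbox entitlement keys that widen what a sandboxed app may do.
NOTABLE = {
    "com.apple.security.network.client": "outgoing network connections",
    "com.apple.security.network.server": "incoming network connections",
    "com.apple.security.files.user-selected.read-write": "files the user picks",
    "com.apple.security.personal-information.addressbook": "contacts",
}

# Output pasted in the question (closing plist tag restored).
QUESTION_OUTPUT = """Executable=/Applications/Window Tidy.app/Contents/MacOS/Window Tidy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>34U5SFK3WS.com.lightpillar.Window-Tidy</string>
<key>com.apple.developer.team-identifier</key>
<string>34U5SFK3WS</string>
</dict>
</plist>
"""

# Constructed sample for a hypothetical sandboxed app.
SANDBOXED_SAMPLE = """Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><true/>
</dict></plist>
"""

def parse_entitlements(codesign_output):
    """Entitlements dict from codesign output; {} if no plist was printed."""
    start = codesign_output.find("<?xml")
    if start == -1:
        return {}
    return plistlib.loads(codesign_output[start:].encode("utf-8"))

def assess(codesign_output):
    ents = parse_entitlements(codesign_output)
    sandboxed = ents.get(SANDBOX_KEY) is True
    # Without the sandbox key the other keys restrict nothing, so report none.
    granted = [d for k, d in NOTABLE.items() if sandboxed and ents.get(k) is True]
    return {"sandboxed": sandboxed, "granted": granted}

if __name__ == "__main__":
    for sample in (QUESTION_OUTPUT, SANDBOXED_SAMPLE, "Executable=/bin/blah\n"):
        print(assess(sample))
```

On a Mac, the input can be captured with `codesign -d --entitlements :- /path/to/App.app 2>&1` and passed to `assess()` as a string.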