Mac: what permissions are granted for "allow the apps below to control your computer"?

3

1

I want to use an app from the Mac App Store (Window Tidy), but it wants me to give it control "over the computer". This setting is found under Security & Privacy > Accessibility.

This seems like a very big umbrella permission, and I can't seem to find out what this actually means in terms of what permissions it grants to apps.

What is the worst that can happen? Can it read my files? Can it make network calls to transfer my files, encrypted files, etc? Can it access contacts, and send emails as me?

I've looked online and this seems quite hard to answer. Does anyone know?

Thanks...

Update based on @teppic's comment below:

$ codesign -d --entitlements :- /Applications/Window\ Tidy.app 
Executable=/Applications/Window Tidy.app/Contents/MacOS/Window Tidy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>34U5SFK3WS.com.lightpillar.Window-Tidy</string>
    <key>com.apple.developer.team-identifier</key>
    <string>34U5SFK3WS</string>
</dict>
</plist>

Update 2

Continuing my curiosity, I installed the network monitoring tool Little Snitch to block and monitor outgoing communications. And in less than 1.5 hrs, Window Tidy (which is a simple app meant to resize windows) has reached out to connect over the network 3564 times. Definitely seems dangerous to have this app have access to read my files and control other apps...


pixelearth

Posted 2016-11-25T22:42:51.417

Reputation: 801

Answers

2

Apps with access to the accessibility API are allowed to manipulate the UIs of other applications (presumably Window Tidy is using this to resize windows). This gives them the ability to inject events into other processes, and allows them to do pretty much anything you can. They can also log all your keystrokes.

Any unsandboxed app (most of them) can read all your files and make network calls.

teppic

Posted 2016-11-25T22:42:51.417

Reputation: 346

how do I know if an app is unsandboxed? – pixelearth – 2016-11-27T19:20:31.840

In the terminal codesign -d --entitlements :- /Applications/ExampleApp.app/ will list the entitlements an app is signed with. If it isn't sandboxed you'll just see Executable=blah. – teppic – 2016-11-27T19:39:08.850

I've added the output of this to the orig question, but I'm still not sure what privs it has. – pixelearth – 2016-11-27T19:55:40.180

No com.apple.security.app-sandbox key, so it's not sandboxed. Sandboxing on macOS is not like iOS, it's there to protect the user if the app is compromised. It's not on by default, and developers are lazy, so it's not often used properly. – teppic – 2016-11-27T20:01:08.733

Sandbox key reference. – teppic – 2016-11-27T20:01:42.400
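
The check described in the comments above, as an added example that is not part of the original thread: it parses saved `codesign -d --entitlements :-` output, tests for the `com.apple.security.app-sandbox` key, and lists what a sandboxed app has been granted. The `assess` and `parse_entitlements` names, the short descriptions in `GRANTS`, and the sandboxed sample app are assumptions made for illustration; the Window Tidy input is the output posted in the question.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
# A few Apple sandbox entitlement keys and what each lets a sandboxed app do.
GRANTS = {
    "com.apple.security.network.client": "outgoing network connections",
    "com.apple.security.network.server": "incoming network connections",
    "com.apple.security.files.user-selected.read-only": "read user-selected files",
    "com.apple.security.files.user-selected.read-write": "read/write user-selected files",
    "com.apple.security.personal-information.addressbook": "contacts",
}

def parse_entitlements(codesign_output):
    """Return the entitlements dict from codesign output, or {} if there is none."""
    start = codesign_output.find("<?xml")
    if start == -1:
        return {}  # only the "Executable=" line was printed
    return plistlib.loads(codesign_output[start:].encode("utf-8"))

def assess(codesign_output):
    """Return (sandboxed, grants) for one app's codesign output."""
    ent = parse_entitlements(codesign_output)
    if ent.get(SANDBOX_KEY) is not True:
        return False, []  # no sandbox: the entitlement list does not limit the app
    return True, [what for key, what in GRANTS.items() if ent.get(key) is True]

HEADER = ('<?xml version="1.0" encoding="UTF-8"?>\n'
          '<plist version="1.0">\n<dict>\n')
FOOTER = "</dict>\n</plist>\n"

# Entitlements as posted in the question (Window Tidy).
WINDOW_TIDY = ("Executable=/Applications/Window Tidy.app/Contents/MacOS/Window Tidy\n"
    + HEADER
    + "<key>com.apple.application-identifier</key>\n"
    + "<string>34U5SFK3WS.com.lightpillar.Window-Tidy</string>\n"
    + "<key>com.apple.developer.team-identifier</key>\n"
    + "<string>34U5SFK3WS</string>\n" + FOOTER)

# Constructed sample: a hypothetical sandboxed app that may only make outgoing connections.
SANDBOXED = ("Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    + HEADER
    + "<key>com.apple.security.app-sandbox</key><true/>\n"
    + "<key>com.apple.security.network.client</key><true/>\n" + FOOTER)

if __name__ == "__main__":
    for name, out in (("Window Tidy", WINDOW_TIDY), ("Example", SANDBOXED)):
        print(name, assess(out))
```

The Accessibility grant is given by the user in System Preferences and is not an entitlement, so it never appears in this output; the script only answers the sandbox question.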