I am trying to understand the mechanics of how iOS/iPadOS apps work on macs with Apple Silicon.
In particular, I'd like to understand the runtime environment of these apps.
I installed one to test it on a mac. I ran codesign --entitlements on a mac, on an iOS app downloaded form the mac app store.
I was very surprised to see the sandbox entitement was NOT present.
On iOS all apps are sandboxed, so I was very surprised to see that the macOS translation was not sandbox. This seems like a significant weakening of the security.
Can anyone shed some light on that?
Post
Replies
Boosts
Views
Activity
I want to troubleshoot entitlements to icloud drive.
An app downloaded on the macOS app store has no entitlements related to icloud.
Its entitlements look like this (removing the irrelevant ones):
[Key] com.apple.developer.maps
[Value]
[Bool] true
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.files.user-selected.read-write
[Value]
[Bool] true
[Key] com.apple.security.network.client
[Value]
[Bool] true
[Key] com.apple.security.network.server
[Value]
[Bool] true
[Key] com.apple.security.personal-information.addressbook
[Value]
[Bool] true
[Key] com.apple.security.personal-information.calendars
[Value]
[Bool] true
[Key] com.apple.security.personal-information.location
[Value]
[Bool] true
I have not manually given it access to the icloud drive.
This app does not appear in the list of app appearing in Settings / iCloud Drive / options.
And yet, this app is able to create its directory inside iCloud drive.
My understanding is that it should not have access to iCloud drive without a specific entitlement.
Is my understanding off, or is this is security bug?
I have a simple 3d avatar in the form of an FBX file. I can convert that to a scene file for SceneKit.
I need to make it talk, at runtime. So I need a way to go from audio to movements of the mouse.
How can I do that? Any pointer appreciated, thanks!
I am engaged in warfare with code signing on macOS. I am on the losing side.
I simply need to sign apps for local development and usage for now.
Here's what my process used to look like:
I check what signing identity is available on the mac via security find-identity -v -p codesigning
if I see a string like 5412365ERRHG12 in the command above, I can then resign any app, and change its entitlements via the following command :
codesign -s 5412365ERRHG12 -f --options runtime --entitlements entitlements_file /path/to/app_to_resign.app
However, the app I am battling with is an Electron app. I am unable to sign properly its helper, even though I read all that I could on the internet.
I use this as entitlements for the main bundle :
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>***</string>
</array>
And this for the helper app :
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
However when doing so, the system keeps preventing the helper app from being launch, with the following error message :
deny(1) forbidden-sandbox-reinit
I've tried everything I saw online. The one thing left to try, was a guide mentioning I should embed a provisioning profile.
So I've created a provisioning profile on apple's developer portal, and added it on /path/to/app_to_resign.app/embedded.provisionprofile
However, I am not sure what to specify after the -s flag of codesign.
I installed the provisioning profile on the mac by double clicking on it, I expected this to add a new entry to security find-identity -v -p codesigning, but it did not.
What am I missing? How can I feed to codesign the identity linked to the provisioning profile that I have just downloaded from the apple developer's portal?
Thanks!
I have an app that runs on macOS Monterey.
For various reasons, I have to externally add a sandbox entitlement (externally, as in using codesign, rather than rebuilding it)
After adding the sandbox entitlement, and resigning appropriately, the app crashes on launch with the following error :
ERROR:process_singleton_posix.cc(1186)] Failed to bind() /var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket
So I assumed I needed to give access to this file.
So I added the following entitlements to the app, via codesign :
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key> <array> <string>/var</string> <string>/var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket</string> </array>
and also
<key>com.apple.security.network.client</key> <true/>
<key>com.apple.security.network.server</key> <true/>
Unfortunately, it still crashes on load, with the same error.
Does anyone know why that is? From my perspective, I gave the appropriate entitlements to bind a socket at that path, what am I missing?
Thanks !
How can I exchange information easily and securely between 2 apps on macOS?
1 of the app will infrequently request a short amount of data from the other one.
Here are the options that I can see:
DistributedNotificationCenter : very easy to implement. However, the notifications are broadcast to any apps that wants to listen to it, and apple's documentation clearly states that it's not secure. I would ideally like a mechanism that is as simple as this, but with a secure communication between 2 aps
Apple Events. I am not sure how to make an app respond to apple event. And I think it would be the same problem : any other app could talk to these 2 apps and get information from them. I ideally want this to be more secure.
XPC, this seems overly complex for what I want to do, as my understanding is that this essentially involves creating a third process that will regulate communication.
Implementing IPC via sockets. It seems reasonable I think, as I can probably secure the communication better. However it feels over-enigneered to set up sockets that always listen for incoming connections, etc
Am I missing a simple mechanism on macOS that could help me in that use case?
Or am I looking at things incorrectly for one of these options?
Thanks!
Hello,
we use XCTest to run test on our macOS apps.
It is good, but it prevents the use of the mac in the meantime, since it actually moves the mouse and perform click, rather than simulate them.
Is there a way to send mouse movements and clicks to the app, rather than actually moving the mouse?
Can I run the test inside a macOS simulator?
How do XCTest work under the hood? I can see the testing framework has access to a very detailed view of what's inside the macOS app, even though we have not done anything special. Is it using something like Apple Script under the hood?
I need to embed a shell command inside an app.
They way I am currently solving this is by using Automator.app.
It runs well enough except that it feels wrong security-wise because the resulting app has no hardened runtime, no sandbox.
I tried to emulate what Automator.app does directly in xcode, by selecting the proejct template "Command line tool". However, as soon as I enable the app sandbox, it crashes. I can still get the hardened runtime though.
So a few quick questions:
Are sandbox only to protect against the app itself (in which case I should not worry because I trust my own code), or - similarly to hardened runtime - it also protects against attacks on the app ?
I tried using the template "app". That obviously allows sandboxes, but that is not what I want because there is a GUI
any thoughts on the best way to solve my original goal?
Thanks!
When an app is running on a Mac, it can add a helper app to its bundle, in the Contents/Library/LoginItems.
This app can launch this helper app by running SMLoginItemSetEnabled.
This helper app is then always open by macOS after restarts.
What bothers me is that there is no visibility on all these apps. They do not appear in any of the LaunchDaemons/LaunchAgents directories, nor in the System Preferences/Users/LoginItem list.
So I have a few questions :
are strictly all apps started in such a way XPC services ?
how can I list all such helper apps? Running "launchctl list" seems to list all processes, not simply all such processes, in spite of the help description "Lists information about services". This description therefore appears incorrect to me, am I missing something?
How can I prevent these apps from being launched at login/startup? Is "launch unloads" the right way to go about it?
Thanks
Hi all,
I am trying to strengthen the security of a mac. I noticed that several applications do not have the sandbox capability, or they use a lot of the sandbox permission-adding entitlements.
For example pycharm on macOS adds the entitlement com.apple.security.cs.allow-unsigned-executable-memory which adds a security risk.
Is it a reasonable approach to modify the entitlements of a third party app to add the com.apple.security.app-sandbox entitlements and remove some permission-adding entitlements in the app? I am planning to modify the entitlements and then resign the app (I think the later step is necessary ).
Is that approach reasonable? I see that as a way to sandbox apps that the developer originally did not sandbox.
Thanks!
I am trying to understand better entitlements. When reading Apple's documentation, my understanding was that sandbox entitlements like com.apple.security.device.camera were useful when the app was sandbox, by allowing this specific capability.
If that understanding is correct, then I am confused when looking at the entitlements of the app visual studio code :
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
</dict>
Indeed, this app is NOT sandboxed (it does not have the com.apple.security.app-sandbox entitlement), and yet it has these sandbox entitlements that give permission.
Are these entitlements effectively useless in that case? Or is my understanding off?
In addition, if an app has a certain entitlements, does it mean the app can use that capability and it will not prompt the user? Or does the entitlement simply allow the app to prompt the user for permission?
Several hours after the start of a mac with macOS BigSur, I am unable to access www apple com. Thid creates a lot of problems.
I spent a lot of time exploring what the cause could be.
DNS state when the problem does not manifest itself
Whenever I restart the mac, the problem disappears. Looking as dscacheutil, I can see both IPv4 and IPv6 are being populated.
$dscacheutil -q host -a name www.apple.com
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ipv6_address: 2a02:26f0:7400:1ac::1aca
ipv6_address: 2a02:26f0:7400:1ad::1aca
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ip_address: 2.21.169.157
DNS state when the problem does manifest itself
After a few hours and a sleep of the mac, I cannot access www apple com in any way.
$dscacheutil -q host -a name www.apple.com
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ipv6_address: 2a02:26f0:7400:1ac::1aca
ipv6_address: 2a02:26f0:7400:1ad::1aca
So IPv4 addresses are not populated at that point.
I noticed that apple com itself (without the www) can be pinged. And indeed the dns resolution has IPv4 populated :
$ dscacheutil -q host -a name apple.com
name: apple.com
ip_address: 17.253.144.10
This is on a network that supports only IPv4, not IPv6.
Running “sudo dscacheutil -flushcache ; sudo killall -HUP mDNSResponder” or rebooting the router does not fix the issue. - Only rebooting the mac fixes the issue.
dig correctly returns both IPv4 and IPv6 addresses.
Can anyone help me in any way understand the problem?
I have noticed this issue on BigSur that did not happen on Catalina:
An app is attempting to establish a network connection, despite the following entitlements:
<key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.network.client</key> <false/>
An outbound firewall is preventing it, but my understanding is that these entitlements should prevent entirely the app from making connections.
Has this changed under BigSur?
I run a script from a mac, from macOS's terminal, to run a test on an iOS device connected to the mac via USB.
How can I programatically check that the device is unlocked? Also, how can I wake the iOS device from the mac?
The command "xcrun xctrace list devices" is very close to what I want, as it gives me the list of connected devices. However it does not tell me if the device is unlocked or not.
Thanks in advance.
Can I access my own reminders programmatically? Those who appear on https://www.icloud.com/reminders/ ?
Is CloudKit the right way to do this?
Any pointer to do it? When I read ClouKit documentation, it seems aimed at making an app with many users. I just want to access my own data.
Thanks