Give sandboxed app access to /var directory
I have an app that runs on macOS Monterey. For various reasons, I have to externally add a sandbox entitlement (externally, as in using codesign, rather than rebuilding it). After adding the sandbox entitlement, and resigning appropriately, the app crashes on launch with the following error:

    ERROR:process_singleton_posix.cc(1186)] Failed to bind() /var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket

So I assumed I needed to give access to this file. So I added the following entitlements to the app, via codesign:

    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/var</string>
        <string>/var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket</string>
    </array>

and also

    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>

Unfortunately, it still crashes on load, with the same error. Does anyone know why that is? From my perspective, I gave the appropriate entitlements to bind a socket at that path; what am I missing? Thanks!
Replies: 6 | Boosts: 0 | Views: 2.3k | Activity: Aug ’22
iOS apps on macOS: less secure?
I am trying to understand the mechanics of how iOS/iPadOS apps work on Macs with Apple Silicon. In particular, I'd like to understand the runtime environment of these apps. I installed one to test it on a Mac. I ran codesign --entitlements on a Mac, on an iOS app downloaded from the Mac App Store. I was very surprised to see the sandbox entitlement was NOT present. On iOS all apps are sandboxed, so I was very surprised to see that the macOS translation was not sandboxed. This seems like a significant weakening of the security. Can anyone shed some light on that?
Replies: 1 | Boosts: 0 | Views: 295 | Activity: Sep ’24
Sandboxed app has access to iCloud Drive without entitlements
I want to troubleshoot entitlements to iCloud Drive. An app downloaded on the macOS App Store has no entitlements related to iCloud. Its entitlements look like this (removing the irrelevant ones):

    [Key] com.apple.developer.maps [Value] [Bool] true
    [Key] com.apple.security.app-sandbox [Value] [Bool] true
    [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true
    [Key] com.apple.security.network.client [Value] [Bool] true
    [Key] com.apple.security.network.server [Value] [Bool] true
    [Key] com.apple.security.personal-information.addressbook [Value] [Bool] true
    [Key] com.apple.security.personal-information.calendars [Value] [Bool] true
    [Key] com.apple.security.personal-information.location [Value] [Bool] true

I have not manually given it access to iCloud Drive. This app does not appear in the list of apps appearing in Settings / iCloud Drive / Options. And yet, this app is able to create its directory inside iCloud Drive. My understanding is that it should not have access to iCloud Drive without a specific entitlement. Is my understanding off, or is this a security bug?
Replies: 5 | Boosts: 0 | Views: 1.4k | Activity: Apr ’23
Help with code signing
I am engaged in warfare with code signing on macOS. I am on the losing side. I simply need to sign apps for local development and usage for now. Here's what my process used to look like: I check what signing identity is available on the Mac via

    security find-identity -v -p codesigning

If I see a string like 5412365ERRHG12 in the command above, I can then resign any app, and change its entitlements via the following command:

    codesign -s 5412365ERRHG12 -f --options runtime --entitlements entitlements_file /path/to/app_to_resign.app

However, the app I am battling with is an Electron app. I am unable to sign its helper properly, even though I read all that I could on the internet. I use this as entitlements for the main bundle:

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>***</string>
    </array>

And this for the helper app:

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>

However, when doing so, the system keeps preventing the helper app from being launched, with the following error message:

    deny(1) forbidden-sandbox-reinit

I've tried everything I saw online. The one thing left to try was a guide mentioning I should embed a provisioning profile. So I've created a provisioning profile on Apple's developer portal, and added it at /path/to/app_to_resign.app/embedded.provisionprofile. However, I am not sure what to specify after the -s flag of codesign. I installed the provisioning profile on the Mac by double clicking on it; I expected this to add a new entry to security find-identity -v -p codesigning, but it did not. What am I missing? How can I feed to codesign the identity linked to the provisioning profile that I have just downloaded from the Apple developer portal? Thanks!
Replies: 2 | Boosts: 0 | Views: 1.5k | Activity: Aug ’22
Entitlement issues with network extension
When loading a network extension, I see the following error, raised by the trustd process, in the console:

    Entitlement com.apple.application-identifier=RUXT127L01.com.team.AppName.NetworkExtension is ignored because of invalid application signature or incorrect provisioning profile
    Entitlement com.apple.security.application-groups=( "RUXT127L01.com.team.AppName" ) is ignored because of invalid application signature or incorrect provisioning profile

However, I believe my app groups and bundle identifiers are correctly set in the entitlements:

    com.apple.application-identifier
        RUXT127L01.com.team.AppName.NetworkExtension
    com.apple.developer.team-identifier
        RUXT127L01
    com.apple.security.application-groups
        RUXT127L01.com.team.AppName
    com.apple.security.get-task-allow

Also, when I run "codesign -d -vvvv" or "codesign -d --entitlements" on the system extension, everything looks fine. Does anyone have any idea what could be off? Or any suggestion of where to look? Note that the system extension seems to work fine anyway, and allows XPC communications.
Replies: 14 | Boosts: 0 | Views: 7.5k | Activity: Feb ’20
Sandbox app wrapping shell command
I need to embed a shell command inside an app. The way I am currently solving this is by using Automator.app. It runs well enough, except that it feels wrong security-wise because the resulting app has no hardened runtime and no sandbox. I tried to emulate what Automator.app does directly in Xcode, by selecting the project template "Command line tool". However, as soon as I enable the app sandbox, it crashes. I can still get the hardened runtime though. So a few quick questions:

Are sandboxes only there to protect against the app itself (in which case I should not worry, because I trust my own code), or, similarly to the hardened runtime, does it also protect against attacks on the app?

I tried using the template "app". That obviously allows sandboxes, but that is not what I want because there is a GUI.

Any thoughts on the best way to solve my original goal? Thanks!
Replies: 4 | Boosts: 0 | Views: 1.9k | Activity: Jun ’22
Easy and secure way to communicate between processes on macOS
How can I exchange information easily and securely between 2 apps on macOS? 1 of the apps will infrequently request a short amount of data from the other one. Here are the options that I can see:

DistributedNotificationCenter: very easy to implement. However, the notifications are broadcast to any app that wants to listen to them, and Apple's documentation clearly states that it's not secure. I would ideally like a mechanism that is as simple as this, but with secure communication between 2 apps.

Apple Events: I am not sure how to make an app respond to Apple Events. And I think it would be the same problem: any other app could talk to these 2 apps and get information from them. I ideally want this to be more secure.

XPC: this seems overly complex for what I want to do, as my understanding is that this essentially involves creating a third process that will regulate communication.

Implementing IPC via sockets: it seems reasonable, I think, as I can probably secure the communication better. However, it feels over-engineered to set up sockets that always listen for incoming connections, etc.

Am I missing a simple mechanism on macOS that could help me in that use case? Or am I looking at things incorrectly for one of these options? Thanks!
Replies: 0 | Boosts: 0 | Views: 883 | Activity: Jun ’22
XCTest on macOS: streamline process
Hello, we use XCTest to run tests on our macOS apps. It is good, but it prevents the use of the Mac in the meantime, since it actually moves the mouse and performs clicks, rather than simulating them. Is there a way to send mouse movements and clicks to the app, rather than actually moving the mouse? Can I run the tests inside a macOS simulator? How does XCTest work under the hood? I can see the testing framework has access to a very detailed view of what's inside the macOS app, even though we have not done anything special. Is it using something like AppleScript under the hood?
Replies: 1 | Boosts: 0 | Views: 939 | Activity: Jun ’22
How to list all XPC services / how to kill them
When an app is running on a Mac, it can add a helper app to its bundle, in Contents/Library/LoginItems. The app can launch this helper app by running SMLoginItemSetEnabled. This helper app is then always opened by macOS after restarts. What bothers me is that there is no visibility on all these apps. They do not appear in any of the LaunchDaemons/LaunchAgents directories, nor in the System Preferences / Users / Login Items list. So I have a few questions:

Are strictly all apps started in such a way XPC services?

How can I list all such helper apps? Running "launchctl list" seems to list all processes, not simply all such processes, in spite of the help description "Lists information about services". This description therefore appears incorrect to me; am I missing something?

How can I prevent these apps from being launched at login/startup? Is "launch unloads" the right way to go about it? Thanks
Replies: 3 | Boosts: 0 | Views: 3.0k | Activity: Jan ’22
Changing entitlements of an app
Hi all, I am trying to strengthen the security of a Mac. I noticed that several applications do not have the sandbox capability, or they use a lot of the sandbox permission-adding entitlements. For example, PyCharm on macOS adds the entitlement com.apple.security.cs.allow-unsigned-executable-memory, which adds a security risk. Is it a reasonable approach to modify the entitlements of a third-party app to add the com.apple.security.app-sandbox entitlement and remove some permission-adding entitlements in the app? I am planning to modify the entitlements and then resign the app (I think the latter step is necessary). Is that approach reasonable? I see that as a way to sandbox apps that the developer originally did not sandbox. Thanks!
Replies: 4 | Boosts: 0 | Views: 2.6k | Activity: Jan ’22
Sandbox entitlement with no sandbox
I am trying to understand entitlements better. When reading Apple's documentation, my understanding was that sandbox entitlements like com.apple.security.device.camera were useful when the app was sandboxed, by allowing this specific capability. If that understanding is correct, then I am confused when looking at the entitlements of the app Visual Studio Code:

    <dict>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
        <key>com.apple.security.device.audio-input</key>
        <true/>
        <key>com.apple.security.device.camera</key>
        <true/>
        <key>com.apple.security.automation.apple-events</key>
        <true/>
    </dict>

Indeed, this app is NOT sandboxed (it does not have the com.apple.security.app-sandbox entitlement), and yet it has these sandbox entitlements that give permission. Are these entitlements effectively useless in that case? Or is my understanding off? In addition, if an app has a certain entitlement, does it mean the app can use that capability and it will not prompt the user? Or does the entitlement simply allow the app to prompt the user for permission?
Replies: 2 | Boosts: 1 | Views: 1.4k | Activity: Jan ’22
DNS problems on Big Sur
Several hours after the start of a Mac with macOS Big Sur, I am unable to access www.apple.com. This creates a lot of problems. I spent a lot of time exploring what the cause could be.

DNS state when the problem does not manifest itself

Whenever I restart the Mac, the problem disappears. Looking at dscacheutil, I can see both IPv4 and IPv6 are being populated.

    $ dscacheutil -q host -a name www.apple.com
    name: e6858.dscx.akamaiedge.net
    alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
    ipv6_address: 2a02:26f0:7400:1ac::1aca
    ipv6_address: 2a02:26f0:7400:1ad::1aca

    name: e6858.dscx.akamaiedge.net
    alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
    ip_address: 2.21.169.157

DNS state when the problem does manifest itself

After a few hours and a sleep of the Mac, I cannot access www.apple.com in any way.

    $ dscacheutil -q host -a name www.apple.com
    name: e6858.dscx.akamaiedge.net
    alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
    ipv6_address: 2a02:26f0:7400:1ac::1aca
    ipv6_address: 2a02:26f0:7400:1ad::1aca

So IPv4 addresses are not populated at that point. I noticed that apple.com itself (without the www) can be pinged. And indeed the DNS resolution has IPv4 populated:

    $ dscacheutil -q host -a name apple.com
    name: apple.com
    ip_address: 17.253.144.10

This is on a network that supports only IPv4, not IPv6. Running "sudo dscacheutil -flushcache ; sudo killall -HUP mDNSResponder" or rebooting the router does not fix the issue. Only rebooting the Mac fixes the issue. dig correctly returns both IPv4 and IPv6 addresses. Can anyone help me in any way understand the problem?
Replies: 0 | Boosts: 0 | Views: 905 | Activity: Oct ’21
App makes network connection despite entitlements
I have noticed this issue on Big Sur that did not happen on Catalina: an app is attempting to establish a network connection, despite the following entitlements:

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <false/>

An outbound firewall is preventing it, but my understanding is that these entitlements should entirely prevent the app from making connections. Has this changed under Big Sur?
Replies: 5 | Boosts: 0 | Views: 1.3k | Activity: Aug ’21
Check iOS device is unlocked from macOS
I run a script from a Mac, from macOS's Terminal, to run a test on an iOS device connected to the Mac via USB. How can I programmatically check that the device is unlocked? Also, how can I wake the iOS device from the Mac? The command "xcrun xctrace list devices" is very close to what I want, as it gives me the list of connected devices. However, it does not tell me if the device is unlocked or not. Thanks in advance.
Replies: 0 | Boosts: 0 | Views: 1k | Activity: Apr ’21