Sandboxed app has access to iCloud Drive without entitlements

I want to troubleshoot entitlements to iCloud Drive.

An app downloaded on the macOS app store has no entitlements related to iCloud.

Its entitlements look like this (removing the irrelevant ones):

[Key] com.apple.developer.maps
[Value]
	[Bool] true
[Key] com.apple.security.app-sandbox
[Value]
	[Bool] true
[Key] com.apple.security.files.user-selected.read-write
[Value]
	[Bool] true
[Key] com.apple.security.network.client
[Value]
	[Bool] true
[Key] com.apple.security.network.server
[Value]
	[Bool] true
[Key] com.apple.security.personal-information.addressbook
[Value]
	[Bool] true
[Key] com.apple.security.personal-information.calendars
[Value]
	[Bool] true
[Key] com.apple.security.personal-information.location
[Value]
	[Bool] true

I have not manually given it access to the iCloud Drive. This app does not appear in the list of apps appearing in Settings / iCloud Drive / options.

And yet, this app is able to create its directory inside iCloud drive.

My understanding is that it should not have access to iCloud drive without a specific entitlement.

Is my understanding off, or is this a security bug?
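
A small parser for the `[Key]` / `[Value]` / `[Bool]` dump quoted in the post above, to confirm mechanically that no iCloud entitlement is present (an added example, not part of the original post). The iCloud key names are Apple's documented entitlement keys and do not appear in the thread; the parser assumes a flat dump like the one posted.

```python
import re

# iCloud entitlement keys as documented by Apple (assumption: not from the thread).
ICLOUD_KEYS = {"com.apple.developer." + s for s in (
    "icloud-container-identifiers", "icloud-services",
    "ubiquity-container-identifiers", "ubiquity-kvstore-identifier")}
SANDBOX = "com.apple.security.app-sandbox"
USER_SELECTED = "com.apple.security.files.user-selected.read-write"

# The eight keys posted above, rebuilt into the same dump layout (all [Bool] true).
POSTED_KEYS = [
    "com.apple.developer.maps",
    SANDBOX,
    USER_SELECTED,
    "com.apple.security.network.client",
    "com.apple.security.network.server",
    "com.apple.security.personal-information.addressbook",
    "com.apple.security.personal-information.calendars",
    "com.apple.security.personal-information.location",
]
SAMPLE_DUMP = "".join(f"[Key] {k}\n[Value]\n\t[Bool] true\n" for k in POSTED_KEYS)


def parse_entitlements(dump):
    """Turn '[Key] name', '[Value]', '[Type] value' lines into a dict."""
    ents, key = {}, None
    for line in dump.splitlines():
        m = re.match(r"\[(\w+)\]\s*(.*)", line.strip())
        if not m:
            continue
        tag, rest = m.groups()
        if tag == "Key":
            key = rest
            ents[key] = None
        elif tag == "Bool" and key is not None:
            ents[key] = rest == "true"
        elif tag == "String" and key is not None:
            # Strings (scalar or array members) are collected into a list.
            ents[key] = (ents[key] or []) + [rest]
    return ents


def audit(ents):
    """Report the sandbox and iCloud facts the thread is arguing about."""
    return {
        "sandboxed": ents.get(SANDBOX) is True,
        "user_selected_rw": ents.get(USER_SELECTED) is True,
        "icloud_keys": sorted(k for k in ents if k in ICLOUD_KEYS),
    }


if __name__ == "__main__":
    print(audit(parse_entitlements(SAMPLE_DUMP)))
```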

Replies

My understanding is that it should not have access to iCloud drive without a specific entitlement.

That’s incorrect. From the perspective of a sandboxed app, iCloud Drive is like any other external volume. Access to it is mediated by sandbox extensions. So, if the app brings up an open panel and the user selects an item on iCloud Drive, the app will have access to it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Understood. But in this case, I have never selected the iCloud drive in an open panel. The sandboxed app is able to store files in iCloud drive without any user interaction.

Can you be more precise about how you came to this conclusion?

I tried this here in my office and it worked… well… failed… as I expected. Specifically:

  1. On macOS 13.2.1, I put a test.txt file at the root of my iCloud Drive.

  2. In Xcode 14.3, I created a new project with App Sandbox enabled.

  3. I wired up a button to this code:

    do {
        print("will read")
        let u = URL(fileURLWithPath: "/Users/quinn/Library/Mobile Documents/com~apple~CloudDocs/test.text")
        let s = try String(contentsOf: u, encoding: .utf8)
        print("did read, contents: \(s)")
    } catch {
        print("did not read, error: \(error)")
    }
    
  4. I ran the app and clicked the button.

The app printed:

will read
did not read, error: Error Domain=NSCocoaErrorDomain Code=257 "The file “test.text” couldn’t be opened because you don’t have permission to view it." UserInfo={NSFilePath=/Users/quinn/Library/Mobile Documents/com~apple~CloudDocs/test.text, NSUnderlyingError=0x6000005f6910 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}

The underlying error, EPERM, is exactly what I’d expect for a request blocked by the sandbox.

I then removed the App Sandbox capability and tried again. This time it printed:

will read
did read, contents: Hello Cruel World!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sure:

  1. I downloaded an app on the macOS app store.
  2. This app had the entitlements I copy-pasted above. In particular, this app was sandboxed (as per the macOS app store requirement).
  3. I never gave permission to the app myself to access iCloud Drive. I did not select iCloud Drive in any way in any panel.
  4. In spite of 3), I noticed that the app was able to create a directory for itself in iCloud Drive, and store files there.

To be clear, I am not claiming the app is able to access other directories in iCloud drive (which is what your code above is testing for).

Thanks

Hi, I am still struggling with this issue. I never gave permission to the sandboxed app to access iCloud drive and yet, it merely adds files to it.

Is there a way maybe to reset iCloud access permission to the app? (though I never gave it, the OS might have incorrectly given it).

  • Please report it to Apple security / bug disclosure program
