←back to thread

How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points 8bitben | 2 comments | 09 Sep 16 15:52 UTC | HN request time: 0s | source
Show context
bahoom ◴[09 Sep 16 17:20 UTC] No.12464238[source]
I'm using the same techniques for my apps to enable accessibility access (which is needed for window management), although I'm asking users for confirmation before doing so.

It's kind of hacky, but the standard Apple way (click the tiny lock icon on the bottom left, find the app in the list, click the checkbox) is way to cumbersome for users.

Why not displaying a simple yes/no popup similar to the "allow access to contacts / calendar items" dialog?

replies(1): >>12464321 #
eridius ◴[09 Sep 16 17:29 UTC] No.12464321[source]
> Why not displaying a simple yes/no popup

Because granting accessibility access is far more dangerous than granting access to contacts / calendar. The latter just exposes some of your user data. The former gives the app a huge amount of control over your computer.

replies(1): >>12464396 #
bahoom ◴[09 Sep 16 17:39 UTC] No.12464396[source]
What exactly is so dangerous? Any app can take screenshots , listen to keyboard entries, send keys, move the mouse pointer and upload stuff to a server without any AXApi permission.

Forbidding window movement doesn't add any security at all.

Anyways, all I want a simple prompt explaining what the Accessibility API does and yes/no buttons.

replies(1): >>12464894 #
elmigranto ◴[09 Sep 16 18:36 UTC] No.12464894[source]
One example that comes to my mind, is that you won't be able to copy any data from keychain. In fact, no one can access protected keychain data, if any app that is not in Accessibility "listens to keyboard".

http://apple.stackexchange.com/questions/212622/keychain-won...

replies(3): >>12467255 #>>12467256 #>>12468459 #
1. kuon ◴[10 Sep 16 01:49 UTC] No.12467255[source]
Pure speculations: Wouldn't it be possible for an app without accessibility access to just kill and relaunch another app in a wrapper? This wrapper having hooks into system APIs?
replies(1): >>12467545 #
2. elmigranto ◴[10 Sep 16 03:32 UTC] No.12467545[source]
I don't see why not, but what's the point. You either in, and can do X, or not. Can you clarify, please?