Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Frank Nospam
Frank Nospam Author
User level: Level 2
164 points

What is Escrow Security Alert.app?

After upgrading to Mavericks, I ran Activity Monitor and saw some new background daemons. The one that stood out to me was "Escrow Security Alert". Anyone know what this is? Its open files & ports list is:


/

/System/Library/PrivateFrameworks/CloudServices.framework/Versions/A/Resources/E scrowSecurityAlert.app/Contents/MacOS/EscrowSecurityAlert

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/AOSUI

/System/Library/ColorSync/Profiles/sRGB Profile.icc

/System/Library/Caches/com.apple.IntlDataCache.le.kbdx

/usr/share/icu/icudt51l.dat

/System/Library/CoreServices/RawCamera.bundle/Contents/MacOS/RawCamera

/System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Resources/AppleKeyboardLayouts-L.d at

/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/Resources/SArtFile .bin

/usr/lib/dyld

/private/var/run/dyld_shared_cache_x86_64

/dev/null

/dev/null

/dev/null

MacBook Pro (15-inch 2.4/2.2 GHz), OS Xi Spinal Tap (11)

Posted on Oct 29, 2013 3:34 AM

Reply
Question marked as Best reply
User profile for user: tyler8541
tyler8541
User level: Level 1
10 points

Posted on Nov 18, 2013 10:13 AM

I've taken a (very) brief look at the EscrowSecurityAlert application's code and it appears to sync your icloud keychain information. The whole process also looks like it might sync other settings with iCloud as well. If you open a finder window and press shift + Command + G and copy the path: /System/Library/PrivateFrameworks/CloudServices.framework/Versions/A/Resources/

paste it into the open "Go to the folder:" field. Once there you can inspect items by right clicking them and selecting open with>change the "enable" pull down to "all applications"> select text edit> click open.


***IMPORTANT*** close without saving changes (you should not try to make any either).


You will have to scroll a ways down to get to items that you can actually read. Once you have scrolled a ways down, you can see in plain text-ish what items are being sync'd and what the code is doing. Again I took a very brief look at this code, but I am fairly certain it is legitimate.


source: I'm a former Mac Genius and current information security professional for a fortune 100 company.

View in context
7 replies
Question marked as Best reply
User profile for user: tyler8541
tyler8541
User level: Level 1
10 points

Nov 18, 2013 10:13 AM in response to Frank Nospam

I've taken a (very) brief look at the EscrowSecurityAlert application's code and it appears to sync your icloud keychain information. The whole process also looks like it might sync other settings with iCloud as well. If you open a finder window and press shift + Command + G and copy the path: /System/Library/PrivateFrameworks/CloudServices.framework/Versions/A/Resources/

paste it into the open "Go to the folder:" field. Once there you can inspect items by right clicking them and selecting open with>change the "enable" pull down to "all applications"> select text edit> click open.


***IMPORTANT*** close without saving changes (you should not try to make any either).


You will have to scroll a ways down to get to items that you can actually read. Once you have scrolled a ways down, you can see in plain text-ish what items are being sync'd and what the code is doing. Again I took a very brief look at this code, but I am fairly certain it is legitimate.


source: I'm a former Mac Genius and current information security professional for a fortune 100 company.

Reply
User profile for user: andreasbeer1981
andreasbeer1981
User level: Level 1
13 points

Nov 15, 2014 3:47 PM in response to VilleFromFinland

No, you're not. This should be perfectly fine as something like iCloud should be isolatable for exactly these security reasons, and giving the user a switch to toggle iCloud on and off should include _all_ processes that are only necessary for iCloud.


Like I just kill "bird" and "cloudd", which were running all the time on Yosemite even though I don't use iCloud. I think this is yet another dark pattern used by Apple to sneak iCloud into everything. No wonder devices suddenly have undeletable U2-songs appearing.

Reply
User profile for user: username121
username121
User level: Level 1
4 points

Feb 27, 2015 6:15 AM in response to andreasbeer1981

No need to shutdown EscrowSec:

/System/Library/PrivateFrameworks/CloudServices.framework/Versions/A/Resources/

Below is what the code file looks like, simple routine IF THEN what to do with the Keys.

Openssl has been depreciated for tis and custom cryptoLIBS.

-------------------------------------------------------------------------------- -------------------------


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>CANCEL</key>

<string>Cancel</string>

<key>CREATE</key>

<string>Create</string>

<key>CREATENEWCODE</key>

<string>Create New Code</string>

<key>DETAILS</key>

<string>Details</string>

<key>ESCROW_ELE_ALERT_MESSAGE</key>

<string>A new security code must be created because of a change to iCloud Keychain servers.</string>

<key>ESCROW_ELE_ALERT_MESSAGE_TITLE</key>

<string>Create New iCloud Security Code</string>

<key>ICLOUD_KEYCHAIN_TITLE</key>

<string>iCloud Keychain</string>

<key>KEYCHAIN_BACKUP_ALERT_TITLE</key>

<string>Keychain Backup Alert</string>

<key>LATER</key>

<string>Later</string>

<key>LEARNMORE</key>

<string>Learn More</string>

<key>NOTNOW</key>

<string>Not Now</string>

<key>RECORD_BURNED_ALERT_MESSAGE</key>

<string>Your security code was incorrectly entered too many times on one of your other devices and can no longer be used.</string>

<key>RECORD_BURNED_ALERT_MESSAGE_TITLE</key>

<string>Update Your iCloud Security Code</string>

<key>RESETKEYCHAIN</key>

<string>Reset &amp; Turn Off Keychain</string>

<key>RESET_CONFIRMATION_MESSAGE</key>

<string>All passwords in iCloud Keychain will be deleted, and iCloud Keychain will be turned off on all your devices.</string>

<key>RESET_CONFIRMATION_MESSAGE_TITLE</key>

<string>Reset and Turn Off iCloud Keychain?</string>

<key>UPDATE</key>

<string>Update</string>

<key>UPDATECODE</key>

<string>Update Security Code</string>

<key>kEscrowSecurityAlertRecord</key>

<string>Your previous code was entered incorrectly too many times.</string>

<key>kEscrowSecurityAlertServer</key>

<string>A new iCloud Security Code must be created.</string>

</dict>

</plist>


---------------------------------------------------

IF you want to kill a pid (process) do as the following:

Search------>

lsof (find the agonizing PID # next to the EscrowSec, i.e. 4251)

lsof -n -i | grep 4251

Destroy------>

kill 4251

---------------------------Have a Nice Day------:-)-----------------

Reply

What is Escrow Security Alert.app?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up