HT202802: OS X: Using AppleScript with Accessibility and Security features in Mavericks

Learn about OS X: Using AppleScript with Accessibility and Security features in Mavericks
tc8213

Q: What "security vulnerability" will be opened by using this signing technique?

Regarding article: HT202802


OS X: Using AppleScript with Accessibility and Security features in Mavericks - Apple Support

 

The article says:

 

Important: Signing an applet using the following method introduces a security vulnerability that could allow malicious software to use Accessibility without user permission.

 

1. What "security vulnerability" will be opened by using this signing technique?

2. Does signing this way only make the App its applied to vulnerable only? and then the whole computer vulnerable depending on how extensive the app's reach is to the rest of the computer?


3. More information: My app only relates to the Reminders app and bunch of Finder items....nothing internet based, etc.  That being said, is this still a vulnerability to my computer?


"Note: If you have your own signing identity, you may use that identity in place of “-” for the -s option." 

1. What is "my own signing identity?" and if I don't have one, would it add security to get one and use it here?

 

Thanks for the help in advance!

MacBook Pro (13-inch Mid 2012), OS X Mavericks (10.9.5), null

Posted on Mar 29, 2015 8:32 PM

Close

Q: What "security vulnerability" will be opened by using this signing technique?

  • All replies
  • Helpful answers

  • by etresoft,

    etresoft etresoft Mar 30, 2015 5:30 AM in response to tc8213
    Level 7 (29,056 points)
    Mar 30, 2015 5:30 AM in response to tc8213

    1) There are a few system features, including accessibility, that will override any and all other security protections on you machine. This is the vulnerability. In giving the script the ability to control your machine, you give control of your machine to the script.

    2) By signing the script, that control is permanent. If the app doesn't do anything malicious, there is no problem. But malicious apps sometimes don't manifest until later.

    3) Did you write the app? If so, then there is nothing to worry about. If not, then how much do you trust the author of the app?

     

    Generally, this isn't too big a deal. Apple is very protective, but most people generally hand over their passwords to anyone. They shouldn't, of course, but generally they do. They don't realize the extent to which they have handed over control of their machine and all of their data. Apple is trying to point that out.

  • by tc8213,Solvedanswer

    tc8213 tc8213 Mar 31, 2015 1:25 PM in response to etresoft
    Level 1 (0 points)
    Mar 31, 2015 1:25 PM in response to etresoft

    Thank you etresoft! That helped me rest at ease about doing it...it is one of my own apps I'm making in applescript.


    Thank you again!

    Titus