
What "security vulnerability" will be opened by using this signing technique?

Regarding article: HT202802

OS X: Using AppleScript with Accessibility and Security features in Mavericks - Apple Support


The article says:


Important: Signing an applet using the following method introduces a security vulnerability that could allow malicious software to use Accessibility without user permission.


1. What "security vulnerability" will be opened by using this signing technique?

2. Does signing this way make only the app it's applied to vulnerable, and then the whole computer vulnerable depending on how extensive the app's reach is to the rest of the computer?

3. More information: My app only relates to the Reminders app and a bunch of Finder items... nothing internet-based, etc. That being said, is this still a vulnerability to my computer?

"Note: If you have your own signing identity, you may use that identity in place of “-” for the -s option."

1. What is "my own signing identity?" and if I don't have one, would it add security to get one and use it here?


Thanks for the help in advance!

MacBook Pro (13-inch Mid 2012), OS X Mavericks (10.9.5)

Posted on Mar 29, 2015 8:29 PM

2 replies

Mar 30, 2015 5:30 AM in response to tc8213

1) There are a few system features, including accessibility, that will override any and all other security protections on your machine. This is the vulnerability. In giving the script the ability to control your machine, you give control of your machine to the script.

2) By signing the script, that control is permanent. If the app doesn't do anything malicious, there is no problem. But malicious apps sometimes don't manifest until later.

3) Did you write the app? If so, then there is nothing to worry about. If not, then how much do you trust the author of the app?


Generally, this isn't too big a deal. Apple is very protective, but most people generally hand over their passwords to anyone. They shouldn't, of course, but generally they do. They don't realize the extent to which they have handed over control of their machine and all of their data. Apple is trying to point that out.
