The following piece of code works all fine if I disable the sandbox, but it fails if I enable the sandbox:

import Foundation
import Security

// Get a code reference for the process identified by its audit token.
var codeOpt: SecCode? = nil
var err = SecCodeCopyGuestWithAttributes(nil, [kSecGuestAttributeAudit: sourceAppAuditToken] as NSDictionary, [], &codeOpt)
guard err == errSecSuccess, let code = codeOpt else {
    return nil
}
// Check the validity of the signature
var errorDescription: Unmanaged<CFError>? = nil
err = SecCodeCheckValidityWithErrors(code, [], nil, &errorDescription)
guard err == errSecSuccess else {
    return nil
}

What entitlement do I need in the sandbox to allow this?
When loading a network extension, I see the following error, raised by the trustd process, in the console:

Entitlement com.apple.application-identifier=RUXT127L01.com.team.AppName.NetworkExtension is ignored because of invalid application signature or incorrect provisioning profile
Entitlement com.apple.security.application-groups=(
"RUXT127L01.com.team.AppName"
) is ignored because of invalid application signature or incorrect provisioning profile

However, I believe my app groups and bundle identifiers are correctly set in the entitlements:

com.apple.application-identifier = RUXT127L01.com.team.AppName.NetworkExtension
com.apple.developer.team-identifier = RUXT127L01
com.apple.security.application-groups = ( RUXT127L01.com.team.AppName )
com.apple.security.get-task-allow

Also, when I run "codesign -d -vvvv" or "codesign -d --entitlements" on the system extension, everything looks fine. Does anyone have any idea what could be off? Or any suggestion of where to look? Note that the system extension seems to work fine anyway, and allows XPC communications.
I need to have data persistence between runs of my UI tests (for an iOS app). I know this might seem an anti-pattern, but I have to work with that for reasons beyond my control.
I use XCTest / XCUITest in Xcode, to run the test on an iOS app on a real device (not a simulator). Several devices will be used, but not simultaneously, and each should start with the state the previous one finished on.
I have explored a few options, but none work.
The simplest thing for me to have would be to save the state in a file on my Mac and for this file to be modified directly by the test. However, as far as I can tell, this is not possible. The test cannot access files on the Mac itself during the test, but only the files on the device.
I can have a file in the test directory on my Mac, copy it (via a build copy phase) to the real device, access it from the device and modify it, and lastly copy it back at the end of the test to the computer. I've managed to do all this, except the last phase. I have looked into XCTAttachments. The problem is that some tests can be stopped manually (via the square Done button in Xcode), and in that case "tearDown" will not be called.
Unless someone has a better idea, what is the safest, most resilient way to copy back a file from the device to the Mac, at the end of each test run (regardless of success or failure)? Is there a way to intercept the calls to the square Done button?
Thanks!
I have a 120 GB encrypted sparsebundle on a USB key. I access it via a recent MacBook Pro with the latest OS. The USB key is a good brand, USB 3, 128 GB.
When mounting the sparsebundle from the USB key, access to it is extremely slow.
Is it expected? Can I do something about it (change file system? Not use a sparsebundle, but encrypt the key instead, if that's possible)?
Thanks!
Can I access my own reminders programmatically? Those that appear on https://www.icloud.com/reminders/ ?
Is CloudKit the right way to do this?
Any pointer to do it? When I read the CloudKit documentation, it seems aimed at making an app with many users. I just want to access my own data.
Thanks
I run a script from a Mac, from the macOS Terminal, to run a test on an iOS device connected to the Mac via USB.
How can I programmatically check that the device is unlocked? Also, how can I wake the iOS device from the Mac?
The command "xcrun xctrace list devices" is very close to what I want, as it gives me the list of connected devices. However it does not tell me if the device is unlocked or not.
Thanks in advance.
I have noticed this issue on Big Sur that did not happen on Catalina:
An app is attempting to establish a network connection, despite the following entitlements:

<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<false/>

An outbound firewall is preventing it, but my understanding is that these entitlements should entirely prevent the app from making connections.
Has this changed under Big Sur?
Several hours after the start of a Mac with macOS Big Sur, I am unable to access www.apple.com. This creates a lot of problems.
I spent a lot of time exploring what the cause could be.
DNS state when the problem does not manifest itself
Whenever I restart the Mac, the problem disappears. Looking at dscacheutil, I can see both IPv4 and IPv6 are being populated.
$ dscacheutil -q host -a name www.apple.com
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ipv6_address: 2a02:26f0:7400:1ac::1aca
ipv6_address: 2a02:26f0:7400:1ad::1aca
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ip_address: 2.21.169.157
DNS state when the problem does manifest itself
After a few hours and a sleep of the Mac, I cannot access www.apple.com in any way.
$ dscacheutil -q host -a name www.apple.com
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ipv6_address: 2a02:26f0:7400:1ac::1aca
ipv6_address: 2a02:26f0:7400:1ad::1aca
So IPv4 addresses are not populated at that point.
I noticed that apple.com itself (without the www) can be pinged. And indeed the DNS resolution has IPv4 populated:
$ dscacheutil -q host -a name apple.com
name: apple.com
ip_address: 17.253.144.10
This is on a network that supports only IPv4, not IPv6.
Running "sudo dscacheutil -flushcache ; sudo killall -HUP mDNSResponder" or rebooting the router does not fix the issue. Only rebooting the Mac fixes the issue.
dig correctly returns both IPv4 and IPv6 addresses.
Can anyone help me in any way understand the problem?
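The check a practitioner would want here is to compare what the resolver cache holds against what the network can actually carry. Below is an added example, not part of the original post: a small parser for the `dscacheutil -q host` record format shown above, plus a diagnosis routine that flags the exact failure mode described (only AAAA answers cached on an IPv4-only network). The two sample outputs are copied from the post; `live_lookup` is an optional helper that asks the system resolver and is not exercised offline.

```python
"""Parse dscacheutil host records and diagnose a missing-IPv4 cache state.

Added example (not from the original post). The sample outputs below are the
two dscacheutil dumps the post shows; they are embedded here as test input.
"""
import socket

# Constructed from the post: healthy state, A and AAAA both cached.
HEALTHY = """\
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ipv6_address: 2a02:26f0:7400:1ac::1aca
ipv6_address: 2a02:26f0:7400:1ad::1aca
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ip_address: 2.21.169.157
"""

# Constructed from the post: broken state, only AAAA cached.
BROKEN = """\
name: e6858.dscx.akamaiedge.net
alias: www.apple.com www.apple.com.edgekey.net www.apple.com.edgekey.net.globalredir.akadns.net
ipv6_address: 2a02:26f0:7400:1ac::1aca
ipv6_address: 2a02:26f0:7400:1ad::1aca
"""


def parse_dscacheutil(output: str) -> dict:
    """Turn `dscacheutil -q host -a name <host>` output into one record.

    dscacheutil prints one block per address family; both blocks carry the
    same canonical name and aliases, so they are merged here. The key is
    everything before the first colon, which keeps IPv6 literals intact.
    """
    rec = {"name": None, "aliases": [], "ipv4": [], "ipv6": []}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "name":
            rec["name"] = value
        elif key == "alias":
            rec["aliases"] = sorted(set(rec["aliases"]) | set(value.split()))
        elif key == "ip_address":
            rec["ipv4"].append(value)
        elif key == "ipv6_address":
            rec["ipv6"].append(value)
    return rec


def diagnose(output: str, network_has_ipv6: bool = False) -> str:
    """Explain whether the cached answers can be used on this network."""
    rec = parse_dscacheutil(output)
    if rec["ipv4"]:
        return "ok: %d A record(s) cached" % len(rec["ipv4"])
    if rec["ipv6"] and not network_has_ipv6:
        return "unreachable: only AAAA records cached on an IPv4-only network"
    if rec["ipv6"]:
        return "ok: AAAA records cached and IPv6 is routable"
    return "unreachable: no addresses cached"


def live_lookup(host: str) -> dict:
    """Ask the system resolver directly (needs network; not used in tests)."""
    out = {"ipv4": [], "ipv6": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP):
        out["ipv4" if family == socket.AF_INET else "ipv6"].append(sockaddr[0])
    return out


if __name__ == "__main__":
    print(diagnose(HEALTHY))
    print(diagnose(BROKEN))
```

Pipe a real dump in with `dscacheutil -q host -a name www.apple.com | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`; comparing `diagnose()` with `live_lookup()` tells you whether the cache or the resolver is the odd one out.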
I am trying to understand entitlements better. When reading Apple's documentation, my understanding was that sandbox entitlements like com.apple.security.device.camera were useful when the app was sandboxed, by allowing this specific capability.
If that understanding is correct, then I am confused when looking at the entitlements of the app Visual Studio Code:
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
</dict>
Indeed, this app is NOT sandboxed (it does not have the com.apple.security.app-sandbox entitlement), and yet it has these sandbox entitlements that give permission.
Are these entitlements effectively useless in that case? Or is my understanding off?
In addition, if an app has a certain entitlement, does it mean the app can use that capability and it will not prompt the user? Or does the entitlement simply allow the app to prompt the user for permission?
Hi all,
I am trying to strengthen the security of a Mac. I noticed that several applications do not have the sandbox capability, or they use a lot of the sandbox permission-adding entitlements.
For example PyCharm on macOS adds the entitlement com.apple.security.cs.allow-unsigned-executable-memory, which adds a security risk.
Is it a reasonable approach to modify the entitlements of a third-party app to add the com.apple.security.app-sandbox entitlement and remove some permission-adding entitlements in the app? I am planning to modify the entitlements and then re-sign the app (I think the latter step is necessary).
Is that approach reasonable? I see that as a way to sandbox apps that the developer originally did not sandbox.
Thanks!
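The three entitlement questions above (the sandboxed app with network.client set to false, the Visual Studio Code entitlement list, and the PyCharm hardening idea) come down to reading an entitlements plist the way a reviewer does: which keys are App Sandbox keys (they only mean something when com.apple.security.app-sandbox is true), which are hardened-runtime exceptions (each switches a protection off), and which are TCC-gated resource keys (under the hardened runtime the app needs the key to be allowed to ask for the camera or microphone at all; the key never replaces the user's consent prompt). The following is an added example, not code from the posts or from Apple: it parses the plist text produced by `codesign -d --entitlements :- <app>` and classifies the keys. The Visual Studio Code dict is copied from the post; the second sample is constructed from the earlier post's two keys. Key lists are the ones I know from Apple's entitlement documentation; any key outside them is simply reported as unclassified.

```python
"""Classify a macOS entitlements plist (added example, not from the posts).

Input is the XML that `codesign -d --entitlements :- /path/App.app` prints.
"""
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

# Hardened-runtime exceptions: each one disables a runtime protection.
HARDENED_RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "JIT: writable+executable memory via MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory (no W^X)",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables honoured (library injection)",
    "com.apple.security.cs.disable-library-validation": "may load libraries signed by other teams",
    "com.apple.security.cs.disable-executable-page-protection": "executable page protection off",
    "com.apple.security.cs.debugger": "may attach a debugger to other processes",
}

# Resource-access keys gated by TCC. The key lets a hardened-runtime app
# request the resource; the user is still prompted and can refuse.
TCC_GATED = {
    "com.apple.security.device.camera": "Camera",
    "com.apple.security.device.audio-input": "Microphone",
    "com.apple.security.automation.apple-events": "Automation (Apple Events)",
    "com.apple.security.personal-information.addressbook": "Contacts",
    "com.apple.security.personal-information.calendars": "Calendars",
    "com.apple.security.personal-information.location": "Location",
    "com.apple.security.personal-information.photos-library": "Photos",
}

# Keys that only extend the App Sandbox; without app-sandbox they do nothing.
SANDBOX_ONLY_PREFIXES = (
    "com.apple.security.network.",
    "com.apple.security.files.",
    "com.apple.security.temporary-exception.",
    "com.apple.security.device.usb",
    "com.apple.security.device.bluetooth",
    "com.apple.security.print",
)


def audit_entitlements(plist_bytes: bytes) -> dict:
    ents = plistlib.loads(plist_bytes)
    sandboxed = ents.get(SANDBOX_KEY) is True
    enabled = {k for k, v in ents.items() if v is True}
    report = {
        "sandboxed": sandboxed,
        "hardened_runtime_exceptions": sorted(enabled & set(HARDENED_RUNTIME_EXCEPTIONS)),
        "tcc_gated": sorted(enabled & set(TCC_GATED)),
        # Sandbox-only keys present on an unsandboxed app are dead weight.
        "sandbox_keys_without_sandbox": sorted(
            k for k in ents if not sandboxed and k.startswith(SANDBOX_ONLY_PREFIXES)),
        # A sandboxed process without network.client cannot open outbound connections.
        "outbound_network_blocked": sandboxed
        and ents.get("com.apple.security.network.client") is not True,
        "unclassified": sorted(
            k for k in ents
            if k != SANDBOX_KEY and k not in HARDENED_RUNTIME_EXCEPTIONS
            and k not in TCC_GATED and not k.startswith(SANDBOX_ONLY_PREFIXES)),
    }
    return report


# Copied from the post above (Visual Studio Code), wrapped in a plist header.
VSCODE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.automation.apple-events</key><true/>
</dict>
</plist>
"""

# Constructed sample: sandboxed app that explicitly opts out of outbound network.
SANDBOXED_NO_NETWORK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in (("vscode", VSCODE_ENTITLEMENTS), ("sandboxed", SANDBOXED_NO_NETWORK)):
        print(name, audit_entitlements(blob))
```

Run it on a real bundle with `codesign -d --entitlements :- /Applications/Foo.app > foo.plist` and `audit_entitlements(open("foo.plist", "rb").read())`. For the PyCharm idea, note that re-signing replaces the developer's signature with yours, so Gatekeeper and any designated-requirement checks now evaluate your identity, not theirs.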
When an app is running on a Mac, it can add a helper app to its bundle, in the Contents/Library/LoginItems.
This app can launch this helper app by running SMLoginItemSetEnabled.
This helper app is then always opened by macOS after restarts.
What bothers me is that there is no visibility on all these apps. They do not appear in any of the LaunchDaemons/LaunchAgents directories, nor in the System Preferences/Users/LoginItem list.
So I have a few questions :
Are strictly all apps started in such a way XPC services?
How can I list all such helper apps? Running "launchctl list" seems to list all processes, not simply all such processes, in spite of the help description "Lists information about services". This description therefore appears incorrect to me; am I missing something?
How can I prevent these apps from being launched at login/startup? Is "launchctl unload" the right way to go about it?
Thanks
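Since SMLoginItemSetEnabled helpers are not listed under LaunchAgents or LaunchDaemons, the practical way to inventory them is to walk application bundles for `Contents/Library/LoginItems/*.app` and read each helper's CFBundleIdentifier, which is also the label launchd registers it under. The script below is an added example, not from the post; it scans the given roots (defaulting to /Applications and ~/Applications) and, for the test, builds a constructed bundle tree in a temporary directory so it runs anywhere.

```python
"""Inventory SMLoginItem helper apps (added example, not from the post)."""
import os
import plistlib
import tempfile
from pathlib import Path

LOGIN_ITEMS_SUBDIR = Path("Contents") / "Library" / "LoginItems"
DEFAULT_ROOTS = ("/Applications", os.path.expanduser("~/Applications"))


def bundle_identifier(app: Path):
    """CFBundleIdentifier from a bundle's Info.plist, or None if absent."""
    info = app / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with open(info, "rb") as f:
        return plistlib.load(f).get("CFBundleIdentifier")


def find_login_item_helpers(search_roots):
    """Return one dict per helper found under Contents/Library/LoginItems.

    The helper's bundle identifier is the launchd label ServiceManagement
    registers for it, so it is the name to look for in `launchctl print`.
    """
    found = []
    for root in search_roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for app in sorted(root.rglob("*.app")):
            login_dir = app / LOGIN_ITEMS_SUBDIR
            if not login_dir.is_dir():
                continue
            for helper in sorted(login_dir.glob("*.app")):
                found.append({
                    "parent_app": str(app),
                    "parent_id": bundle_identifier(app),
                    "helper": helper.name,
                    "helper_id": bundle_identifier(helper),
                })
    return found


def _write_info_plist(app: Path, bundle_id: str):
    (app / "Contents").mkdir(parents=True, exist_ok=True)
    with open(app / "Contents" / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleIdentifier": bundle_id}, f)


def build_sample_tree(base: Path) -> Path:
    """Constructed sample (hypothetical bundles, not a real install):
    Funky.app ships a login-item helper, Plain.app does not."""
    funky = base / "Applications" / "Funky.app"
    _write_info_plist(funky, "com.example.funky")
    _write_info_plist(funky / LOGIN_ITEMS_SUBDIR / "FunkyHelper.app", "com.example.funky.helper")
    _write_info_plist(base / "Applications" / "Plain.app", "com.example.plain")
    return base / "Applications"


def demo():
    """Scan the constructed sample tree and return what was found."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_login_item_helpers([build_sample_tree(Path(tmp))])


if __name__ == "__main__":
    for h in find_login_item_helpers(DEFAULT_ROOTS):
        print(f'{h["helper_id"]}  <-  {h["parent_app"]}')
```

With a helper identifier in hand, `launchctl print gui/$(id -u)/<helper bundle id>` shows whether launchd currently has it registered. On macOS 13 and later these helpers are also surfaced in System Settings > General > Login Items under "Allow in the Background", where they can be switched off.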
I need to embed a shell command inside an app.
The way I am currently solving this is by using Automator.app.
It runs well enough, except that it feels wrong security-wise because the resulting app has no hardened runtime and no sandbox.
I tried to emulate what Automator.app does directly in Xcode, by selecting the project template "Command Line Tool". However, as soon as I enable the app sandbox, it crashes. I can still get the hardened runtime though.
So a few quick questions:
Is the sandbox only there to protect against the app itself (in which case I should not worry, because I trust my own code), or, similarly to the hardened runtime, does it also protect against attacks on the app?
I tried using the template "App". That obviously allows sandboxing, but that is not what I want because there is a GUI.
Any thoughts on the best way to solve my original goal?
Thanks!
Hello,
We use XCTest to run tests on our macOS apps.
It is good, but it prevents the use of the Mac in the meantime, since it actually moves the mouse and performs clicks, rather than simulating them.
Is there a way to send mouse movements and clicks to the app, rather than actually moving the mouse?
Can I run the tests inside a macOS simulator?
How does XCTest work under the hood? I can see the testing framework has access to a very detailed view of what's inside the macOS app, even though we have not done anything special. Is it using something like AppleScript under the hood?
How can I exchange information easily and securely between 2 apps on macOS?
One of the apps will infrequently request a small amount of data from the other one.
Here are the options that I can see:
DistributedNotificationCenter: very easy to implement. However, the notifications are broadcast to any app that wants to listen to them, and Apple's documentation clearly states that it's not secure. I would ideally like a mechanism that is as simple as this, but with secure communication between the 2 apps.
Apple Events. I am not sure how to make an app respond to Apple events. And I think it would be the same problem: any other app could talk to these 2 apps and get information from them. I ideally want this to be more secure.
XPC: this seems overly complex for what I want to do, as my understanding is that this essentially involves creating a third process that will regulate communication.
Implementing IPC via sockets. It seems reasonable I think, as I can probably secure the communication better. However it feels over-engineered to set up sockets that always listen for incoming connections, etc.
Am I missing a simple mechanism on macOS that could help me in that use case?
Or am I looking at things incorrectly for one of these options?
Thanks!
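Of the four options listed, the socket route is less work to secure than it looks, because the kernel tells a Unix-domain server who connected: on macOS `getsockopt(SOL_LOCAL, LOCAL_PEERCRED)` returns the peer's uid in a struct xucred, on Linux `SO_PEERCRED` returns a struct ucred, and neither can be forged by the client. Putting the socket file in a fresh mode 0700 directory adds a second, filesystem-level gate. The block below is an added example, not from the post; it is a complete request/reply exchange with length-prefixed messages, a same-uid check on every accepted connection, and a `demo()` that runs server and client in one process. The macOS branch carries the xucred layout from <sys/ucred.h> and the Linux branch is the one exercised when this runs on Linux; the request handler (`b"pong:" + request`) is a placeholder for whatever short data your second app needs to hand back. Note that a uid check proves the peer is the same user, not that it is your other app; if you need the latter on macOS, that is the code-signature check (SecCodeCopyGuestWithAttributes on the peer's audit token) that XPC gives you a hook for.

```python
"""Same-user authenticated IPC over a Unix-domain socket.

Added example, not from the post. Works on Linux (SO_PEERCRED) and macOS
(LOCAL_PEERCRED); `demo()` is self-contained and needs no network.
"""
import os
import socket
import struct
import sys
import tempfile
import threading

MAX_MSG = 64 * 1024  # refuse anything larger: cheap protection against memory abuse


def peer_uid(conn: socket.socket) -> int:
    """Effective uid of the process at the other end, as asserted by the kernel."""
    if sys.platform == "darwin":
        # macOS: struct xucred { u_int cr_version; uid_t cr_uid;
        #                       short cr_ngroups; gid_t cr_groups[16]; }
        # SOL_LOCAL == 0, LOCAL_PEERCRED == 0x0001 (from <sys/un.h>).
        fmt = "@IIh16I"
        raw = conn.getsockopt(0, 0x0001, struct.calcsize(fmt))
        return struct.unpack(fmt, raw)[1]
    # Linux: struct ucred { pid_t pid; uid_t uid; gid_t gid; }
    fmt = "@iII"
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)[1]


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def send_msg(conn: socket.socket, data: bytes) -> None:
    """4-byte big-endian length prefix, then the payload."""
    conn.sendall(struct.pack("!I", len(data)) + data)


def recv_msg(conn: socket.socket) -> bytes:
    (n,) = struct.unpack("!I", _recv_exact(conn, 4))
    if n > MAX_MSG:
        raise ValueError("message too large")
    return _recv_exact(conn, n)


def make_socket_path() -> str:
    """Socket inside a fresh 0700 directory: only this user (and root) can reach it."""
    return os.path.join(tempfile.mkdtemp(prefix="ipc-"), "sock")


def serve(path: str, handler, ready: threading.Event, stop_after: int = 1) -> None:
    """Accept connections, drop any from another uid, answer the rest."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)
    srv.listen(1)
    ready.set()
    answered = 0
    while answered < stop_after:
        conn, _ = srv.accept()
        with conn:
            if peer_uid(conn) != os.geteuid():
                continue  # not our user: close without reading a byte
            try:
                reply = handler(recv_msg(conn))
            except (ConnectionError, ValueError):
                continue
            send_msg(conn, reply)
        answered += 1
    srv.close()


def request(path: str, payload: bytes, timeout: float = 5.0) -> bytes:
    """Client side: connect, send one message, return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(timeout)
        c.connect(path)
        send_msg(c, payload)
        return recv_msg(c)


def demo() -> bytes:
    """Run one server in a thread and one client request against it."""
    path = make_socket_path()
    ready = threading.Event()
    t = threading.Thread(target=serve, args=(path, lambda req: b"pong:" + req, ready), daemon=True)
    t.start()
    ready.wait(5)
    reply = request(path, b"ping")
    t.join(5)
    return reply


if __name__ == "__main__":
    print(demo())
```

For a long-lived "server" app, `serve` would loop forever and the socket path would live somewhere both apps can agree on (the user's container or a per-user temporary directory); nothing else about the exchange changes.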
I have an app that runs on macOS Monterey.
For various reasons, I have to externally add a sandbox entitlement (externally, as in using codesign, rather than rebuilding it)
After adding the sandbox entitlement, and re-signing appropriately, the app crashes on launch with the following error:
ERROR:process_singleton_posix.cc(1186)] Failed to bind() /var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket
So I assumed I needed to give access to this file.
So I added the following entitlements to the app, via codesign:

<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<array>
<string>/var</string>
<string>/var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket</string>
</array>

and also

<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
Unfortunately, it still crashes on load, with the same error.
Does anyone know why that is? From my perspective, I gave the appropriate entitlements to bind a socket at that path, what am I missing?
Thanks!