Mac Privacy: Sandboxed Mac apps can record your screen at any time without you knowing
Facts
Any Mac app, sandboxed or not sandboxed can:
- Take screenshots of your Mac silently without you knowning
- Access every pixel, even if the Mac app is in the background
- Use basic OCR software to read the text on the screen
- Access all connected monitors
What’s the worst that could happen?
- Read password and keys from password managers
- Detect what web services you use (e.g. email provider)
- Read all emails and messages you open on your Mac
- When a developer is targeted, this allows the attacker to potentially access sensitive source code, API keys or similar data
- Learn personal information about the user, like their bank details, salary, address, etc.
Disclaimer
This project is a proof of concept and should not be used in production. The goal is to highlight a privacy loophole that can be abused by Mac apps.
How can I protect myself as a user?
To my knowledge there is no way to protect yourself as of now.
Proposal
There are lots of valid use-cases for Mac apps to record the screen, e.g. 1Password 2fA support or screen recording software, however there must be some kind of control.
- The App Store review process could verify the Sandbox entitlements for accessing the screen
- Put the user in charge with a permission dialog
- Additionally the user should be notified whenever an app accesses the screen.
Of course, I also filed a radar (rdar://37423927) to notify Apple about this issue.
How does it work?
A developer just needs to use CGWindowListCreateImage to generate a capture of the complete screen within an instant:
CGImageRef screenshot = CGWindowListCreateImage(
CGRectInfinite,
kCGWindowListOptionOnScreenOnly,
kCGNullWindowID,
kCGWindowImageDefault);
NSBitmapImageRep *bitmapRep = [[NSBitmapImageRep alloc] initWithCGImage:screenshot];
In my experiments, I piped the generated image over to a OCR library and was able to get all text that was rendered on the user’s machine.
Unless otherwise mentioned in the post, those projects are side projects which I work on on weekends and evenings, and are not affiliated with my work or employer.
Tags: mac, screenshot, privacy | Fork on GitHub