Any Mac app – sandboxed or not – can:
- Take screenshots of your Mac without you knowing.
- Use basic OCR software to read the text on the screen.
- Have access to all connected monitors.
- Access every single pixel, even if the Mac app is running in the background.
What could happen?
- When a developer is targeted, this allows the attacker to potentially access sensitive source code, such as API keys or similar data.
- Learn personal information about the user, such as their bank details or addresses, etc.
- Read passwords & keys from password managers.
- Detect what internet services you use.
- Read all emails you open on your Macintosh.
There are lots of valid use cases for Mac apps to record the screen, e.g. 1Password 2FA support, screen recording software or simple screen sharing via a browser. However, there must be some kind of control here:
- The App Store review process could verify the sandbox entitlements for access.
- Put the user in charge using a permission dialog.
- Further, the user should be notified whenever an application accesses the screen.
How does this work?
A developer only needs to call CGWindowListCreateImage to capture the whole screen in an instant:

    #import <Cocoa/Cocoa.h>

    // One call captures every on-screen window, across all connected displays
    CGImageRef screenshot = CGWindowListCreateImage(CGRectInfinite,
                                                    kCGWindowListOptionOnScreenOnly,
                                                    kCGNullWindowID,
                                                    kCGWindowImageDefault);
    NSBitmapImageRep *bitmapRep = [[NSBitmapImageRep alloc] initWithCGImage:screenshot];
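Since this post was written, macOS 10.15 added the permission dialog asked for above (System Preferences > Security & Privacy > Privacy > Screen Recording). As an added example that is not from the original post, this is how an app should gate the same capture behind that check; it assumes a macOS 10.15+ SDK, where CGPreflightScreenCaptureAccess and CGRequestScreenCaptureAccess are provided by CoreGraphics.

```objective-c
#import <Cocoa/Cocoa.h>
#import <CoreGraphics/CoreGraphics.h>

// Returns a capture of the screen, or NULL when the user has not granted
// Screen Recording access. Without the grant, macOS still returns an image,
// but other apps' window contents are left out of it, so the preflight call
// is the reliable signal, not the return value of CGWindowListCreateImage.
static CGImageRef CopyScreenIfPermitted(void) {
    if (@available(macOS 10.15, *)) {
        if (!CGPreflightScreenCaptureAccess()) {
            // Triggers the system prompt the first time and adds the app to the
            // Screen Recording list; afterwards it only reports the current state,
            // the user has to enable the app in the privacy settings themselves.
            if (!CGRequestScreenCaptureAccess()) {
                NSLog(@"Screen Recording permission not granted; not capturing.");
                return NULL;
            }
        }
    }
    // Same call as above, now only reached with the user's consent
    return CGWindowListCreateImage(CGRectInfinite,
                                   kCGWindowListOptionOnScreenOnly,
                                   kCGNullWindowID,
                                   kCGWindowImageDefault);
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        CGImageRef screenshot = CopyScreenIfPermitted();
        if (screenshot == NULL) {
            return 1;
        }
        NSBitmapImageRep *rep = [[NSBitmapImageRep alloc] initWithCGImage:screenshot];
        NSLog(@"captured %ldx%ld pixels", (long)rep.pixelsWide, (long)rep.pixelsHigh);
        CGImageRelease(screenshot);
    }
    return 0;
}
```

The user can revoke the grant at any time in the same preference pane, and a preflight that previously passed will then return false, so apps should run the check before each capture session rather than caching the result.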