Wednesday, September 21, 2016

Dropbox Modifies TCC.db to Give Itself Accessibility Access

Phil Stokes (via John Gruber):

If you have Dropbox installed, take a look at System Preferences > Security & Privacy > Accessibility tab (see screenshot above). Notice something? Ever wondered how it got in there? Do you think you might have put that in there yourself after Dropbox asked you for permission to control the computer?

No, I can assure you that your memory isn’t faulty. You don’t remember doing that because Dropbox never presented this dialog to you, as it should have[…]

[…]

Indeed, even with your admin password, it still shouldn’t be able to get into Accessibility. Clearly Dropbox’s coders have been doing some OS X hacking on company time.

Duncan Davidson:

Furthermore, it doesn’t look like they are storing a copy of your password, as some reports have said—and which would be really, really bad. No, they’ve simply been installing things in a way that let’s them retain root privileges so that they don’t have to bug you again when they want to change things up later.

Rosyna Keller:

Dropbox could have saved a lot of pain had they just made a first-run dialog that asks if they want to enable certain features…

Phil Stokes (Hacker News, MacRumors):

After a little digging around in Apple’s vast documentation, it occurred to me to check the authorization database and see if that had been tampered with.

[…]

The string output for dbfseventsd binary didn’t reveal anything much interesting, but with the deliciously named dbaccessperm file, we finally hit gold and the exact proof I was looking for that Dropbox was using a sql attack on the tcc database to circumvent Apple’s authorization policy[…]

[…]

The upshot for me was that I learned a few things about how security and authorisation work on the mac that I didn’t know before investigating what Dropbox was up to. But most of all, I learned that I don’t trust Dropbox at all. Unnecessary privileges and backdooring are what I call untrustworthy behaviour and a clear breach of user trust.

Dropbox:

This is an Apple system dialogue box, not a dialogue from Dropbox. Mac OS X requires password authentication for changes to certain permissions, and this dialogue box is a standard way for a Mac OS X app to ask for your permission.

[…]

Yes, you can choose to click Cancel rather than approving these additional permissions. However, this means that the Dropbox features listed above will not function on your computer. If you don’t give your approval, you will be asked to enter your username and password again the next time you start or restart Dropbox.

[…]

Dropbox uses Apple Mac OS X Accessibility permissions to function properly. Specifically, we use Accessibility APIs for the Dropbox badge (part of Microsoft Office integrations).

[…]

You cannot currently disable Accessibility access for the Dropbox Mac OS X desktop app. We realize this isn’t a great experience, and we’re actively working to make this better.

Phil Stokes (MacRumors):

With the release of the latest version of the Mac operating system, 10.12 macOS Sierra, it’s pleasing to see that Apple have fixed a bug I reported against El Capitan in October of last year, and wrote about on this blog here and here.

The TCC.db is now under SIP, which means hacking the Accessibility preferences is no longer possible.

Surreptitiously modifying the permissions database is a violation of user trust. It seems to be well-intentioned, but I’m surprised that Dropbox would go to such lengths in order to ease the setup of a feature that probably few of its customers use. I do sympathize, however, as a developer who has had to guide customers through the confusing process of manually granting accessibility permissions.

8 Comments RSS · Twitter

If anything is going to be under SIP, it makes sense that TCC.db is. It's unfortunate though, since I write to TCC.db as part of my development workflow. I need to test features that require accessibility access, and it's much faster for me to programmatically grant access than go through the accessibility system pref every time I do a build.

@Michael Yeah, I think SIP makes sense here, but more work is needed. For example, what is the user to do if the database gets messed up? It’s no longer easy to delete it and have the system create a new one. The tccutil command does not seem to have been enhanced to handle this.

Rosyna Keller notes that, although not documented, there are a variety of TCC services that can be reset with tccutil, including “All”.

[…] Previously: Dropbox Modifies TCC.db to Give Itself Accessibility Access. […]

[…] 2: Dropbox ändert TCC.db, dokumentiert mjtsai.com. macOS Sierra schließt diese […]

I've used that same hack before. I didn't used to do it that way (modify TCC.db), but a few releases ago, Apple *really* messed up the UX for requesting accessibility access. It used to be a dialog that a user could either accept/deny the change, but then they changed it so it would just drop the user in the accessibility pane in system preferences and they'd have to find the app/enable it themselves. I'm not sure if they've improved that UX in Sierra, but I really hope they have.

[…] Previously: Dropbox Modifies TCC.db to Give Itself Accessibility Access. […]

[…] some of its recent behavior has been troubling. I just want a basic folder that syncs and doesn’t peg my […]

Leave a Comment