Below is an off-site archive of all tweets ever posted by @mjtsai.

November 6th, 2019

@lapcatsoftware @rosyna The contacts service isn’t getting compromised. GitFinder has separate services for Git, Ke… twitter.com/i/web/status/1…

via Tweetbot for Mac in reply to lapcatsoftware

@lapcatsoftware @rosyna My point is that requiring the app entitlement makes the app less secure than if access wer… twitter.com/i/web/status/1…

via Tweetbot for Mac in reply to lapcatsoftware

@rosyna Yes, my point is I don’t see why the TCC ones are treated differently than network and file access.

via Tweetbot for Mac in reply to rosyna

@rosyna What I mean is that if the user has allowed app B to control app A and allowed app C to control app B, then… twitter.com/i/web/status/1…

via Tweetbot for Mac in reply to rosyna

@rosyna I still conclude from this that: 1. This sort of transitive declaration is completely at odds with privileg… twitter.com/i/web/status/1…

via Tweetbot for Mac in reply to rosyna

@rosyna I’m assuming this doesn’t protect against the AppleScript thing.

via Tweetbot for Mac in reply to rosyna

@rosyna “Never asked for”? Are you thinking of a model where an app embeds a service written by someone else and th… twitter.com/i/web/status/1…

via Tweetbot for Mac in reply to rosyna

@rosyna I mean that the same logic would apply to other entitlements, like network stuff. I’ve isolated network acc… twitter.com/i/web/status/1…

via Tweetbot for Mac in reply to rosyna

@rosyna I thought XPC was supposed to help here. Without the entitlement, GitFinder can only do contacts operations… twitter.com/i/web/status/1…

via Tweetbot for Mac in reply to rosyna

@rosyna But, going with this logic for the moment, why wouldn’t this also apply to other entitlements?

via Tweetbot for Mac in reply to rosyna

@rosyna Whereas if GitFinder has the entitlement and gets compromised, we have the same problem…

via Tweetbot for Mac in reply to rosyna

@rosyna 3. I thought apps weren’t supposed to be able to invoke other apps’ XPC services.

via Tweetbot for Mac in reply to mjtsai

@rosyna This doesn't make sense to me. 1. Isn’t the com.apple.security.personal-information.addressbook entitl… twitter.com/i/web/status/1…

via Tweetbot for Mac in reply to rosyna

Siri Stores Encrypted E-mails in Plain Text: mjtsai.com/blog/2019/11/0…

via IFTTT

Archive Team’s Yahoo Groups Rescue Effort: mjtsai.com/blog/2019/11/0…

via IFTTT

Don’t Interrupt the Installation: mjtsai.com/blog/2019/11/0…

via IFTTT

Hardened XPC Services Don’t Prompt: mjtsai.com/blog/2019/11/0…

via IFTTT

Catalina No Longer Caches Shared Photos Locally: mjtsai.com/blog/2019/11/0…

via IFTTT

Posts updated today:

Perfectly Cropped
mjtsai.com/blog/2019/10/2…

WebView and UIWebView Deprecated in Favor of WKWe… twitter.com/i/web/status/1…

via Tweetbot for Mac