question about security for CoreGraphics event taps

Discussion in 'Mac Programming' started by paddym, Sep 9, 2008.

  1. macrumors newbie

    Joined:
    Sep 9, 2008
    #1
    I was playing around with keyboard mappings and I stumbled upon some behavior that I didn't understand. I wrote it up on my blog at http://paddymullen.com/?p=46 . I'm curious to understand the reasoning behind the API decisions made by Apple.
     
  2. macrumors G5

    gnasher729

    Joined:
    Nov 25, 2005
    #2
    The system doesn't allow you to find out which keys are pressed when a password dialog is opened, because that would be a clear security violation (you would be able to detect the user's passwords and do all kinds of horrible things). And the user wouldn't notice, because there is no visible sign that you are reading these keys.

    The system allows you to produce keys when a modifier key is pressed; this can interfere with the operation of the computer, but is no security risk. The user notices it; if it interferes with the operation of the computer, he or she will remove your software. So we would have to assume that this "insert key" behaviour is something that the user wanted, and if he wanted this behaviour in normal text entry, it seems reasonable that he wants it while entering a password as well.
     
  3. macrumors 68040

    iSee

    Joined:
    Oct 25, 2004
    #3
    I can only speculate on Apple's motives but...

    I'd guess that kCGEventKeyUp/Down are protected while CGEventFlagsChanged is not because it didn't seem likely that a snooping program could derive any important information from watching only modifier keys.

    Watching/logging general keystrokes, on the other hand, could yield all kinds of good stuff.
     
  4. macrumors 6502a

    Sayer

    Joined:
    Jan 4, 2002
    Location:
    Austin, TX
    #4
    IIRC password text fields get very special treatment down to the kernel level in later Mac OS X.

    You cannot intercept key events entered into a password text field if your app is not the owner of the password text field.

    Nice try tho.
     
