Why Do Some Mac Apps Need to “Control This Computer Using Accessibility Features?”
Some apps, like Dropbox and Steam, will ask to “control this computer using accessibility features.” But what the heck does that even mean?
The wording is confusing, to say the least. What does this permission actually grant? Basically, this gives the app in question the ability to control other programs. Apple outlines their advice here:
If you’re familiar with an app, you can authorize it by clicking Open System Preferences in the alert, then selecting the checkbox for the app in the Privacy pane. If you’re unfamiliar with an app or you don’t want to give it access to your Mac at that time, click Deny in the alert.
But that just leaves more questions. Why do you have to give this permission at all? What does giving this permission mean—will such applications really “control this computer”? And why is this called “Accessibility” access, instead of just system access? Let’s break this down.
Why Do I Have to Do This?
The process of enabling Accessibility Settings is a bit convoluted. You need to open System Preferences, then head to Security & Privacy > Privacy > Accessibility. From there you need to click the lock icon in the bottom-left corner, enter your password, and only then can you grant your application access.
So why do you have to do this? The answer, in short, is to protect your security.
By default, Mac apps are self-contained, and can’t change the way you interact with the system or other applications. This is a very good thing. It prevents sketchy things from happening, like games you’ve downloaded logging your keystrokes or malware clicking buttons in your browser.
But some applications need to control other applications to offer particular features. Steam, for example, likes to offer an overlay on top of games; it needs accessibility access to do that. Dropbox likes to overlay a badge over Microsoft Office applications; it needs accessibility access to do that.
Other applications depend on Accessibility access to fulfill their basic premise. Bartender, for example, can re-arrange and remove your Mac menu bar items, but it needs accessibility access to do that. BetterTouchTool can unlock powerful gesture controls in macOS, but it needs accessibility access as well.
You wouldn’t want to live in a world where any application can do these things, without even asking you for permission. Granting accessibility access, though, allows programs you trust to control other applications and your system.
Why Is This Called “Accessibility” Access?
None of our examples so far, you may have noticed, have much of anything to do with “accessibility,” as the term is often used. So why does the feature have this name?
In part, it uses this name because multiple accessibility applications need access to these features in order to function. For example: applications that allow people to control their Mac using only voice commands need accessibility access in order to take control of other applications. Text-to-speech applications need this permission in order to read the text in other applications. Applications that send text to braille readers need this permission in order to function.
For people with disabilities, these applications are all vital to using a Mac. It just so happens that the permissions needed by such programs are also needed by non-accessibility applications like Steam and Dropbox.
Can’t Applications Skip These Steps?
You might be wondering: why don’t applications just skip the unnecessary step of sending users into the System Preferences, and just add themselves to the list while you’re installing?
Well, that’d be a huge security risk. If Dropbox can add itself to the Accessibility access list without asking you, so can any Mac malware that wants to take control of the system. Requiring you to open System Preferences, enter your password, and check the app ensures that access is only granted if that’s what you actually want.
Speaking of Dropbox: they worked around this requirement for a little while, by exploiting an undocumented vulnerability to add themselves to the list. No, seriously: Dropbox briefly acted like malware.
Dropbox claimed there was nothing wrong with all this; security experts disagreed. So did Apple, who eventually patched the loophole Dropbox was using to add themselves to this list.
These days, Dropbox behaves itself, and asks for permission. So should most apps. But there’s always a chance that some program, or even malware, has weaseled its way back in, so be sure to check your Accessibility access list from time to time, removing things you don’t recognize.
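The periodic review recommended above can also be scripted. The following Python is an added example, not part of the original article; it assumes macOS keeps these grants in the TCC SQLite database at the path shown, under the service name kTCCServiceAccessibility, and every bundle identifier in it is constructed.

```python
import sqlite3
import sys
from pathlib import Path

# Assumptions from outside the article: macOS stores these grants in a SQLite
# database at this path (system-wide copy), under this service name. Reading
# the live file needs root or a terminal that has Full Disk Access.
TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
SERVICE = "kTCCServiceAccessibility"

def accessibility_grants(conn):
    """Return [(client, granted)] for every Accessibility row, sorted by client."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:    # newer schema: 2 means allowed
        granted = "auth_value = 2"
    elif "allowed" in cols:     # older schema: 1 means allowed
        granted = "allowed = 1"
    else:
        raise RuntimeError("unrecognised TCC schema")
    rows = conn.execute(
        f"SELECT client, {granted} FROM access WHERE service = ? ORDER BY client",
        (SERVICE,))
    return [(client, bool(flag)) for client, flag in rows]

def unexpected(grants, known):
    """Clients that hold the permission but are not on the reviewer's list."""
    return [client for client, flag in grants if flag and client not in known]

def constructed_db():
    """In-memory database with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        (SERVICE, "com.example.sync-client", 2),
        (SERVICE, "com.example.unknown-helper", 2),
        (SERVICE, "com.example.game-overlay", 0),     # listed, box unchecked
        ("kTCCServiceCamera", "com.example.cam", 2),  # different permission
    ])
    return conn

if __name__ == "__main__":
    live = "--live" in sys.argv  # hypothetical flag: read the real database
    conn = (sqlite3.connect(Path(TCC_DB).as_uri() + "?mode=ro", uri=True)
            if live else constructed_db())
    grants = accessibility_grants(conn)
    for client, flag in grants:
        print("granted" if flag else "off    ", client)
    print("review:", unexpected(grants, {"com.example.sync-client"}))
```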