Hacktricks-skills macos-entitlements-analyzer
Analyze macOS application entitlements for security implications, privilege escalation paths, and dangerous permissions. Use this skill whenever the user needs to audit macOS binaries for entitlements, assess security risks of entitlements, understand what specific entitlements allow, or identify privilege escalation opportunities through entitlement abuse. Trigger on any mention of macOS entitlements, code signing, TCC permissions, SIP bypass, or binary security analysis.
```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

Skill file: `skills/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements/SKILL.MD`

# macOS Entitlements Analyzer
A skill for analyzing macOS application entitlements and their security implications.
## When to Use This Skill
Use this skill when:
- Analyzing macOS binaries for dangerous entitlements
- Assessing security risks of code-signed applications
- Investigating privilege escalation paths through entitlements
- Understanding what specific entitlements allow an application to do
- Auditing applications for TCC (Transparency, Consent, and Control) database access
- Checking for SIP (System Integrity Protection) bypass capabilities
- Reviewing entitlements in the context of macOS security research
## Quick Reference: Entitlement Severity

### 🔴 High Severity (Critical Security Impact)

| Entitlement | Impact |
|---|---|
| | Bypass SIP |
| | Bypass SIP |
| | Get task port for any process (except kernel) |
| | Allow code injection via debugger |
| | Call task_for_pid() on apps with get-task-allow |
| | Load unsigned frameworks/libraries |
| | Disable library validation via csops |
| | Use DYLD injection variables |
| | Modify TCC database |
| | Install software without user permission |
| | Load kernel extensions |
| | Access iCloud tokens |
| | Full Disk Access |
| | Automate/abuse other applications |
| | Control UI, approve dialogs |

### 🟡 Medium Severity (Significant Security Impact)

| Entitlement | Impact |
|---|---|
| | Create writable+executable memory |
| | Patch C code, use deprecated APIs |
| | Modify own executable on disk |
| | Mount nullfs filesystem |
| | Request all TCC permissions |
## How to Extract Entitlements

### From a Code-Signed Binary

```bash
# Extract entitlements from a binary
codesign -d --entitlements :- /path/to/binary > entitlements.xml

# Or for an app bundle
codesign -d --entitlements :- /path/to/App.app/Contents/MacOS/Executable > entitlements.xml
```

### Parse Entitlements Programmatically

Use the `extract_entitlements.sh` script (see `scripts/`) to:
- Extract entitlements from a binary
- Check against known dangerous entitlements
- Generate a risk assessment
## Analysis Workflow

### Step 1: Extract Entitlements

```bash
# Run the extraction script
./scripts/extract_entitlements.sh /path/to/binary
```

### Step 2: Review High-Risk Entitlements

Check for these critical entitlements first:
- SIP Bypass: `com.apple.rootless.install*`
- Process Injection: `com.apple.system-task-ports`, `com.apple.security.get-task-allow`
- TCC Manipulation: `com.apple.private.tcc.manager`, `kTCCService*`
- Library Loading: `com.apple.security.cs.disable-library-validation`
- Full Disk Access: `kTCCServiceSystemPolicyAllFiles`
### Step 3: Assess Privilege Escalation Paths

| Entitlement | Escalation Path |
|---|---|
| | Install malicious software silently |
| | Load malicious kernel extension |
| | Bypass TCC by changing home directory |
| | Abuse other apps' permissions |
| | Approve security dialogs programmatically |

### Step 4: Check for Combined Risks

Some entitlement combinations are especially dangerous:
- `com.apple.security.get-task-allow` + `com.apple.security.cs.debugger`: Full code injection capability
- `kTCCServiceAppleEvents` + `kTCCServiceAccessibility`: Complete UI automation and app control
- `com.apple.security.cs.allow-dyld-environment-variables` + `com.apple.security.cs.disable-library-validation`: Multiple code injection vectors
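The workflow in Steps 1 to 4 (extract, flag high and medium entitlements, check the dangerous pairs) as one added Python example; this is not the skill's own `scripts/extract_entitlements.sh`. It assumes `codesign` emits an XML plist on stdout, that TCC grants appear as `kTCCService*` strings inside an entitlement array such as `com.apple.private.tcc.allow` (a key this page does not list), and the short impact labels paired with each name are mine.

```python
import fnmatch, plistlib, subprocess

# Severity tables from this skill page (impact text shortened; pairing names to impacts is mine).
HIGH = {
    "com.apple.rootless.install*": "Bypass SIP",
    "com.apple.system-task-ports": "Get task port for any process",
    "com.apple.security.get-task-allow": "Allows code injection",
    "com.apple.security.cs.debugger": "task_for_pid() on get-task-allow apps",
    "com.apple.security.cs.disable-library-validation": "Load unsigned libraries",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD injection variables",
    "com.apple.private.tcc.manager": "Modify TCC database",
    "com.apple.rootless.storage.TCC": "Modify TCC database",
    "com.apple.private.icloud-account-access": "Access iCloud tokens",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAppleEvents": "Automate other applications",
    "kTCCServiceAccessibility": "Can control UI and approve dialogs",
}
MEDIUM = {"com.apple.security.cs.allow-jit": "Writable+executable memory"}
COMBOS = [  # Step 4: pairs that are especially dangerous together
    ({"com.apple.security.get-task-allow", "com.apple.security.cs.debugger"}, "Full code injection capability"),
    ({"kTCCServiceAppleEvents", "kTCCServiceAccessibility"}, "Complete UI automation and app control"),
    ({"com.apple.security.cs.allow-dyld-environment-variables",
      "com.apple.security.cs.disable-library-validation"}, "Multiple code injection vectors"),
]
def granted(plist):
    """Names a plist grants: truthy top-level keys, plus kTCCService* strings inside
    arrays (assumed layout, e.g. under com.apple.private.tcc.allow)."""
    names = set()
    for key, val in plist.items():
        if val:
            names.add(key)
        if isinstance(val, list):
            names.update(v for v in val if isinstance(v, str) and v.startswith("kTCCService"))
    return names
def assess(plist):
    """Flag high/medium entitlements and Step 4 combinations in a parsed plist dict."""
    names = granted(plist)
    high = sorted((n, why) for n in names for pat, why in HIGH.items() if fnmatch.fnmatch(n, pat))
    medium = sorted((n, MEDIUM[n]) for n in names if n in MEDIUM)
    return {"high": high, "medium": medium, "combos": [why for pair, why in COMBOS if pair <= names]}
def assess_binary(path):
    """Run the page's codesign command (macOS only) and triage its XML plist output."""
    xml = subprocess.run(["codesign", "-d", "--entitlements", ":-", path], check=True, capture_output=True).stdout
    return assess(plistlib.loads(xml))
# Constructed sample (not a real app) mirroring the page's example analysis output.
SAMPLE = plistlib.loads(b"""<plist version="1.0"><dict><key>com.apple.security.get-task-allow</key><true/>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.private.tcc.allow</key><array><string>kTCCServiceAccessibility</string></array></dict></plist>""")
```

`assess(SAMPLE)` reproduces the two high and one medium findings of the example output below; `assess_binary("/path/to/binary")` does the same for a signed binary on macOS.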
## Common Use Cases

### Case 1: Auditing a Suspicious Application

```bash
# Extract and analyze
codesign -d --entitlements :- /Applications/SuspiciousApp.app/Contents/MacOS/SuspiciousApp > /tmp/entitlements.xml
./scripts/extract_entitlements.sh /Applications/SuspiciousApp.app/Contents/MacOS/SuspiciousApp
```

### Case 2: Checking for iCloud Token Access

Look for `com.apple.private.icloud-account-access` - this allows communication with the iCloudHelper XPC service to obtain iCloud tokens. Known to be present in iMovie and GarageBand.

### Case 3: TCC Database Manipulation

Check for:
- `com.apple.private.tcc.manager`
- `com.apple.rootless.storage.TCC`
- `kTCCServiceEndpointSecurityClient`

These allow modification of the TCC database, which controls privacy permissions.
## Important Notes

### Apple-Only Entitlements

Entitlements starting with `com.apple` are typically reserved for Apple. However:
- Enterprise certificates can create custom `com.apple.*` entitlements
- This can bypass protections that check for Apple-signed binaries

### TCC Services

TCC (Transparency, Consent, and Control) services control privacy permissions:

| Service | Permission |
|---|---|
| | Full Disk Access |
| | Automate other apps |
| | Accessibility/Screen Control |
| | Write TCC database |
| | Change NFS home directory |
| | Modify app bundle contents |

### Trustcache/CDhash Bypass

Some entitlements can bypass Trustcache/CDhash protections that prevent execution of downgraded Apple binaries. Research ongoing.
## Example Analysis Output

```text
=== Entitlement Analysis ===
Binary: /Applications/Example.app/Contents/MacOS/Example

🔴 HIGH RISK ENTITLEMENTS FOUND:
- com.apple.security.get-task-allow: Allows code injection
- kTCCServiceAccessibility: Can control UI and approve dialogs

🟡 MEDIUM RISK ENTITLEMENTS:
- com.apple.security.cs.allow-jit: Writable+executable memory

✅ No critical SIP bypass entitlements
✅ No TCC database modification entitlements

RECOMMENDATION: Review code injection capabilities and accessibility permissions
```

## Scripts Available

- `scripts/extract_entitlements.sh` - Extract and analyze entitlements from a binary
- `scripts/check_dangerous_entitlements.sh` - Check for known dangerous entitlements