Application Sandboxing: Address Book access should be more granular

Originator: jbrayton
Number: rdar://9712427
Date Originated: 01-Jul-2011
Status: Duplicate
Resolved:
Product: Mac OS X
Product Version: 10.7
Classification:
Reproducible:
 
01-Jul-2011 02:45 PM John Brayton:
Summary:

There is one entitlement key that grants an app full access to the address book:
com.apple.security.personal-information.addressbook

My app, CloudPull, uses the address book in a very limited fashion.  Specifically, it retrieves the customer's own email addresses from the address book.  It uses those to populate default values in a feedback reporter window and in a mailing list subscription window.

I am able to do what I need with this entitlement, but this is far more access than my app needs.  An entitlement that only provides access to "My Card" (the individual user's address book entry) would be more secure.

My specific concerns are:
* My app does not need access to the customer's entire address book; therefore, my app really should not have it.
* I am concerned that my app could be rejected from the Mac App Store for making such limited use of an important entitlement.
* I am concerned that a future version of the Mac App Store or OS X could tell customers that my app needs access to the entire address book, even though it really only wants the customer's email address.

Steps to Reproduce:

N/A

Expected Results:

N/A

Actual Results:

N/A

Regression:

N/A

Notes:

N/A
