on 2006-05-07 5:44 PM, Laurence Harris at email@hidden wrote:
> What's the downside of turning on access for assistive devices?
The folks at Apple have informally conveyed the view that they see it as a
relatively minor security risk, but a risk nonetheless. Better safe than
sorry.
My own view is that the risk is no more serious than that posed by
AppleScript, which does not require any special advance permission to read
and manipulate other applications on your own computer. AppleScript and the
accessibility API have vaguely similar capabilities with respect to reading
and manipulating other processes, so a case could be made that they should
be treated the same in this regard.
AppleScript does require the recipient of remote commands across a network
to turn on remote access. And of course the GUI Scripting subcategory of
AppleScript is based on the accessibility API and therefore requires that
access for assistive devices be enabled.
Starting with Tiger, developers of assistive applications have another
option. Your assistive application can ask for authorization, typically at
install time, and make itself a "trusted process" that will work even if the
global accessibility setting is turned off. This option is presumably more
secure, since it allows somebody who wants to use a specific assistive
application to limit the risk to that one application without opening up the
computer globally.
--
Bill Cheeseman - email@hidden
Quechee Software, Quechee, Vermont, USA
http://www.quecheesoftware.com
PreFab Software - http://www.prefab.com/scripting.html
The AppleScript Sourcebook - http://www.AppleScriptSourcebook.com
Vermont Recipes - http://www.stepwise.com/Articles/VermontRecipes
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Carbon-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/carbon-dev/email@hidden
This email sent to email@hidden
