How can I show that my application is not a keylogger?

I created a simple Mac app that gives you statistics on your working behavior over time. For example, your average words per minute, what language you type in, your use of the delete key, etc. Interesting things! However, some test users said they would not use the application if they did not know me personally, since it collects keystrokes, like a keylogger.

Is there any kind of certification I can show that I am not doing anything mean? (I never keep more than one word in memory!) Or will it be enough to sign my application? Or to open-source the part of the code that does this? (The other parts, as far as I know, I cannot open-source.)

+4
3 answers

I would think that Gatekeeper would be adequate for most users. If it turns out that the application does not behave well, then Apple can pull the plug on the malware developer. For this, and possibly for some time after going live, you should present your program as “safe” for those who are not technically inclined (for example, cannot understand your source).

Just distributing it under your name or the name of your company can do a lot to build trust in the application (unless, of course, your other products / programs have violated users' trust).

+2
source

Distribution through the Mac App Store will help, as users can see that Apple has tried your application and found nothing vile in it. [Added:] In addition, sandboxing your application means that your application is limited to an explicit set of capabilities that can be inspected by technically qualified users. You cannot do anything that is not listed, so this will be an easy way to prove that you are not sending anything over the Internet.

Another thing is to save all the data in user-readable files. No binary plists, no Core Data storage, etc. (Whether the XML variants of any of these count as user-readable is more controversial, but for this purpose I think that at least the XML layer will be readable enough. The same goes for Core Data.)

If the user can read all the raw data stored using applications that they trust (for example, TextEdit), and not just your application's own presentation of it, then they can check for themselves and, ultimately, trust that you do not store anything they would not like.

If interested potential users suspect that you are reporting their keystrokes to your own server over the Internet, and you assert that you make no Internet connections at all (not even checking for updates), you can recommend that Little Snitch be installed, which displays a warning whenever any application tries to connect to something. When they do not see such a warning for your application, they know that you are not calling home.

You can also provide a link to a technical profile on the product web page. Here's a Jesper article proposing them, and here is one example of such a document, for one of its products.

+3
source
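The entitlements check the answer above refers to, as an added example that is not part of the original thread: a small audit of an app's entitlements plist for the two claims a user would want to verify (sandbox on, no network entitlements). The two plists are constructed here; on a real bundle the plist would come from `codesign -d --entitlements :- /Applications/App.app`, and the `audit_entitlements` function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from any product it mentions.
# Audits an entitlements plist for: sandbox enabled, no network-client, no network-server.
# For a real app, extract the plist first:  codesign -d --entitlements :- /Applications/App.app

# Constructed sample 1: sandboxed, file access only, no network (the claim in the answer).
cat > /tmp/ents_clean.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
EOF

# Constructed sample 2: sandboxed, but allowed to open outbound connections.
cat > /tmp/ents_net.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
EOF

# audit_entitlements FILE: prints "sandbox=<yes|no> network-client=<yes|no> network-server=<yes|no>"
# and returns 0 only when the sandbox is on and neither network entitlement is granted.
# Handles boolean entitlements (<key>..</key> followed by <true/> or <false/>), on one line or two.
audit_entitlements() {
    awk '
        BEGIN { split("", on); key = "" }
        /<key>/   { k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k); key = k }
        /<true\/>/  && key != "" { on[key] = 1; key = "" }
        /<false\/>/ { key = "" }
        END {
            sb = ("com.apple.security.app-sandbox"     in on) ? "yes" : "no"
            nc = ("com.apple.security.network.client" in on) ? "yes" : "no"
            ns = ("com.apple.security.network.server" in on) ? "yes" : "no"
            printf "sandbox=%s network-client=%s network-server=%s\n", sb, nc, ns
            exit !(sb == "yes" && nc == "no" && ns == "no")
        }
    ' "$1"
}
```

A non-zero exit from `audit_entitlements` means the bundle can legitimately reach the network (or is not sandboxed at all), which is exactly the case where a tool like Little Snitch becomes the next check.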

If you can get the app into the Apple App Store, then they have checked it for such problems. There is no way they would knowingly allow an application to log keys. In addition, signing the app with an Apple certificate ensures that if it was downloaded from the App Store and later turned out to be dishonest, they can blacklist it.

Open-sourcing the code would also be a good idea. I assume that you cannot fully open-source it because it does not belong to you? If so, then at least say what technologies it uses, and talk openly and honestly about what the application does and how it does it.

0
source

Source: https://habr.com/ru/post/1482106/
