This app (Macky) showed up on Hacker News as a supposedly easy way to connect from your iPhone to your Mac command line without something as old-fashioned (or secure) as SSH. It uses WebRTC instead for ... reasons.
Immediate first question: why should I trust this closed source app from an unknown source with remote access to my Mac?
I had a play with it using mitmproxy and one thing is for sure, it doesn't implement certificate pinning. It happily connected to my self-signed certificate. When you set a master password for access to your Mac it's sent to their server (a Cloudflare Worker) as plaintext (albeit over TLS) rather than using it as input to a key derivation function. That makes me think it's probably stored server-side with little to no security. All in all, there ain't a bargepole long enough for me to touch this with.
#security #remoteaccess #infosec #mac #macos #ios #apple #cybersecurity
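
For contrast with the plaintext submission described in the post above, this is a sketch of using the master password as input to a key derivation function on the client, so the server only ever receives a derived token. It is an added example, not part of the original post and not Macky's code; `RelayServer`, the function names, the labels and the PBKDF2 work factor are all assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for the target device


def derive_keys(password, salt):
    """Client side: stretch the password, then split it into two separate keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    auth_token = hmac.new(master, b"auth", hashlib.sha256).digest()  # goes to server
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()  # stays on the client
    return auth_token, enc_key


class RelayServer:
    """Hypothetical server: keeps a salt and a hash of the auth token per user."""

    def __init__(self):
        self._accounts = {}

    def register(self, user, salt, auth_token):
        self._accounts[user] = (salt, hashlib.sha256(auth_token).digest())

    def get_salt(self, user):
        return self._accounts[user][0]

    def verify(self, user, auth_token):
        _, stored = self._accounts[user]
        return hmac.compare_digest(stored, hashlib.sha256(auth_token).digest())


def client_register(server, user, password):
    salt = os.urandom(16)
    auth_token, enc_key = derive_keys(password, salt)
    server.register(user, salt, auth_token)  # the password itself is never sent
    return enc_key


def client_login(server, user, password):
    auth_token, enc_key = derive_keys(password, server.get_salt(user))
    return server.verify(user, auth_token), enc_key


if __name__ == "__main__":
    srv = RelayServer()
    client_register(srv, "alice", "constructed sample password")
    print(client_login(srv, "alice", "constructed sample password")[0])
    print(client_login(srv, "alice", "wrong guess")[0])
```

A TLS interceptor would still see the derived token in this scheme, so it does not replace certificate pinning; what it keeps off the wire and off the server is the password itself and the client-only key.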
-
@spzb I can’t even think of a valuable use case for it.
-
@mmatute_us certainly nothing that you can't achieve with an ssh client and either Tailscale, Wireguard or Zerotier.