
“Google Drive” would like to receive keystrokes from any application - bathtub365
https://i.imgur.com/Gi60T9T.png
======
dortmunder13
LastPass says: "The app needs this permission to provide a global, system-wide
shortcut to bring up the search field, so that users can quickly locate a
vault entry and copy passwords or launch sites. You can deny this permission
request, as the Mac application will continue to work. It will just disable
this function from working."

I bet it's similar here, they want a system-wide shortcut to get to Google
Drive. Seems like an oddly named permission.

~~~
mirthflat83
I like how they named it. If you can get permission for systemwide keystrokes
it is also obviously able to see what you’re typing in other apps. More
straightforward for those who are not tech oriented.

~~~
soulofmischief
Sounds like a bad API. There should be a way to register shortcuts and macros
without giving keystroke information to the app.

~~~
tryptophan
Doesn't Linux work like this? Where certain input starts at the top (kernel),
and then goes to the first program that "listens" for a certain key/combo?

So you could have a program only listen/capture certain keys?

~~~
jankotek
An XWin app can listen to all keystrokes in the system. This was fixed in Wayland.

~~~
capableweb
How would you write an application that uses global shortcuts in Wayland?

~~~
ubercow13
Probably through a series of incompatible and as-yet-unimplemented APIs for
each desktop environment and window manager you want to support.

------
djsumdog
So there are no Apple APIs for global shortcuts and apps like LastPass and
Google Drive have to request all keystrokes to implement one?

Has this problem been fixed on Wayland? Because I remember it having the same
issue.

~~~
jjeaff
That's what I was wondering. I just came across this with the Google Calendar
API.

I was annoyed that the Facebook business appointments gcal sync wanted full
access to read all my calendars and any calendars shared with me. All I want
is for it to be able to add appts. But apparently, the gcal API doesn't have
the granularity to even allow full access to a single calendar.

------
dudus
I guess this is some security model on Catalina. I couldn't find any info on
what features of Google Drive specifically would not work if you deny, but
there are plenty of questions online for different applications. Here's one
for LastPass:

[https://forums.lastpass.com/viewtopic.php?f=12&t=349965](https://forums.lastpass.com/viewtopic.php?f=12&t=349965)

------
mistersys
This is really just an example of the impressive security policies of macOS.
If I'm not mistaken, as long as you have admin permissions you can trivially
create a keylogger on Windows 10 without any such special permissions.

~~~
Loranubi
Well, if you have admin permissions, you should be allowed to do anything.

~~~
acdha
That philosophy has been very helpful to malware authors over the years. The
modern approach has been to make that less of a binary decision and make sure
the user can see it happening and change their mind: e.g. allow you to write
an app which does something privileged but require a prompt and prevent it
from hiding its actions.

------
coding123
History catching up to today's security environment.

This is also how permissions and APIs evolve over time. Apple (and hopefully
other OSes) is likely working on a global hotkey hook system that has a less
intrusive permission requirement. Unfortunately it will take YEARS before
applications in general start using that.

And this is absolutely the correct thing for the OS to do.

------
floatingatoll
Using dynamic overriding to intercept and NSLog calls to UIKeyCommand should
be sufficient to find out precisely what key(s) they’re setting listeners for,
but I don’t have the experience to finish this idea. Someone who’s familiar
with dylib injecting would know:

[https://stackoverflow.com/a/27608606](https://stackoverflow.com/a/27608606)

------
therealmarv
I strongly suggest this alternative software for the desktop:

[https://www.insynchq.com/](https://www.insynchq.com/)

Worth every penny and is (for me) the better Desktop client.

------
dorianmariefr
Also happened to me on a random game downloaded from the App Store:
[https://i.imgur.com/dr0YVVG.png](https://i.imgur.com/dr0YVVG.png)

~~~
ThePowerOfFuet
You should let Apple know about that at iTunesStoreSupport@apple.com.

------
onreact
Intriguing! Can you please provide a bit more context?

~~~
bathtub365
I wish I could, I just had the dialog pop up out of nowhere while I was using
my laptop. I have no idea why it wants this access.

------
limeblack
Bad keyboard shortcut or bad drag and drop support maybe?

------
d33
Isn't it just badly implemented shortcut support?

------
teamspirit
I don't understand, I use skhd [0] which uses global shortcuts for things like
window switching and I've never seen such a request. Unless asking for
accessibility permission is the same thing, which I doubt (but admittedly
don't know for certain).

[0] [https://github.com/koekeishiya/skhd](https://github.com/koekeishiya/skhd)

~~~
sukilot
Accessibility is even more powerful/general control than this.

[https://www.howtogeek.com/297083/why-do-some-mac-apps-need-t...](https://www.howtogeek.com/297083/why-do-some-mac-apps-need-to-control-this-computer-using-accessibility-features/)

~~~
teamspirit
Indeed it is. I clearly had it confused. Thanks!

------
rsync
So Google Drive is also a keylogger? Not surprising.

I wonder - is there a way to look up app permissions without actually
installing them?

Which is to say, can I, using my web browser, browse either the Apple App
Store, or Google Play Store, and research, in advance, what a particular app
is going to request (or demand) access to?

~~~
dessant
I doubt Google Drive is a keylogger. Apps should be able to register global
shortcuts and get notified when a shortcut is triggered.

There is an open source client app for Google Play called Aurora Store; it
lists declared permissions and known trackers within the app.

The data is provided by Exodus Privacy:
[https://reports.exodus-privacy.eu.org/en/reports/com.google....](https://reports.exodus-privacy.eu.org/en/reports/com.google.android.apps.docs/latest/)

