Can malware/virii exist in workflows?

[allandebono]

Hi everyone,

 

I have a question regarding Workflows and security.

 

I am not saying I have malware from workflows

 

and

 

I am not suggesting the authors of the wonderful workflows I usely hourly have or will add malware.

 

I am generally curious as to whether it is possible to download a rogue workflow that can compromise my system.

 

I can't remember if I had to install alfred with system privledges.  If I did install alfred with system privledges would that mean a workflow could, in theory, compromise my system?

 

Thank you kindly

 

Allan

[Andrew]

Hi Allan,

 

Alfred runs as a user level process, not system, so doesn't have elevated rights to your system. As such, workflows have the same level of access to your system as any other "normal" app you may download. I have also made the Alfred Text Service run as a separate process so that the additional accessibility access granted to Alfred Text Service isn't inherited by workflows.

 

When manually installing an Alfred workflow, a number of simple security checks are done along with stripping out things like hotkeys to avoid a workflow from conflicting with current apps or workflows you have installed. Also, if you are currently using Shawn's Packal.org to find and download workflows, this has additional security scanning/checking.

 

The active Alfred community take a close interest in workflows and if there were to be a workflow which isn't operating as advertised, this would be picked up pretty quickly!

 

One thing worth noting is that I'm planning a similar system to Apple's developer certificates for workflows which will allow a further level of protection for workflow creators and users

 

Cheers,

Andrew

[deanishe]

I am generally curious as to whether it is possible to download a rogue workflow that can compromise my system.

 

Workflows can do the same things as any other programs you run, more or less. Under the hood, it's all code being run under your user account.

 

Because a workflow is just another program, it could theoretically do all kinds of things to any of the stuff your user account has access to, deliberately or by accident.

 

But that's the way software has always worked (at least until there was an App Store), and the sky hasn't fallen in yet. This is only not the case for sandboxed, App-Store apps, which do have limited access to your stuff.

 

The thing that worries me isn't malicious workflows, it's well-intentioned, but broken ones. I think it's far more likely for a bug in a workflow to delete the wrong file or similar than for an evil workflow to try to root your box or ransom your data.

 

If you're paranoid (like me), install Little Snitch. That'll let you know very quickly if something shady is happening on your system. Objective-See have some very interesting free security programs, too, to scan/watch for iffy-looking activity.

 

FWIW, I've been running Little Snitch for years, and I've never seen a workflow try to anything even vaguely nefarious. Not even as much as pull in Google Analytics or the like, let alone steal all your data.

 

The worst behaviour I've seen from a workflow (from the view of potential harm to the user) is password generators that generate passwords that aren't very strong without saying that they're not very strong, or storing sensitive data, like API keys or passwords, in plaintext instead of in the Keychain.

[rice.shawn]

As Andrew mentioned, among other things, Packal.org runs a virus scan on every workflow uploaded (using clamscan, and the virus database is updated daily), so I can assure you that there are no viruses in any workflow that clamscan can catch (early on I did test by uploading workflows with viruses, and Packal rejected them).

 

That being said, there can still be malicious activity, but I haven't seen any workflow that has done anything bad since Alfred 2 has been out. By bad, I mean intentionally bad. The problems that Dean mentioned have happened, but the community is pretty good about finding these and then reporting them and getting them changed.

 

S