Property List Key

Debugging Tool Entitlement

A Boolean value that indicates whether the app is a debugger and may attach to other processes or get task ports.

Details

Key: com.apple.security.cs.debugger
Type: boolean

Discussion

Apps with the Debugging Tool Entitlement can call task_for_pid() to retrieve a valid task port for unsigned and third-party apps with the Get Task Allow entitlement set to true. However, even with the debugging tool entitlement, a debugger can’t get the task ports of processes that don’t have the Get Task Allow entitlement, and that are therefore protected by System Integrity Protection. See the man page for taskgated(8) for more information about getting task ports.

Xcode automatically adds the Get Task Allow entitlement to apps that you build for debugging, while removing the entitlement before App Store submission. This enables Xcode itself to attach to and debug your app during development.

When a non-root user runs an app with the debugging tool entitlement, the system presents an authorization dialog asking for a system administrator’s credentials. If authorization succeeds, the debugger receives a 10-hour session before authorization expires.

To add this entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Debugging Tool.
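The two-sided condition in the Discussion can be checked offline against entitlement plists, for example when reviewing a build before distribution. The following is an added example, not Apple's code. It assumes the macOS key `com.apple.security.get-task-allow` for Get Task Allow, uses hypothetical function names, and does not model System Integrity Protection, root, or the authorization dialog.

```python
import plistlib

DEBUGGER = "com.apple.security.cs.debugger"
# Assumption: macOS key for Get Task Allow (the page names the entitlement, not its key).
GET_TASK_ALLOW = "com.apple.security.get-task-allow"
# Hardened Runtime exception keys listed on this page, with the reason to review each.
RUNTIME_EXCEPTIONS = {
    DEBUGGER: "may attach to other processes or get task ports",
    "com.apple.security.cs.allow-dyld-environment-variables": "dynamic linker variables can inject code",
    "com.apple.security.cs.allow-jit": "writable and executable memory via MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory": "writable and executable memory without MAP_JIT limits",
    "com.apple.security.cs.disable-executable-page-protection": "code signing protections disabled",
    "com.apple.security.cs.disable-library-validation": "may load plug-ins without code signing",
}

def load(plist_bytes):
    """Parse an entitlements plist (XML or binary) into a dictionary."""
    ent = plistlib.loads(plist_bytes)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return ent

def enabled(ent, key):
    # The documented type is boolean; this audit does not count strings such as "true".
    return ent.get(key) is True

def may_attach(debugger_ent, target_ent):
    """Discussion rule: the debugger holds cs.debugger and the target holds get-task-allow."""
    return enabled(debugger_ent, DEBUGGER) and enabled(target_ent, GET_TASK_ALLOW)

def release_findings(ent):
    """Return sorted (key, reason) pairs to review before distributing a build."""
    findings = [(k, why) for k, why in RUNTIME_EXCEPTIONS.items() if enabled(ent, k)]
    if enabled(ent, GET_TASK_ALLOW):
        findings.append((GET_TASK_ALLOW, "debug-build entitlement still present"))
    for k in list(RUNTIME_EXCEPTIONS) + [GET_TASK_ALLOW]:
        if k in ent and not isinstance(ent[k], bool):
            findings.append((k, "value is not a boolean"))
    return sorted(findings)

# Constructed sample entitlements (not taken from any real app).
DEBUGGER_TOOL = load(plistlib.dumps({DEBUGGER: True}))
DEBUG_BUILD = load(plistlib.dumps({GET_TASK_ALLOW: True}))
RELEASE_BUILD = load(plistlib.dumps({"com.apple.security.cs.allow-jit": True}))
MALFORMED = load(plistlib.dumps({GET_TASK_ALLOW: "true"}))

if __name__ == "__main__":
    print("attach to debug build:", may_attach(DEBUGGER_TOOL, DEBUG_BUILD))
    print("findings for debug build:", release_findings(DEBUG_BUILD))
```

On a Mac, the input for `load` can come from `codesign -d --entitlements - --xml <path>`.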

See Also

Hardened Runtime

Apple Events Entitlement

A Boolean value that indicates whether the app may prompt the user for permission to send Apple Events to other apps.

Key: com.apple.security.automation.apple-events

Allow DYLD Environment Variables Entitlement

A Boolean value that indicates whether the app may be affected by dynamic linker environment variables, which you can use to inject code into your app’s process.

Key: com.apple.security.cs.allow-dyld-environment-variables

Allow Execution of JIT-compiled Code Entitlement

A Boolean value that indicates whether the app may create writable and executable memory using the MAP_JIT flag.

Key: com.apple.security.cs.allow-jit

Allow Unsigned Executable Memory Entitlement

A Boolean value that indicates whether the app may create writable and executable memory without the restrictions imposed by using the MAP_JIT flag.

Key: com.apple.security.cs.allow-unsigned-executable-memory

Disable Executable Memory Protection Entitlement

A Boolean value that indicates whether to disable all code signing protections while launching an app, and during its execution.

Key: com.apple.security.cs.disable-executable-page-protection

Disable Library Validation Entitlement

A Boolean value that indicates whether the app may load arbitrary plug-ins or frameworks, without requiring code signing.

Key: com.apple.security.cs.disable-library-validation

Audio Input Entitlement

A Boolean value that indicates whether the app may record audio using the built-in microphone and access audio input using Core Audio.

Key: com.apple.security.device.audio-input

Photos Library Entitlement

A Boolean value that indicates whether the app may have read-write access to the user's Photos library.

Key: com.apple.security.personal-information.photos-library