Comment by AlexandrB
5 days ago
I thought you had to give explicit permission for an app to monitor network traffic in macOS? I'm assuming your app asks for this, but it sounds like Notion does not if the GP was surprised by the monitoring.
My Notion install (macOS) asked to discover devices on my network. I'm assuming this permission is related to "monitoring network traffic".
No, that’s the new "Local Network" prompt, which started appearing in macOS 15. Any app that opens a multicast/broadcast socket (mDNS, SSDP, WebRTC ICE, etc.) now has to ask. Electron apps (including Notion) do this by default, so you see this dialog.
> Electron apps (including Notion) do this by default
Feels like a bad default; it teaches users to ignore and say yes.
I think this has to do with Chromium x macOS -- https://issues.chromium.org/issues/346505950
https://x.com/rauchg/status/1846590635677004039?s=46&t=kVfjh...
That's interesting. Although I wasn't able to find any confirming info that allowing the "locate local devices" permission allows for network monitoring. It seems to only allow Bonjour and multicast DNS. Anyone know for sure what it allows?
This would certainly be news to me as well. Packet capture (even local) has historically required superuser perms, but I'm not up to speed on how macOS permissions work in this regard since the launch of System/Network Extensions.
After writing the above, I've just reviewed [0] - as much as I could in 5 minutes - and as far as I can tell it confirms our understanding. To do packet filtering or interception or reading, you'd need to do [1].
[0]: https://developer.apple.com/documentation/technotes/tn3179-u...
[1]: https://developer.apple.com/documentation/NetworkExtension/c...
Yes, it would be that one
You don't need to give any explicit permissions for the snapshot of current sockets.
Yeah, non-sandboxed apps can iterate over open file descriptors. It's quite useful to detect, e.g., which app on your local machine is connecting over TCP. I hope they don't lock it down. It doesn't allow intercepting traffic, but you can see what connects where.
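
The socket snapshot described in the last two comments can be reproduced with `lsof`, which reads each process's open file descriptors and needs no Local Network or Network Extension approval. The following is an added example, not code from any commenter or from Notion; it parses `lsof` field output into a per-process list of remote endpoints, and the sample PIDs, process names and addresses are constructed.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `lsof -nP -iTCP -F pcn` field output.
# Each line is one field: p=PID, c=command, f=file descriptor, n=socket name.
SAMPLE = """\
p88
cControlCe
f9
n*:5000
p501
cNotion
f23
n192.168.1.20:51514->198.51.100.7:443
f31
n192.168.1.20:51520->198.51.100.9:443
p733
cssh
f3
n192.168.1.20:51601->203.0.113.5:22
f4
n[2001:db8::20]:51602->[2001:db8::10]:443
"""

def parse_lsof_fields(text):
    """Return {(pid, command): sorted remote endpoints} for connected sockets."""
    conns = defaultdict(set)
    pid = cmd = None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":            # a new process set starts here
            pid, cmd = int(value), None
        elif tag == "c":
            cmd = value
        elif tag == "n" and "->" in value:
            # "local->remote"; listeners such as "*:5000" have no peer and are skipped
            conns[(pid, cmd)].add(value.split("->", 1)[1])
    return {key: sorted(remotes) for key, remotes in conns.items()}

def snapshot():
    """Take a live snapshot; requires lsof on PATH."""
    out = subprocess.run(["lsof", "-nP", "-iTCP", "-F", "pcn"],
                         capture_output=True, text=True).stdout
    return parse_lsof_fields(out)

if __name__ == "__main__":
    for (pid, cmd), remotes in parse_lsof_fields(SAMPLE).items():
        print(pid, cmd, remotes)
```

The output lists endpoints only, with no payload, which matches the distinction drawn in the thread between seeing what connects where and intercepting traffic.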