
I found that some apps contain a Library folder named SharedWebCredentials, which contains config JSON files that seem to always enable linking to iCloud. I am using Sonoma 14.5.

These apps include FindMy, Family, Shortcuts, and CoreServices such as AOSUIPrefPaneLauncher, iCloud, iCloud+, Coverage Details, etc.

I am wondering if those are valid and if that implies those apps can always link to iCloud.com. One more question is how we may guarantee there is no cloud access to those apps.

I am a bit worried that someone who has access to iCloud servers may locate and gain some control of my Mac via those apps by poisoning caches. I have that concern because I observe extra iCloud Keychain databases like xxxx-(null)-xxxxx or xxxTrustPeersxxx in my local keychain folder /User/name/Library/Keychains/UID/. I found keychain items of NetworkProxy that set accounts for Cloudflare, Fastly, etc. And my internet connections get interrupted from time to time.

For example, in the iCloud app, there are four files in that folder: *.iCloud.com.cn.json, *.iCloud.com.json, iCloud.com.cn.json, iCloud.com.json.

Those JSON files are the same, including the app links for appID com.apple.CloudKit.ShareBear. The JSON file looks as follows.

{
  "applinks": {
    "details": [
      {
        "appID": "com.apple.CloudKit.ShareBear",
        "components": [
            { "/": "/pages/?*" },
            { "/": "/numbers/?*" },
            { "/": "/keynote/?*" },
            { "/": "/iclouddrive/?*" },
            { "/": "/share/?*" },
            { "/": "/notes/?*" },
            { "/": "/photos/?*" },
            { "/": "/photos_sharing/?*" },
            { "/": "/reminders/template/*", "exclude": true },
            { "/": "/reminders/?*" },
            { "/": "/safari-tab-groups/?*" },
            { "/": "/freeform/?*" },
            { "/": "/v/?*" }
        ],
        "alwaysEnabled": true
      }
    ]
  }
}

The following is the JSON file in iCloud+/Contents/Library/SharedWebCredentials/icq.icloud.com.json:

{
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "0000000000.com.apple.icq",
                "components": [
                    { "?": {"context":"?*"} }
                ],
                "alwaysEnabled": true
            }
        ]
    }
}

The following are two screenshots for Shortcuts.app and the AOSUIPrefPaneLauncher.

Screenshot of a Finder window showing 'Shortcuts.app > Contents > Library > SharedWebCredentials > *.workflow.is.json'

Screenshot of a Finder window showing 'AOSUIPrefPaneLauncher > Contents > Library > SharedWebCredentials > setup.icloud.com.json'

6
  • 1
    What do you mean by "someone who has access to iCloud Servers"? A "rogue" Apple employee, or someone logged into your iCloud account? Apple employees do not have access to your data. It's not suspicious for Find My and Shortcuts to be using iCloud.
    – benwiggy
    Commented Jun 8 at 11:57
  • 1
    Please see the Shared Web Credentials documentation on Apple Developer. They are primarily for better web and app integration. The "paths" you observe are most likely URL schemes.
    – hym3242
    Commented Jun 8 at 13:40
  • Thank you for the info! I have had a suspicious experience with a staff member at Apple support, and I am trying to figure out what is possible harassment and what are valid Apple processes @benwiggy
    – bing
    Commented Jun 9 at 6:15
  • 1
    Thank you for suggesting the documentation. That is very helpful @hym3242
    – bing
    Commented Jun 9 at 6:16
  • That's nice to hear. Next time you have a similar question you can try searching in Apple Developer documentation & archive, maybe also WWDC sessions.
    – hym3242
    Commented Jun 9 at 6:17
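
As an added illustration (not part of the original thread and not Apple's code), the sketch below reads the `components` rules from the file quoted in the question as what Apple's documentation describes: an ordered URL-routing table that decides which links the named app is offered. The function names are hypothetical, the rule list is shortened, and domain matching (the file name) and the `alwaysEnabled` key are not modelled.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# The "applinks" file quoted in the question, shortened to four of its rules.
AASA = json.loads("""
{"applinks": {"details": [{
  "appID": "com.apple.CloudKit.ShareBear",
  "components": [
    {"/": "/iclouddrive/?*"},
    {"/": "/reminders/template/*", "exclude": true},
    {"/": "/reminders/?*"},
    {"/": "/v/?*"}
  ],
  "alwaysEnabled": true
}]}}
""")

def glob_to_regex(pattern):
    """Documented pattern syntax: '*' is any run of characters, '?' exactly one."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts), re.DOTALL)

def component_matches(component, url):
    """A rule matches only if every part it names (path, fragment, query) matches."""
    u = urlsplit(url)
    for key, value in (("/", u.path), ("#", u.fragment)):
        if key in component and not glob_to_regex(component[key]).fullmatch(value):
            return False
    query = component.get("?")
    if isinstance(query, str):
        return bool(glob_to_regex(query).fullmatch(u.query))
    # Dictionary form: each named query item must match its pattern.
    # Assumption: a missing item is compared as an empty value.
    params = parse_qs(u.query, keep_blank_values=True)
    return all(any(glob_to_regex(p).fullmatch(v) for v in params.get(k, [""]))
               for k, p in (query or {}).items())

def handler_for(url, aasa=AASA):
    """Return the appID that would be offered this URL, or None.
    Rules are tried in order and the first match decides; a rule with
    "exclude": true leaves the URL to the browser."""
    for detail in aasa["applinks"]["details"]:
        for component in detail.get("components", []):
            if component_matches(component, url):
                return None if component.get("exclude") else detail["appID"]
    return None
```

Here `/reminders/template/...` falls to the browser because its `exclude` rule is listed before the broader `/reminders/?*` rule, and any path not listed is not routed to the app at all.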

1 Answer

0

All of this is how Apple keeps your data separated from my data and to my eyes is designed to protect our private data from apps that sync to iCloud.

Since I don’t have access to your iCloud data without all of your authentication information this seems to be normal for a secure implementation of private and possibly sensitive data stored off device.

You can’t guarantee no cloud access unless you define it in a limited way.

  • You could set up a network proxy or use a network you control to log every connection over a month and assume if no connections are made you are safe.

Otherwise you have to reverse engineer every app. Document which frameworks they call and then reverse engineer them, too. Until you understand every last bit of the entire code base of the OS and the apps, you can’t be sure there are toggles or circumstances to enable a sync that you just haven’t activated yet.

1
  • Thank you for the clarification! I've been learning about Apple's OS to figure out what are the normal activities and what might be online harassment from an Apple support staff member. Your answer is very helpful.
    – bing
    Commented Jun 9 at 6:12
