Under The Microscope

Archive for June, 2016

Sierra and Gatekeeper Path Randomization

At their recent Worldwide Developers Conference, Apple announced macOS 10.12 (Sierra), the next major version of the Mac operating system. Sierra is scheduled for official release in the fall, and we’re hard at work on getting our software ready for it. For now, however, we recommend that if you can’t live without our software — which we love to hear! — you should stick with 10.11 (El Capitan) or lower. We’ll be releasing fully compatible updates for 10.12 as soon as possible. For more detailed information, please see our Status page.

I’d like to take a few minutes now to talk directly to fellow software developers about Sierra, specifically about a new Sierra security feature called “Gatekeeper Path Randomization” (GPR) that has serious implications for software delivered outside of the Mac App Store. GPR is explained in the WWDC session video “What’s New in Security”, which you can view at https://developer.apple.com/videos/play/wwdc2016/706/.1

As you’re likely aware, Gatekeeper is a security feature that has already been in place for several years. When enabled, Gatekeeper checks whether an app downloaded from the internet has been signed with a Developer ID certificate, which third-party developers such as Rogue Amoeba purchase from Apple. If the app is Developer ID-signed, then Gatekeeper allows the app to launch. If the app is not signed, then Gatekeeper will refuse to launch the app.

Last year, security researcher Patrick Wardle discovered a vulnerability in Gatekeeper called dylib hijacking. Wardle determined that if a Developer ID-signed app loads resources external to its app bundle via a relative file path, an attacker could package the app together with malicious external resources in order to work around the Gatekeeper protection. The app would pass the Gatekeeper check and be allowed to launch, after which it would load the malicious external resources. Wardle found that a number of popular apps, including some of Apple’s own apps, could be used as a vector for such an attack.

Gatekeeper Path Randomization is an attempt to avoid this vulnerability. It works by mounting a read-only disk image in a temporary path in the file system, copying the app onto that disk image, then launching the app from there. With the app bundle’s path thus changed, it will no longer find any external resources where it was expecting them, and thus the loading of malicious resources is prevented. For a more detailed technical analysis of GPR, as well as an investigation into some possible flaws in its implementation, see this series of more detailed blog posts I wrote elsewhere: App Translocation, Zero Day?, Undo.

The problem with Gatekeeper Path Randomization is that copying applications to a read-only disk image will break functionality in many, if not most, existing applications. Perhaps most notable, features like automatic software updates (via Sparkle or similar mechanisms) will no longer work. Apple may not view this as an issue, given that GPR will be disabled once the user moves the application out of the Downloads folder. However, many users run applications from the Downloads folder, never moving them. This is especially common when a user is trying out an application prior to purchasing it, and an app that doesn’t work as expected due to GPR seems certain to lead to lost sales. Worse, even if the customer moves your app to their Applications folder, it may continue to be broken, depending on how your app is packaged.2

We hope that Apple will make some small changes to avoid this unwelcome situation for our mutual customers. Because the vast majority of apps do not load external resources relative to the app bundle path, only a very small percentage of apps are vulnerable to the attack that Gatekeeper Path Randomization is attempting to prevent. Nevertheless, Apple’s current implementation for GPR affects all apps outside the Mac App Store, and the negative impacts will be felt far and wide. While we believe there are several changes Apple can and should make, a simple workaround would be to allow software developers to opt out of Gatekeeper Path Randomization. If an app does not load external app-relative resources, GPR provides no benefit. The app should thus be able to put a key in its Info.plist specifying that GPR should not apply to the app.3 We have filed a request with Apple to provide such a key (Radar #27018815 – “10.12 (16A201w) Apps need an Info.plist key to avoid Gatekeeper Path Randomization”), and encourage other developers to duplicate this Radar.

We support Apple’s efforts to increase security for all users on MacOS. However, this specific change will have a great deal of negative impact, while providing no security gain for the vast majority of apps. Users will be stuck with apps that don’t work (or update) as expected. The simple change we’ve proposed would still provide Apple with the desired security benefits, while removing the downside this will cause for users. We encourage you to test your software on 10.12 for possible problems, then file your own Radar with Apple detailing how Gatekeeper Path Randomization impacts your software.


  1. No login or developer account is required to watch the video; the information is available to the public. ↩︎

  2. For example, we ship Airfoil in a folder together with Airfoil Satellite. If you move that folder from Downloads to Applications, Gatekeeper Path Randomization will still be active. ↩︎

  3. The standard code-signing required for Gatekeeper would of course ensure that this flag couldn’t be tampered with. ↩︎

An Update on Chromecast Support in Airfoil

Update (October 28th, 2016): Airfoil for Mac 5.5 and higher now offer support for Google Chromecast! Read all about it in the Airfoil for Mac 5.5 blog post.

Back in March, we announced that we were working on updating Airfoil with support for sending audio to Chromecast devices. We’ve since been hard at work on achieving that goal, and we’re delighted to show off our progress. We now have Airfoil talking to all models of Chromecast (that’s the current Chromecast Audio, Chromecast Video, and even the original Chromecast Video version 1).

As previously mentioned, this functionality will be part of a free update to Airfoil 5. It’s admittedly not much to see just yet, but I can assure you that it sounds great! There’s still more work to be done, and we don’t yet have a planned release date, but it’s definitely something we plan to release before the year is out. For now, just stay tuned for more information!

19 Terrific Tips for Audio Hijack 3

We recently released Audio Hijack 3.3, and it includes several great new features. In addition to incorporating new functionality, a great deal of effort has gone into making Audio Hijack 3 easier to use than ever before, and we’ve been pleased to hear from many users who are thrilled with how approachable it is. Still, there are more than a few secrets and tips you might not know about, so give this post a quick read to learn something new about Audio Hijack.

Tip #1: Quickly Get a New Blank Session

To immediately get a new blank Session to work with, hold option as you click the “New Session” button. You can also press option-command-N on your keyboard. You’ll bypass the Template Chooser and get an blank Session to configure.

Tip #2: Schedule Your Recordings

From the Schedule tab of the Home window, you can configure a Session to automatically run at a specific time. Add the direct URL for a radio stream to the “Open URL” field of an Application Source block and you can even do timed recording of audio, much like a DVR.

Tip #3: Don’t Forget to Mute Those Timers!

If you schedule a recording for the middle of the night, you probably won’t want it to make noise while it’s recording. Remove the Output block from your audio chain, and audio will be recorded without being heard.

Delete the Output block to mute the timer.

As well, be sure to turn on the “Quit Sources” checkbox in the Schedule tab. That way, when the timer is finished (and Audio Hijack stops capturing audio), the audio-producing source application will be shut down.

Tip #4: A Musical Alarm Clock

The Schedule tab can be used for more than timed recordings. It can also help you use your computer as a musical alarm clock. Start by putting a radio stream in the “Open URL” field of an Application Source block, and hook it up to an Output Device block set to your speakers. Then, set a timer for when you want to wake up, right in the Schedule tab. At the appointed time, Audio Hijack will pop open and your audio will play.

Tip #5: Share Your Sessions

It’s possible to create complex and powerful Sessions in Audio Hijack to do just about anything you might need. It’s also possible to share those Sessions, by exporting them to distribute to others for use in their own copies of Audio Hijack. When you’re in the Session you wish to share, just select “Export…” from the Session menu, and save. You can then email your Session to a friend, or even post it on your website.

An exported Session in the Finder

Tip #6: Share Your Sessions Faster

If you want to quickly export one or many sessions, as explained in Tip #5 above, do it from the Home window. Click to the Sessions tab, then select one or more Sessions you want to export by clicking (and shift-clicking). Once you’ve got the desired Sessions selected, just drag them to your Desktop, and they’ll be exported instantly.

Tip #7: Tear Off Your Popovers

Nearly all blocks in Audio Hijack feature a popover which provides access to the block’s settings. When you click on a block, its popover appears. When you click away, that popover disappears. What if you want those controls to remain available? Just click the popover and drag it away from the block to tear it off. Now, the settings will stay open for easy access.

Tearing off a popover

Tip #8: Pin Popovers To Make Them Float

If you need to work in other applications while you record, but still want access to some of Audio Hijack’s controls, you can! First, tear off the popover for the relevant blocks (see Tip #7, above). Then, click the Pin button. When its pinned, the popover will float above all other windows on your system, and it’ll be accessible from within any application.

A pinned popover

See the “Popover Features” page of the Audio Hijack manual for more details on popovers.

Tip #9: Use Arrows on Effects Sliders

If you want to make a minute adjustment to a slider, you can do so with your keyboard. First, click the slider you wish to adjust, and you’ll see the slider’s knob highlight blue. Now, use the left/right or up/down keys on your keyboard, and the slider will move in its smallest interval. Need a bigger jump? Hold shift and hit left/right or up/down to move in larger jumps.

Tip #10: Use the Number Keys Too

You can also use the number keys on your keyboard to move an effects slider to an exact location. Click a slider’s knob to highlight it, then type a number and hit Return. The slider will be moved to the exact location you specify.

Tip #11: Block Presets!

Block presets let you save your settings for a particular block type, then use those settings again in other instances of the same block, in any Session. Block presets are a major feature of Audio Hijack, and one we hope many users take advantage of. However, they’re a bit hidden, so they’re worth noting here.

A simple example can be seen with the 10 Band Equalizer block. Create a custom EQ setting, then choose “Save as Preset…” from the Presets menu at the bottom of the popover. Give your preset a name, and you’re set. The preset will now appear in the “User Presets” section, in all 10 Band Equalizer blocks throughout Audio Hijack.

Equalizer Presets

The power of presets is extended to all blocks that feature popovers, from the Application Source block to the Recorder block and more. Save your detailed configurations once, then access them in any Session with just a few clicks. They’re a tremendous time-saver!

Recorder Presets

Tip #12: Turn Blocks Off

When you no longer need a block in your Session, you can highlight it, then choose Delete from the Edit menu to remove it. However, you may want a block in your Session to be active only some of the time. In that case, you can turn the block off temporarily. To do this, click the On/Off switch in the block’s popover. The switch will turn off, and you’ll see the block dim. You can also right-click a block and choose “Turn Off This Block” to toggle it off.

A disabled Equalizer block

While a block is off, audio will pass it without being affected, but it will be available for use instantly by simply turning it back on.

Tip #13: Monitor Without Recording

The old Audio Hijack Pro 2 had two distinct stages of audio capture: Hijacking and Recording. We simplified this in Audio Hijack 3, and now Sessions are either running or not. While this has proven much clearer overall, a few long-time Audio Hijack users have had difficulty determining how to monitor audio without recording it in Audio Hijack 3. Fear not!

If you just want to adjust audio with effects, just make a Session that doesn’t include any Recorder blocks (or delete any Recorder blocks currently in your Session). The Sweeten template provides an example of this. If you do plan to record audio, but wish to monitor audio first, just turn your Recorder block off as described in Tip #12. When the Recorder block is off, audio will flow through the session, but no recording will be made. When the audio sounds just right, turn the Recorder block back on to begin recording.

A disabled Recorder block

Tip #14: Control Your Recorder Blocks

Look inside the Control menu to see several ways you can control any and all Recorder blocks in a Session. The “Turn All Recordings Off/On” toggle is helpful for monitoring audio, as discussed in Tip #13. You can use “Pause All Recordings” to temporarily suspend recording, so no additional audio will be saved until you resume. Finally, if you select “Split All Recordings”, the Recorder blocks will stop recording to the current files, and begin recording to new files.

Audio Hijack’s Control menu

Tip #15: Record to Multiple Formats at Once

Thanks to the new audio grid, you can now record to multiple formats in sync. For instance, you can save audio to both compressed and lossless formats together, with just a single click. When you run your session, all Recorder blocks will activate at the same time.

Multiple recorders at once

Tip #16: Add Features with Audio Unit Effects

Audio Hijack comes with over a dozen of our own custom audio effects, but it also supports modern (64-bit Cocoa) Audio Unit plugins. We automatically load the Audio Units built-in to Mac OS X by Apple, but there’s a wealth of third-party Audio Units out there too.

The Graphic EQ built in to Mac OS X

If you’re looking to add audio effects or meters, just place your new Audio Units in one of the standard locations on your system (/Library/Audio/Plug-Ins/Components or ~/Library/Audio/Plug-Ins/Components), and they’ll appear in Audio Hijack’s Library.

Tip #17: Generic UI for AU Effects

Speaking of third-party Audio Units, some of them sure have some…interesting interfaces, don’t they? If you’d rather these effects showed a simpler look, right-click on the block’s face and select “Use Generic Audio Unit Interface” from the pop-up menu. Now the effect’s controls will appear with a generic look, which may be easier to use.

A generic interface

Interestingly, this feature was originally added to make more audio effects accessible to users with vision impairments. We’ve since found that many users prefer the generic UIs to the custom ones.

Tip #18: Use the Time Shift Effect for Transcribing Audio

The Time Shift Effect was added in Audio Hijack 3, but we really refined it in Audio Hijack 3.2. It’s found a devoted following of folks transcribing audio to text, and we worked to make that even easier. Time Shift now features a powerful popover that enables you to jump forward or back in 3, 10, or 30 second increments. You can tear off and pin that popover (as described in Tips #7 and #8) for easy access from anywhere.

The Time Shift block

As well, Time Shift’s controls are now accessible via global keyboard shortcuts. Open up Audio Hijack’s preferences to set hotkeys for Time Shift’s controls. Now your hands won’t even have to leave the keyboard when transcribing audio to text.

Time Shift’s global shortcuts

Tip #19: Make Your Own Keyboard Shortcuts

Audio Hijack offers built-in keyboard shortcuts for some of the most frequent actions, like starting a Session. However, you can also add your own keyboard shortcut for any menu item! This feature is actually built in to Mac OS X itself, and it’s incredibly handy. Just open System Preferences (under the Apple menu), then click Keyboard, and go to the Shortcuts tab. From the “App Shortcuts” section, you can add a shortcut for any menu option you like.

For more details on using this powerful OS feature, see this link.

That’s It!

I hope you found something useful to enhance your use of Audio Hijack! If you’ve got your own great tip to share, let us know via email, or with a comment below.

Take Control ArtworkIf you’re looking for additional tips, Kirk McElhearn’s Take Control of Audio Hijack eBook is worth your while. It’s just been updated for Audio Hijack version 3.3, and it contains a wealth of information to help you make the most of our software. Just click for more information on Take Control of Audio Hijack.

Finally, if you’re new to Audio Hijack, you can get $5 off your purchase through the end of June. Just head over to our store and enter coupon code TIPSFIVE before July 1st to save!

Audio Hijack 3.3 Brings Updates Big and Small

Audio Hijack IconLast year was a big one for our recording application Audio Hijack. We released Audio Hijack 3 in January, then followed that up with major updates to versions 3.1 and 3.2 later in the year. In fact, Audio Hijack 3 was so well-liked that iMore named it their “Mac App of the Year” for 2015. Not bad!

Of course, there’s always more to be done, and we’re not standing still. Today, we’re pleased to release Audio Hijack 3.3. This update includes several important enhancements, as well as dozens of smaller improvements to the application. It’s free for current owners of Audio Hijack 3, and you can get it by choosing “Check for Update” from the Audio Hijack menu.

Read on for more information on what’s new.

Major Updates in Audio Hijack 3.3

Perhaps the biggest change in the new version is one we expect folks won’t even notice: simpler, safer recording for the AAC and Apple Lossless formats. Audio Hijack now avoids the need for finalization at the end of recording with these formats, by saving them as so-called “fragmented” MP4s. These files are internally consistent at all times, which means there’s no processing delay at the end of long recordings and ensures that even a power outage won’t cause lost audio. With this change, Audio Hijack’s recordings are more bullet-proof than ever before.

We’ve also added a new preference to Audio Hijack, one that’s intended for our most advanced users. The new Latency slider can be used to reduce the time Audio Hijack takes to process audio, which helps in situations where a slight echo is heard while monitoring live. While Audio Hijack does its best to minimize latency by default, advanced users who wish to lower it further are now able to do so. The default setting (“More Reliable”) is recommended for most users1, but users like podcasters and musicians doing live monitoring can now reduce latency to the absolute minimum.

Our last major change is the addition of full support for capturing audio from Slack. If you use this wildly popular team communication tool like we do, you may know that Slack’s new Calls feature is rolling out to all users now. With it, you can make voice calls to other members of your Slack team. Now Audio Hijack 3.3 lets you capture and record that audio for later reference.

AH Capturing Slack

Many Smaller Improvements as Well

We receive a great deal of feedback on all of our products, and we work hard to prioritize updates based on it. For Audio Hijack 3.3, we knocked off several dozen of the smaller items we’ve had on our list for some time. These improvements aren’t as eye-catching as a major new feature, but they’re an important part of developing top-notch software nonetheless. Here’s a list of many of these updates:

  • The Menu Bar Meters block now shows proper Retina art in the menu bar. Our long, blurry nightmare is finally over. As well, the desired meter type is now correctly saved.

  • The Instant On component, which enables the capture of audio from all System Audio, running applications, as well as certain difficult-to-capture apps, has been updated to version 8.2.6. This update includes many small fixes and improvements.

  • Files in the Recordings tab can now be right-clicked to access a contextual menu, offering controls for manipulating the recording.

  • The Schedule area of the Home window will now visually indicate when conflicts exist between timers.

  • The Time Shift block has been improved in several ways, fixing a display issue with large jumps, providing a better VoiceOver value, and improving the explanatory text.

  • Presets for several blocks have been improved to save additional settings, including saving album art as part of Recorder block presets, saving all settings in the Application source block, and saving the specified channels in an Output block.

  • When an audio device’s name changes, Audio Hijack will immediately reflect the new name. This is especially relevant if you’re using our audio routing tool Loopback in conjunction with Audio Hijack.

  • Improvements have been made for visually impaired users using VoiceOver. When VoiceOver is active, a “Pin Popover Open” option is added to contextual menus for blocks. The popover window’s role has also been adjusted, so popovers appear in VoiceOver’s “Window Chooser”. Finally, labels for the “Close” and “Pin” buttons in popovers have been improved.

  • AirPlay output device name changes are now better recognized, and a better title (“No AirPlay Receiver Selected”) is shown if AirPlay doesn’t have a destination set.

  • The display of app names for background processes (accessible by holding option while clicking the Source selector in an Application block) has been improved.

  • Many additional smaller problems, rare crashes, and other issues have been corrected.

By making many small updates and fixes, we’ve polished Audio Hijack for the best user experience yet.

Update Now

You can get the latest Audio Hijack by selecting “Check for Update” from the Audio Hijack menu, or by downloading it from our site. This is a free update for all current owners of Audio Hijack 3. If you’re still using an older version of Audio Hijack or Audio Hijack Pro, we strongly urge you to take advantage of the discounted upgrade to version 3!

If you’ve never used Audio Hijack, today’s a great day to change that! Get started recording audio by downloading the free trial from our site.

P.S. Don’t Forget the Take Control eBook!

Take Control ArtworkLast year, we worked with the folks over at Take Control Books to help them create an in-depth guide to Audio Hijack. Audio expert Kirk McElhearn produced the Take Control of Audio Hijack eBook, and since then, it’s helped thousands of users make the most of Audio Hijack. Today, the book has received an update for the changes in Audio Hijack 3.3, so if you already have the book, be sure to download the just-released 1.1 edition.2

If you haven’t yet checked out this helpful eBook, just click for more information on Take Control of Audio Hijack. It’s a great way to learn how to make the most of Audio Hijack. Happy reading!


  1. Reducing latency increases the possibility that you’ll hear audio skips, particularly on slower or over-loaded Macs. Because of this, we recommend that most users leave this preference in its default state. The latency heard when this slider is set to “More Reliable” is already quite low and sufficient for nearly all uses. ↩︎

  2. To get the newest version of the book, just open your existing copy and click the link in the “About This Book” section. You’ll be taken to a page where you can download the newest version in any format. ↩︎

Our Software