hide a script from appearing in "Get Info" of a File?

Is there any way to modify the code within a script, or use a 3rd party application, so that the Mac would not reveal the entire code of the script in the preview pane when one chooses to “get info” for the .scpt or .app file?

Reason I ask is because I often share scripts that include various Administrator usernames and passwords, which should not be known by the individuals using the scripts.

Yes, I do realize a savvy user could easily open the script in Script Editor, but the get info preview is more glaring and obvious.

Thanks,
-Jeff

In Script Editor

  • Choose menu File > Export
  • In the dialog check Run-only.

Now nobody (not even you) can open the file in any (Script) Editor

CAUTION. Even when a script is saved as Run-only, everybody may read the strings embedded in it.
Just a sample :

do shell script "abcdef " user name "BillyTheKid" password "openTheDoor" with administrator privileges

Export it as run-only script or run-only application.
If you export as script, drop the file onto TextEdit’s icon.
If you export as application, reveal the content of the application then drop the embedded main.scpt onto TextEdit’s icon.
In both cases you will get:
[format]FasdUAS 1.101.10ˇˇˇ˛ˇˇˇ˛ˇ˝ˇ˝ˇ¸
ˇ¸.aevtoappnullÄêˇ˚ˇ˙ˇ˘ˇ¯Ë‡Ëœ
ˇ˚.aevtoappnullÄê
ˇ˙ˇ˘ˇ¯Ë‡Ë†Ë‡Ä± ˇÙˇÛˇÚ±

abcdef
ˇˆ
RAun±BillyTheKid
ˇı
RApw ±openTheDoor
ˇÙ
badmˇÛ
ˇÚ.sysoexecTEXTˇˇÄTEXTˇ˜¡·šž°Ã‚eÊascr
˙fifi≠[/format]

As you see the supposed hidden strings are perfectly readable.

Yvan KOENIG running Sierra 10.12.5 in French (VALLAURIS, France) Saturday 17 June 2017 10:48:03
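A check to run on an exported file before sharing it, as an added example that is not part of the original post: it looks for readable literals right after the `RAun` and `RApw` parameter codes visible in the dump above, in both ASCII and UTF-16BE. The byte layout, the 48-byte window and the sample blobs are assumptions constructed for illustration.

```python
import re

# Four-character parameter codes that precede the two credentials in the
# dump above: "RAun" (user name) and "RApw" (password).
MARKERS = {b"RAun": "user name", b"RApw": "password"}
WINDOW = 48   # assumption: a literal argument starts within 48 bytes of its code
MIN_LEN = 4   # shortest printable run reported as a candidate literal

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % MIN_LEN)

def first_literal(chunk):
    """Return the earliest printable run in chunk (ASCII or UTF-16BE), or None."""
    hits = []
    m = ASCII_RUN.search(chunk)
    if m:
        hits.append((m.start(), m.group().decode("ascii")))
    m = UTF16_RUN.search(chunk)
    if m:
        hits.append((m.start(), m.group().decode("utf-16-be")))
    return min(hits)[1] if hits else None

def credential_candidates(data):
    """List (parameter, literal) pairs found directly after a credential code."""
    findings = []
    for code, label in MARKERS.items():
        for m in re.finditer(re.escape(code), data):
            chunk = data[m.end():m.end() + WINDOW]
            for other in MARKERS:            # stop at the next parameter code
                chunk = chunk.split(other)[0]
            text = first_literal(chunk)
            if text:
                findings.append((label, text))
    return findings

# Constructed byte strings modelled on the dump above, not real exported files.
HEADER = b"FasdUAS 1.101.10\xff\xfe"
PLAIN_ASCII = (HEADER + b"RAun\x00\x0bBillyTheKid\xff\xf5"
               b"RApw\x00\x0bopenTheDoor\xff\xf4badm")
PLAIN_UTF16 = (HEADER + b"RAun\x00\x16" + "BillyTheKid".encode("utf-16-be")
               + b"\xff\xf5RApw\x00\x16" + "openTheDoor".encode("utf-16-be")
               + b"\xff\xf4badm")
OBFUSCATED = (HEADER + b"RAun" + bytes.fromhex("fff186fe9b37ce0a9f39")
              + b"RApw" + bytes.fromhex("fff1b826b12fa822ce0e"))

if __name__ == "__main__":
    for name, blob in [("ascii", PLAIN_ASCII), ("utf16", PLAIN_UTF16),
                       ("obfuscated", OBFUSCATED)]:
        print(name, credential_candidates(blob))
```

Results are candidates for review: binary structure can contain short printable runs, and an empty result only means no literal sits next to the parameter codes, not that the credential cannot be recovered.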

Exporting as run only is excellent and it addresses the primary issue I was trying to solve. Thank you very much Stefan.

Dropping the script file into Text Edit will reveal various code strings, but that is not as much of a concern (for me at least). - Not saying that a solution to this would be interesting.

Thanks,
-Jeff

If you share scripts containing user names and passwords, you deserve to have them discovered. :wink: But if the scripts are to be distributed as run only, you can at least obfuscate the string’s derivations:

local a, b

-- At run time, calculate the ids of "BillyTheKid" and "openTheDoor" and get the equivalent strings.
set a to {30 + 36, 57 + 48, 17 + 91, 34 + 74, 121.997 div 1, 28 * 3, 407 - 303.0, 47 + 54, 200 * 3 / 8, 10 ^ 2 + 5, 37 + 63}
set b to {3 * 37, 28 * 4, 10201 ^ 0.5, 22 * 5, 37 + 47, 2 + 67 + 35, 299 - 198, 17 * 4, 17 * 5 + 26, 10 ^ 2 + 10 ^ 0 + 10 ^ 1, 114}
do shell script "abcdef " user name (string id a) password (string id b) with administrator privileges

Quick and dirty way to hide the username and password.

Run this first script :

set liste1 to my encode("BillyTheKid")
set liste2 to my encode("openTheDoor")
{"userName", liste1, "password", liste2}

on encode(aString)
	set characterIDs to text items of aString
	
	set numberValues to {}
	repeat with aChar in characterIDs
		set itsID to id of aChar
		set itsKey to random number from 50 to 100
		set numberValues to numberValues & {itsID + itsKey, itsID - itsKey}
	end repeat
	return numberValues
end encode

The result will be something like :
[format]{“userName”, {165, -33, 177, 33, 184, 32, 179, 37, 200, 42, 179, -11, 200, 8, 183, 19, 139, 11, 199, 11, 163, 37}, “password”, {199, 23, 191, 33, 162, 40, 192, 28, 176, -8, 192, 16, 171, 31, 150, -14, 199, 23, 176, 46, 209, 19}}
[/format]

Create the real script in a temporary version:

main()

on main()
	do shell script "abcdef " user name my _("username") password my _("password") with administrator privileges
end main
on _(l)
	set s to ""
	repeat with i from 1 to count l by 2
		set s to s & character id (((l's item i) + (l's item (i + 1))) div 2)
	end repeat
	return s
end _

Replace “username” by the first list returned by the first script.
Replace “password” by the second list returned by the first script.

The script will become something like :

main()

on main()
	do shell script "abcdef " user name my _({134, -2, 155, 55, 206, 10, 159, 57, 181, 61, 137, 31, 163, 45, 195, 7, 148, 2, 197, 13, 190, 10}) password my _({184, 38, 177, 47, 168, 34, 206, 14, 162, 6, 162, 46, 192, 10, 153, -17, 209, 13, 167, 55, 185, 43}) with administrator privileges
end main
on _(l)
	set s to ""
	repeat with i from 1 to count l by 2
		set s to s & character id (((l's item i) + (l's item (i + 1))) div 2)
	end repeat
	return s
end _

Save it .
Open it in TextEdit. You will get something like :

In which it will not be easy to recognize the username and the password.

Yvan KOENIG running Sierra 10.12.5 in French (VALLAURIS, France) Saturday 17 June 2017 18:54:19

You are correct Nigel, I am not as concerned as it may appear. Nevertheless, these workarounds to mask them with are extremely NICE and I will test and use them. Thank you all very much.

That’s why you write encryptors. Simple math operators can easily be decrypted so you need a public/private key encoding so that even the same username and password is saved differently. Having a plain text or static code is equally dangerous because the op-code of AppleScript is quite easy to read.

I’m getting a bit off-topic here, but thought this might be useful to someone:

I’m in a situation where it’s extremely practical to store usernames and passwords in AppleScripts. And having those usernames and passwords in the hands of a malicious actor could have devastating consequences.

Our solution to the potential security issues is this:

  • Make the scripts containing them accessible via cloud synced folder
  • Have a metascript that automatically opens scripts with usernames and passwords on a regular basis and changes the usernames and passwords to new random ones, changing them on the related system at the same time.

Thus people can extract the usernames and passwords if they want, but they’re not useful for anything nefarious. If they had access to the script to get the username and password, then they already had access to the resource that username and password go to, because the script connects them. (We’re only using this for things like connecting to remote volumes where there are not greater privileges to be abused with the username and password than the script itself makes use of.)

When we need to revoke someone’s access, then we just revoke folder syncing for the script’s folder. It doesn’t matter if the user copied the folder and thus still has the script, or if they extracted the username/password, because these things change regularly and the newly changed credentials won’t sync to them.

Also, it isn’t annoying that the usernames and passwords are constantly changing, because they’re only used by the scripts, which sync, so nobody ever has to actually know them / keep track of them.
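One way the rotation step of such a metascript could look, as an added example that is not the poster's code: it generates new random credentials, applies them on the server first, and only then atomically rewrites the synced script. The plain-text script template, the `example.invalid` host and the `apply_on_server` callback are hypothetical.

```python
import os
import secrets
import string
import tempfile

# Letters and digits only, so the values need no escaping inside the script source.
ALPHABET = string.ascii_letters + string.digits

# Hypothetical script source kept in the synced folder (placeholder host).
TEMPLATE = ('mount volume "smb://files.example.invalid/share" '
            'as user name "{user}" with password "{password}"\n')

def random_token(length):
    """Random string drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate(script_path, apply_on_server):
    """Rotate the credentials embedded in script_path.

    apply_on_server(user, password) is a hypothetical callback that changes
    the account on the related system and raises if that fails.
    """
    user, password = "svc_" + random_token(8), random_token(24)
    # Server first: if this raises, the synced script keeps its working credentials.
    apply_on_server(user, password)
    folder = os.path.dirname(os.path.abspath(script_path))
    fd, tmp = tempfile.mkstemp(dir=folder, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(TEMPLATE.format(user=user, password=password))
        # Atomic swap: the sync client sees the old or the new file, never half of one.
        os.replace(tmp, script_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return user, password
```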