If you discover a security vulnerability in Fabar, please do not open a public GitHub issue. Instead:
- Email: contact@gigaptera.com
- Include:
  - Vulnerability description
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Allow 7–14 days for a response and patch before public disclosure
Fabar requires the "Audio Recording" permission (macOS TCC) to use Core Audio Process Tap. This is:
- ✅ Legitimate: Required by Core Audio's process-tap API (public API since macOS 14.2)
- ✅ Isolated: Fabar only reads audio data, does not transmit or store it
- ✅ Transparent: Permission request is explicit (System Settings → Privacy & Security)
Users grant this permission themselves; Fabar cannot request it silently.
Prebuilt Releases:
- Code-signed with Developer ID Application
- Notarized by Apple (verified via `xcrun stapler validate`)
Self-Built Binaries:
- Sign with your own Developer ID or ad-hoc signing
- macOS may require security exemptions; follow Apple's guidelines
No Network Access:
- Fabar never connects to the internet
- No telemetry, no analytics, no tracking
- Audio is not recorded, stored, or transmitted
Settings Storage:
- Per-app volume preferences stored in `~/Library/Preferences/app.gigaptera.macsoundmixer.plist`
- Settings are plaintext (currently not encrypted)
- User has full read/write access to this file
Logs:
- Diagnostic logs written to `~/Library/Logs/Fabar/Fabar.log`
- Logs may contain app names and sample rates
- The log file is cleared when it exceeds 2 MB
- Exported logs are user-controlled
How Process Tap Works:
- Fabar requests a tap on a specific app's audio process
- Core Audio intercepts that app's output
- Fabar reads the audio data (in-memory only)
- Fabar re-renders at adjusted gain to the output device
Implications:
- ✅ Fabar can read audio from any app (requires audio-recording permission)
- ⚠️ Fabar has visibility into that audio stream (not other processes)
- ✅ Fabar does not capture audio to disk (unless user explicitly exports logs)
- ✅ Fabar cannot modify audio from apps it hasn't tapped
Fabar is built with:
- ✅ Hardened Runtime enabled (`ENABLE_HARDENED_RUNTIME = YES`)
- ✅ Code signing with Developer ID
- ✅ Minimal entitlements (only `com.apple.security.device.audio-input`)
| Risk | Mitigation |
|---|---|
| Memory corruption in render callback | Callback uses unsafe pointers intentionally (required for realtime safety: no locks, no allocation); it only touches preallocated ring-buffer memory |
| Buffer overflows in ring buffer | Power-of-two capacity with index masking; reads/writes cannot leave the buffer |
| Stale reads in gain ramping | Acknowledged in code comment; impact is inaudible |
| Process Tap permissions denial | Handled gracefully; UI shows permission hint |
| Orphaned taps on crash | Cleaned up on next launch via `destroyOrphanedAggregateDevices()` |
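The two realtime-safety rows above (no locks or allocation in the render callback; power-of-two capacity with index masking so reads and writes cannot leave the buffer) are easier to reason about with a concrete buffer in hand. The following is an added example, not Fabar's own code: a single-producer/single-consumer ring buffer in C with a capacity of 8 float samples (an assumed size), C11 atomics instead of locks, and a `ring_wrap_check()` driver that pushes indices far past the capacity to show that every access still lands inside the preallocated array.

```c
// Added example (not Fabar's code): SPSC ring buffer with power-of-two
// capacity and index masking. The producer (think: the tap callback) and the
// consumer (think: the render callback) never lock or allocate; the indices
// grow monotonically and are masked on every access, so no read or write can
// address memory outside `samples`.
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RING_CAPACITY 8u            // assumed size; must be a power of two
#define RING_MASK (RING_CAPACITY - 1u)

typedef struct {
    float samples[RING_CAPACITY];   // preallocated: nothing is malloc'd on the hot path
    _Atomic uint32_t write_pos;     // advanced only by the producer
    _Atomic uint32_t read_pos;      // advanced only by the consumer
} ring_t;

void ring_init(ring_t *r) {
    atomic_store_explicit(&r->write_pos, 0, memory_order_relaxed);
    atomic_store_explicit(&r->read_pos, 0, memory_order_relaxed);
}

// Samples available to the consumer. Unsigned subtraction stays correct when
// the 32-bit counters wrap because the capacity divides 2^32.
uint32_t ring_count(const ring_t *r) {
    uint32_t w = atomic_load_explicit(&r->write_pos, memory_order_acquire);
    uint32_t rd = atomic_load_explicit(&r->read_pos, memory_order_acquire);
    return w - rd;
}

// Producer: drop the sample (return false) rather than overwrite unread data.
bool ring_push(ring_t *r, float sample) {
    uint32_t w = atomic_load_explicit(&r->write_pos, memory_order_relaxed);
    uint32_t rd = atomic_load_explicit(&r->read_pos, memory_order_acquire);
    if (w - rd == RING_CAPACITY) return false;          // full
    r->samples[w & RING_MASK] = sample;                 // masked: always in [0, capacity)
    atomic_store_explicit(&r->write_pos, w + 1, memory_order_release);
    return true;
}

// Consumer: return false on an empty buffer (a realtime caller would emit
// silence instead of blocking).
bool ring_pop(ring_t *r, float *out) {
    uint32_t rd = atomic_load_explicit(&r->read_pos, memory_order_relaxed);
    uint32_t w = atomic_load_explicit(&r->write_pos, memory_order_acquire);
    if (w == rd) return false;                          // empty
    *out = r->samples[rd & RING_MASK];
    atomic_store_explicit(&r->read_pos, rd + 1, memory_order_release);
    return true;
}

// Push `rounds` samples through a fresh buffer, draining one whenever it is
// full so the indices cross the capacity boundary many times. Returns how
// many samples came back in FIFO order; equals `rounds` when masking is sound.
uint32_t ring_wrap_check(uint32_t rounds) {
    ring_t r;
    ring_init(&r);
    uint32_t ok = 0, expected = 0;
    float s;
    for (uint32_t i = 0; i < rounds; i++) {
        if (!ring_push(&r, (float)i)) return ok;        // cannot happen: we drain when full
        if (ring_count(&r) == RING_CAPACITY) {
            if (ring_pop(&r, &s) && s == (float)expected) ok++;
            expected++;
        }
    }
    while (ring_pop(&r, &s)) {
        if (s == (float)expected) ok++;
        expected++;
    }
    return ok;
}

// Push `n` samples without consuming; returns how many were rejected as the
// buffer was full (n - capacity for n > capacity, otherwise 0).
uint32_t ring_drop_count(uint32_t n) {
    ring_t r;
    ring_init(&r);
    uint32_t dropped = 0;
    for (uint32_t i = 0; i < n; i++)
        if (!ring_push(&r, (float)i)) dropped++;
    return dropped;
}

int main(void) {
    printf("FIFO order across wraps: %u/1000\n", ring_wrap_check(1000));
    printf("dropped when pushing 20 into capacity %u: %u\n",
           RING_CAPACITY, ring_drop_count(20));
    return 0;
}
```

The masks only work because the capacity is a power of two; if the capacity were ever made configurable, the init path would need to reject non-power-of-two values, since `w & RING_MASK` with a mask that is not all ones would silently skip slots rather than overflow.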
Fabar has zero runtime dependencies beyond Apple frameworks:
- No third-party libraries
- No package-manager dependencies (no Carthage, no SPM packages)
- Built entirely with Swift + AppKit + Core Audio
This minimizes supply chain risk.
| Version | Status | Support Ends |
|---|---|---|
| 1.0+ | Current | Ongoing |
| 0.x | Archive | Historical only |
Security updates are released as minor/patch versions when applicable.
Example (hypothetical):
- 2026-06-15: Vulnerability reported via email
- 2026-06-16: Acknowledgment sent
- 2026-06-22: Patch developed and tested
- 2026-06-23: Version 1.0.1 released (includes fix)
- 2026-06-24: Security advisory published (post-patch)
Questions? Contact via GitHub Discussions or email.