Spook is a network traffic monitor that displays per-application network activity. This document describes the security model, data handling, and potential concerns.
Spook uses three system utilities to gather network data:
| Command | Path | Purpose |
|---|---|---|
| netstat | /usr/sbin/netstat | Total network interface statistics |
| nettop | /usr/bin/nettop | Per-process network traffic |
| lsof | /usr/sbin/lsof | Active network connections |
Security notes:
- All executable paths are hardcoded (no PATH lookup)
- No user input is passed to these commands
- Commands run with the same privileges as the app (user-level, no root required)
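The following is an added illustration of those three notes, not Spook's own code: the utility is spawned by absolute path with a fixed argument vector and no shell, and its output is treated as untrusted text rather than parsed by column position. It assumes lsof is invoked with `-F` (one field per line, prefixed by a tag letter: `p` pid, `c` command, `f` fd, `t` type, `P` protocol, `n` name, `T` TCP state); the flag set and the sample output are constructed for the example.

```python
"""Added example (not Spook's code): run lsof by absolute path with a fixed
argv and parse its machine-readable -F field output.

Assumption: lsof is called as `lsof -i -n -P -F pcftPnT`, so each field
arrives on its own line. SAMPLE_OUTPUT is constructed, not captured.
"""
import subprocess
from dataclasses import dataclass

LSOF_PATH = "/usr/sbin/lsof"                      # hardcoded path: no PATH lookup
# -i: internet sockets; -n/-P: no DNS or service-name lookups; -F: field output
LSOF_ARGV = [LSOF_PATH, "-i", "-n", "-P", "-F", "pcftPnT"]

@dataclass(frozen=True)
class Connection:
    pid: int
    command: str      # untrusted: whatever the process calls itself
    proto: str        # "TCP" or "UDP"
    name: str         # e.g. "10.0.0.5:52213->93.184.216.34:443"
    state: str        # e.g. "ESTABLISHED"; empty for UDP

def run_lsof() -> str:
    """Spawn lsof with no shell and a fixed argv; no user input reaches it."""
    proc = subprocess.run(LSOF_ARGV, capture_output=True, text=True,
                          check=False, env={"PATH": "/usr/bin:/bin"})
    return proc.stdout

def parse_lsof_fields(text: str) -> list[Connection]:
    """Turn -F output into Connection records. Field order inside a file set
    is not relied upon and unknown tags are ignored."""
    conns: list[Connection] = []
    pid = -1
    command = ""
    current: dict[str, str] = {}

    def flush() -> None:
        # Keep only sockets that carry an address; drop file sets without 'n'.
        if current.get("n"):
            conns.append(Connection(
                pid=pid,
                command=command[:256],        # cap length; opaque text, never executed
                proto=current.get("P", ""),
                name=current["n"],
                state=current.get("T", ""),
            ))
        current.clear()

    for raw in text.splitlines():
        if not raw:
            continue
        tag, value = raw[0], raw[1:]
        if tag == "p":                        # new process set
            flush()
            pid = int(value) if value.isdigit() else -1
            command = ""
        elif tag == "c":
            command = value
        elif tag == "f":                      # new file set within the process
            flush()
        elif tag == "T":
            # T repeats (TST=, TQR=, TQS=); keep only the connection state.
            if value.startswith("ST="):
                current["T"] = value[3:]
        elif tag in ("P", "n", "t"):
            current[tag] = value
    flush()
    return conns

def remote_endpoints(conns: list[Connection]) -> dict[str, str]:
    """Map 'pid:command' to the remote address (the part after '->')."""
    out: dict[str, str] = {}
    for c in conns:
        if "->" in c.name:
            out[f"{c.pid}:{c.command}"] = c.name.split("->", 1)[1]
    return out

# Constructed sample. The second process name contains shell and SQL
# metacharacters; here they are data and never reach a shell or a query.
SAMPLE_OUTPUT = "\n".join([
    "p4242", "cGoogle Chrome", "f31", "tIPv4", "PTCP",
    "n10.0.0.5:52213->93.184.216.34:443", "TST=ESTABLISHED", "TQR=0", "TQS=0",
    "f35", "tIPv6", "PUDP", "n*:5353",
    "p777", "cevil'; DROP TABLE history;--", "f3", "tIPv4", "PTCP",
    "n10.0.0.5:60000->203.0.113.9:8443", "TST=SYN_SENT",
]) + "\n"

if __name__ == "__main__":
    for conn in parse_lsof_fields(run_lsof()):
        print(conn)
```

Parsing by tag rather than by whitespace-separated columns matters because the COMMAND column in lsof's default table output is truncated and can contain spaces; the field form keeps a process name with embedded spaces or punctuation intact while keeping it firmly on the data side.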
Spook does not require:
- Administrator/root access
- System Integrity Protection (SIP) modifications
- Kernel extensions
- Network extensions or content filters
| Data Type | Purpose | Storage |
|---|---|---|
| Process names | Display in app list | Memory only (not persisted) |
| Process IDs | Match traffic to apps | Memory only |
| Remote IP addresses | Show connection details | Memory only |
| DNS-resolved hostnames | Show friendly names | In-memory cache (5 min TTL) |
| Byte counts (total/per-app) | Historical graphs | SQLite database |
| Daily/hourly aggregates | Usage trends | SQLite database |
Spook does not collect:
- Packet contents or payloads
- URLs or HTTP request data
- Authentication credentials
- Personal identifiable information
- Any data transmitted off-device
Historical data is stored in:
~/Library/Application Support/Spook/history.sqlite
- Data is stored locally only
- No cloud sync or network transmission
- Automatic pruning after 30 days
- User can clear all history via Settings
Spook does not:
- Phone home or check for updates
- Collect analytics or usage metrics
- Transmit monitoring data over the network
- Include any third-party analytics SDKs
All monitoring data stays on your Mac. The one network activity the app generates itself is the reverse DNS lookup that produces the hostnames shown in the detail view: those lookups are ordinary DNS queries for the remote IP addresses already in the list, and their results are cached in memory for five minutes. Spook opens no other connections of its own.
The app displays:
- Which applications are using the network
- Remote IP addresses and ports
- Resolved hostnames
This information could be sensitive in shared environments. Consider:
- Closing the detail window when screen sharing
- Not pinning the window when others can see your screen
Process names are taken from the output of the system tools above and displayed as-is. Any local program can give itself whatever name it likes, so names are treated as untrusted data: rendering them as plain text is safe, and all database access uses parameterized SQL queries so that a name containing quotes or other special characters cannot change the meaning of a statement.
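An added illustration (not Spook's code) of the point above and of the 30-day pruning described earlier: the string-formatted insert shows how a process that names itself cleverly could forge its own byte counts, the parameterized insert stores the same name harmlessly, and the prune binds its cutoff instead of formatting it in. The schema, column names and function names are assumptions; the page itself names only history.sqlite, a 30-day retention period and a function called pruneOldData.

```python
"""Added example (not Spook's code): SQL injection via a process name,
beside the parameterized form, plus a bound-parameter 30-day prune.

Assumptions: schema and names below are illustrative; timestamps are stored
as ISO-8601 UTC strings so that text comparison orders them correctly.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE history (
    ts        TEXT    NOT NULL,   -- sample time, ISO-8601 in UTC
    process   TEXT    NOT NULL,   -- process name exactly as the system tools reported it
    bytes_in  INTEGER NOT NULL,
    bytes_out INTEGER NOT NULL
);
"""

def open_db() -> sqlite3.Connection:
    """In-memory stand-in for ~/Library/Application Support/Spook/history.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_sample_unsafe(db, process: str, bytes_in: int, bytes_out: int, ts: str) -> None:
    """VULNERABLE: the process name becomes part of the SQL text. A local
    program chooses its own name, so it can forge its recorded byte counts
    (a single quote alone is enough to break the statement)."""
    db.execute(
        f"INSERT INTO history VALUES ('{ts}', '{process}', {bytes_in}, {bytes_out})"
    )

def record_sample(db, process: str, bytes_in: int, bytes_out: int, ts: str) -> None:
    """Parameterized: the name is bound as a value and never parsed as SQL."""
    db.execute(
        "INSERT INTO history VALUES (?, ?, ?, ?)", (ts, process, bytes_in, bytes_out)
    )

def prune_old_data(db, now: datetime, keep_days: int = 30) -> int:
    """Delete samples older than keep_days; the cutoff is bound, not formatted in.
    Returns the number of rows removed."""
    cutoff = (now - timedelta(days=keep_days)).isoformat()
    cur = db.execute("DELETE FROM history WHERE ts < ?", (cutoff,))
    db.commit()
    return cur.rowcount

def rows(db) -> list[tuple]:
    return db.execute(
        "SELECT process, bytes_in, bytes_out FROM history ORDER BY rowid"
    ).fetchall()

# Constructed process name: closes the string literal, supplies its own
# numbers and comments out the remainder of the statement.
FORGED_NAME = "x', 0, 9999999) -- "

def demo() -> dict:
    """Run the three scenarios on fresh in-memory databases."""
    now = datetime(2026, 2, 15, tzinfo=timezone.utc)
    aged = open_db()
    record_sample(aged, "Safari", 10, 20, (now - timedelta(days=40)).isoformat())
    record_sample(aged, "Safari", 30, 40, (now - timedelta(days=1)).isoformat())
    pruned = prune_old_data(aged, now)
    bad = open_db()
    record_sample_unsafe(bad, FORGED_NAME, 100, 200, now.isoformat())
    good = open_db()
    record_sample(good, FORGED_NAME, 100, 200, now.isoformat())
    return {"pruned": pruned, "kept": rows(aged), "unsafe": rows(bad), "safe": rows(good)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the unsafe path the row lands as `('x', 0, 9999999)`: the forged numbers are what the usage graphs would plot. In the parameterized path the same string is stored verbatim as the process name and the real counts survive.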
For distribution, the app should be properly code signed:

```bash
# Ad-hoc signing (current)
codesign --force --sign - Spook.app

# For distribution, use a Developer ID
codesign --force --sign "Developer ID Application: Your Name" Spook.app

# Verify the resulting signature before shipping
codesign --verify --deep --strict --verbose=2 Spook.app
```

An ad-hoc signature carries no signer identity, so Gatekeeper will not accept a download signed that way; builds distributed outside the Mac App Store need a Developer ID signature and notarization.

If you discover a security vulnerability, please:
- Do not open a public issue
- Email the maintainer directly with details
- Allow reasonable time for a fix before disclosure
| Date | Auditor | Findings |
|---|---|---|
| Jan 2026 | Initial development | SQL injection in pruneOldData (fixed) |