Max Inspect shows you a lot of information about an application. This information is broken up into 5 sections, 1 panel at the top and 4 tabs.

Identity Panel


The top section (the identity panel) shows you brief information about the application's identity. This is where it all begins, when you select or drag and drop an app onto the "Application" file selector. It shows you the following information:

  • Bundle ID to uniquely identify the application.
  • Team ID to identify which individual or company produced the application.
  • App Sandbox Enabled tells you if the application conforms to the "Mac App Sandbox", most common on the Mac App Store.
  • Gatekeeper tells you whether Gatekeeper will allow or reject launching the application if you send it to somebody else (on the same version of macOS as you). If it will allow launching, it also tells you why it is permitted. Since the Gatekeeper check can take up to 10 minutes on large applications, it is not run by default.
  • In Quarantine tells you if the application will run under "App Translocation". This makes it difficult for the application to update itself or persist its installed state on the system.

Entitlements Tab


The entitlements tab shows you all the capabilities an application declares it wants access to. This may include file system access, printer access, USB access, CloudKit, photos access and more.

If the application does not use the App Sandbox (see App Sandbox Enabled above) then it likely has access to all these capabilities and more without having to declare them in the entitlements.

Code Signatures Tab


Code signatures are the digital signatures that tell you who the developer of an application is and let you verify the application wasn't tampered with since the developer created this version of the application. Digital signatures are made in a 'chain', where the upper level verifies the identity of the lower level and issues a valid certificate.

Click on a level in the chain to see a popover with all the information of the certificate. You can click and drag on the icon of the certificate to export the certificate to a file on your desktop. You can compare the certificate file's issue date, expiry date, fingerprint and other metadata between updates to see when the developer has changed signing certificates.


Most Mac applications have 3 levels in this chain. The first level is usually Apple's Root CA, the root of trust. They issue a certificate known as "Apple Worldwide Developer Relations Certification Authority" which is known commonly as the "intermediate certificate". Then when application developers have their identity verified they may be issued "Developer ID" certificates which contain their company / entity name and Team ID.

If you find an application that is signed by an unexpected entity then it may contain malware. For example, if you find Max Inspect on the internet signed by somebody other than Apple or Max Technology Labs PTY LTD then somebody may have downloaded Max Inspect, injected malware, then re-signed it with their own certificate (since they shouldn't have a copy of the Max Technology Labs PTY LTD signing certificates).

On the other hand, if you find an application that contains malware signed by the correct developer certificate then somebody may have stolen their signing certificate.

Both of these issues can be reported to Apple and they can revoke the certificates in question so the application won't launch anymore. See "Compromised Certificates" on https://developer.apple.com/support/certificates/ for more information.
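
The signer check described above (compare the chain and Team ID against the developer you expect), written as an added Python example that is not part of Max Inspect or its documentation. It parses the text that `codesign -dvv` prints on macOS; the sample output, the Team ID `ABCDE12345` and the function names are constructed for illustration.

```python
import re
import subprocess

# Constructed sample of `codesign -dvv` output (not from a real application).
SAMPLE = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Pty Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

def parse_codesign(text):
    """Extract bundle identifier, Team ID and the authority chain (leaf first)."""
    info = {"identifier": None, "team_id": None, "authorities": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info["identifier"] = value
        elif key == "TeamIdentifier":
            # Ad-hoc signed code reports "TeamIdentifier=not set".
            info["team_id"] = None if value == "not set" else value
        elif key == "Authority":
            info["authorities"].append(value)
    return info

def check_identity(info, expected_team_id, expected_root="Apple Root CA"):
    """Return a list of problems; an empty list means the signer matches the pin."""
    chain = info["authorities"]
    if not chain:
        return ["no certificate chain (unsigned or ad-hoc signed)"]
    problems = []
    if chain[-1] != expected_root:
        problems.append(f"unexpected root: {chain[-1]}")
    if info["team_id"] != expected_team_id:
        problems.append(f"Team ID {info['team_id']} != expected {expected_team_id}")
    # The leaf certificate name ends with the Team ID in parentheses.
    m = re.search(r"\(([A-Z0-9]{10})\)$", chain[0])
    if not m or m.group(1) != expected_team_id:
        problems.append(f"leaf certificate not issued to {expected_team_id}: {chain[0]}")
    return problems

def inspect_app(path):
    """Run codesign on macOS; it writes the signing details to stderr."""
    out = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return parse_codesign(out.stderr)
```

The names parsed here are display strings, so run `codesign --verify` as well before trusting a match.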

Info.plist Tab


This tab tells you everything in the Info.plist of the application. Here you can see things such as the version number, what privacy requests it makes and for what reason, what documents the application can open, what the minimum version of macOS the application supports and more.

DYLD Libraries Tab


This tab tells you what libraries the application links at launch time, but the application may link against more at runtime. This is a good indication of how an application performs a task or what 3rd party libraries it uses without having to run it, though it is not a complete picture.