One of the best tools in my OS X toolbox is Little Snitch, a program that monitors and blocks outbound network connections. Little Snitch is great because it prevents apps from "phoning home" when I don't really want them to. It also gives me comfort knowing that if a rogue application is installed, Little Snitch will tell me if it tries to make an outbound connection.
Recently, I found another application that takes this one step further. Metakine's Hands Off! is a tool very much like Little Snitch in that it will alert you on outbound network connections, prompting you as to whether or not the connection should be permitted.
Hands Off!, however, goes further than that. Not only does it intercept outbound traffic, but it also protects against inbound network traffic. Yes, this largely reproduces the built-in OS X firewall protections, but with Hands Off! you can easily identify which applications are enabled, or blocked, within one tool. Beyond that, Hands Off! also alerts when applications want to do simple things like DNS resolution: you can allow DNS resolution to specific domains and keep an app in the dark about other domains.
Rules page in Hands Off!
Another area that Hands Off! helps to protect is file access. While Little Snitch only protects the network, Hands Off! also protects the file system. It intercepts an application's attempts to read from or write to files on the system, allowing you to build a flexible policy of what an application can access. This is particularly welcome for risky applications like web browsers, which should only access their own preferences and caches unless you explicitly want them to access something else (such as saving a file or uploading one).
Hands Off! access alert
If a rogue application is installed, Hands Off! will prevent it from phoning home, listening on any ports for incoming traffic, and reading from or writing to any files. This is welcome protection, especially in an age where applications make network connections behind your back all the time, and read from and write to files they probably shouldn't have access to.
Hands Off! costs about $25 USD, and that is pretty good value for something like this. Initially running it will be an exercise in frustration, however, because the initial configuration is pretty sparse, so every application you run will get interrupted by Hands Off! at least once. However, taking the time to read what it is telling you, to ensure you are allowing access that you want, is essential. You can set legitimate connections to be allowed forever, and you will never be asked again to confirm what an application should be doing; you will be prompted only when it's doing something you defined it shouldn't be doing.
Each application has a default security preset, which allows you to define the defaults for network usage and file writing. Typically, and for the sake of simplicity, you might set a default "Allow" preset for file writing for trusted applications, and a default "Ask" for network usage, which will then allow you to exactly specify what ports and domains the application can connect to.
Define defaults for applications
On each alert, you can hit Enter to allow, and Esc to deny. This will allow, or deny, the operation until the application quits and is restarted. This allows you to avoid making permanent changes to your policy if you haven't decided on what policy you want, or if it's an application that you would probably allow, but want to know what it's doing before it does it.
Hands Off! is pretty impressive. I've been using Little Snitch for years, but with the feature set that Hands Off! is sporting, it is now the default "watchdog" on my laptop (which has higher security requirements) and will soon be the default on my other systems.
If you currently use Little Snitch, you owe it to yourself to give Hands Off! a try.
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.