Is there a way to password protect individual apps?

Is it possible to password protect a specific Mac application?

For example, I am interested in protecting Mail because even if you cannot retrieve new emails, you still can read all the already received emails.

This is not a question about security. It's about sharing a device within a family. I don't have crucial information. I just want to avoid my girl or son to send accidentally emails from my account or prevent them to read some of them.

Regarding your comment on Paul's answer, wanting to leave your computer for a moment: you have to lock your computer. Period.

Open System Preferences, click Security (top row, second to last option), under the "General" tab, check the box for "Require password [immediately] after sleep or screen saver begins".

Then, when you go to walk away from your computer;

Ctrl ⌃+Shift ⇧+Eject ⏏

(Additional notes: Click the above line.)

Lock your Mac. Walk away. Come back, enter your password to unlock it. Secured console.

It's possible using scripts.

First, you should enable the script menu in the OS X menu bar. Read the "Script Menu" section here: Enable the Script Menu

Now open your Library/Scripts folder and create a file called "run_with_password.rb" with these contents (change "johndoe" to your username):

#!/usr/bin/env ruby
# run an app at lower privilege

require 'etc'
require 'find'

# Note: anyone with sudo access will be able to run as this user. But they could do that anyway.
# run 'id' at the terminal to find out what your username is.
RUN_USER = 'johndoe'

def get_root_info
  root_entry = Etc.getpwnam('root')
  return root_entry.uid, root_entry.gid
end

ROOT_UID, ROOT_GID = get_root_info

def ensure_root
  Process.uid = ROOT_UID
  Process.gid = ROOT_GID
end

def print_user_info
  [
   [:uid, Process.uid],
   [:gid, Process.gid],
   [:euid, Process.euid],
   [:egid, Process.egid],
  ].each do |arr|
    $stderr.puts arr.inspect
  end
end

def set_effective(euid, egid)
  $stderr.puts "setting effective to #{[euid, egid].inspect}"  if $DEBUG
  # must set group first
  Process.egid = egid
  Process.euid = euid
end

def do_privileged(&block)
  orig_euid = Process.euid
  orig_egid = Process.egid
  begin
    $stderr.puts "raising privileges"  if $DEBUG
    set_effective(ROOT_UID, ROOT_GID)
    yield orig_euid, orig_egid
  ensure
    $stderr.puts "lowering privileges"  if $DEBUG
    set_effective(orig_euid, orig_egid)
  end
end

# must be called after ROOT_UID, ROOT_GID are set
def chmod_files_in_dir(mode, dir)
  mode_str = nil
  case mode
  when Integer
    mode_str = '%o' % mode
  when String
    mode_str = mode
  else
    raise TypeError
  end
  chmod_proc = proc do
    Find.find(dir) {|entry|
      if File.directory?(entry) and entry != dir
        Find.prune  # don't recurse into subdirs
      elsif File.file?(entry)
        $stderr.puts "chmod #{mode_str} #{entry}"  if $DEBUG
        system 'chmod', mode_str, entry
      end
    }
  end
  # assume that if dir is owned by root, the executables are also.
  if File.stat(dir).uid == ROOT_UID
    do_privileged(&chmod_proc)
  else
    chmod_proc.call
  end
end

def main(argv)
  # Important: this is to abort if we're not running as root.
  ensure_root

  app_path = argv.shift or raise "Need path to .app file, e.g. /Applications/Mail.app"
  app_macos_dir = File.join(app_path, 'Contents/MacOS')
  File.directory?(app_path) or raise "#{app_path} is not an app bundle"
  File.directory?(app_macos_dir) or raise "#{app_path} bundle doesn't have expected MacOS structure"

  pw_entry = Etc.getpwnam(RUN_USER)
  run_uid = pw_entry.uid
  run_gid = pw_entry.gid


  if $DEBUG
    $stderr.puts [:run_uid, run_uid].inspect
    $stderr.puts [:run_gid, run_gid].inspect
    print_user_info
  end

  # Effectively become RUN_USER
  set_effective(run_uid, run_gid)

  if $DEBUG
    print_user_info
  end

  begin
    chmod_files_in_dir('+x', app_macos_dir)
    # 'open' is asynchronous, so the ensure will run immediately after, and before the app exits.
    $stderr.puts "Running app: #{app_path}"  if $DEBUG
    system 'open', app_path
  ensure
    chmod_files_in_dir('-x', app_macos_dir)
  end
end

if __FILE__ == $0
  $DEBUG = false
  main(ARGV)
end

Next, start Script Editor and paste in this code (again changing johndoe to your username):

do shell script "ruby /Users/johndoe/Library/Scripts/run_with_password.rb /Applications/Mail.app" with administrator privileges

Save the file into Library/Scripts as "mail_with_password", making sure the File Format is "Script".

Now "mail_with_password" will appear in your script menu. Every time you run it, it will ask you for your password (just like some installers do). After it's done running, it will disable access to the regular Mail application. So run the script once, then try running the Mail app. It won't run. Note that it means ALL users on your machine will be prevented from running Mail directly, not just your user.

If you ever want to allow Mail to run normally again, run this command at the Terminal:

sudo chmod +x /Applications/Mail.app/Contents/MacOS/Mail

You might be able to omit the "sudo". Use sudo if you get "Operation not permitted". Note that sudo will ask you for your password to allow privileged operation.

Caveats

1. If you didn't need the "sudo" command above to do the chmod, that means a savvy user might be able to figure out how to enable the Mail app again. You can tighten up security by changing the owner of the MacOS/Mail file to root. That's left as an exercise for the reader.
2. If someone is able to copy the Mail app to your computer (e.g. via USB drive) they can still get access to your mail.
3. The ruby script is meant to work for most OS X application bundles. I don't recommended tweaking the ruby script unless you really know what you're doing because it's doing certain things as root (the privileged user). Tweaking the applescript code should be harmless; but you should know how to adjust the chmod command to make your app directly runnable again.
4. If the path to the app in the applescript file has spaces or other special characters, you'll have to do something like putting single quotes around the whole path.
5. Edit: User Austin suggested that this procedure doesn't protect the .emlx files. I actually don't use the Mail app so I'm not familiar with the data storage. Similar issues apply to all apps - because this solution does not hide user data.

Paranoia

If someone who knows ruby get access to your logged in user, they could modify the ruby script in a way that wreaks all sorts of havoc when you run the script, since it runs as root for part of the time. If you think this might happen, you should make the script only writable by root. You'll also have to make sure someone doesn't replace the script with their own - they can do this if the folder is writable by you. If you're starting to get scared by these warnings and don't know how to protect yourself, you probably should forget about this solution and just remember to lock your screen when you leave the computer.

You can just set parental controls on the account and then determine which apps can be used.

Alternatively you could set a password on your screen saver and also define a suitable "hot corner" to activate the screen saver - that way when you step away from your computer you can just move the mouse into the hot corner to effectively lock the screen such that it require a password to gain access.

Yes - several ways to password protect your mail are practical. Since you are concerned about children/family members, the easiest might be to just restrict those apps using Parental Controls on your account. At some point they can have their own accounts, and you can lock your whole account.

Here are the options I see as workable for the general case of locking apps or the data apps can access.

1. Make your account a protected parental account and white list the apps you want to allow. You will know the separate admin user/password to allow launch of prohibited apps. Voila - any app you want is now password protected.

2. Move the app into a password protected disk image and then make an alias to store in the Applications folder. (deleting the original app first) When any program tries to access the app, you get a chance to enter a password and finder will mount the disk image. You can also script permission changes and other technical trickery to require a password before running the script to make the app runnable again.

3. Store the application data in a password protected encrypted disk image. Here are some common apps and the folders where they store user data.

4. Store your mail app on a removable drive - there is a cottage industry about making standalone app packages to run apps from USB drives.

Keep in mind things like spotlight and other apps using frameworks within apps won't work so well until the images are mounted. If your user password is secure (from the people you don't want seeing the data) then you can store the disk image passwords in the keychain.

Also - unless you protect the data files - it's only security by obscurity and someone could copy your data elsewhere or just look at it from spotlight or other apps like text edit. They also could bring a copy of the mail (or whatever other) app from another computer. Apps can run from anywhere and not just the Applications folder once an admin user blesses them for the first run on that system.

Therefore #3 is the only way to go. Lock up your data and don't worry about the apps.