What sorts of apps should I grant Keychain access to?

Some apps ask me for Keychain access when installing them, configuring them, and/or using them. As with anything related to computer access, permissions and security, giving the app access could be a great convenience to me or a security hole. Unfortunately, I don't know enough about the process to give informed consent. I don't want to grant an application more permission/access than it absolutely needs.

Assuming that I'm installing software that is not overtly suspicious, how can I evaluate whether or not I should grant an application's request to access Keychain?

Solution 1:

First off - I strongly prefer apps that securely store secrets, therefore it's almost always a sign of quality that an App even knows what the keychain is. Rarely is it a sign they are there to loot your passwords, but if you grant unlimited access, that can happen. It's commendable to use proper coding practices, so spending time to learn specifics of Keychain Access is your next challenge:

• What sort of app requests keychain access?
• Have you audited that they only store their secrets there and don't access other items?

Worst case, just say no. Then see what breaks in the app or work out the specifics of how it stores items and ensure you can use Keychain Access to see that the app is only accessing items it should in the granular permissions settings.

• https://support.apple.com/guide/mac-help/MCHLF375F392/10.15/mac/10.15.4

The help guides on macOS are very good for learning how to get to the basics.