Are there any security concerns with Incoggo?

Incoggo is currently a very early-stage application (with a tiny development team), so there are still some rough edges. In order to provide the best user experience possible, there are a few imperfect solutions (that we’re hoping to replace / upgrade in the near future) we’ve implemented to assist with things like not requiring your system password each time you launch the app, pause the app, or the app performs an automatic update.

If you’re a very security-minded individual (or you use your computer for very sensitive tasks), before using Incoggo you may want to be aware that the application does the following:

  • Upon installation, Incoggo adds a file to your system’s sudoers.d folder that whitelists specific commands from requiring a sudo password to perform. (This allows Incoggo to manage your system proxy settings, kill certain processes on shutdown / restart, and perform tasks related to Incoggo’s auto-updating feature without requiring that a sudo password be prompted each time.)

  • Incoggo loads external Javascript files when you visit specific domains (i.e. those we filter paywalls / clear cookies on / clear storage on / etc.).

  • Incoggo overwrites a few system defaults (re: open page / process limits) at runtime for performance reasons.

  • Upon installation, Incoggo also installs a trusted root certificate in your system keystore. This is required for Incoggo’s advanced filtering functionality to work (unlike the issues above – which we intend to clean up shortly – this one is a hard requirement for the app to work).

If these are show-stopper issues for you, but you’d still like to use Incoggo, we’d recommend signing up for our mailing list at incoggo.com. We send out regular updates announcing product changes and new features there, so we’ll be sure to send out an update to the list once these have been cleaned up.

Thanks for this post. Could you elaborate how the changes Incoggo does on macOS are undone if a user decides to uninstall. Clearly removing the app from the applications folder will not be sufficient to undo installation of trusted root certificate. And leaving it can pose a serious threat.

Also what about the other changes (adding file to sudoers.d folder) etc?

Would be really thankful for a response providing exact steps to take to get back to clean state as things were pre Incoggo install.

If the install process is never finished, simply removing the app from the applications folder (i.e. deleting the .app and .dmg files) should fully delete the app and all related resources from the computer.

If the install process has been finished, the correct way to fully remove the application from a computer is to run the uninstall script as detailed here: How do I uninstall Incoggo?

Running the uninstall script will fully remove the app, all related resources, and undo any system modifications (including sudoers changes, etc.), reverting the system to its ‘original state’. There is a small bug where the script won’t remove the root certificate completely right now, (this will be fixed in an upcoming patch, likely next week - I’ll update this reply), but it does delete the certificate’s .key file, which is only ever generated / available locally. For the time being, the certificate itself can be manually found & removed via the Keychain Access application, it’s named incoggo_ca. EDIT: The uninstall tool will now also remove the certificate; running the tool completely removes any & all changes made by the application.

1 Like