Mirror

Detect hidden apps on macOS

2025-12-16

Product Introduction

  1. Definition: Mirror is a macOS security utility (technical category: stealth process detection tool) that identifies and terminates background applications deliberately engineered to evade standard monitoring tools like Activity Monitor.
  2. Core Value Proposition: It provides granular visibility into hidden processes (e.g., Interview Coder, Cluely, Hiding AI), countering macOS surveillance tools and cheating software by exposing cloaked applications that compromise system security or user privacy.

Main Features

  1. Intelligent Detection Engine:

    • How it works: Scans active windows via macOS Core Graphics (CGWindowListCopyWindowInfo), applying a risk-scoring algorithm. Scores processes based on window layer (≥20 = +3 pts), transparency (alpha <1.0 = +1 pt), and missing titles (+1 pt).
    • Technology: Swift-based heuristics with real-time window enumeration.
  2. Risk-Tiered Classification:

    • How it works: Auto-categorizes threats: High Risk (score ≥5), Medium Risk (2–4), Low Risk (<2). Excludes Apple-signed apps (com.apple.*) and system binaries (/System/, /Library/).
    • Technology: Bundle ID validation and directory whitelisting.
  3. One-Click Neutralization:

    • How it works: Terminates processes using SIGTERM, escalating to SIGKILL if unresponsive. Confirms kills via "Neutralized" status updates.
    • Technology: POSIX signal dispatch with PID targeting.
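
The scoring, tiering and exclusion rules from features 1 and 2, applied to constructed window records, as an added example (not Mirror's own code). Record keys follow the Core Graphics window dictionary names; `bundle_id`, `path`, the `win` helper, the sample data and the highest-window-score aggregation per process are assumptions.

```python
# Added example: the page's scoring rules over constructed window records.
EXCLUDED_PATHS = ("/System/", "/Library/")  # system paths named on the page

def window_score(w):
    """Score one window: layer >= 20 (+3), alpha < 1.0 (+1), no title (+1)."""
    score = 0
    if w["kCGWindowLayer"] >= 20:
        score += 3
    if w["kCGWindowAlpha"] < 1.0:
        score += 1
    if not w.get("kCGWindowName"):  # key absent or empty string
        score += 1
    return score

def tier(score):
    """High >= 5, Medium 2-4, Low < 2."""
    if score >= 5:
        return "High"
    return "Medium" if score >= 2 else "Low"

def is_excluded(w):
    """Skip com.apple.* bundle IDs and binaries under the system paths."""
    return (w["bundle_id"].startswith("com.apple.")
            or w["path"].startswith(EXCLUDED_PATHS))

def classify(windows):
    """Return {pid: (score, tier)}. Assumption: a process takes the
    highest score among its windows."""
    best = {}
    for w in windows:
        if not is_excluded(w):
            pid = w["kCGWindowOwnerPID"]
            best[pid] = max(best.get(pid, 0), window_score(w))
    return {pid: (s, tier(s)) for pid, s in best.items()}

def win(pid, bundle_id, path, layer, alpha, name=None):
    """Build one record (hypothetical helper for the sample data)."""
    return {"kCGWindowOwnerPID": pid, "bundle_id": bundle_id, "path": path,
            "kCGWindowLayer": layer, "kCGWindowAlpha": alpha, "kCGWindowName": name}

# Constructed sample data; bundle IDs and paths are hypothetical.
SAMPLE_WINDOWS = [
    win(501, "example.overlay", "/Applications/Overlay.app", 25, 0.9),
    win(501, "example.overlay", "/Applications/Overlay.app", 0, 1.0, "Settings"),
    win(502, "example.menubar", "/Applications/Menu.app", 24, 1.0, "Menu"),
    win(503, "example.widget", "/Applications/Widget.app", 0, 0.8),
    win(504, "example.notes", "/Applications/Notes2.app", 0, 1.0, "Notes"),
    win(88, "com.apple.dock", "/System/Library/CoreServices/Dock.app", 20, 1.0),
]
```

With the stated weights the maximum score is 5, so only a window that is high-layer, translucent and untitled at once reaches High Risk. In the sample, pids 502 and 503 both land in Medium Risk for different reasons, and pid 88 is never scored because of the exclusions.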

Problems Solved

  1. Pain Point: Covert surveillance tools (e.g., employee monitoring apps, exam cheating software) that bypass Activity Monitor, leaving users vulnerable to undetected spying or integrity breaches.
  2. Target Audience:
    • Security Researchers: Auditing macOS for advanced persistent threats (APTs).
    • Enterprise IT Teams: Enforcing compliance by detecting unauthorized monitoring tools.
    • Educators: Preventing cheating during remote exams via hidden overlay apps.
    • Privacy-Conscious Users: Identifying stalkerware or commercial spyware.
  3. Use Cases:
    • Verifying system integrity during high-stakes remote interviews.
    • Auditing corporate Macs for illicit employee surveillance software.
    • Neutralizing cheating tools in academic environments.

Unique Advantages

  1. Differentiation: Unlike network-based tools (e.g., Little Snitch) or Activity Monitor, Mirror targets GUI-level evasion tactics—detecting apps manipulating window layers/transparency to avoid traditional process lists.
  2. Key Innovation: Proprietary risk-scoring algorithm combining window-layer analysis, transparency checks, and title heuristics—unmatched in open-source macOS security tools.

Frequently Asked Questions (FAQ)

  1. Does Mirror work on all macOS versions?
    Requires macOS Ventura (13.0+) or later due to SwiftUI and SwiftData dependencies.

  2. Why does Mirror need Screen Recording permissions?
    To access window properties (layer, alpha) via Core Graphics—mandated by macOS sandboxing for security tools analyzing GUI elements.

  3. Can Mirror accidentally terminate critical system processes?
    No. It excludes Apple-signed apps and system paths, and requires manual user confirmation before termination.

  4. How does Mirror compare to Terminal commands like ps or lsof?
    Unlike command-line tools, Mirror detects GUI-based stealth tactics (e.g., hidden layers) invisible to process lists.

  5. Is Mirror effective against kernel-level rootkits?
    No. It targets userland applications with GUI stealth features, not kernel exploits. Pair with endpoint detection tools for full coverage.
