Security & Privacy
MonKey uses macOS Accessibility permission to detect keyboard layout mismatches and correct text. We understand that requires trust. Here's what the app does — and how you can verify it yourself.
App Store & Sandboxing
MonKey is distributed exclusively through the Mac App Store. Every version is reviewed by Apple before release. The app runs in Apple's sandbox with only two entitlements:
- App Sandbox — restricts file and system access to the app's own container
- Network Client — allows outgoing HTTPS connections (used for translation, grammar, and AI Wizard when you trigger them)
No Full Disk Access, no file system access outside the sandbox, no background daemons.
How MonKey Uses Keystrokes
What MonKey does
- Monitors keyboard events via macOS Accessibility to detect when you're typing in the wrong keyboard layout
- Keeps only the current word and a small rolling buffer in memory — nothing more
- Corrects mismatched text when you press a hotkey or automatically on Space (if enabled)
- Learns from corrections you accept (stored locally as word pairs)
What MonKey does NOT do
- Does not log keystrokes to any file
- Does not transmit keystrokes over the network
- Does not capture input in secure text fields (passwords)
- Does not run hidden processes or background daemons
- Does not include analytics, telemetry, or crash reporting
- Does not access camera, microphone, contacts, or location
Network Behavior
| Tier | Network Activity |
|---|---|
| Layout correction | Zero network connections. All processing happens locally on your Mac. |
| Translation & Grammar | HTTPS requests only when you explicitly trigger them (Free: 2/day, PRO: unlimited). No internet — automatic offline fallback to Apple Translation and macOS spellcheck. |
| AI Wizard | HTTPS requests when triggered (PRO only). No background traffic. |
No data is ever sent in the background. No keystrokes or text are transmitted unless you explicitly trigger a translation, grammar check, or AI Wizard on selected text.
Data Flow
| Data | Where It Goes | Stored? |
|---|---|---|
| Keystrokes | In-memory buffer only | No — never written to disk |
| Learned corrections | App sandbox container | Yes — only on your Mac |
| Settings | App sandbox container | Yes — only on your Mac |
| Selected text | AI service over HTTPS | No — processed and discarded |
| Subscription status | Apple (App Store) | Managed by Apple — we don't store payment data |
Verify It Yourself
Don't take our word for it. Here are independent ways to verify MonKey's behavior:
1. Network Monitor — Little Snitch or Lulu
Install Lulu (free, by Objective-See) or Little Snitch to monitor all network connections. On the free tier, MonKey produces zero outgoing connections.
2. Objective-See ReiKey — Keyboard Tap Detection
ReiKey by security researcher Patrick Wardle detects keyboard event taps. It will correctly identify MonKey's keyboard monitoring — this is expected and required for layout autocorrection.
3. Apple App Review
Every version of MonKey passes Apple's App Store review process, which verifies sandboxing compliance, entitlement usage, and absence of private API usage.
4. macOS Permissions
MonKey requests only Accessibility permission. No camera, microphone, contacts, location, or Full Disk Access. Verify in System Settings → Privacy & Security → Accessibility.
The Technology
MonKey uses standard macOS APIs for keyboard monitoring, language detection, and text processing — the same kind of APIs used by other legitimate keyboard and text tools like Karabiner-Elements, TextExpander, Grammarly, and PopClip. Layout autocorrection uses only Apple's built-in frameworks. Translation and grammar connect to cloud AI services over HTTPS when explicitly triggered by the user.
Local Data Storage
All app data is stored inside MonKey's sandbox container:
~/Library/Containers/com.pearproduction.MonKey/Data/Library/Application Support/
Nothing is synced to any cloud. Uninstalling the app from the App Store removes all sandboxed data automatically.
Report a Vulnerability
If you discover a security issue, please report it responsibly:
- Email: hello@getmonkey.cc
- Subject:
[SECURITY] Brief description
We acknowledge reports within 48 hours and aim to fix critical issues within 7 days.
Contact
Questions about security or privacy? hello@getmonkey.cc