MacReacher

Direct sessions, authenticated encryption and an honest trust model.

MacReacher protects content after a signed handshake, pauses for explicit first-connection fingerprint approval and verifies the macOS account before control begins.

Session protection

A viewer and host perform an ephemeral X25519 exchange signed by the host's Ed25519 identity. After that handshake, AES-256-GCM protects credentials, video, audio, input, clipboard, files and control messages with direction/type authentication and replay counters.

First-connection trust

Before any credentials are sent, the viewer pauses and shows a fingerprint to compare with the code in the Host window. The key is stored only after explicit approval; cancelling, timing out or closing the app stores nothing. Later identity changes are refused. A changed key may be legitimate after reinstalling or resetting the host, but investigate and compare the new code before resetting trust.

macOS sign-in and lockout

The host verifies the selected macOS account through OpenDirectory and applies persistent escalating lockout after repeated failures. Saving a password is optional and uses the platform's protected credential store.

No session relay

Remote-session content travels over the route between your devices. The host still makes a limited provider request for licence activation, and the marketing/checkout site is an ordinary internet service; “direct sessions” does not mean the product has no external licensing dependency.

Recommended deployment

Use a LAN or a private VPN such as Tailscale. Do not expose the host's ports directly to the public internet. Keep every device and MacReacher build updated, use a strong macOS password and disable clipboard/file capabilities when they are not needed.

Report a vulnerability

Send a clear report to support@flavrapps.com. The canonical security contact is published at /.well-known/security.txt.