Mac developers: Gatekeeper is a concern, but still gives power users control

Developers will have hundreds of new APIs to dig into with Mountain Lion, but …

Gatekeeper should help block malware from OS X without significantly limiting users.

Apple's next version of its desktop operating system, OS X Mountain Lion, promises developers access to hundreds of new APIs to enable new functionality for their apps. While developers we spoke to seem mildly excited about the new functionality, their immediate focus was on the implications of Apple's new Gatekeeper security feature.

Gatekeeper allows users to tightly control which sources apps can be installed from. By default, Gatekeeper will allow apps from the Mac App Store to be installed, as well as other apps that have been signed using a special certificate given to registered OS X developers. Users can also opt to allow apps from any source—the current default on Lion. The latter would remain an option for "power users" who are confident in the source of their apps even if they are not signed, Apple told Ars.

But regardless of the options, Gatekeeper remains a hot topic of conversation among developers, as noted by Rogue Amoeba's Paul Kafasis. "If Apple uses a light touch, there's little downside here. As long as getting to be an 'identified developer' is not onerous for developers, Gatekeeper should provide more security for users, while not hindering developers in any noticeable way."

How it works

Currently, any developer who signs up for Apple's Mac Developer Program and pays the $99 per year fee will get a code signing certificate. All apps sold through the Mac App Store require code signing, and these apps have gone through Apple's review process. For apps sold outside the Mac App Store, code signing is purely optional, though the developers we spoke to say many have begun signing their code already, even for apps distributed independently.

(The developers at Panic have a pretty good in-depth explanation of code signing if you're interested in learning more.)

Effectively, users choose among three settings: Mac App Store apps only, all signed apps, or all apps regardless of signing. At this stage, Gatekeeper warns users when they install certain apps, depending on the setting, which may give them pause before installing apps from untrusted sources. It also gives them a way to verify that apps haven't been modified between the developer releasing the code and the app reaching the user's machine.

But there are some downsides to the system. For one, Apple doesn't seem to be doing any additional vetting to verify that non-Mac App Store developers are on the up and up. Anyone with a credit card and a working e-mail address can sign up to become a registered developer, so there's no guarantee that a malware developer hasn't created and signed an app.

Furthermore, Gatekeeper seems to be using a modification of the current File Quarantine anti-malware system in Mac OS X. According to developer Wil Shipley, files downloaded via Safari, Mail, and other apps that register with the system have a quarantine bit set on download. In Lion, this brings up the familiar dialog noting the file was downloaded from the Internet, and asks if you're sure you want to open it.

In Mountain Lion, the resulting dialog differs depending on the Gatekeeper setting. If the default "signed apps only" setting is active in Mountain Lion and the app is unsigned, a warning dialog pops up informing the user that the app is not from an identified developer, and it won't offer any option to install it. If it is signed, though, the usual "this file is from the Internet" dialog appears. Users can option-click unsigned files if they so choose, however, and the system will offer the ability to install them anyway. The end result is that inexperienced or average users aren't likely to install apps from unknown sources, and power users will be able to do as they please.
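The inputs described above (the quarantine attribute set on download, the signature, and the resulting verdict) can be inspected directly. This is an added example, not code from the article or from Apple: the parsing helper runs on any POSIX shell, while the bundle check assumes a Mac with the standard `xattr`, `codesign` and `spctl` tools; the sample attribute value is constructed.

```shell
#!/bin/sh
# The com.apple.quarantine attribute value has four ';'-separated fields:
# flags (hex), download time (hex epoch seconds), downloading agent, UUID.
# Prints one field by name: flags | time | agent | uuid.
quarantine_field() {
  value=$1
  case $2 in
    flags) idx=1 ;; time) idx=2 ;; agent) idx=3 ;; uuid) idx=4 ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$value" | cut -d ';' -f "$idx"
}

# Download time as decimal epoch seconds (the attribute stores it as hex).
quarantine_epoch() {
  printf '%d\n' "$(( 0x$(quarantine_field "$1" time) ))"
}

# Runs the real checks on an app bundle (macOS 10.8+ only): whether the
# bundle is quarantined, whether its signature verifies, and what Gatekeeper
# would decide for it under the current system policy.
gatekeeper_status() {
  app=$1
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not found: this check only runs on OS X 10.8 or later"
    return 2
  fi
  q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null) || q=""
  if [ -n "$q" ]; then
    echo "quarantined: downloaded by $(quarantine_field "$q" agent) at $(quarantine_epoch "$q")"
  else
    echo "not quarantined: Gatekeeper will not evaluate this bundle on launch"
  fi
  if codesign --verify "$app" 2>/dev/null; then
    echo "signature: valid ($(codesign -dv "$app" 2>&1 | grep '^Authority=' | head -n 1))"
  else
    echo "signature: missing or invalid"
  fi
  spctl --assess --type execute --verbose "$app" 2>&1
}

# Constructed sample attribute value, in the layout Safari writes on download.
SAMPLE_QUARANTINE="0081;5f2a3b4c;Safari;1C2B3A40-0000-4000-8000-000000000001"

# Stand-alone usage: parse the sample, then check a bundle if a path is given.
echo "sample downloaded by $(quarantine_field "$SAMPLE_QUARANTINE" agent) at $(quarantine_epoch "$SAMPLE_QUARANTINE")"
[ $# -gt 0 ] && gatekeeper_status "$1"
```

Run it as `sh gatekeeper_status.sh /Applications/SomeApp.app` on a Mac to see all three inputs for one bundle.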

"I think it is a pretty good idea to have it configurable, so that users like me can still download anything they want," security researcher Charlie Miller told Ars, "while we can lock down the computers of our family members!"

Too far, or not far enough?

If a developer's apps are discovered to be malware, the apps will be registered with the known malware list within OS X and will automatically be blocked by File Quarantine. The offending developer's certificate will also be revoked by Apple, meaning they won't be able to sign any new apps. That won't help people who may have installed malware already, but it should prevent major malware from spreading very far while giving users some added security.

Miller doesn't think the system goes far enough, though. "In iOS, code signing is used and is 'always on,' for every program" every time it runs, he told Ars. "File Quarantine [on the Mac] only works with apps downloaded from certain apps, like Safari, and not other ways files get on your system, such as USB drives. Also, File Quarantine only works the first time an app is run. Given that there are easy ways around File Quarantine, I was hoping Apple would implement these checks via code signing like they do in iOS."

In other words, Miller suggests that if Gatekeeper were set to check for signed code every time an app is launched, then revoking a developer's certificate would keep all of that developer's software from running even after it had been installed (similar to a method proposed by Shipley last year). As Gatekeeper appears to be implemented, however, once you have approved an app to run and it is later discovered to be malware, an unaware user could launch it again, since File Quarantine only checks the app once, on first launch.

Still, developers are generally positive that Apple is thinking about ways to improve security for end users without locking the Mac platform down iOS-style.

"Personally I am happy to see Apple taking a different tack with regard to security, than the app sandboxing stuff they've been talking up over the past year," Red Sweater's Daniel Jalkut told Ars. "Of course it remains to be seen whether Gatekeeper actually changes anything about Apple's sandboxing plans, but I am glad to see evidence that they are experimenting with different security approaches."

As OS X evolves, Apple's code-signing middle ground could encourage more legitimate developers to register with Apple. "Once Apple has encouraged every serious Mac developer, even those who are not interested or qualified for the Mac App Store, to register as developers, it could set a scene for being able to allow more fine-grained security options to users," Jalkut suggested.

Still, developers are nervous that Gatekeeper might simply be another stepping stone toward Mac App Store-only distribution down the line. "Even that middle ground, of App Store plus Apple-certificate signed apps, is providing Apple with more control than they have now," Kafasis said. "That's something worth considering."

The fear is that Apple might not stick with the current default forever. "I fear the day if Apple ever moves that up to 'only allow App Store apps,'" Stand Alone's Ben Gottlieb told Ars. If that were the case, users would get a scary warning every time they tried to install software outside of the Mac App Store, making it increasingly unlikely that users would look for software from any other source. "If they never [change the default], and always leave the current default setting, I'm okay with it, and think it's a very good idea," Gottlieb said.

One parting thought about Gatekeeper came from Kafasis: most users view Gatekeeper as Apple's attempt to bring the idea of signed apps over from iOS to OS X, but perhaps it's worth considering the reverse. iOS power users could potentially go into Settings and flip a switch allowing outside apps on their iPhone, if desired, while accepting the potential security risks. "If Gatekeeper is good enough for the Mac," Kafasis said, "why not for iOS as well?"

Listing image: photograph by Gerry Balding