MacCast Member #114 - Mountain Lion: Gatekeeper
V Gatekeeper
V Opening
V When Apple announced the pre-release of OS X Mountain Lion this week they highlighted several new features, most of them focused on bringing Apple's iOS and OS X built-in apps and features in sync with each other.
* Mail stays Mail, but without Notes
* iCal becomes Calendar and loses to-dos
* To-dos move into Reminders
* iChat becomes Messages (beta available for OS X Lion)
* But one of the features that is just under the surface is related to security and has been dubbed Gatekeeper.
* So what is Gatekeeper, why do we need it, and how will it affect how you use the Mac?
V Why a Gatekeeper?
* When Apple introduced the App Store to iOS they created a curated environment and made it a requirement that all iOS apps must be approved and sold through Apple and the App Store. It was required, no exceptions.
* The idea is that all apps must be submitted, reviewed, and approved by Apple.
* The model brings added security and control for Apple, but limits the kinds of apps and software available for iOS devices. Any content not blessed by Apple or meeting their requirements or standards just can't be sold.
V In the early days of the iOS App Store I expressed concerns that if an App Store was ever brought to the Mac that it might not be the best thing for developers or consumers. I don't like the idea of anyone, even Apple, deciding what can or can't be installed on my Mac.
* It was easier to accept with iOS because that is the ONLY model we have ever known (outside Jailbreaking, of course)
V Apple did release a Mac App Store and it is curated and we have already seen some of the types of things I was concerned about
* Some apps have to be modified and features removed to meet Apple's requirements
* This creates confusion and fragmentation
* The benefits of the Mac App store are that it is convenient to buy from, keep all your app updates managed in one place, and it's easy for developers to sell and distribute their apps electronically.
V There is also the benefit of the security created from having a curated environment and starting March 1st 2012, all App Store apps must use Sandboxing
* Sandboxing restricts apps and reduces the damage they can do to your Mac if they are malicious or introduce a new security vulnerability.
* Sandboxed apps cannot interact with other apps, their data, or certain parts of the OS itself.
* Apps sold outside the App Store are not required to implement sandboxing.
* Gatekeeper looks to bridge the gap between a locked down OS X that could only run apps from the App Store and a completely open one
* The key? Self policing from developers and users.
V How it works
V Currently OS X (since 10.5 Leopard) uses a system called "File Quarantine"
* This is the pop-up dialog you get when you first launch an app that you have downloaded from the Internet
* The warning comes up for apps downloaded through your browser or Mail
* Apps installed from CD or transferred over a LAN or by USB don't get the warning
V Gatekeeper leverages the "File Quarantine" and extends it with the concept of a Developer ID attached to the Application.
* Any app created by a developer would get signed with their ID before being distributed.
* At first launch, Mountain Lion checks whether the app is signed by the developer and whether the signature matches their ID
* You choose what kinds of Applications you want to allow by adjusting a setting in the Security & Privacy preference pane of System Preferences
V There are three possible settings
V Anywhere: This is how OS X works now. It will run any application as long as it isn't already known malware.
* Changing to this setting requires that you enter an administrator's user name and password.
* Mac App Store: Will only run applications purchased through the Mac App Store
* Mac App Store and identified developers: This will run any app purchased from the Mac App Store or any application from any source that has been signed by an ID'd developer. (This is the default setting in Mountain Lion.)
* So in this way you still control what Applications can run on your Mac, but you can now restrict the sources if you choose, and when an app comes from a source outside the App Store you have more confidence in knowing it is at least from a developer ID'd by Apple.
V After making your selection, if you launch an app that violates your choice it will alert you and will not run. There is no click-through on the dialog, which also reduces the chance of a "didn't read the dialog" human error occurring.
* That "just click OK to get past the annoying dialog" reflex is one thing malware writers often count on. With Mountain Lion this risk is reduced.
* Still, you can manually override the Gatekeeper app launch setting by right-clicking or Control-clicking the app and choosing Open. When you launch that way it will bypass the Gatekeeper check.
V Developer IDs
* But what does that really mean and can you trust those IDs?
* Apple with Mountain Lion is, in a way, acting like a bouncer, but can IDs be fakes and how hard are they to get?
V The ID is actually really easy to get. Anyone who signs up for Apple's developer program gets one and can use Xcode to sign their app
* This includes free developer accounts, so at first blush it doesn't seem that secure.
* It's not a guarantee that the developer is legit and honest.
* Apple doesn't screen or vet the developers beforehand.
* But the key is that now the OS knows at least the ADC account source for every ID'd app that is running on OS X anywhere.
* So Apple knows who the developer is and the operating system can check if it is valid and more importantly make sure the code hasn't been modified since it was signed.
V Apple Police
* So the ID itself won't necessarily prevent a developer from developing a malware app or trojan, but if they want that app to run on systems with the "Mac App Store and Identified Developers" security setting then they have to sign the app.
* If they sign the app then Apple knows what the app is and where it is from. Once they discover the app has malicious code they can revoke the ID and blacklist the app.
V Mountain Lion checks once a day for apps whose certificates have been blacklisted and won't allow signed apps on that list to run the first time they are launched after install.
* To be clear though, if you've already run the app and it passed the first time (before it was discovered to be Malware), Gatekeeper won't remove the malware.
* Because Gatekeeper is part of the "File Quarantine" system it only checks on first launch, and will only check apps downloaded through a Mac app like a web browser or email.
V After an app has passed initial inspection it is assumed to be safe.
* I assume if you remove and then reinstall an app though it would be checked again on first launch after re-install
* Gatekeeper also only checks executable applications. Flash or Java applets running inside a browser aren't checked, but since these aren't installed by default in OS X again most users are protected.
V Tamper resistant packaging
* The second part of the ID model is perhaps more significant because it means if the code of an existing app is tampered with, the OS will know.
* Many Trojan based attacks rely on modifying an existing app, say Photoshop, and adding in the malware code and then distributing it through sharing sites
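One way to run these checks by hand on a downloaded app, covering both the File Quarantine/Gatekeeper settings described under "How it works" and the tamper check above. This is an added shell example, not code from the show notes or from Apple; it assumes macOS command-line tools (xattr, codesign, spctl), and the quarantine value it decodes is constructed for illustration.

```shell
#!/bin/sh
# Added example (not the show's or Apple's code): Gatekeeper-style checks on a downloaded app; assumes macOS.

# File Quarantine tags downloads with the com.apple.quarantine extended
# attribute, whose value looks like  flags;timestamp;agent;uuid
# (flags and timestamp are hex, agent is the app that did the download).
decode_quarantine() {
    value=$1
    case "$value" in
        *\;*\;*) ;;                      # need at least flags;timestamp;agent
        *) echo "not-quarantined"; return 1 ;;
    esac
    flags=${value%%;*};  rest=${value#*;}
    ts=${rest%%;*};      rest=${rest#*;}
    agent=${rest%%;*}
    case "$ts" in
        ""|*[!0-9a-fA-F]*) echo "malformed-timestamp"; return 1 ;;
    esac
    # timestamp is hex seconds since the Unix epoch
    printf 'flags=0x%s downloaded_at=%d agent=%s\n' \
        "$flags" "$((0x$ts))" "${agent:-unknown}"
}

# Gatekeeper-style checks for an app bundle: quarantine state, who signed
# it, whether the bundle still matches its signature, and what the current
# Security & Privacy setting would do with it.
assess_app() {
    app=$1
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        echo "quarantine: $(decode_quarantine "$q")"
    else
        echo "quarantine: absent (LAN/USB/optical install, or already opened)"
    fi
    # Signing chain: a Developer ID app shows an "Authority=Developer ID Application: ..." line
    codesign -dvv "$app" 2>&1 | grep '^Authority=' || echo "signature: none"
    # Integrity: fails if any signed file was modified after signing (the tamper-resistant packaging)
    if codesign --verify --verbose "$app" 2>/dev/null; then
        echo "integrity: ok"
    else
        echo "integrity: FAILED or unsigned"
    fi
    # Policy: what the current Gatekeeper setting says about launching it
    spctl --assess --type execute --verbose "$app"
}

# Constructed sample value (not captured from a real download)
SAMPLE_QUARANTINE='0081;4f4d3a2e;Safari;0D8A9F2E-1B3C-4D5E-8F9A-0B1C2D3E4F5A'
if [ $# -gt 0 ]; then assess_app "$1"; else decode_quarantine "$SAMPLE_QUARANTINE"; fi
```

Run it with the path to an app bundle (e.g. `sh check.sh /Applications/Example.app`) to see all three results; with no argument it only decodes the sample quarantine value.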
V What's it mean for developers?
* Developers seem to be generally positive about Gatekeeper.
* It gives them a way to distribute apps that are signed with an Apple issued ID, but do so outside the App Store.
* This is great for developers who want to give their users the security of knowing the source of the app and that the code hasn't been tampered with, without locking them into the App Store and sandboxing, which for some apps requires removal of basic features or makes the app not work at all.
* One thing developers rightly point out is that code signing is no guarantee of reliability or quality and if consumers get that impression it could be the wrong one.
V Another concern not really addressed by Apple yet is that digital signatures often have an expiration date and must be renewed.
* What happens if a developer moves on or stops developing and doesn't renew the signature?
* Apps could stop working or show an annoying alert every time they are launched, forcing users to possibly reduce the security setting to continue running their apps.
* Apple is the keeper of the keys, or in this case IDs. They can revoke an ID at anytime and for potentially any reason. Just as we have had false App Store rejections there is a possibility of Apple incorrectly revoking a developer's ID.
V Where's the trust?
* So to me it seems like Apple wants to encourage both users and developers to adopt the "App Store Only" model.
* Apple sees this as the future for App sales and distribution. It puts more control in their hands and brings OS X closer in line with the App distribution model and system they have in iOS
* At the same time they recognize that imposing a closed App Store model wholesale on the desktop wouldn't work. They met resistance on iOS, and there they didn't have to battle a pre-existing open app distribution model.
* Gatekeeper allows Apple to encouragingly push developers and users toward the closed system while avoiding the controversy they would encounter if they forced the issue.
* I personally think this strikes a nice balance between security and choice, and while I hope this is one feature that makes its way from OS X to iOS, my guess is that Apple will try to force things the other way.