Mac Application Security (Part 1)

11/29/2012 3:09:02 PM

How Gatekeeper makes Mountain Lion more resilient against malware

Since OS X 10.5 Leopard, when you run an installer for an app that you’ve downloaded, and again the first time you run the app it installed, the Finder warns you that the item was downloaded from the internet and asks you to confirm what you’re doing. It does so because the application that saved the download (Safari, Mail or another quarantine-aware app) set a hidden extended attribute, com.apple.quarantine, on the file, and the installer propagates it to what it installs. Once you’ve approved the app on first launch it is marked as cleared, so the warning doesn’t trouble you again. Items installed from the Mac App Store don’t show this behaviour: they are deemed safe and never pass through quarantine.

Gatekeeper in Mountain Lion builds on this quarantine mechanism. Most apps should now carry an embedded code signature. To see one, select Apple’s Mail app in the Finder, Ctrl-click to bring up the contextual menu and choose Show Package Contents. The app opens as a folder containing a single folder named Contents; inside it is a folder named _CodeSignature, which holds the seal over the bundle’s resources (CodeResources). The signature proper for the executable itself is embedded in the Mach-O binary in Contents/MacOS, which is why you can’t see it in the Finder.

With Gatekeeper set to approve signed apps, you should see the same check dialogs as in Lion when an app is correctly signed

Code signatures are not new to the Mac. Left to their own devices, though, developers were slow to sign their products, so OS X could not rely on signatures to enforce anything. The situation resembled that on Windows, where code signing has been available for years without much effect on its malware jungle.

A signature has two parts. The first is a certificate identifying the developer; for Gatekeeper’s purposes this must be a Developer ID certificate issued by Apple, which chains through Apple’s Developer ID Certification Authority to Apple’s root certificate, so no list of individual developers needs to be kept on your Mac, only the rule that the chain must end at Apple. The second is a set of hashes over the executable and the bundle’s resources, signed with the developer’s private key; if anything tampers with those contents, the hashes no longer match and the signature is invalid.

Leave Gatekeeper at its default setting (‘Mac App Store and identified developers’) and you’re allowed to install and run apps from the App Store and apps from elsewhere that carry a valid Developer ID signature. All this does is alter what happens to installers and apps while they are in quarantine. When you open a quarantined installer, Gatekeeper checks whether it has a valid signature; if it doesn’t, you can’t run the installer in the normal way; if it does, it runs as it did before. Once the app is installed but still in quarantine, launching it triggers the same check on the app’s own signature: a missing or invalid signature blocks the launch, while a valid one lets the app run and releases it from quarantine. Note that it is the signature’s issuer that matters: an app signed with a certificate the developer made for themselves is still ‘unidentified’ to Gatekeeper and is blocked just like an unsigned one.

Some developers haven’t yet started signing their installers and applications. You can still install and run these, either by setting Gatekeeper to its ‘Anywhere’ position (allowing all apps to run), or by Ctrl-clicking the item and choosing Open from the Finder’s contextual menu. In the latter case you’ll be shown a further warning; click through it and the app runs and is brought out of quarantine.

As of this first release of Mountain Lion, once an installer or app is out of quarantine, Gatekeeper won’t trouble you over it again. Neither will Gatekeeper assess installers and apps that were never quarantined. The quarantine attribute is applied only by applications that opt in, such as Safari and Mail, so anything copied across from an optical disc or USB memory stick, or fetched from Terminal with curl, never goes into quarantine and is never checked. Furthermore, at present Gatekeeper doesn’t keep watch over plug-ins or other extensions: there’s nothing to stop an app from loading an old or dangerous plug-in.
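The quarantine attribute can be inspected and set from Terminal, which is the quickest way to see why one download is assessed and another is not. The script below is an added example and not code from the original article: it parses the attribute’s value, reports a file’s quarantine status, and applies the attribute by hand to a file that arrived without it (a curl download, say) so that Gatekeeper will assess it on first launch. The sample value, file paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Inspects the
# com.apple.quarantine extended attribute that Gatekeeper keys on.
#
# The attribute value has four fields separated by semicolons:
#   flags (hex);download time (hex Unix seconds);downloading agent;UUID
# The sample value below is constructed for illustration, not captured
# from a real download.
SAMPLE_QUARANTINE='0081;50b65d3c;Safari;2F3A8A0C-1F2A-4E0B-9C6D-8C0F1B2C3D4E'

# quarantine_field VALUE N: print field N (1-based) of a quarantine value.
quarantine_field() {
    printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# quarantine_flags VALUE: the hex flags word.
quarantine_flags() { quarantine_field "$1" 1; }

# quarantine_agent VALUE: the application that applied the attribute.
quarantine_agent() { quarantine_field "$1" 3; }

# quarantine_epoch VALUE: download time as decimal Unix seconds.
quarantine_epoch() {
    hex=$(quarantine_field "$1" 2)
    echo $((0x$hex))
}

# quarantine_wellformed VALUE: "yes" if the value has the expected four
# fields and a hexadecimal flags word, otherwise "no".
quarantine_wellformed() {
    n=$(printf '%s\n' "$1" | awk -F ';' '{ print NF }')
    case "$(quarantine_flags "$1")" in
        *[!0-9a-fA-F]*|'') echo no; return ;;
    esac
    [ "$n" -eq 4 ] && echo yes || echo no
}

# quarantine_status FILE: on a Mac, report whether FILE is quarantined
# and, if so, by which app and when. (xattr is macOS-only; the
# verification test does not call this.)
quarantine_status() {
    value=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) || {
        echo "$1: not quarantined (Gatekeeper will not assess it)"
        return 1
    }
    echo "$1: quarantined by $(quarantine_agent "$value") at epoch $(quarantine_epoch "$value")"
}

# quarantine_apply FILE AGENT: mark a file that arrived without the
# attribute (for example fetched with curl) so that Gatekeeper assesses it
# on first launch. 0081 is the flags value seen on Safari downloads; the
# UUID field is left empty.
quarantine_apply() {
    xattr -w com.apple.quarantine \
        "0081;$(printf '%x' "$(date +%s)");$2;" "$1"
}

# Demonstration on the constructed sample (runs on any system):
echo "agent: $(quarantine_agent "$SAMPLE_QUARANTINE")  downloaded at epoch: $(quarantine_epoch "$SAMPLE_QUARANTINE")"
```

On a Mac, `quarantine_status ~/Downloads/Something.app` tells you whether Gatekeeper will ever look at the item, and `quarantine_apply ./tool.dmg curl` puts a curl download under the same scrutiny a Safari download gets.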

Gatekeeper is capable of a great deal more than this fairly simple and unobtrusive task. Its decisions are driven by a rules database, /var/db/SystemPolicy, whose entries are code requirements of the kind ‘signed by the Mac App Store’ or ‘signed with a Developer ID certificate’, together with any approvals you have granted for individual apps; an assessment succeeds when the item’s signature satisfies an enabled rule. Individual apps can therefore have their own rules, but at present these can only be viewed and changed with the ‘spctl’ command in Terminal’s command shell.
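What Gatekeeper decides about an app, and which rule decided it, can be checked from Terminal rather than by trial and error in the Finder; the same tools also perform the signature inspection described earlier, without opening the package. The script below is an added example rather than code from the article: it wraps spctl and codesign to assess an app the way Gatekeeper would, parses spctl’s verbose verdict so the result can be acted on in a script, and shows the per-app approval that the Open command adds to the rules database. The two sample outputs and the application paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Reproduces Gatekeeper's
# assessment of an app from the command line and parses the verdict.

# spctl --assess prints two lines in verbose mode:
#   <path>: accepted|rejected
#   source=<the rule or failure that decided it>
# These two samples are constructed for illustration, not captured output.
SAMPLE_ACCEPTED='/Applications/Mail.app: accepted
source=Apple System'
SAMPLE_REJECTED='/Users/alice/Downloads/Unsigned.app: rejected
source=no usable signature'

# gk_verdict OUTPUT: "accepted" or "rejected" from spctl verbose output.
gk_verdict() {
    printf '%s\n' "$1" | sed -n '1s/.*: //p'
}

# gk_source OUTPUT: the rule (or failure reason) that decided the verdict.
gk_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p'
}

# gk_trusted_signer OUTPUT: "yes" only when the app was accepted because it
# is Apple's own, from the App Store or Developer ID signed, rather than
# because of a rule someone added by hand for that one app.
gk_trusted_signer() {
    if [ "$(gk_verdict "$1")" = accepted ]; then
        case "$(gk_source "$1")" in
            "Apple System"|"Mac App Store"|"Developer ID") echo yes; return ;;
        esac
    fi
    echo no
}

# The remaining functions call macOS tools and are not run by the test.

# gk_assess APP: ask Gatekeeper for its verdict on APP as if launched.
gk_assess() {
    spctl --assess --type execute --verbose "$1" 2>&1
}

# gk_signature APP: verify the signature and show who signed it. The
# Authority= lines list the certificate chain; for an identified developer
# it runs through "Developer ID Certification Authority" to "Apple Root CA".
gk_signature() {
    codesign --verify --verbose=2 "$1" 2>&1 && \
    codesign --display --verbose=4 "$1" 2>&1 | grep -E '^(Identifier|Authority)='
}

# gk_rules: list the rules in /var/db/SystemPolicy (needs root).
gk_rules() {
    sudo spctl --list
}

# gk_approve APP LABEL: add a rule for one specific app, the command-line
# equivalent of approving it with Open in the Finder's contextual menu.
gk_approve() {
    sudo spctl --add --label "$2" "$1"
}

# Demonstration on the constructed samples (runs on any system):
for out in "$SAMPLE_ACCEPTED" "$SAMPLE_REJECTED"; do
    echo "$(gk_verdict "$out") via '$(gk_source "$out")' (trusted signer: $(gk_trusted_signer "$out"))"
done
```

The distinction gk_trusted_signer draws matters when auditing a Mac: an app that passes assessment only because of a hand-added rule will show that rule’s label as its source, not ‘Developer ID’, and deserves a closer look at gk_signature’s Authority= chain.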

For the moment, Mountain Lion is using Gatekeeper to guard against the most obvious threat: installing and running Trojans. As the threat landscape changes during the lifetime of OS X 10.8, we should expect security updates to modify Gatekeeper’s rules and behaviour to address these changing threats. If malware authors start pushing out malicious Safari plug-ins, for instance, it would be relatively simple for Apple to place Gatekeeper in their way. However, Apple has spared us such rigours for the moment, as relatively few current plug-ins carry code signatures, so the impact on users would outweigh the benefits right now.

Mountain Lion is using Gatekeeper to guard against the most obvious threat

Code signing is also a prerequisite for the other main protection that all App Store apps must now adopt, the App Sandbox, and the two are often confused. A sandboxed app declares, in entitlements that are sealed into its code signature, exactly which sensitive facilities of OS X it needs; the system then isolates it from other apps and denies everything it hasn’t declared, protecting both the app and OS X from interference by malware.

This doesn’t mean that a sandboxed app can’t do potentially risky things such as look up passwords or access the internet directly; it means that it has to be specifically authorised to do what it needs. The App Sandbox ensures that an app that hasn’t been granted the right to open your keychain or talk to USB devices can’t do so. Sandboxed apps are also restricted in which folders they can use for preferences and other files, each being confined to its own container under ~/Library/Containers.
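Which facilities a sandboxed app has been granted is recorded in its entitlements, and codesign can extract them from the signature. The script below is an added example, not code from the article: it reads an entitlements property list and reports the sandbox capabilities it grants, including the master switch without which the other keys are meaningless. The entitlements shown are a constructed sample for a hypothetical app, not those of any real product, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original article. Reads App Sandbox
# entitlements and reports which capabilities an app has been granted.

# A constructed entitlements plist for a hypothetical sandboxed app: it may
# make outgoing network connections and read/write files the user picks in
# an Open/Save dialog, but has not been granted USB device access.
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.device.usb</key>
    <false/>
</dict>
</plist>'

# entitlement_enabled PLIST KEY: "yes" if KEY is present and set to <true/>,
# "no" if it is absent or false. A line scan is enough for the regular XML
# that codesign emits; this is not a general property-list parser.
entitlement_enabled() {
    printf '%s\n' "$1" | awk -v key="<key>$2</key>" '
        found == 1 {
            if ($0 ~ /<true\/>/) verdict = "yes"; else verdict = "no"
            found = 2
        }
        found == 0 && index($0, key) > 0 { found = 1 }
        END { if (found == 2) print verdict; else print "no" }
    '
}

# is_sandboxed PLIST: the master switch; without it none of the other
# com.apple.security.* keys have any effect.
is_sandboxed() {
    entitlement_enabled "$1" com.apple.security.app-sandbox
}

# sandbox_report PLIST: one line per capability discussed in the text.
sandbox_report() {
    echo "sandboxed:              $(is_sandboxed "$1")"
    echo "outgoing network:       $(entitlement_enabled "$1" com.apple.security.network.client)"
    echo "user-selected file r/w: $(entitlement_enabled "$1" com.apple.security.files.user-selected.read-write)"
    echo "USB devices:            $(entitlement_enabled "$1" com.apple.security.device.usb)"
}

# app_entitlements APP: on a Mac, extract the entitlements sealed into an
# app's signature (the ':-' form writes the plist to stdout). Not run by
# the test, since codesign is macOS-only.
app_entitlements() {
    codesign --display --entitlements :- "$1" 2>/dev/null
}

# Demonstration on the constructed sample (runs on any system):
sandbox_report "$SAMPLE_ENTITLEMENTS"
```

On a Mac, `sandbox_report "$(app_entitlements /Applications/TextEdit.app)"` shows the real thing; an app whose report says ‘sandboxed: no’ is relying on code signing alone, with none of the isolation described above.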

For the end user, the combination of code signing, the App Sandbox and Mountain Lion’s other security features should bring great assurance that apps obtained from the App Store (and from third-party sources meeting the same standards) aren’t malicious and can’t easily be subverted by malware. As long as you only run the current release of OS X and such resilient apps, you should have little to fear from Trojans and similar attacks.

However, there remains sufficient flexibility to treat Mac users as grown-ups: you can still install and use software development environments, access Terminal’s shell commands and scripts, and do other powerful but potentially dangerous things. Mountain Lion leaves you in charge; although in some other respects iOS and OS X may be converging, there are no plans to lock down OS X in the way that iOS is nor is there any benefit in doing so.

Some software developers have expressed their fears that Apple is taking complete control of the Mac platform, as it will have the ability to repudiate the authority of code signatures and lock down the functionality of products. This position of power could, they claim, be abused to damage those whose products compete against Apple’s and could disadvantage independent developers who don’t wish to sell through the App Store.

Any allegations of such abuse would, of course, be open to legal action, and in the US at least could put Apple in breach of antitrust legislation, something that would threaten its continuing corporate integrity. However, Apple does need to come up with a robust and fair process for dealing with any disputes with developers.

It’s also inevitable that those who write malicious software will be conducting detailed evaluations of these features, probing for weaknesses that they could exploit. The next couple of years will show whether Gatekeeper and the other security enhancements in Mountain Lion prove to be effective deterrents and let us get on with using our Macs without fear.
