Mac OS X Gatekeeper and the Apple Developer ID

Apple has introduced Gatekeeper to a select handful of developers recently, and given I like research I couldn’t help but notice that over 20 years ago the Mac had an antivirus software called, yes you’ve guessed it – Gatekeeper. It’s moved on a bit since then though – Macs don’t really need AV at the system/kernel level, but it’s still useful to have an added layer of protection at the application and user levels – which is where this new rendition of Gatekeeper will sit.

Apple is pushing it’s Developer ID programme which aims to provide a unique Developer ID for digitally signing Mac OS X apps. This digital signature allows the Gatekeeper software to verify that their app isn’t malicious or hasn’t been tampered with. If the app has no Developer ID then Gatekeeper will let you know with a user prompt before the app is installed.

Here are some interesting pointers I’ve managed to find/use on Gatekeeper:

  • Gatekeeper is hidden in Mac OS X 10.7.3 (the latest OS X build but can be enabled for developers using the following Terminal command “sudo spctl –enable”). If you want to disable this function just replace the word ‘enable’ with ‘disable’. Developers can now take a peek 🙂
  • Executable files (.exe) dependent – app code digital signing by developers for example does not protect from PDFs, shell scripts, USB, CD (auto runs) and ZIP file infection paths 🙁
  • Uses a white/black listing database – no intelligent scanning (it is based on XProtect technology which is no bad thing)
  • Only works with Mac App Store and the app (file) is only checked by Gatekeeper on installation not on download
  • Addendum – Doesn’t check apps loaded from a disk or a USB drive, only those downloaded from the Internet

Gatekeeper does provide an additional layer of protection, however it is dependent on the user having full confidence that the app they are downloading and installing doesn’t contain any malicious code. There is too much emphasis placed on the end-user to make the final decision here. Most of my security colleagues will agree this isn’t the solution, but it does continue to drive awareness and education to the Mac OS X population.

This decision process in my mind should be removed from the user experience for only one reason – lack of understanding of why a user should allow/block the app. Unless you work in security, how would an end-user be expected to know how to action a prompt? I suspect the app developers might have a role to play here.

Developers can use Gatekeeper from the 10.7.3 latest build (see above) to test the latest Developer ID functionality. Worth noting, BlackBerry binned the idea of developer IDs last year, mainly due to the fact this became a pain point (and was replaced with a driving license verification process), so I’m not so sure how this will take with the Mac OS X developer community. Only time will tell.

Safe surfing folks!

This entry was posted in apple and tagged . Bookmark the permalink.

One Response to Mac OS X Gatekeeper and the Apple Developer ID

  1. Pingback: Mac OS X Gatekeeper and the Apple Developer ID | News | IT Security Magazine - Hakin9

Leave a Reply

Your email address will not be published. Required fields are marked *