Monday, November 05, 2012

Mac OS Security: Gatekeeper (2)

I remember that one of the WWDC 2010 session videos covered this topic with demos. The demo was quick but very impressive. I have done some hands-on tests of this feature; here they are.

App Store Only

First, I tried setting my Security preference to Mac App Store only. This is the most restrictive option. With this simple setting, I could not download any apps from a browser.

Identified Developers

This is the recommended option for most users: Mac App Store and Identified Developers. This means you can download apps from the web, but those apps must be signed with an authorized developer ID. According to Apple, a developer ID certificate can be obtained from non-Apple agents, such as Google or Microsoft.

I set this option on my Mac. With it, I can download any app from the Web, but only apps with identified developer IDs can be opened. For example, I downloaded a free app that is signed with an Apple Developer ID. After downloading, the following warning message is displayed the first time the app is run:

No Open for Non-Identified Apps

For example, I tried to download MesaSQLite from CNET downloads. For the time being, this app is not signed with an Apple Developer ID. Therefore, I could not run this app on my Mac.

No Open for Other Macs

I tried copying this app to another Mac. I still could not run it. It seems that Mac OS quarantined the app when it was downloaded.


Anywhere

This is the most open option, the same as previous versions of Mac OS or Windows. You can download any apps from the Web and use them. The interesting thing is that I temporarily switched to this option to get apps that I trust to be harmless, then reset the option to Identified Developers. The files I got this way can be freely copied to another Mac by USB, AirDrop or network shared drives. Therefore, Gatekeeper applies only to web browsers.

Authenticated Developer ID

The key concept in Gatekeeper is signing an app with an authenticated developer ID. One interesting part of the WWDC demo was a hijacked app, that is, an app, either signed or unsigned, that has been modified. Gatekeeper would identify such apps as potentially malicious.

To test this case, I opened the contents of the app NetNewsWire with Show Package Contents from its context menu. I copied one image to the root of its contents. Then I uploaded the app to my Dropbox's Public area. From there I downloaded the app again. Here is the image of the original app, on the left, and the modified app, on the right, on my Mac:

Whether my Gatekeeper setting is Anywhere or not, I just cannot run this app. The app is quarantined by the OS when it is downloaded. Nor can I run it by copying it to another Mac (I mean copying the downloaded app).

However, if I modify the app on my Mac, I can still run it and I can copy it to another Mac. Gatekeeper is just a security gate at the browser, between the Mac and the Web.
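Why one extra image is enough to make the modified app fail a signature check, as an added example that is not code from this post or from Apple: a signed bundle carries a sealed list of digests for its files (on macOS it lives in `_CodeSignature/CodeResources`), so a file that was added or changed after signing no longer matches. The manifest layout, the function names and the sample bundle below are simplified assumptions, not Apple's format.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def seal(bundle: Path) -> dict:
    """Record a digest for every file in the bundle, as done at signing time.
    A real seal is itself covered by the developer's signature; this
    simplified model just keeps the manifest in memory."""
    return {p.relative_to(bundle).as_posix(): file_digest(p)
            for p in sorted(bundle.rglob("*")) if p.is_file()}


def verify(bundle: Path, manifest: dict) -> dict:
    """Compare the bundle on disk with the sealed manifest."""
    current = seal(bundle)
    return {
        "added": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in current.keys() & manifest.keys()
                           if current[k] != manifest[k]),
    }


def is_intact(report: dict) -> bool:
    return not any(report.values())


def demo() -> tuple:
    """Constructed sample bundle: seal it, then drop one image into its root."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Sample.app"
        (app / "Contents" / "MacOS").mkdir(parents=True)
        (app / "Contents" / "MacOS" / "Sample").write_bytes(b"constructed binary")
        (app / "Contents" / "Info.plist").write_text("<plist/>")
        manifest = seal(app)
        before = verify(app, manifest)
        (app / "extra.png").write_bytes(b"\x89PNG constructed image")
        after = verify(app, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("untouched bundle intact:", is_intact(before))
    print("after adding an image:", is_intact(after), after)
```

The seal is broken as soon as the file is added, wherever that happens; what differs between the downloaded copy and the locally modified copy in the tests above is whether the check is applied when the app is opened.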

I think Apple's Gatekeeper strategy is an innovative change at the OS level. It is a very effective way to protect Mac users from attacks by malicious apps, most of which sneak in through web browser downloads, either accidental or socially engineered.

Gatekeeper is just the front tier of the Mac OS security layers. For developers, this is a big change, and it will be a new trend we have to face. If you sign your app with your ID, your app will be treated as a good citizen in the binary world, or whitelisted, until you intentionally commit a crime, for example by attacking users' computers or stealing private information.

This is analogous to the border gates of the US, Canada or any other country in the world: a passport is a practical proof of citizenship when you cross a border. This is by far the most effective and least costly way to protect a country. Just imagine how you would secure your country if you had to periodically check everyone in it to see that they are not malicious. In theory, a strategy of thorough, periodic, top-to-bottom internal checks may be the most secure method, but it is impossible in practice.