Security breach may be reason for Gatekeeper app signing changes (Updated)

A discussion has been brewing on Twitter today regarding the recent app signing changes that could leave some apps blocked by Gatekeeper if developers don't re-sign the apps. Apple had let developers know that "With the release of OS X Mavericks 10.9.5, the way that OS X recognizes signed apps will change." According to Twitter user @SomebodySW, the change may actually be a response to a security breach in the Developer Portal, not just a change in the method of recognizing signed apps.

Update 11:54 AM 08/19/2014: TUAW received separate confirmation of the breach from a second source via IRC, stating that Apple's certificates may have been compromised and that the company's changes to Gatekeeper are in part intended to mitigate the risks of those breaches. We have still not received any confirmation or denial of the Dev Portal breaches from Apple.

How plausible is a security breach that resulted in the theft of not only Gatekeeper's keys but "many other keys for many other things"? Plausible enough that we reached out to Apple for confirmation. At this point, no response has been received. Ben Doernberg, a security and bitcoin expert, has also pinged Apple, saying in a recent tweet that:

According to @SomebodySW, "Other keys were stolen too: The Enterprise Signing Key, a key that could be (and was) used to sign Activation Tickets (bypassing iCloud locks) and several developer ID related keys also some keys iPhone 4/4s/5 hardware 'knows', used to authenticate the OS installed as being from Apple/unmodified".

@SomebodySW notes that he received an offer to buy the device signing keys from the person who performed the breach of the Apple Dev Portal shortly after the theft occurred. While this still isn't definitive proof that the Gatekeeper and other security keys were stolen, TUAW received separate confirmation from a second source.

We'll keep on top of this story and let you know how it develops.
