Gatekeeper
Latest
Apple assures Mac users its anti-malware feature isn't spying on them
Gatekeeper is a MacOS component designed to stop you running malware. A server outage, however, made security researchers look at what it does more closely.
Apple's Gatekeeper issues might have slowed down your Mac earlier
Apple server issues might have slowed down apps on your Mac at about 4PM ET.
Mac security hole reportedly lets attackers bypass app safeguards
Apple may have another Gatekeeper security flaw on its hands. Researcher Filippo Cavallarin has detailed a macOS vulnerability that he said would let attackers install malware without the usual permission request. As Gatekeeper considers network shares to be 'safe' locations that don't require permission checks, an intruder just has to trick the user into mounting one of those shares to run the apps they like. A maliciously crafted ZIP file with the right symbolic link could automatically steer you to an attacker-owned site, for example, and it would be easy to trick someone into launching a hostile app -- say, a virus masquerading as a document folder.
Unofficial BitTorrent app once again linked to Mac malware
The developers of Transmission can't catch a break. Just months after their BitTorrent app was linked to the first known instance of Mac ransomware, security researchers at ESET have pinpointed another form of malware taking advantage of Transmission to infect Mac users. Keydnap, as it's called, takes advantage of a modified version of Transmission (planted on the developer's site without its knowledge) to attack your computer. It's similar to the ransomware's approach in more ways than just its choice of host app -- it even uses a signing key to trick Apple's Gatekeeper safeguard into letting it through.
Apple's Gatekeeper vulnerability still needs to be fixed
Back in September, Synack security researcher Patrick Wardle disclosed a nasty issue with Apple's nefarious-app stopping Gatekeeper system in OS X. While the software is great at stopping malware-infected apps that users have downloaded from the bowels of the internet, it did have a flaw: a signed app could, upon launch, initiate an unsigned program if it resided in the same directory. Because the end user is never aware that this second application is launching, it's a great way to infect a computer. As a responsible researcher, Wardle informed Apple and got a security update as a result. That should have been the end of it, right? Yeah, not so much.
Mac exploit dodges Apple's anti-malware app check
If you've used a Mac running OS X Mountain Lion or later, you're well-acquainted with Gatekeeper: it's the security measure that prevents unsigned apps from running unless you want them to. Unfortunately, it turns out that this first line of defense isn't quite as secure as it's supposed to be. Synack security researcher Patrick Wardle has discovered a flaw that lets malware get around Gatekeeper and do what it wants with your system. The trick 'hijacks' a signed app to pretend that it's legit, and uses clever file packaging to launch hostile code once OS X declares the host app safe. Wardle only used one app in a proof of concept demonstration, but other apps should work. You could even use malicious plugins (say, Photoshop add-ons) to bypass Gatekeeper.
Security breach may be reason for Gatekeeper app signing changes (Updated)
A discussion has been brewing on Twitter today regarding the recent app signing changes that could leave some apps blocked by Gatekeeper if developers don't re-sign the apps. Apple had let developers know that "With the release of OS X Mavericks 10.9.5, the way that OS X recognizes signed apps will change." According to Twitter user @SomebodySW, the change may actually be a response to a security breach in the Developer Portal, not just a change in the method of recognizing signed apps. Update 11:54 AM 08/19/2014: TUAW received separate confirmation of the breach from a second source via IRC, stating that Apple's certificates may have been compromised and that the company's changes to Gatekeeper are in part intended to mitigate the risks of those breaches. We have still not received any confirmation or denial of the Dev Portal breaches from Apple. @marczak @cabel @danielpunkass @mikeash The keys used for Gatekeeper* were stolen in that Developer Portal breach a while back. Consider thi - Somebody Somewhere (@SomebodySW) August 18, 2014 @marczak @cabel @danielpunkass @mikeash s your heads up. *and many other keys for many other things - Somebody Somewhere (@SomebodySW) August 18, 2014 How plausible is a security breach that resulted in the theft of not only Gatekeeper's keys but "many other keys for many other things"? Plausible enough that we reached out to Apple for confirmation. At this point, no response has been received. Ben Doernberg, a security and bitcoin expert, has also pinged Apple, saying in a recent tweet that: Just talked with Ryan James at Apple, says he'll look look into if device signing keys were stolen last year, no confirm or deny @SomebodySW - Ben Doernberg (@BenDoernberg) August 18, 2014 According to @SomebodySW, "Other keys were stolen too: The Enterprise Signing Key, a key that could be used (and was) used to sign Activation Tickets (bypassing iCloud locks) and several developer ID related keys also some keys iPhone 4/4s/5 hardware 'knows', used to authenticate the OS installed as being from Apple/unmodified". @SomebodySW notes that he received an offer to buy the device signing keys from the person who performed the breach of the Apple Dev Portal shortly after the theft occurred. While this still isn't definitive proof that the Gatekeeper and other security keys were stolen, TUAW received separate confirmation from a second source. We'll keep on top of this story and let you know how it develops.
Chaos Theory: Every game needs a Gatekeeper like The Secret World
It finally happened. I've been playing The Secret World since launch, wading through lots of lore, wracking my brains on investigations missions, collecting clothes, and soaking up the amazing atmosphere, among other things. But there is one activity that I have successfully dodged participating in that entire time until the moment came when I could no longer justify evading it. I'm talking about the Gatekeeper. For those who aren't familiar with TSW's Gatekeeper, here' the scoop: He's the giant golden golem that stands between you and the PvE endgame. He's the feature that all players who want to participate in the hardest mode of dungeons and acquire the best purple PvE gear must prove themselves against before being allowed to move their play to that next level. Consequently, he prevents those who are completely unprepared for that level of challenge from getting in over their heads and dragging down their groups in the process. Golden boy is a powerful (and merciless) teacher who can humble those not ready for the fight as well as those who are by really testing their knowledge about the game's combat system and forcing all to face up to their inadequacies. So I finally faced this Agarthan nemesis, and he was all I expected him to be. And yes, I was initially schooled. But I did end up laying the smack down on him, learning a few important things in the process. And one of the top lessons? I think every single game should have a Gatekeeper!
CES 2013: Cobra adds to iRadar lineup and more
Radar detector manufacturer Cobra is back at CES again this year, and the company is showing off two new additions to its smartphone-powered lineup. The iRadar S-Series is the new high-end model -- it's available right now in Europe, but won't be here in the States until around August. Unlike most of Cobra's other models, the S-Series is designed to be installed in your car under the hood, with the only interface on it being through the iPhone app via Bluetooth. That explains the higher price of US$299 as well: since it needs to be installed under the hood, this is a more premium model than your standard "stick-it-on-the-dash" radar detector. The iRadar Atom is the other new model -- it'll be out in May at a lower price of $199. This is a more traditional radar detector, but with some nicely updated stats: the device itself is about 30 percent smaller than the previous iRadar models, and the performance has been doubled. Both of these iRadar units work together with the company's app, which has reached 1 million downloads so far. The app itself has gotten some updates over the past year, and now has some mapping features included, though the maps used are just whatever's native on the platform (so Apple's Maps for iOS and Google Maps for Android) rather than any other third-party system. Cobra is also working with JVC to provide another head unit option for the iRadar line, and the company also told us that it was "talking to a bunch of companies" about possibly making the iRadar's output available to other app developers via licensing or an API. Outside of the iRadar line, Cobra was also showing off two brand-new devices that connect up to smartphones like the iPhone. The Cobra Airwave is a Bluetooth music bridge unit that will be available in February for $39.95, and will work (in a car or at home) to connect up streaming music from your iPhone to any speakers you want to connect it to. The unit is relatively simple, but Cobra sees it as a test balloon in the home audio market, and hopes to have other similar kinds of devices along this line available soon. Finally, the Cobra Gatekeeper is another test balloon of sorts -- it's a Bluetooth-enabled garage door opener that's designed to plug into your current garage door opening system. All you'll need to do is snap the Gatekeeper into the wires coming out of your garage door opening switch, and then you can activate the door opener directly from your iPhone whenever it comes into Bluetooth range. The included app can also be set to send out notifications whenever the door is opened -- if, for example, you want to be notified when another family member arrives home. The Gatekeeper will be available later this year for $59, and Cobra is hoping it's the beginning of a brand-new line for them. "We want to get into home automation," the company's rep told us, so the Gatekeeper may be only the beginning of a much bigger push for Cobra in 2013.
iOS and OS X teams joined under Craig Federighi
Today, Apple announced that their iOS and OS X teams would join together as Scott Forstall leaves Apple. Craig Federighi (photo at right) will take over, leading the joined teams. Apple's press release stated, "This move brings together the OS teams to make it even easier to deliver the best technology and user experience innovations to both platforms." At the October 2010 Back to the Mac event, Steve Jobs first discussed what would later be known as the "Post PC" world. He talked about including lessons from iOS in the new operating system, and highlighted how consumer-centered products were the future. Today's developments follow on from that initial road map, bringing the two operating systems under a single team. Developer reaction to this change has been mixed. Some, speaking off the record, stated they do not feel that Apple's recent push towards bringing iOS features and design patterns has been a positive change for OS X. OS X Mountain Lion introduced iOS-like application sandboxing and GateKeeper along with other iOS-originated features like Notification Center and Reminders. Sandboxing curtails OS X application development in very iOS-like ways. Applications must request specific "entitlements" that provide exemptions to OS-imposed barriers. Forstall was notably not part of the October Event last week that introduced the fourth generation iPad, the iPad mini, and a revamped line of Macintoshes. The former VP of iOS, Forstall sold off 95 percent of his Apple shares this past May.
OS X Lion hits 10.7.5 with most recent update, brings improved security with Gatekeeper
While the latest software for OS X Lion isn't nearly as exciting as a couple of other updates that Apple released today, Lion users will find a few worthwhile improvements within the new OS X 10.7.5 update. Most importantly, the latest software introduces Gatekeeper, a security feature from Mountain Lion that makes it more difficult to inadvertently install malicious software. The update also brings improved WiFi reliability for the iMac (late 2009 and newer) and squashes a bug that'd caused Launchpad icons to become rearranged. You'll find an even greater number of fixes / improvements after the break, and it's also worth a mention that even Snow Leopard users have received a bit of love today in the form of a security update. Want to prove you're a good cat owner? Go ahead and check for new updates right away.
Mountain Lion 101: Gatekeeper controls app launches for security's sake
Gatekeeper isn't the most obvious feature of the new OS X Mountain Lion system that you probably downloaded and installed yesterday, but it might be one of the most important. Gatekeeper essentially oversees a list of verified developers who have applied for and received a Developer ID from Apple. It also allows you to specify whether your Mac will install apps only from the App Store, from the App Store and this list, or from anywhere you want. If you choose the Mac App Store only, you'll be able to make sure that everything you install has gone through Apple's approval process, which is about as protected from malware as you can get. When you installed Mountain Lion, every app that was already on your Mac got a free pass as far as Gatekeeper is concerned. The apps were grandfathered in as already having been run and cleared; since Gatekeeper works by preventing the first launch of an app, those apps are OK. In fact, you can keep the "Mac App Store and identified developers" setting turned on for safety while still installing and running non-signed apps; just right-click (or control-click) the unsigned app and choose Open. Gatekeeper will prompt you for a single-app exemption and if you're OK with it, the app will launch from then on. Now, not everybody appreciates Apple's "walled garden." Some developers take issue with the fact that they need to be "verified" by Apple before releasing and running software on the Mac. Gatekeeper is also responsible for "sandboxing" applications, which means keeping applications from changing files on parts of your computer that they don't usually interact with (though this does cause problems for apps that do want to dip into your personal system files, usually just to make things easier on you). At any rate, sandboxing and Gatekeeper are a reality for now. If you want to tweak your Gatekeeper settings, you can find them in the System Preferences screen under Security and Privacy. #next_pages_container { width: 5px; hight: 5px; position: absolute; top: -100px; left: -100px; z-index: 2147483647 !important; }
Office 2011: Mountain Lion-ready, says Microsoft
Nothing but love for the lightly-updated iWork, but millions of Macs in SOHO, business and enterprise settings depend on Microsoft's Office 2011 suite for productivity mojo every day. The Office for Mac team noted on its official blog that Office 2011 is Mountain Lion-ready and fully supported, as is (somewhat surprisingly) Office 2008. The O4M team offers up two quick tips for making sure Office 2011 is current. First, check that the AutoUpdate feature is enabled & run any available updates; you can find AutoUpdate by going to the Help menu in any Office app and choosing Check for Updates. Second, it looks like the standalone Office updater packages you can download from the O4M site will not play nicely with Mountain Lion's Gatekeeper binary signing, at least not with the default security settings in place. The recommendation is to use AutoUpdate (which is signed) to run any necessary Office patches. Regarding Gatekeeper (which we'll talk about more later today), two quick reminders: Any application that is on your Mac at upgrade time is automatically marked as OK to run under Gatekeeper and does not need to be a signed binary. Also, you can bypass the Gatekeeper settings on an app by app basis -- without switching your whole system to the less-secure mode -- if you right-click/control-click an application icon and choose Open, that opens a dialog for "whitelisting" that particular app. Once you launch it once, it will be OK in perpetuity. [hat tip Macgasm & SlashGear]
Office for Mac 2011 and 2008 ready for OS X Mountain Lion, procrastinators groan
So you updated to OS X Mountain Lion and, gosh darn it, you're not sure that Office for Mac 2011 (or Office 2008 for Mac) will be in perfect harmony. Time to put off finishing that accounts receivable spreadsheet until IT sorts it all out, right? Unfortunately for anyone looking to catch a break, Microsoft just certified that the two most recent Mac versions of Office will purr with Apple's latest big cat. About the only hiccup remaining is the inability to manually download and install future updates as long as Gatekeeper is on full lockdown. If you've been spending all day making paper planes, it's time to knuckle down and get back to work.
Kaspersky Lab: Macs not invulnerable to malware
The writing is on the wall. Our time of innocence is gone. Researchers from Kaspersky Labs claim Mac market share has finally reached the critical point, and the platform is now an attractive target for online criminals. Kaspersky told Ars Technica and other press on Thursday that, "Mac users can expect "more drive-by downloads, more Mac OS X mass-malware, and more cross-platform exploit kits with Mac-specific exploits." It's not all doom and gloom. Infections in the wild are still sparse, and Apple may slow the spread of future threats with the introduction of Gatekeeper in Mac OS X Mountain Lion. Among other things, Gatekeeper will prevent users from "unknowingly downloading and installing malicious software." If you don't want to wait for Gatekeeper, there's also several good antivirus solutions like Avast and Sophos that are available now for Mac users to download.
Apple introduces Developer ID, laying groundwork for Gatekeeper
Apple sent out an email today asking developers in its various programs to go ahead and get their applications ready with the Developer ID program, which is basically a new form of certifying apps that run on your Mac or iOS device. Developers can request a certificate through the tools included in Xcode, and then when Mountain Lion arrives and Gatekeeper is running on your Mac, developers can include that certificate and install and run their apps without issue. You will still be able to run apps without a Developer ID included (for now), but Apple says you will get a warning when doing so. Apple's pitching Gatekeeper as a way to keep users from running malware on their Macs, but of course a program like this also helps keep the app ecosystem more closed, allowing Apple just a little more control over what runs on your Mac. Most developers, however, will probably want to go ahead and sign up for this, so that when Mountain Lion arrives, their apps don't face any issues. Apple's also posted a guide to getting started with Developer ID, so if you have any other questions, you can sign in with your login over there and read through it.
Switched On: Mountain Lion brings iOS apps, malware traps
Each week Ross Rubin contributes Switched On, a column about consumer technology. According to Wikipedia, the mountain lion, also known as the cougar, is distinguished by having the greatest range of any large wild terrestrial animal in the Western Hemisphere. Indeed, from what we've seen so far of Apple's forthcoming Mac operating system, its new features will likely find favor with a broader range of Apple users than Lion.
App-ocalypse soon: Apple extends sandboxing deadlines, but restrictions loom
Image: Shutterstock Apple issued a three month extension on application sandboxing today, giving devs a little more breathing room before new rules take over. June 1 2012 is now the enforcement date. We've been having many discussions about Mac development in the TUAW backchannel over the last week. The introduction of GateKeeper and the notion of signed apps, sandboxing, and developer IDs have us talking about where Apple is taking the Mac, and will be moving Mac development in general. Overall, we think things are moving towards a win for consumers and better opportunities for devs. Read on to learn more about these technologies, and how they affect developers and App Store. GateKeeper is Apple's new approach to making your Mac safer by giving you control over which applications may download and run on your computer. With GateKeeper, developers sign apps to authenticate them with the OS -- both apps that you purchase from the Mac App Store and, at the developer's option, also apps you purchase elsewhere. With Mountain Lion, you choose which apps are allowed to run. You'll be able to disable GateKeeper and run apps from anywhere if you like, although this is not the default setting. The thing is this: Apple continues moving towards a more controlled, less open, more appliance-like concept of what a Mac means. That redefinition is causing ripples, affecting app development more and more. Applications can do fewer things, access fewer system resources, and control other apps less than they did in the past. Developers who choose to enroll in the Mac development program pay a $99/year fee just as those who enroll in the iOS development program do. Once enrolled, they can sign their apps as identified developers -- as well as gain access to early beta versions of unreleased operating systems. When the iPhone SDK first debuted, many people including yours truly complained about what couldn't be done with the APIs: what files could be accessed, what routines could be called, and so forth. Coming from a general computing background, one learns to expect to build whatever one can imagine. If the building blocks are there, then why not build whatever tools you need? That all ties into a background of fully open computing. Apple's policy split the dev community into the jailbreak world and the App Store world, with many people crossing over depending on what they were building. Under jailbreak, developers gain full access to the entire iOS file system and run apps in a fully privileged mode. This gives devs a much broader development vocabulary to work with. The jailbreak world became known for its innovation, with Apple mining those forward-looking ideas and free R&D and bringing them into successive iterations of their operating system. At the same time, developers had to change. If they wanted to market through App Store, they had to relinquish product ideas that wouldn't work within the more closed-off system that App Store submission required and look instead for opportunities of development that were allowed. No one can look at App Store today, with its countless apps, and say that Apple denied developers opportunity. It's just a somewhat different opportunity than many developers expected. It's an opportunity that restricted certain kinds of applications, most typically OS enhancements and utilities (which have flourished on other mobile platforms with less oversight of developer access). Overall, Apple has provided better tools, better marketing, and better sales avenues than had existed before. The end result has been apps that are significantly better than previous generations. And now, Apple is doing the same thing for the Mac. This is emotionally hard for some long-term devs like me. We want Linux-y freedom for whatever we want to build and distribute. Now, with sandboxing (a technique that restricts application access to full system files; all apps that are not sandboxed will be removed from the Mac App Store starting June 1st [Update: Older apps will still be on the store and allowed bug fixes- Ed.]) and GateKeeper (limiting apps to those that are signed and authenticated), Apple is setting a new default: software consumers will expect to be protected, and will expect that any item being delivered to them will comply with Apple policies. We developers have two choices: either opt in to Apple's signing (developer IS) and/or distribution system (App Store), or limit ourselves to only those customers savvy enough to opt out to the "all's fair" system. It's essentially a Mac jailbreak--just without all the pain of waiting for the next untethered release. (Speaking of which, yes, it would be lovely if this idea goes exactly back to the iPhone, so we don't have to wait on those exploits and releases.) Apple's brave new world for the Mac gets that there are "power" users and "consumers." And it also gets that the latter category vastly outnumbers the former. As it builds new and better operating systems that retain desktop functionality, it is shaping computing to match consumer needs and wants, not developers. Not everything is roses. Some devs are complaining--with good reason--that Apple's approach to proprietary technologies will prevent them from selling off the App Store for iCloud features, for example. If you want to tie into those APIs, you won't be able to go to third party merchandising storefronts to sell your software. App Store-exclusive features will tie developers further into Mac App Store and to Apple's 30% cut. Those Apple-specific technologies will continue to grow over time. What's more, developers must continue putting pressure on Apple to extend entitlements, allowing apps to grow the kinds of resource access they are allowed under Apple's sandbox system. The current set of entitlement restrictions seems unnaturally limited. Just as iOS's App Store has responded to developer requests, the Mac environment will have to soften restrictive rough edges over time. A passionate and involved developer community will help those changes happen. Community-sourced advocacy such as Tim Burks' Open Radar project allow developers to cooperatively brainstorm and strategize about which access issues are the most important to them. In the end, this is going to be an amazing end-point for consumers. You can talk about "what has existed for a generation," but that means things like Microsoft Word. There is no way anyone can argue that MS Word was an amazing end-point for general consumers. It's a wake-up call for devs who have stuck with Apple through the dark years. Apple is changing up the game. Devs have to change it up too. And if Apple's success with iOS App Store is any indication there will be more opportunity and better chances at creating a living than ever before. Thanks, Remy "Psy" Demerest, Kyle Kinkade, |Agent
Mountain Lion's Gatekeeper adds additional security options to OS X
With the many updates and new features announced for the upcoming OS X release of Mountain Lion, one may have slipped by, but it's an important feature. It's also likely to become controversial. Gatekeeper gives users some extra security when running third party software. Apple says Gatekeeper will help prevent users from "unknowingly downloading and installing malicious software." The system preference has three levels of security. One only allows you to install apps from the Mac App Store. A second level allows installation of apps from what Apple calls "identified developers." Apple is starting up a program that basically allows developers to have digital signing of their apps. The lowest level of security allows apps to be installed from any source, but OS X will warn you if the app is not digitally signed. What Gatekeeper doesn't do is protect you against malware and viruses, which admittedly have not been a big problem on the Mac platform. Apple does have some built in tools to identify potentially harmful programs, but sometimes the problems can get ahead of Apple implementing a solution. Of course, Windows faces similar challenges, but on a much larger scale. Gatekeeper is in the recently released developer preview, but it is not activated. AppleInsider reports that it can be turned on by using the new OS X system policy control command-line tool "spctl(8)". It will be interesting to see if Gatekeeper matures and adds features by the time Mountain Lion is released in late summer. We'll do a deeper dive on Gatekeeper and its possible implications for the Mac platform later on.
Next OS X update blocks unsigned apps by default, unless security adjusted [update]
[Update: The original version of this article incorrectly conveyed the restrictiveness of the default security in this OS X update, and has been edited to reflect the scope of software affected. Joystiq apologizes for the error.]Apple OS X 10.8 Mountain Lion, which just started its "Developer Preview" period and will be released to the populous sometime this year, features a security protocol called Gatekeeper, which prevents unsigned applications from running, depending on user preferences. Gamasutra reports Gatekeeper is set to only allow applications from the Mac App Store and from developer who've registered with Apple.This means that, for any games and apps made by designers who have not registered with Apple, you will have to adjust Gatekeeper's initial restrictions.Since you can allow content from unidentified/non-App Store sources, it doesn't seem like the system itself is inherently malicious or anti-gaming. It is, however, prohibitive, and may affect off-store apps downloaded by users unfamiliar with Gatekeeper.
