Apple moves the Gatekeeper offsite

Mac users live in a wonderful world relatively free of viruses, malware and all manner of other computer security threats. To be sure, they are there but it is very rare to be taken down by a virus. Apple, however, seem to be aware that as their star rises, so does the challenge they present to hackers.

The traditional way these security threats are dealt with is on the computer. Various programs are available to scan what is going on for threats and to block or remove them. The whole activity takes place on your own computer; albiet with the aid of updates that upgrade defences. The problem, of course, that all of this stuff is a big pain — think of the many Windows users subjected to automatics updates by their administrators right in the middle of doing something. This causes users who can to drop defences somewhat.

In its latest software upgrade for the Mac announced yesterday, Apple has taken a new approach. To complement the firewall, Apple will now offer its own verification of the safety of installed programs. It does this already for apps sold through the Mac App Store but its Gatekeeper feature will not restrict users to that. If developers submit their apps to Apple, they can receive a verification signature whose stamp of approval will allow users to install them seamlessly. So users can, therefore, rely on Apple to verify how secure an installed program is.

Now Apple did not put this as a mandatory restriction — in contrast to what they do on mobile devices. It is just a default and that can be changed. So if you want you can install any program you want. It is just then that you take a risk. Apple are guessing that most users will not want to. I suspect they are right about that. If this works, it can shift the battle off people’s computers. Hackers will need to look to a more limited set of options if they want to hack Macs.

But what does this mean for developers? There is some concern. Part of it I’m sure is the spectre of Apple eventually requiring use of the Mac App Store just like with iOS but there is equally the possibility that this may be a precursor to less restrictions on mobile rather than more on Mac. But even without this, there is a very strong incentive to be approved by Apple and this will apply to upgrades as well. That means the cost of distributing to developers may go up. But, that said, for smaller developers, they get, for free, Apple’s assessment on security. Larger developers like Microsoft got that by dint of their reputation. To this end, by rolling it out in this way, Apple is enabling rather than restricting the opportunities for smaller developers. Of course, how it deals with open source options will be interesting.

There is nothing in this that is unique to the Mac. Indeed, when you think about it, establishing a curation function is something that might be more valuable for Microsoft to do. I suspect, therefore, they won’t be far behind on a similar approach to security.

3 Replies to “Apple moves the Gatekeeper offsite”

  1. Where do you get the claim that “If developers submit their apps to Apple, they can receive a verification signature whose stamp of approval will allow users to install them seamlessly.”? So far as I can tell, the intermediate option on Gatekeeper will verify only that the developer has a Developer ID and that the app hasn’t been tampered with by anyone else. I can’t find a source (other than you) who says that Apple will actively verify these apps the way that they verify App Store apps. The closest I have come is here, where Apple claims, “A developer’s digital signature allows Gatekeeper to verify that their app is not known malware and that it hasn’t been tampered with.”

    But surely saying the app isn’t “known malware” just means that it hasn’t previously been identified as malware. If it had previously been so identified, the developer’s Apple ID would have been revoked. If, on the other hand, Apple were actively vetting apps, they wouldn’t have to include the qualification about “known malware”.

    Frankly, Gatekeeper looks to me like a device to push developers into registering with Apple, with minimal security benefits for users. I’d be happy to be proved wrong about that, if you can show me where Apple supports your claim.

  2. @andrew Basically, they receive a Developer ID that means that Apple can delete them if it gets identified as Malware. So you are right, verification will only apply to App Store apps. Nonetheless, it is a shifting of the battleground somewhat.

  3. Josh, Microsoft has actually had this type of service for more than a decade, in a program called logo certification.

    Additionally, two years it started deploying a very successful heuristics-based service that assesses the reputation of applications users download from the internet.

    Reputation assessment

    Logo certification

Leave a Reply to Tony Healy Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s