Thursday’s surprise announcement of the next version of Mac OS X had developers across the Mac community perking up their ears, thanks in no small part to a new feature in Mountain Lion called Gatekeeper.

“My take on Gatekeeper is it’s a lightweight introduction of the notion of registered developers outside the App Store,” Daniel Jalkut, owner of Red Sweater Software, explained to Macworld.

Gatekeeper relies on a technique called code-signing, in which developers are provided with a cryptographic certificate from an authority — in this case, Apple — which they can then use to digitally “sign” their apps. It’s similar to the process that consumers encounter when they buy things via the web, in which they’ve been trained to look for the padlock icon that indicates a secure transaction.

“Security based on digital signatures has been a long time coming, so it shouldn’t be much of a surprise to developers,” said Ecamm Network co-owner Glen Aspeslagh. “As the Mac gains in popularity, Apple’s approach will be a powerful and much needed weapon against malware.”

While our Windows-using compatriots have been plagued by malware of all shapes and flavors, Mac users have remained mostly unscathed, although the argument continues to rage over whether that’s because of innate superiority in the Mac operating system or the Mac’s smaller market share presenting a less tantalizing target for writers of malicious software.

Certificate of authenticity

Apple’s new approach relies on the idea of what it calls “identified developers,” which is to say developers to whom the company has issued a digital certificate. That certificate becomes linked with the developer’s identity and subsequently with their applications. If Apple finds that a software maker is distributing an app that contains some sort of malicious code, it can revoke the certificate, which — depending on how a user has Mountain Lion set up — may prevent the app from launching. Presumably, Apple could even revoke all the apps from a single developer with the flip of a switch.

This isn’t really a new concept for Apple; code-signing as an option has been around since 2007, when it was introduced as part of Mac OS X 10.5 Leopard. And the company has employed it as a requirement for programs distributed in both the App Store for iOS and the Mac App Store.

“We’ve been in the Mac App Store for a while (since the very start),” Bare Bones Software’s Rich Siegel told Macworld, “and as far as I can tell, if you’re shipping a Mac App Store product today, you’re an ‘identified developer.’”

But, of course, not all Mac developers participate in the Mac App Store. So while developers can sign their own code to certify, for example, that the contents of their apps have not been altered since distribution, they can’t reap all the potential benefits that code-signing has to offer. To do that, the certificate would need to be issued by a trusted authority — to wit, Apple.

So last November, Delicious Monster chief administrator Wil Shipley proposed in a blog post that Apple issue certificates that would allow developers to release self-signed apps outside of the App Store environment as a way to help combat malware without going to the complexity of other proposed solutions, like sandboxing (more on which later).

“My suggestion,” Shipley wrote on his blog, “is for Apple to provide certificates directly to developers and allow the developers to sign their own code. And, by doing this, Apple can then sanely say, ‘Ok, now we’re going to, by default, not allow the user to run any code whose certificate wasn’t issued by us and signed by a real third-party developer (except the stuff the user checks in the control panel).’”

That seems to be more or less the approach that Apple has embraced with Mountain Lion, which allows users to choose which applications they’d like to run: any apps at all, only apps from the Mac App Store and identified developers, or just apps from the Mac App Store.

“What’s most exciting for us as non-App Store developers is this new decoupling of app signing security and the Mac App Store,” said Ecamm’s Glen Aspeslagh. “The message I’m getting here from Apple is ‘Non-MAS apps are alive and well for the time being. But we know where you live.’”

“I think this is a wonderful approach,” added Ken Aspeslagh, Ecamm’s other co-owner. “Apple could have gone all or nothing, so this middle of the road option is great news.”

Indeed, the introduction of Gatekeeper would seem to assuage one popular concern, that Apple would eventually go the same route with Mac apps as it has with iOS apps, mandating that only those purchased from its storefronts can run on the platform.

“That is a reassuring message, given recent concerns that [Apple] may have an eye on locking things down,” said Jalkut. Of course, he adds, it may be nothing more than an intermediate step in bringing those identified developers into the fold as full Mac App Store citizens.

In fact, some developers would like to see that very same approach expanded to Apple’s other platform.

“Having the option to install signed apps from outside the iOS App Store wouldn’t make it any less secure, especially if the signing process still acts as a kill switch,” said Paul Kafasis, chief operating officer of Rogue Amoeba.

That’s an approach that Google has long taken with its Android mobile operating system, which allows users to check a box to install apps from outside of the Android Market. But Apple has stuck to its guns, only permitting users to download apps through the App Store.

And that precedent still makes some worry about the future of the Mac OS, as Bare Bones Software’s Siegel pointed out. “In a larger sense, though, I think we may be watching an inexorable move toward a Mac OS X that is locked down by default, such that you won’t be able to run software that wasn’t purchased from the Mac App Store.”

It depends, he says, on which of Mountain Lion’s three options is the default. “A default which allows App Store apps or Apple-signed products would certainly strike a good balance for today’s developers and customers,” he said. According to Apple, this is indeed what Mountain Lion’s default will be.

Siegel warned that future changes to that default could risk devaluing the power of the Mac platform. “If … the factory setting is such that only App Store apps can be run by default, then customers are denied access to the sort of ‘power tools’ that empower them to create content and craft solutions (including software products) using Macs. I believe that would undermine the fundamental core character of what the Mac has always been.”

Sandbox rules

The Mac App Store represents an even higher level of security than just becoming an identified developer. Most recently, there’s been much discussion over a security technique called “sandboxing,” which will, as of March 1, become a requirement for apps submitted to the Mac App Store.

Sandboxing, which has been a part of iOS since its release, restricts apps from interacting with other apps, their data, and certain parts of the OS itself. While few deny the security benefits of a sandboxed system, many developers have been concerned that it will make certain features impossible to implement — and may even render entire classes of software persona non grata.

“What I’m most curious about is whether Gatekeeper, as a new tool in Apple’s security belt, changes their attitude at all about app sandboxing,” said Jalkut, “and whether the planned March 1 App Store sandboxing deadline will be revised.”

While sandboxing and certificates have similar objectives, to keep the user safe, they accomplish that goal in different ways. Sandboxing is an implementation intended to prevent an app from doing anything that it shouldn’t — certificates, on the other hand, are more just a matter of accountability; those apps can still violate the rules, but if they do, they’ll have their authorization revoked.

“If an app is signed by an Apple-issued developer certificate, this creates a chain of accountability,” explained Siegel. “If your product misbehaves or proves to be malware, Apple can identify you (as the developer) and revoke your certificate; at that point, your product will no longer function when the OS is locked down. That’s surely not a bad thing for consumers.”

But although sandboxing has garnered most of the criticism from developers about its potential handcuffing of apps’ capabilities, the use of certificates is not without its own concerns.

For one thing, certificates aren’t a panacea for security issues. While they do allow Apple to rapidly respond to cases of malware by revoking certificates, the Gatekeeper system has its limitations. It doesn’t check apps loaded from a disk or USB drive, only those downloaded from the Internet. And it can still be overridden by users manually. So, there’s a concern that it could lead users to a sense of infallible security that isn’t realistic.

“If the OS refuses to run software with a missing or invalid code signature, that provides a measure of tamper resistance,” said Siegel. “On the other hand, code signing is no guarantee of reliability or quality: that still has to come from the developer; so there’s a chance that an imposed code signing requirement can create a false expectation in the customer’s mind.”

Another concern that might not be evident to most users is that certificates of this kind normally have an expiration date, after which they must be renewed. For the most part, that’s not an issue, but it can conceivably cause problems.

“What [users] may not realize is it also means that if a developer decides to move on, their ‘signed’ apps may stop working a year later, since their certificate won’t be valid any more,” said Dave Nanian, owner of Shirt Pocket Software. “It won’t be a matter of ‘okay-ing’ them — they’ll just stop working.”

Mac App Store front

There’s also a slippery slope argument, Nanian points out, in terms of the kind of authority that Apple wields over developers’ applications: “In addition to the ‘your software dies’ problem, it also hands ‘veto power’ over to Apple, who can revoke your certificate at will.”

Siegel concurred, calling the identified developer system a “double-edged sword.”

“As the issuing authority for your developer certificate, Apple may revoke your certificate at any time, for any reason, and there won’t be anything that you may do about it,” he said. “If that occurs, customers will be denied the use of your product.”

“Down the road we could see the basic concept of registered developers being extended to support more fine-grained, or more draconian security measures,” said Red Sweater’s Jalkut.

“Even that middle option [of only allowing apps from the Mac App Store and identified developers] is providing Apple with more control than they have now — that may not work out badly, but it’s something to look at,” added Rogue Amoeba’s Kafasis.

While Apple has, to date, not shown an inclination to capriciously revoke certificates of this kind, fears about the increasingly locked-down nature of software have been widespread among developers, and some users, since the introduction of iOS.

That said, Apple is trying to make the process of adopting its new security procedures something that developers want to do, especially when it comes to the Mac App Store. Currently, it appears that certain features — such as the ability to add full-fledged support for iCloud, or support for Mountain Lion’s Notification Center — are only available to those who go the distance and submit their apps to the Mac App Store.

“The App Store-only APIs [application programming interfaces] continue to proliferate, which means we’re being marched, slowly-but-surely, to a future that’s increasingly locked down,” said Shirt Pocket’s Nanian.

“On the one hand, this may be seen as ‘encouragement’ to go App Store-only,” said Siegel. “On the other hand, it has a clear ‘offer you can’t refuse’ feel to it. Today, those APIs could reasonably be considered nonessential to certain products; but there’s absolutely nothing to stop Apple from introducing core-functional APIs that require App Store participation.”

Of course, some developers, such as Red Sweater’s Jalkut, have hope that Apple might expand things: “What would be really interesting is if Apple decided to let identified developer certificates entitle apps to access things like iCloud that are currently limited to App Store apps.”

The devil is in the details

Developers do seem inclined to embrace Apple’s new certificate system, largely because it’s not a particularly taxing task on their part, and it can benefit users.

“Indeed, even as a developer I’m reassured to know that I won’t be accidentally running things from sources that are not at least somewhat vetted,” said Jalkut.

And many developers have been code-signing their own software for years now, ever since the tools to do so have been available.

“We adopted code-signing fairly promptly back when it was first supported by the OS, back in 2007,” commented Siegel. “At the time it seemed pretty clear to us that some day, code signing was going to be a requirement for Mac software.”

“From a developer’s perspective, signing isn’t a big deal, and the tools for that have improved over the years,” Nanian added.

“Hopefully, this program is specifically made for companies like us — to show we’re not malware, but not force out any apps that Apple won’t approve for the Mac App Store,” said Kafasis. “We’ve been code-signing our software for years. We have no problem with that. But it will all depend on the terms required for the ‘identified developer’ program. Until we see those, we can’t know for sure what our next step will be. Provided those are not onerous, we’ll certainly sign up for it.”

As to whether or not it will actually improve things for users, many developers seem to be adopting a wait-and-see approach.

“It certainly seems to have good intentions. Security is obviously a good thing,” said Kafasis. “Time will tell if it actually enhances security, or just provides the illusion of security.”

“The bottom line is that security and accountability are always a good thing for consumers,” said Siegel. “Our concerns arise around how the mechanism could be misused to the detriment of the developer community; or worse, to disempower the computing capabilities of mutual customers. The potential is clearly there; how it will all play out between now and when Mountain Lion ships remains to be seen.”

Shirt Pocket’s Dave Nanian agreed. “Do I think it’s a good thing for users? It may give them a false sense of security. We’ll have to see if that future is all puppies and kittens or whether, like the frog-in-the-pan, everything seemed fine until we got to the end of the process.”

[Updated 4:21 PST to clarify Apple’s statement about what Gatekeeper’s default setting will be when Mountain Lion ships.]