Gatekeeper (macOS)

Gatekeeper
Developer(s): Apple Inc.
Initial release: July 25, 2012
Operating system: macOS

Gatekeeper is a security feature of the macOS operating system by Apple. [1] [2] It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. Gatekeeper builds upon File Quarantine, which was introduced in Mac OS X Leopard and expanded in Mac OS X Snow Leopard. [3] [4] The feature originated in version 10.7.3 of Mac OS X Lion as the command-line utility spctl. [5] [6] A graphical user interface was originally added in OS X Mountain Lion (10.8) but was backported to Lion with the 10.7.5 update. [7]

Functions

Configuration

Gatekeeper options in the System Preferences application. Since macOS Sierra, the "Anywhere" option is hidden by default.

In the security & privacy panel of System Preferences, the user has three options, allowing apps downloaded from:

Mac App Store
Allows only applications downloaded from the Mac App Store to be launched.
Mac App Store and identified developers
Allows applications downloaded from the Mac App Store and applications signed by certified Apple developers to be launched. This is the default setting since Mountain Lion.
Anywhere
Allows all applications to be launched. This effectively turns Gatekeeper off. This is the default setting in Lion. Since macOS Sierra, this option is hidden by default. [8] [9]
However, this option can be re-enabled by using the 'sudo spctl --master-disable' command from the Terminal and authenticating with an admin password.

The command-line utility spctl provides granular controls, such as custom rules and individual or blanket permissions, as well as an option to turn Gatekeeper off. [6]

Quarantine

Upon download of an application, a particular extended file attribute (the "quarantine flag") can be added to the downloaded file. [10] This attribute is added by the application that downloads the file, such as a web browser or email client, not by the system: application developers must implement this behaviour themselves, and common BitTorrent client software, such as Transmission, usually does not. The system can also force this behavior upon individual applications using a signature-based system named XProtect. [11]
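As an added example (not from the article or from Apple), the following POSIX shell script decodes a downloaded file's quarantine attribute and then asks spctl for Gatekeeper's verdict. It assumes the attribute is named com.apple.quarantine and that its value follows the commonly observed layout flags;time;agent;uuid; the sample value in the comment is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the article or of Apple's tooling.
# Assumption: the quarantine attribute is com.apple.quarantine and its value is
#   <flags-hex>;<unix-time-hex>;<downloading-agent>;<uuid>
# e.g. the constructed value "0083;64a5b1c2;Safari;3F2504E0-4F89-11D3-9A0C-0305E82C3301".

# quarantine_decode VALUE -> prints the decoded fields; returns 1 on malformed input
quarantine_decode() {
    value=$1
    # -s drops input without a ';' so a bare word never passes as a field
    flags=$(printf '%s' "$value" | cut -s -d';' -f1)
    ts_hex=$(printf '%s' "$value" | cut -s -d';' -f2)
    agent=$(printf '%s' "$value" | cut -s -d';' -f3)
    uuid=$(printf '%s' "$value" | cut -s -d';' -f4)
    # the two leading fields must be non-empty hexadecimal, otherwise refuse to decode
    case $flags in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    case $ts_hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    ts_dec=$(printf '%d' "0x$ts_hex")    # download time as Unix epoch seconds
    printf 'flags=0x%s agent=%s downloaded_at=%s uuid=%s\n' \
        "$flags" "$agent" "$ts_dec" "$uuid"
}

# quarantine_report PATH -> shows whether Gatekeeper will assess PATH at all and,
# if so, what it decides under the current policy (macOS only: needs xattr and spctl)
quarantine_report() {
    path=$1
    if ! command -v xattr >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "xattr/spctl not available; run this on macOS" >&2
        return 2
    fi
    if ! value=$(xattr -p com.apple.quarantine "$path" 2>/dev/null); then
        # No flag: e.g. copied from a USB drive or fetched by a client that never
        # sets it, so neither File Quarantine nor Gatekeeper will look at the file.
        echo "no quarantine flag on $path: Gatekeeper will not assess it"
        return 1
    fi
    quarantine_decode "$value" || echo "unrecognised quarantine value: $value"
    # Gatekeeper's own verdict (accepted / rejected) for launching this item
    spctl --assess --type execute --verbose "$path"
}
```

The first function is portable and can be run anywhere on a value copied from a report; the second only works on a Mac, where an absent flag is the condition the "Implications" section describes.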

Execution

Screenshot of a system alert that appears when Gatekeeper prevents an application from running, because it was not signed by an Apple certified developer

When the user attempts to open an application with such an attribute, the system will postpone the execution and verify whether it is known malware (File Quarantine) and whether it meets the code-signing requirements (Gatekeeper):

Since Mac OS X Snow Leopard, the system keeps two blacklists to identify known malware or insecure software. The blacklists are updated periodically. If the application is blacklisted, then File Quarantine will refuse to open it and recommend that the user drag it to the Trash. [11] [12]

Gatekeeper will refuse to open the application if the code-signing requirements are not met. Apple can revoke the developer's certificate with which the application was signed and prevent further distribution. [1] [3]

Once an application has passed File Quarantine or Gatekeeper, it will be allowed to run normally and will not be verified again. [1] [3]

Override

To override Gatekeeper, the user (acting as an administrator) either has to switch to a more lenient policy from the security & privacy panel of System Preferences or authorize a manual override for a particular application, either by opening the application from the context menu or by adding it with spctl. [1]

Path randomization

Developers can sign disk images that can be verified as a unit by the system. In macOS Sierra, this allows developers to guarantee the integrity of all bundled files and prevent attackers from infecting and subsequently redistributing them. In addition, "path randomization" executes application bundles from a random, hidden path and prevents them from accessing external files relative to their location. This feature is turned off if the application bundle originated from a signed installer package or disk image or if the user manually moved the application without any other files to another directory. [8]

Implications

The effectiveness and rationale of Gatekeeper in combating malware have been acknowledged, [3] but have also been met with reservations. Security researcher Chris Miller noted that Gatekeeper will verify the developer certificate and consult the known-malware list only when the application is first opened. Malware that has already passed Gatekeeper will not be stopped. [13] In addition, Gatekeeper will only verify applications that carry the quarantine flag. As this flag is added by other applications and not by the system, any neglect or failure to do so does not trigger Gatekeeper. According to security blogger Thomas Reed, BitTorrent clients are frequent offenders in this respect. The flag is also not added if the application came from a different source, such as a network share or a USB flash drive. [10] [13] Questions have also been raised about the registration process for acquiring a developer certificate and the prospect of certificate theft. [14]

In September 2015, security researcher Patrick Wardle wrote about another shortcoming that concerns applications that are distributed with external files, such as libraries or even HTML files that can contain JavaScript. [8] An attacker can manipulate those files and through them exploit a vulnerability in the signed application. The application and its external files can then be redistributed, while leaving the original signature of the application bundle itself intact. As Gatekeeper does not verify such individual files, the security can be compromised. [15] With path randomization and signed disk images, Apple provided mechanisms to mitigate this issue in macOS Sierra. [8]

In 2021, a vulnerability was discovered in which a file whose first line was a bare #! (a shebang with no interpreter path) bypassed Gatekeeper. [16]

In 2022, a Microsoft researcher disclosed a vulnerability that abuses the AppleDouble format to set an arbitrary access control list (ACL) on a file and thereby bypass Gatekeeper. [17]

References

  1. "OS X: About Gatekeeper". Apple. February 13, 2015. Retrieved June 18, 2015.
  2. Siegler, MG (February 16, 2012). "Surprise! OS X Mountain Lion Roars Into Existence (For Developers Today, Everyone This Summer)". TechCrunch. AOL Inc. Retrieved March 3, 2012.
  3. Siracusa, John (July 25, 2012). "OS X 10.8 Mountain Lion: the Ars Technica review". Ars Technica. pp. 14–15. Archived from the original on March 14, 2016. Retrieved June 17, 2016.
  4. Reed, Thomas (April 25, 2014). "Mac Malware Guide: How does Mac OS X protect me?". The Safe Mac. Retrieved October 6, 2016.
  5. Ullrich, Johannes (February 22, 2012). "How to test OS X Mountain Lion's Gatekeeper in Lion". Internet Storm Center. Retrieved July 27, 2012.
  6. "spctl(8)". Mac Developer Library. Apple. Retrieved July 27, 2012.
  7. "About the OS X Lion v10.7.5 Update". Apple. February 13, 2015. Retrieved June 18, 2015.
  8. "What's New in Security". Apple Developer (Video). June 15, 2016. At 21:45. Retrieved June 17, 2016.
  9. Cunningham, Andrew (June 15, 2016). "Some nerdy changes in macOS and iOS 10: RAW shooting, a harsher Gatekeeper, more". Ars Technica UK. Archived from the original on June 16, 2016. Retrieved June 17, 2016.
  10. Reed, Thomas (October 6, 2015). "Bypassing Apple's Gatekeeper". Malwarebytes Labs. Retrieved June 17, 2016.
  11. Moren, Dan (August 26, 2009). "Inside Snow Leopard's hidden malware protection". Macworld. Retrieved September 30, 2016.
  12. "About the 'Are you sure you want to open it?' alert (File Quarantine / Known Malware Detection) in OS X". Apple Support. March 22, 2016. Archived from the original on June 17, 2016. Retrieved September 30, 2016.
  13. Foresman, Chris (February 17, 2012). "Mac developers: Gatekeeper is a concern, but still gives power users control". Ars Technica. Retrieved June 18, 2015.
  14. Chatterjee, Surojit (February 21, 2012). "OS X Mountain Lion Gatekeeper: Can it Really Keep Malware Out?". International Business Times. Retrieved March 3, 2012.
  15. Goodin, Dan (September 30, 2015). "Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper". Ars Technica. Archived from the original on March 20, 2016. Retrieved June 17, 2016.
  16. Gatlan, Sergiu (December 23, 2021). "Apple fixes macOS security flaw behind Gatekeeper bypass". Bleeping Computer. Retrieved May 6, 2022.
  17. Gatlan, Sergiu (December 19, 2022). "Microsoft: Achilles macOS bug lets hackers bypass Gatekeeper". Bleeping Computer. Retrieved December 19, 2022.