Gatekeeper

Of the Mountain Lion announcements, Gatekeeper has been one of the most discussed. Apple has touted OS X as being a safer, more secure environment than Windows, offering its customers a relatively malware-free experience. In the early days this was often discounted by saying that OS X wasn't a likely target for malware simply because no one used it. Today Apple claims to have a Mac installed base of 63 million users. While there are far more Windows users, that's not an insignificant number. And it's growing.

As the likelihood for significant malware targeting OS X increases, Apple must do whatever it can to maintain its pristine image. In a sense, Apple made its bed by promising a more secure, virus/malware-free experience, and now it has to sleep in it. It's not a bad thing, but it's something that is going to require a lot of work.

The easiest and most obvious solution to the problem is the Mac App Store. Every app distributed through the Mac App Store is certified by Apple and thus no malware/viruses should ever make their way to a customer's Mac if they only run apps from the Store. That's a step in the wrong direction unfortunately. Companies like Adobe and Microsoft don't make their applications available in the Mac App Store (paying Apple 30% for every copy of Photoshop sold seems unlikely to happen), not to mention the tons of useful open source or other programs that aren't distributed through the MAS. While the iPhone can sell just fine as a platform that's more of an appliance, Macs (at least today) cannot.

The alternative is to heavily warn users that what they're running isn't exactly safe but allow applications, regardless of origin, to be run. This is what's done today in Lion. The first time you run an application that you downloaded you'll get a message that looks like this:

It's the everlasting debate between freedom and security. Give up one to get the other, but what's the right balance?

The compromise in Mountain Lion comes in the form of a tool called Gatekeeper. An innocuous little radio selection in the Security preference pane, Gatekeeper lets you choose what applications can be run on your Mac.

You can choose to only allow applications from the Mac App Store, allow all (the two extremes we discussed above) or pick an in-between option: allow anything downloaded from the MAS or anything by an identified developer.

This in-between setting is the compromise.

If a developer joins the Mac developer program ($99/year) it can become an officially identified developer with Apple. The developer can then sign its applications with a unique cryptographic key that Apple recognizes, without requiring that the apps be distributed through the Mac App Store. Unlike the Mac App Store, there's no approval process that the developer's signed apps need to go through. There's only one stipulation that goes along with the identified developer label: the apps distributed with that key cannot be malware.

Apps from identified developers will communicate with Apple's servers to verify the digital signature is intact and correct only upon install or the first run of the application. Subsequent runs do not phone home and there's no remote kill switch for these applications. Should Apple find out that a developer has been distributing malware Apple can revoke the developer's key, but that would only render those apps that have yet to be installed/run from working. Without a certification process for non-MAS apps there's still a degree of risk associated with this compromise. I don't believe the ideal solution is to force everyone to buy through the MAS, but Gatekeeper's compromise isn't an impervious solution.

Apple tells us the default Gatekeeper setting in Mountain Lion will be to allow apps from the Mac App Store or from identified developers to run. Hopefully by the time Mountain Lion ships many third party developers will be on-board and identified making the transition mostly seamless. If you don't change the default Gatekeeper setting there's another way around the protection: simply control-click (or right click) on the app you're trying to run and select open. Doing so will override the Gatekeeper setting and let you run an unsigned app.

General Impressions & New Safari Software Updates & Moving Toward the Mac App Store
POST A COMMENT

96 Comments

View All Comments

  • B3an - Sunday, February 19, 2012 - link

    Completely agree. I develop apps for other platforms but will never develop for OSX, it's obvious where things are heading here. And jumping through Apples hoops to get your app on iOS is a nightmare, so i've stopped that too.

    MS will have an App Store for Win 8 but thats just for Metro, and atleast it's easier to deal with and get your app on there, plus i cant ever see MS doing anything like this to desktop apps. If anything it gives MS even more reason not to, so developers and people have an alternative and a better option. Theres always Linux, but we all know that wont be going anywhere even near to 5% market share any time soon.
    Reply
  • ex2bot - Monday, February 20, 2012 - link

    I think you misunderstand the signed applications option. They don't have to be in the Mac App Store, the developer just needs to pay Apple $100 for an ID.

    I love Apple! There awsome!

    Who do you love, microsoft? There awsom to! And much less evil than apple.

    And, by the way, this really is . . . the end.

    Ex2bot
    Mac Fanbot
    Reply
  • GotThumbs - Monday, February 20, 2012 - link

    Love? You appear to live outside of reality. An OS is a tool for accessing applications for work and entertainment, It's NOT a relationship. Either you prefer one OS over the other. That's your choice. Don't be disillusioned about what Apple and MS are...They are companies in the business to make money....and they are very good at marketing to consumers. Just don't drink the Cool-Aid.

    Best wishes
    Reply
  • MobiusStrip - Tuesday, February 21, 2012 - link

    Not to mention that it's ANOTHER $100, even if you've already paid for your developer membership for iOS. Lame. Reply
  • ex2bot - Tuesday, February 28, 2012 - link

    They send me all that stuff for free. You know, inner circle (shhh!). Reply
  • ex2bot - Tuesday, February 28, 2012 - link

    No, I prefer iced green tea. Slightly sweetened. Yum. Reply
  • KoolAidMan1 - Monday, February 20, 2012 - link

    The problem with your post is that developers don't need to sell through the App Store to benefit from Gatekeeper.

    Any applications that are from the App Store or signed with a developer certificate (the free one you get for registering with Apple) can be launched without any warning with Gatekeeper's default settings. If you want to launch an app that hasn't been signed then you either get a UAC style warning, or you can just turn Gatekeeper off globally.

    The entire point is that Apple wants to be able to blacklist developers who write malware. Mountain Lion does a check of that blacklist once a day. Without this security method, Apple can only blacklist app identifiers, which take 5 seconds to change, and even malware can adapt to work around that (simply hijack safe identifiers). But there is no easy way for malware to hijack other developer's certificates because they are encrypted like any other security certificate is.

    In one fell swoop Apple gains control of easily blocking malware, all while making it brain-dead simple for developers since they can be whitelisted without even needing to release their software through the App Store (your concern).

    If a developer chooses not to get on the whitelist, they can still release their software and users (the same ones technically savvy enough to turn off Gatekeeper or manually dismiss it per application) can install it themselves. They'd just get a UAC style warning like they do right now if they want to manually dismiss it.

    Lots of worry about nothing.
    Reply
  • repoman27 - Monday, February 20, 2012 - link

    "...If your non-Mac app store app doesn't have access APIs reserved only for those who distribute through the App Store than you are at a serious disadvantage thus you need to make a version for the app store.

    Doing so you basically scar your customers who buy directly, basically forcing you to give Apple 30% and go through the app store."

    The API's that require Mac App Store distribution are the ones that use Apple's servers. I don't think it's a mystery as to why they want a bit of the action in return for this privilege.

    As was noted in the article, the developer can just produce a small add-on module for the Mac App Store if they want to leverage the reserved API's. If they make the add-on free, they only have to pay Apple $99 annually. No one gets "scarred" in the process.

    Gatekeeper is merely an attempt at protecting users from their own actions. It's not much different than Windows User Account Control—just another way to deal with the age old problem of giving administrative privileges to the accounts that many people use 100% of the time. If Apple came out with an OS that didn't allow the end user to have elevated privileges at all, that would be much more sinister (like iOS).
    Reply
  • kmmatney - Tuesday, February 21, 2012 - link

    The App store is good for a majority of people. I have to admit that when I try Linux, I always have trouble installing Apps, and the "App Store", or Software Center is by far the easiest way to get Apps installed. I remember trying to run Linux without centralized application management, and it was a nightmare for me, as least for a Linux noob like me. Reply
  • MobiusStrip - Tuesday, February 21, 2012 - link

    Holding Linux software installation out as any kind of comparison is ludicrous. A much better example would be Windows, which has had excellent installers for many years. It has also had UNINSTALLERS, which OS X inexplicably still lacks after a decade.

    Double-clicking to launch an installer is plenty "elegant" and has been understood even by noobs for many years. Ignoring that fact is a weak strawman.
    Reply

Log in

Don't have an account? Sign up now