Thoughts on the Mac OS X Mountain Lion Developer Preview
by Andrew Cunningham & Anand Lal Shimpi on February 19, 2012 7:40 PM EST- Posted in
- Mountain Lion
- Mac
- macOS
Gatekeeper
Of the Mountain Lion announcements, Gatekeeper has been one of the most discussed. Apple has touted OS X as being a safer, more secure environment than Windows, offering its customers a relatively malware-free experience. In the early days this was often discounted by saying that OS X wasn't a likely target for malware simply because no one used it. Today Apple claims to have a Mac installed base of 63 million users. While there are far more Windows users, that's not an insignificant number. And it's growing.
As the likelihood for significant malware targeting OS X increases, Apple must do whatever it can to maintain its pristine image. In a sense, Apple made its bed by promising a more secure, virus/malware-free experience, and now it has to sleep in it. It's not a bad thing, but it's something that is going to require a lot of work.
The easiest and most obvious solution to the problem is the Mac App Store. Every app distributed through the Mac App Store is certified by Apple and thus no malware/viruses should ever make their way to a customer's Mac if they only run apps from the Store. That's a step in the wrong direction unfortunately. Companies like Adobe and Microsoft don't make their applications available in the Mac App Store (paying Apple 30% for every copy of Photoshop sold seems unlikely to happen), not to mention the tons of useful open source or other programs that aren't distributed through the MAS. While the iPhone can sell just fine as a platform that's more of an appliance, Macs (at least today) cannot.
The alternative is to heavily warn users that what they're running isn't exactly safe but allow applications, regardless of origin, to be run. This is what's done today in Lion. The first time you run an application that you downloaded you'll get a message that looks like this:
It's the everlasting debate between freedom and security. Give up one to get the other, but what's the right balance?
The compromise in Mountain Lion comes in the form of a tool called Gatekeeper. An innocuous little radio selection in the Security preference pane, Gatekeeper lets you choose what applications can be run on your Mac.
You can choose to only allow applications from the Mac App Store, allow all (the two extremes we discussed above) or pick an in-between option: allow anything downloaded from the MAS or anything by an identified developer.
This in-between setting is the compromise.
If a developer joins the Mac developer program ($99/year) it can become an officially identified developer with Apple. The developer can then sign its applications with a unique cryptographic key that Apple recognizes, without requiring that the apps be distributed through the Mac App Store. Unlike the Mac App Store, there's no approval process that the developer's signed apps need to go through. There's only one stipulation that goes along with the identified developer label: the apps distributed with that key cannot be malware.
Apps from identified developers will communicate with Apple's servers to verify the digital signature is intact and correct only upon install or the first run of the application. Subsequent runs do not phone home and there's no remote kill switch for these applications. Should Apple find out that a developer has been distributing malware Apple can revoke the developer's key, but that would only render those apps that have yet to be installed/run from working. Without a certification process for non-MAS apps there's still a degree of risk associated with this compromise. I don't believe the ideal solution is to force everyone to buy through the MAS, but Gatekeeper's compromise isn't an impervious solution.
Apple tells us the default Gatekeeper setting in Mountain Lion will be to allow apps from the Mac App Store or from identified developers to run. Hopefully by the time Mountain Lion ships many third party developers will be on-board and identified making the transition mostly seamless. If you don't change the default Gatekeeper setting there's another way around the protection: simply control-click (or right click) on the app you're trying to run and select open. Doing so will override the Gatekeeper setting and let you run an unsigned app.
Facebook
Twitter
RSS
96 Comments
View All Comments
suprem1ty - Tuesday, February 21, 2012 - link
Won't Windows 8 ARM be purely for tablets and such anyway though?It's pretty clear Microsoft wants to start fresh with their ARM port, by not allowing x86/x86-64 desktop applications to be run or ported to it.
But yeah cars are another area where I think people should have atleast a fundamental/working understand of the internal workings - even if its basic maintenance (changing oil, sparkplugs, air filters and the like)
Bateluer - Monday, February 20, 2012 - link
Bullspit. Maybe over the entire existence of Apple . . .repoman27 - Monday, February 20, 2012 - link
First of all, "in the wild" does actually refer to anyone still using a Mac that was produced at some time during the course of Apple's existence.Furthermore, Apple sold 17.8m Macs in the past 4 quarters alone, so that number seems pretty reasonable, no?
GotThumbs - Monday, February 20, 2012 - link
"Just as was the case on PCs, I've always grabbed and installed software on my Macs from a multitude of sources and I've never really wished there was a centralized, policed repository of Mac applications. That being said, I do understand and accept that I may be a part of a shrinking minority."I believe that as the general public/consumer becomes better educated and more knowledgeable about what options are available in the market and the web, then they will begin to gravitate towards more individual choice and begin to resent the extreme level of control Apple wields over the newbies still learning.
In the early years of the internet, AOL was the tool for many to wade into the WWW using 'Key Words' to grab their news or information. Now today's WWW users are more and more comfortable using a browser of their choice and surfing the web without training wheels of yesterday. It's just a learning curve...and as people's knowledge grows...they then wish journey beyond the shackles that begin to bind and restrict them. Freedom of choice will always be desired by those who are not followers.
Question regarding this article...can Safari be completely Uninstalled from this OS? Just wondering since MS had to pay big penalties for that kind of situation with IE.
Death666Angel - Monday, February 20, 2012 - link
"Question regarding this article...can Safari be completely Uninstalled from this OS? Just wondering since MS had to pay big penalties for that kind of situation with IE. "Looking at the market share, I doubt any judge would rule that OS X and Windows are comparable in that regard. :-)
repoman27 - Monday, February 20, 2012 - link
"...can Safari be completely Uninstalled from this OS?"Typing "sudo rm -rf /Applications/Safari.app" in Terminal would do the trick, although it's not highly recommended due to the potential dependancies of other programs that are still installed.
"Looking at the market share, I doubt any judge would rule that OS X and Windows are comparable in that regard."
How about when you add iOS and mobile Safari to the mix?
Death666Angel - Tuesday, February 21, 2012 - link
Then Apple still doesn't have dominating market share. Apple is getting nice profits, but not from outselling the competition. They are just having better margins. :-)solipsism - Monday, February 20, 2012 - link
1) You can remove the Safari.app with a drag-n-drop but not the WebKit framework that is used by many apps. So yes, the app is removable.2) You don't understand the antitrust case if you think that Apple could be in some violation here.
Conficio - Tuesday, February 21, 2012 - link
Not sure if we haven't come full circle. How many users live their Internet life on facebook these days, including news and videos!ramuman - Monday, February 20, 2012 - link
...actually AirPlay Mirroring does work, but it requires iOS 5.1 on an Apple TV. I'm running the developer build of ML and my Apple TV shows up, but I don't have iOS 5.1 on it so it says "incompatible hardware"