Mountain Lion and Gatekeeper: What you need to know

Mountain Lion’s gold master is with developers, meaning that its arrival on the Mac App Store is looming. With the new operating system comes the entrance of Gatekeeper, Apple’s security feature that is designed to protect Mac OS X users from malicious software. But what does Gatekeeper really mean for Mac owners? Will it make downloading software completely safe? Here’s what you need to know.

What is Gatekeeper?

Mac OS X 10.8 Mountain Lion will automatically default Gatekeeper to only allow users to download software from the Mac App Store, and software that’s certificate has been digitally signed by a developer with an Apple Developer ID. “The Developer ID allows Gatekeeper to block apps created by malware developers and to verify that apps haven’t been tampered with,” says Apple’s website.

Gatekeeper will be able to run in three modes: the aforementioned default mode, a stricter mode in which users will only be able to download applications from the Mac App Store, and a relaxed mode that allows software to be downloaded from any source, including applications from developers Apple has never heard of.

How will Mountain Lion’s Gatekeeper affect OS X users and developers?

When Apple made its surprise Mountain Lion announcement in February, the new version of Mac OS X left developers across the Mac community unsurprised but cautious. 

“The way Gatekeeper will affect Mac OS X users depends on hour it will be implemented and how the developers will adapt to the process of obtaining digital certificates for their applications,” Kaspersky Lab researcher Marta Janus told Macworld. “Some developers may find this process inconvenient, or they just would prefer to pay the fee, so instead of signing into the Mac Developer Program they could simply decide to ask users to temporarily allow installation of unsigned software. If users find out that most of the applications they want to run require such an action, they may change Gatekeeper’s settings permanently, thus cancelling the protection it’s been designed to provide.”

“If everything goes to plan,” said senior security advisor at Sophos Chester Wisniewski, “it shouldn’t have much impact at all.”

“Apple’s choice of allowing signed applications to run, whether from the App Store or not is prudent,” Wisniewski continued. “Most software vendors, like Sophos, have released packages that are properly signed in advance of Mountain Lion’s release.”

Wisniewski pointed out that ‘hacker-ish’ Mac users might experience more issues with Gatekeeper, but also highlights that those users will likely know how to disable the feature and understand the risks of doing so.

Avast! program manager Jan Gahura agreed with Wisniewski. “I believe that part of Mac users are power users who rely on tools outside the App Store,” he said. “These users will probably either disable Gatekeeper or won’t update to Mountain Lion at all for a period of time after the launch date.”

“It will take some time to have all the open source and free tools for Mac properly signed,” Gahura continued. “For the majority of users, though, there will be no negative change at all.”

Is Gatekeeper an anti-virus software substitute?

With the increase in features to protect against malware, Mountain Lion could lead some Mac users into a false sense of security. But it appears that even Apple is admitting that malware for Macs is on the rise, and the company recently adjusted its website to withdraw the claim that Macs don’t get PC virus. Now, Apple’s “Why you’ll love a Mac” webpage reads, “It’s built to be safe.”

Chester Wisniewski said that Gatekeeper isn’t a replacement for anti-virus software. He believes the feature “should make it harder for criminals to trick users into downloading Trojans, but it does not protect against browser exploitation, USB threats etc.”

“Apple claims that misused certificates will be banned,” said Gahura. “I hope they’ll update the Gatekeeper’s list of banned certificates fast enough. We can update avast! virus definitions every five minutes with our Streaming Updates technology.”

“Applications aren’t the only attack vector used to breach your Mac’s security,” Gahura reminds users. “There can be exploitable flaws in popular legitimate software which can be utilised to drop a malware on your disk by bypassing Gatekeeper.”

Janus from Kaspersky Lab said that Gatekeeper “does improve users’ safety to some degree, but it doesn’t eliminate the risk entirely.

“Cybercriminals are used to fighting with constantly growing levels of protection, and so far they proved fairly successful in finding their way around,” Janus warns. “Gatekeeper seems to be yet another security feature, which will increase users safety just as much as it will hamper the development of Mac OS X malware. As it’s still possible to change Gatekeeper’s settings and install un-trusted software, cybercriminals may trick a user to do so, or find an exploit and perform such action themselves.”

“A lot of recent Windows malware is digitally signed,” Janus revealed. “This fact shows that stealing or obtaining valid certificates is not impossible for cybercriminals.”

Will applications signed with Apple Developer IDs be completely safe?

Even if users decide to keep Mountain Lion’s Gatekeeper settings set to the default Mac App Store and Apple approved developers permissions, the signed certificates still can’t be 100 per cent trusted, security experts have revealed.

“I believe there is no such thing as ‘completely safe’ in the IT industry,” said Janus. “Of course it will be more difficult for cybercriminals to get malware signed, but I don’t think it will be entirely impossible.”

“Cybercriminals may steal the certificates from valid users or simply sign into the Mac Developers Program with fake or stolen identities, expecting that they will spread enough malware before being discovered and banned by Apple,” Janus explained.

Chester Wisniewski from Sophos said that Gatekeeper will “suggest that the people behind the software have been validated to be legitimate, but it doesn’t involve any sort of filtering.”

“If a criminal gets a certificate to sign malware, he can sign away,” Wisniewski continued. “These applications also may contain vulnerabilities that could be exploited to load malicious content.”

“The forced code signing moves the security war to another field – the security of certificates,” said Gahura from avast!. “The precious private keys will reside on machines with difficult security levels. Relying blindly on the code signing means a fake feel of security and, in case of a certificate theft, the code signing becomes a weapon against users.”

Apple is on the right path, but Macs can still get malware

Overall, security experts are happy to see that Apple isn’t ignoring security threats, but they want to remind Mac users that it’s still important to be aware of malware risks.

“Recent malware cases – like Flashfake, SapPub and MacControl – confirmed that MacOS X is not as immune to attacks as some people used to think,” said Janus. “The time when there was almost no Mac malware is gone, along with the constantly growing market share we can expect more and more interest from cybercriminals in targeting this platform.”

“It’s really good that Apple has changed its policy and started to focus more on security issues,” said Janus. “There’s a long way to go, however, and digital signatures and daily update checks are just the first steps towards the system security. In the end everything depends on the user, as they may choose not to install security updates and they have the ability to change the Gatekeeper settings.”

 “It’s great that Apple is taking additional steps to make OS X a safer place to be,” agreed Wisniewski. “More frequent update checking and Gatekeeper both set the stage for that to happen, but we shouldn’t let our guard down and assume someone else is going to protect us. Safe surfing, running anti-virus and not clicking links in email attachments still apply.”

“Gatekeeper is definitely a step in the right direction. The code signing generally helps anti-virus software to scan faster,” concluded Gahura. “It also makes it harder for an average bad guy to issue a profitable malware. Just don’t believe in silver bullets.”