back to article Apple's privacy pledges: We sent dev checks over plain HTTP, logged IP addresses. We bypass firewall apps

Apple plans to revise the way it checks the trustworthiness of Mac applications when they're run – after server problems last week during the launch of macOS Big Sur prevented people's desktop apps from starting. On Monday, Apple modified its Gatekeeper support page to address privacy concerns raised in the wake of the …

  1. Mike 137 Silver badge

    Is this really about "security"?

    Seems more like tethering both application developers and users ever more tightly to the Cupertino mother ship.

    The best way they could serve the cause of security would be exhaustive security testing of mac applications. Merely certifying developers seems a rather less effective option, and bypassing users' security measures seems somewhat contrary to the stated purpose.

    1. el kabong

      This is all about security!

      Security of income, that is.

    2. Marty McFly Silver badge
      Facepalm

      Re: Is this really about "security"?

      Using hash values to determine reputation is exactly what endpoint security vendors have been doing for years. How old is the code? How widespread is it? The overt purpose is to block new & emerging code from running (ie: polymorphic malware).

      The difference is endpoint security vendors tell you what they are doing and why. Apple, on the other hand, is taking the approach of "oh, damn, you weren't supposed to notice". That betrays their privacy marketing message and undermines the trust of their brand.

  2. Dan 55 Silver badge

    This is what XProtect was supposed to do

    If you suddenly can't print to your HP Printer from your Mac, you're not alone: Code security cert snafu blamed

    So if XProtect contains a list of revoked developer certificates, what on earth is the point of having OCSP validation? What's it going to tell your computer that it doesn't already know?

  3. mmm_yeah

    He understands. He repeatedly expressed sympathy. He endorsed. He was happily running Big Sur.

    It's like he's trying to avoid offending Apple or something.

    But it's good to know he's real happy.

  4. sw guy

    Rasberry Pie ?

    Thus, beside your Mac you know need a small device running the actual network control, tailored to *your* need.

    TBH, this kind of box could please Windows 10 users, too.

  5. shd

    This reads as if you can't run the program if you're not connected to the internet. If so, that's surely a bad thing - not everyone has a permanent umbilical cord connecting them?

    1. tip pc Silver badge

      The issue is that the machine was connected to the internet, just couldn’t connect to the apple ocsp service which caused the security system to fail to launch the app.

      1. DS999 Silver badge

        Being connected to the internet but having some parts of it unreachable isn't an unusual situation.

        As I understand it, what happened here was that the servers were reachable but weren't responding correctly and the software kept retrying for a proper response instead of gracefully giving up like it does when you aren't connected or are connected but the servers are unreachable.

      2. fidodogbreath Silver badge

        Yep. Unanticipated failure mode.

  6. Robert Helpmann??
    Childcatcher

    Check This Out...

    Finding out what is happening in a target's environment is a typical first step in most hacking attempts. Having a setup that makes known what applications you use and when you are apt to be using them seems like a way to make a hacker's life easier. It really doesn't take much imagination to figure out how to use this against a target.

    1. doublelayer Silver badge

      Re: Check This Out...

      Exactly. And the sad part is that it would be very simple to cut out the privacy problems and internet requirement in one update. In fact, if Apple's listening, here's a fix on me:

      1. Run up a new service which offers a database of revoked certificates. Put it at the end of an HTTPS API.

      2. Write a little tool which downloads this every day.

      3. On running any program, check your offline database.

      That's not hard, is it? If you want to go for the ultra-sophisticated model, we can add the following extra steps:

      1A. Sign the database with a private key you store.

      2A. Make sure your tool has the public key corresponding to that so you can verify your database hasn't been messed with. I mean you're already using HTTPS for it so it's not as hideously easy as it would be under your earlier HTTP solution, but still...

      1B. Make an extra facility of the API to download incremental database updates.

      2B. Update the database every hour now, using the incremental update to keep data consumption low.

      I hope this solution works for you, Apple. The next time you need me to suggest something obvious, I'll charge more.

      1. Falmari Silver badge
        Joke

        Re: Check This Out...

        Not acceptable you must continually report back what you are doing.

        Seriously, seems to me Apple like every other large IT tech company wants you to report back every minute with what you are doing.

  7. Falmari Silver badge
    Big Brother

    Who owns your Mac?

    So, Apple decide what software you can run on your Mac and whenever they feel like it stop software that did run from running. Also, Apple are allowed to bypass security you have put in place like firewalls.

    I own a PC and I write software for personal/work use mainly on my work PC and occasionally on my home PC. If I owned a Mac would I be able to write software for myself or would I need a dev license which Apple could rescind? It looks as if you can’t write software for you own Mac without Apples say-so.

    1. Anonymous Coward
      Anonymous Coward

      Re: Who owns your Mac?

      You can write and run whatever you want, the OS will complain but it’s just a few clicks to get through it. You can get a dev account and publish certificated apps that will just run, (provided stuff is working correctly), it’s up to you.

      Being a complete jerk I’d say that if you write windows apps then you’d expect some changes to get those apps working in red hat and further changes to get them running in SEL.

      Running in OSX requires some adherence to different ways of implementation.

      1. Falmari Silver badge

        Re: Who owns your Mac?

        You can run after the os complains is not the impression the article gave.

        "Gatekeeper is the system utility that checks that an application's developer certificate is valid before it allows the user to run the program."

        Of course I know that software may need changes to work on a different OS/hardware. Some of the software I work on compiles for Windows, AIX, Linux, Sun and zOS (more platforms in the past) though I will admit I have never witten for a Mac.

        1. sev.monster Bronze badge

          Re: Who owns your Mac?

          Gatekeeper will not allow you to run things on Catalina, and apparently they are relaxing this a little in Big Sur.

          However, you can bypass Gatekeeper in both; whether or not that is possible and if so how to do it is rather outside the scope of the article.

          1. Falmari Silver badge

            Re: Who owns your Mac?

            Cheers for info sev.monster

            I see you can disable gatekeeper and run what you like did a bit of searching on the internet :)

            https://www.techjunkie.com/gatekeeper-macos-sierra/

            1. Dan 55 Silver badge

              Re: Who owns your Mac?

              It's a little more complicated since Catalina, a bit of frog boiling took place since Sierra.

              1. sev.monster Bronze badge

                Re: Who owns your Mac?

                Very true. It used to be you could disable Gatekeeper entirely with a single toggle in the Settings app. Now, if you want to disable Gatekeeper in Catalina, you have to run some command I forget in Terminal to change it manually. You can also bypass it per-launch of an app using the method outlined in this article. AFAIK those methods have changed in Big Sur, but I haven't used it yet so I have no further comment there.

                Note that app signature verification was also present in Catalina but was not as restrictive and easier to disable; all the uproar about it during Big Sur is because their servers got overloaded and the old bypass methods no longer worked, like with Gatekeeper. Imagine not being able to open your web browser to Google up how to bypass not being able to open your web browser...

      2. doublelayer Silver badge

        Re: Who owns your Mac?

        "Being a complete jerk I’d say that if you write windows apps then you’d expect some changes to get those apps working in red hat and further changes to get them running in SEL. Running in OSX requires some adherence to different ways of implementation."

        Which misses the point completely. The issue isn't how to write code, it's whether you have to jump through hoops to run it. The answers are:

        On your machine: Not hard. Some warnings will have to be skipped and you'll have to have some free developer tools installed, but otherwise you'll be fine.

        On someone else's machine: Have fun with that. Unless you get a developer certificate from Apple (you pay every year) you'll see warnings with no override option, misleading text that makes it look like your file got corrupted, and even more warnings about anything you try to do. If it's you running it, just on a different machine, you can bypass these by looking up the solutions online. If you sent your application to somebody else, especially if they're nontechnical, expect at least two support calls.

        1. Falmari Silver badge
          Happy

          Re: Who owns your Mac?

          @doublelayer Not only misses the point but also makes assumptions (incorrectly) about what I code, just because I mentioned PC. But hey I don’t care I got a bronze badge. :)

          To be honest the reason I mention PC was, that is what I own (big gamer), and my development machine is a PC. Having read the article, it seemed to me if I owned a Mac or my development machine was a Mac how inconvenient it would be with Gatekeeper. Because when I have to do something that is repetitive or do it regularly, I am sure like many programmers I end up coding a tool to do it which it looked like I could not do on a Mac.

          Having read a couple of articles on Gatekeeper it seems I was wrong it. Much like sudo you can elevate privileges for an individual app or every app you run. If Big Sur works like Sierra when it comes to Gatekeeper, then I would not have a problem. Looks like you can right click on an app to run it, first time you get a warning after that it just runs.

          I do agree that if you develop for a Mac you really do have to pay for a developer certificate as most users if they see a warning will just go WTF. But maybe the security that Gatekeeper gives against malicious apps is an acceptable price to pay, not sure.

          1. Anonymous Coward
            Anonymous Coward

            Re: Who owns your Mac?

            “ Having read a couple of articles on Gatekeeper it seems I was wrong it. Much like sudo you can elevate privileges for an individual app or every app you run. If Big Sur works like Sierra when it comes to Gatekeeper, then I would not have a problem. Looks like you can right click on an app to run it, first time you get a warning after that it just runs.

            I do agree that if you develop for a Mac you really do have to pay for a developer certificate as most users if they see a warning will just go WTF. But maybe the security that Gatekeeper gives against malicious apps is an acceptable price to pay, not sure.”

            So you agree with everything I wrote then.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021