Gatekeeper in OS X Mountain Lion—why it has me worried

Sections: Apple Software, Features, Lion, Mac OS X, Mac Software, Operating Systems, Opinions and Editorials, Originals, System Utilities

Print Friendly

Gatekeeper settingsIf you’ve kept up with the new features to be included in OS X Mountain Lion when it makes its public debut this summer, you know about Gatekeeper, the new security system that prevents users from unintentionally installing malware. This new system basically keeps apps that weren’t downloaded from the Mac App Store or an “identified developer” outside of it from launching on users’ Macs, unless they change Mountain Lion’s default settings to allow them to.

This move by Apple puts increased emphasis on having OS X apps distributed more within the Mac App Store rather than through outside sources, even though it is being done in the name of security. To become an “identified developer” and avoid having Mountain Lion disable users’ ability to launch your apps, you’ll still have to register with Apple in order to receive a personalized certificate to sign your apps with. Apple will use this new certificate system to track developers who are spreading malware and disable their certificates in order to protect users.

Apple will be imposing these limitations (and your ability to change them) within System Preferences under Security & Privacy, in which you’ll be able to manage all of Gatekeeper’s settings. Within the “General” tab, you’ll see the following three options under the setting “Allow applications downloaded from”: Anywhere, Mac App Store, and Mac App Store and identified developers. The Anywhere option allows Mountain Lion to function like every previous version of OS X; if the app you’re trying to launch isn’t confirmed malware and you opt to allow it to open, it will. The Mac App Store option will only allow apps downloaded from the Mac App Store to launch, and the Mac App Store and identified developers (default) option allows apps from the Mac App Store and identified developers only.

Users on the default setting can bypass the Gatekeeper check (for now, at least, as Mountain Lion is only in developer preview and Apple can easily fix this) by right clicking the first unsigned third-party app they wish to launch and selecting “Open,” after which Gatekeeper will no longer have control over it.

Mountain Lion will also check with Apple’s servers on a daily basis for developer signatures that have been blacklisted due to malicious activity, and if a user attempts to launch an app with a blacklisted signature, it will not open. The good thing about the certificate system is that they are issued freely upon request and don’t impose any limitations on developers (other than, obviously, against malware). The certificates simply link developers to the apps that they create, and allow Gatekeeper to manage the ability of said apps to function in case they do contain any malware.

While I appreciate that Apple is doing more to fight against malware in OS X, I do wish they’d take a different approach. Telling users that they want them to only go through Apple’s approved channels for their software is a pretty scary move, as easy as it is to get around it. While the rest of Mountain Lion’s features have me pretty excited for this summer, this is one thing that’s got me a bit worried as well.

Read [MacRumors]

Print Friendly
  • JC

    There are so many “trusting” users out there that some form of gate keeping seems inevitable. This seems like a step in the right direction, as long as they leave the back door with an owner removable lock on it. Another thing I’d like to see it Apple giving the option for third party CAs, at least the ones that do a reasonable job of identity validation. That, IMHO, is the most important part of this, preventing anonymous code modification.