Apple Gatekeeper Moves Mac Into iOS's Walled Garden

It's been obvious for some time that the future for desktop security will include whitelisting of applications, meaning that you will be able to install only those from a pre-cleared list. The next version of OS X, a.k.a. Mountain Lion, will take Mac users there.

It all started with mobile phones: ever since phones could run even the most trivial apps, carriers controlled which apps users could access. Independent software vendors had to submit these apps through contract test labs and pay a decent chunk of change for even the privilege of submitting programs for sale through the carrier.

The iPhone, with its App Store, brought this to the big time. You can only install the apps that Apple will allow you to have. By sheer coincidence, Apple takes a substantial commission on these sales. Of course, when I say you can only install those apps, I mean unless you want to install others. You do this by jailbreaking the phone. Jailbreaking takes you out of Apple's "walled garden" where you are safe, at least as a practical matter, from malicious software.

The walled garden on Mountain Lion is called Gatekeeper. Below are the config settings.

A little background about whitelisting. Current systems work in one of two ways: Through sophisticated hashes of known-good executable files, or through digital signatures. Signatures are a better way. Hashes are used by many whitelisting systems, like those from Lumension, in order to whitelist programs that aren't necessarily signed.

All iOS apps are signed using keys issued through Apple's iOS Developer Program. iOS won't run unsigned apps and a developer's keys can be revoked for violating license terms. Google has a similar program with the Android Marketplace, but it doesn't vet the apps in it to the degree that Apple does.

Apple has a Mac Developer Program, too, and a Mac App Store (see below).

Until now, the Apple Developer Program signature on Mac apps hasn't meant much. In Mountain Lion, the default will be to allow you to run programs from the Mac App Store or other programs with an Apple Developer Program signature, but not other apps, even those with other digital signatures. You can make Gatekeeper more restrictive by only allowing programs from the App Store, or you can disable it and allow all programs. If you only permit programs from the Store you lose access to significant software (Adobe PhotoShop, Microsoft Office, etc.) that is not in the Store and won't be because those companies are not about to give Apple a 30% cut.

It would have been nice for Apple to allow developers to specify other valid signers. But they don't, so in order to reach Apple users in the future developers will, as a practical matter, have to use the Apple Developer Program ($99/year).

Similar things are on the way for Windows 8. For the new Metro-style apps, you will have to go to the Microsoft Store. But Microsoft takes a different approach for conventional apps. Windows 8 will have more powerful versions of Windows Defender and SmartScreen which will block programs and Internet sites with bad reputations. It will also use a file system filter driver to do the same with program files, warning you of known bad ones and those with no reputation at all. See the video below:

Because we're talking about a world-wide Microsoft reputation service, a file with no reputation at all is an inherently suspicious thing. Thus, with the Windows approach, you have the opportunity to download malicious programs, but it's highly likely that Windows will warn you that the file is either known to be malicious or at least suspicious.

The Microsoft approach is less restrictive and controlling of users and developers and doesn't require developers to pay Microsoft a recurring fee in order to gain access to users. But it is a more complicated approach for the user. Some might be happy to put themselves under Apple's control. After all these years it's clear that the supply of users willing to take whatever Apple gives them is a large and profitable one.

I'm a big believer in whitelisting. It's not perfect--nothing really is--but it can provide a very high degree of assurance that users will not see malicious programs. Malware on iOS is theoretically possible; maybe it even exists and we just haven't found it. But as a real-world matter, it's a non-problem. The overwhelmingly dominant risk factor for PC infection is the user clicking on or running something malicious. If users don't have the opportunity to do so anymore, we'll all be better off.