The Evolution of macOS Gatekeeper
The history of Mac endpoint security is like the history of Apple itself: a sprawling tale full of elegant innovations and memorable missteps. That story is too big for a single blog article (or even a single book), but within the larger security narrative, there's a fascinating tale about one of its key components: Gatekeeper.
Gatekeeper is the central component of a modern Mac's famous "scan at launch" style of security, which includes technologies like File Quarantine and XProtect. It's a technology that feels uniquely Apple: simple, (mostly) effective, and at times nearly invisible to users.
To understand Gatekeeper is to understand Apple's attitudes about security and IT. So let's take a look at where Gatekeeper came from, where it's going, and the role it plays in guarding the door to tech's most fiercely defended walled garden.
Part 1: "Macs Don't Get PC Viruses"
In 2005, Apple was riding high with the release of OS X Tiger. With Steve Jobs' return, they had avoided financial ruin and successfully transitioned to a new, modern OS. They also had their first blockbuster product since the Mac: the iPod. The irresistible (and expertly marketed) music player had a halo effect on Macs, prompting more and more users to switch over from their PCs.
At that time, Macs were coasting on the strong security story they'd inherited from their Unix-based OS, which was primarily based on Jobs' previous venture at NeXT.
That year, Steve Jobs gave a revealing interview that touched on the Mac's relationship to security. Jobs acknowledged an internal battle over forcing users to authenticate in order to install applications.
"Avie Tevanian, the person that was running software at the time, showed us OS X and every time you wanted to load an application into OS X, whether it was off the internet or even off a disc, you had to type your name and password; you had to authenticate. And we gave him incredible shit for that. We said 'Avie, are you nuts? This is the Mac!' And he said, 'trust me.' And so we deferred to Avie on that after trying to twist his arm for a year. And boy, was he ahead of his time."
It was a battle that security ultimately won, despite the added user friction.
Still, though Jobs claimed to be proud of Mac security, he wasn't ready to make it a pillar of Apple's messaging. "We don't market this because that's like the red cape and the bull," he said, with the "bull" being hackers. Hubris aside, 2005 Jobs seemed to think trumpeting security would be bad form. "I don't think it should be used as a competitive weapon," he claimed.
Nevertheless, by 2006 Apple did exactly that. One of its first "Get a Mac" commercials was a shot across the bow at PC security, and implied that Macs were immune to PC viruses.
What those commercials didn't acknowledge (but Jobs clearly knew) was that Macs weren't impervious to viruses; they'd simply escaped the attention of hackers by virtue of their comparatively small user base. But with this ad, they'd waved the red cape at the bull, and the bull was about to charge.
Part 2: Introduction of File Quarantine
2007 marked the end of the Mac's security honeymoon. Suddenly, malware emerged that was written specifically for OS X, starting with OSX/Leap-A (aka Oompa-A), which spread via iChat. Soon, Mac users started to experience the same performance issues, freezes, and crashes they'd had with their PCs.
Apple's first major action in its war with viruses was File Quarantine, which debuted in OS X Leopard (10.5). This feature attaches an extended attribute (com.apple.quarantine) to files downloaded from the internet (and later, copied using AirDrop). This tag prevents a user from executing a file until they have verified in a popup warning that they are aware of its contents.
File Quarantine attempted to take a light touch with users by letting them choose whether to proceed. Unfortunately, this approach didn't do much to stem the tide of infected Macs, for two reasons:
1. Since Macs stuck the quarantine tag on every downloaded file (not just applications), users quickly developed quarantine fatigue and grew accustomed to just breezing past the popup.
2. The warning failed to explain the potential consequences of opening applications or provide any instruction on how users could differentiate between trustworthy and untrustworthy sources.
The first issue, at least, is understandable, since Apple was trying to protect users from malware disguising itself as harmless documents. As Eclectic Light explains, "[Malware] might install an innocent-looking document but set its OpenWith xattr to ensure that it's processed (installed or run in some way) using a third-party tool instead."
But the second problem is emblematic of a larger tendency in Mac security to withhold important information from users, presumably out of fear of bogging them down with tedious, technical information.
From a security practitioner's perspective, however, the File Quarantine system is extremely valuable. When the warning dialog is shown to a user and the file is opened, Apple records this event in an on-disk database. Security tools like osquery can read this database across all the Macs in your fleet, giving you insight into the external files users are downloading and executing from the Internet.
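To make that data concrete, here is an added example (not code from the article, and not osquery's or Kolide's implementation) that parses a com.apple.quarantine attribute value and joins it to a copy of the LaunchServices quarantine event log. On a real Mac the attribute is read with `xattr -p com.apple.quarantine <file>` and the log is the SQLite file ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2; the four-field layout of the attribute (flags, download time, agent name, event UUID), the LSQuarantineEvent column names, and the 2001-01-01 epoch for its timestamps are my understanding of Apple's format, not facts stated in the article, and every sample value below is constructed so the script runs anywhere.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample of a com.apple.quarantine attribute value. Its layout
# (assumption, not from the article) is four semicolon-separated fields:
#   <flags, hex>;<download time, hex seconds since the Unix epoch>;<agent name>;<event UUID>
SAMPLE_XATTR = "0083;64c8e100;Safari;0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9"

# LaunchServices stores its timestamps as seconds since 2001-01-01 UTC (assumption).
LS_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed cutoff for the "what was downloaded recently" query below.
SAMPLE_SINCE = datetime(2023, 7, 1, tzinfo=timezone.utc)


def parse_quarantine_xattr(value):
    """Split a com.apple.quarantine value into its fields.

    Values with fewer than four fields occur in practice, so the agent and
    event id are optional; the flags and timestamp fields are required.
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError("malformed quarantine attribute: %r" % value)
    return {
        "flags": int(parts[0], 16),
        "downloaded": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
        "event_id": parts[3] if len(parts) > 3 else "",
    }


def build_sample_event_db():
    """Create an in-memory SQLite database shaped like the LSQuarantineEvent
    table (column names are an assumption) and fill it with constructed rows.
    A fleet tool reads the real QuarantineEventsV2 file instead of building one.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE LSQuarantineEvent (
               LSQuarantineEventIdentifier TEXT PRIMARY KEY,
               LSQuarantineTimeStamp REAL,
               LSQuarantineAgentBundleIdentifier TEXT,
               LSQuarantineAgentName TEXT,
               LSQuarantineDataURLString TEXT,
               LSQuarantineOriginURLString TEXT)"""
    )
    rows = [
        # Matches SAMPLE_XATTR: Unix time 0x64c8e100 expressed in the LS epoch.
        ("0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9", 712579200.0, "com.apple.Safari",
         "Safari", "https://example.com/downloads/Installer.dmg", "https://example.com/"),
        ("1B2C3D4E-5F60-7182-93A4-B5C6D7E8F90A", 713000000.0, "com.google.Chrome",
         "Chrome", "https://example.net/tool.zip", "https://example.net/"),
        ("2C3D4E5F-6071-8293-A4B5-C6D7E8F90A1B", 700000000.0, "com.apple.mail",
         "Mail", None, None),
    ]
    db.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def lookup_origin(db, event_id):
    """Join a file's xattr event UUID to the event log to learn where it came from."""
    row = db.execute(
        "SELECT LSQuarantineAgentName, LSQuarantineDataURLString, "
        "LSQuarantineOriginURLString FROM LSQuarantineEvent "
        "WHERE LSQuarantineEventIdentifier = ?",
        (event_id,),
    ).fetchone()
    if row is None:
        return None
    return {"agent": row[0], "url": row[1], "origin": row[2]}


def recent_downloads(db, since):
    """List (time, agent, url) for events at or after `since`, newest first:
    the per-host query a fleet inventory would run."""
    cutoff = (since - LS_EPOCH).total_seconds()
    cur = db.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineDataURLString "
        "FROM LSQuarantineEvent WHERE LSQuarantineTimeStamp >= ? "
        "ORDER BY LSQuarantineTimeStamp DESC",
        (cutoff,),
    )
    return [(LS_EPOCH + timedelta(seconds=ts), agent, url) for ts, agent, url in cur]


if __name__ == "__main__":
    info = parse_quarantine_xattr(SAMPLE_XATTR)
    db = build_sample_event_db()
    print("downloaded", info["downloaded"].isoformat(), "by", info["agent"])
    print("origin record:", lookup_origin(db, info["event_id"]))
    for when, agent, url in recent_downloads(db, SAMPLE_SINCE):
        print(when.date(), agent, url)
```

The join on the event UUID is what turns a bare "this file was downloaded" tag into a useful record: the attribute on the file says when and by which app, and the event log adds the URL it came from, which is the detail a responder wants when deciding whether a flagged binary was expected.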
Introducing XProtect
The Mac's next OS, Snow Leopard, significantly improved File Quarantine. Instead of simply issuing a blanket warning for all downloaded files, it introduced XProtect, which would compare downloaded files against a database of known malware.
While modest at first (the original list contained only a handful of Trojan horses), XProtect has since become the unsung hero of the Mac's malware fight. As we've written before, "XProtect updates itself automatically, silently, and separately from manually installed security updates."
As with many of Apple's security enhancements, Apple never mentioned the inclusion of XProtect in the Snow Leopard release notes or marketing materials. After Snow Leopard was released, this functionality was discovered by security vendor Intego.
XProtect was a valuable update to File Quarantine, but even if a file was deemed dangerous, all it could do was issue a more ominous-looking warning to users and advise them to move the offending file to the trash. But Apple was about to exert much stricter control over its ecosystem, wresting it from users and developers alike.
There's an App for That
For Apple, the big news in 2007 wasn't about Macs at all; that year, executives were preoccupied with the birth of the company's beloved youngest child: the iPhone.
The advent of the iPhone is important to our story for two reasons:
1. When people suddenly started carrying around their private data in their back pockets, that data was exposed to vastly more risk than when it lived on a desktop or laptop. This change altered the balance of power between security and user experience in Apple's design. It began a slow progression toward security and privacy taking center stage as Apple values instead of operating quietly in the background.
2. Hot on the heels of the iPhone came the App Store, a marketplace that invited third-party developers... if they played by Apple's rules. (And even this level of access was apparently a tough sell for Steve Jobs.)
The App Store was an immediate success on iOS (it helped that it was the only game in town), and Apple hoped its popularity would cross over to Macs. If that theory had panned out, it would have been a coup for security, since every app that users downloaded would have Apple's seal of approval.
But, as every Mac user already knows, Apple's dreams for the Mac App Store never came to fruition. The available apps were granted such limited permissions that users felt like they'd been stuck in the kiddie pool. And since users were already accustomed to downloading much more robust apps from the web, they had no motivation to change.
Despite the Mac App Store's failure, it was clear the company's bifurcated approach to security wasn't working. Macs still needed a tool that ensured every app users downloaded met its standards, regardless of where it came from.
Part 3: The Walled Garden Gets a Gatekeeper
Apple included a sneak preview of Gatekeeper in Lion to enable developer testing, and then rolled out the full version with Mountain Lion in 2012.
The simplest description of Gatekeeper's function comes from Objective-See, and we won't try to improve on it. "Gatekeeper checks the code signing information of downloaded items and blocks those that do not adhere to system policies. (For example, it checks that items are signed with a valid developer ID)."
Gatekeeper was designed to give the existing malware protections, File Quarantine and XProtect, some teeth.[1] Whereas those earlier features would only recommend that users refrain from running code that falls outside local system policies, Gatekeeper doesn't give them the option to run it.
Like many of the other protections mentioned here, determined users can work around Gatekeeper's strongly worded prompts. Luckily, as with File Quarantine, tools like osquery and Kolide can list the questionable and unsigned software users ran anyway, despite the warning.
Part 4: Notarization and The Future of Mac Security
The relationship between hackers and developers is an endless game of cat and mouse, in which there will never be a definitive winner, only a series of moves and countermoves.
Since introducing Gatekeeper, Apple has continued to improve its malware posture by exercising more and more control. In 2019, they introduced Application Notarization requirements, which ensure that no piece of software can run unless it has been scanned and approved.
In Ventura, Gatekeeper's power was enhanced to check that apps have not been wrongfully modified after installation. However, SentinelOne reports that "the Gatekeeper check here is overridable by users. When an unauthorized modification is attempted, Gatekeeper throws a warning and asks the user if they want to allow it in System Settings." This would seem to mark a (slight) return to user control, which hackers will inevitably seek to exploit.
Closing Thoughts
It's easy to snipe at Apple, and there's a fine line between knee-jerk snark and good faith attempts to hold the tech giant accountable. But the reality is there are no simple solutions that resolve the tension between preserving a user's autonomy and safeguarding their security.
So, since there will never be a silver bullet that satisfies developers, security professionals, end users, and Apple itself, the best question we can ask is: does Apple's approach to malware actually work?
In terms of public perception of Mac security, the answer is clearly: yes. In 2020, Jamf ran a survey of IT and security professionals, in which 77% of all respondents reported that they considered Mac to have the best out-of-the-box security. And 79% of professionals at Mac-first companies "said the perceived security of macOS influenced their purchasing decision."
But does that perception mean that Macs actually get less malware than PCs? That's a much harder question to answer, given their wildly disproportionate market shares, and the fact that it's tough to find an expert who doesn't either love Apple or love to hate it.
One thing we can all agree on is that neither Macs nor PCs are immune from malware, especially the kind that stems from good old-fashioned user error. And we can probably also agree that Macs have done a better job of facing those threats while still preserving the user experience of their platform.
Still, it's fair to say that Apple's habit of not wanting to "burden" users with technical information has become a liability. As Eclectic Light writes in their critique of the document quarantine issue, "determining document behaviours like this through opaque metadata prevents the user from making judgements of their own on which documents to trust." And SentinelOne blames macOS' "lack of transparency" for inadvertent data breaches committed by users (and admins) without a full understanding of what they're doing.
As Apple continues to navigate these issues, they would do well to remember the lesson hiding in their own company's name: people don't want to be protected from knowledge or from choice, no matter how lovely the garden is.
[1] Contrary to a common misconception, Gatekeeper did not replace File Quarantine and XProtect, and both features are still running to this day.