Skip Links

Apple's Gatekeeper: A low cost for partial security

Gatekeeper functionality in OS X Mountain Lion provides somewhat enhanced security with only a potential downside

'Net Insider By Scott Bradner, Network World
February 21, 2012 10:37 AM ET
Scott Bradner

Network World - Out of the blue, Apple just announced Mountain Lion, the next generation of its OS X operating system. By the time Mountain Lion ships sometime next summer, Apple says it will have lots of new features, some transported from its iOS environment of the iPhone, iPad and iPod Touch world. This column will examine just one of the new features, one that, while good, has not yet included all the functions of its iOS prototype.

BACKGROUND: Apple counts down to 25 billion apps

Apple iOS performs a validity check on each application before the app runs. The check verifies that the application came from a trusted source and has not been modified. In the case of iOS, the trusted source must be the Apple iOS App Store. This check makes it much harder for the iOS device to be corrupted by a rogue application introduced by a computer virus. But it also locks the iOS device to only get new or updated applications from the Apple-run store. In this way, Apple controls what you, the titular owner of an iOS device, are permitted to run. With a collection of a half million applications in the App Store, this control over the user has been more of a theoretical than a practical problem.

Apple is now adding a poor man's version of this validity check to OS X in the form of Gatekeeper. Gatekeeper does the same validity check as the iOS system but only does it when an app is first installed, and then only if the application is downloaded over the Internet. As described, Gatekeeper will be able to be run in three modes. The default mode will permit applications to be installed from the OS X App Store (not to be confused with the iOS App Store) and from developers who have registered with Apple as long as the applications have not been modified since they were created. Gatekeeper will also be able to be run in a stricter mode where it will only permit applications from the OS X App Store to be installed or an open mode in which applications are not checked before installation. The last mode is equivalent to the way OS X currently operates -- you can install applications from anyone, including applications from developers that Apple has never heard of.

The reaction to Apple's announcement has been decidedly mixed. On the security side, some pundits seem to be from the branch of computer security that feels security is worthless unless it is perfect. These pundits dismiss Gatekeeper as almost worse than worthless because it only does the validity check when the software is installed. Checking only at the time of installation will not discover software that gets modified after installation and does not deal with the case where an application's bad behavior is only discovered later. Performing the validity check every time the application is run will catch modified applications and, because Apple can distribute a list of bad software developers in real time, it can block applications newly discovered to be bad.

I think the security provided by Gatekeeper is worthwhile but do hope that Apple changes to a check-before-running from the current check-when-installing operation before Mountain Lion is distributed.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News