OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

Summary: Gatekeeper is really little more than a tool that restricts what the user an runs, rather than a security tool that sorts the wheat from the toxic chaff.

SHARE:

Earlier, Apple made a preview of OS X 10.8 'Mountain Lion' available to developers. One new feature present in the OS (along with a lot of iOS integration) is a security tool called Gatekeeper. However, a quick hands-on with this tool reveals that it is more of a novelty feature than a serious security tool.

Image credit: Apple

Image credit: Apple

Initially I understood that Gatekeeper was an anti-malware tool built into the OS, but a quick look at it reveals that it is little more than a cursory addition to the Quarantine tool. The Quarantine tool in OS X kicks in when you try to run a file downloaded from the Internet, and it asks you to confirm that you do indeed want to run the file.

Gatekeeper adds three more options to Quarantine:

  • Anywhere Quarantine works just as before, and as long as the app isn't identified as malware, it'll run when you approve it.
  • Mac App Store Any applications not downloaded from the Mac App Store will be blocked from running.
  • Mac App Store and identified developers Along with apps from the Mac App Store apps, it will also allow third-party apps that have been signed by an 'identified developer' to run (developers registered with Apple - hey get a certificate to sign the application with, and any tinkering with the code once signed will prevent it from running).

I'm not really that impressed with Gatekeeper, and here's why. Like Quarantine, it only scans a download the once, the first time you try to run it. Unless it is known malware, once you OK it, it'll never be checked again.

In other words, it's really little more than a tool that restricts what the user runs, rather than a security tool that sorts the good wheat from the toxic chaff.

However, given that this is a developer preview of 'Mountain Lion,' there's hope for he technology to get better before the final release.

Related:

Topics: Operating Systems, Apple, Apps, Hardware, iOS, Malware, Mobile OS, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

31 comments
Log in or register to join the discussion
  • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

    Seems like a false sense of security to me.
    bobiroc
    • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

      @bobiroc

      Your right. Sort of like the example where a person starts to walk across the street when the Green "Walk" traffic light indicator is on and not looking both ways to insure that motor vehicles are obeying the traffic lights.

      But a third party software developer might wish to receive an "official sanction" from Apple, non-the-less. And a person who receives a warning "pop up" menu indicating that this third party (non App Store delivered) software has not been approved by Apple might pause and look both ways, so to speak, before committing to the download and installation of this app.
      kenosha77a
    • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

      quality data products was founded on 11.11.11 and has quickly become one of the nation's leading providers of enterprise class information technology hardware and support. Over 15 years of combined experience in IT procurement and supply chain distribution enables qdp to source and deliver the ???hard to find??? products. Visit <a href="http://qdp.com">qdp.com</a> to start saving on New and Refurbished <a href="http://qdp.com/networking/routing">Cisco Routers</a> and <a href="http://qdp.com/networking/switching">Cisco Switches</a>.
      rusimona
  • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

    You forgot to mention how superior Windows 8 will be, once Microsoft releases it. After all ZDNet is in iHate mode.
    Joel-r
    • RE; iHate mode?

      @Joel-r

      I think the hate is equally distributed. Read any of SJVN's blogs lately?
      bobiroc
  • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

    Its just Apple trying to convince users to only use the Mac App Store. If they can convince the users its for their own good, the developers have no choice but to follow, and then Apple gets its hands in everyones wallet. Why force it on someone when you can convince them it was their idea in the first place?
    doh123
  • Seriously?

    "Any applications not downloaded from the Mac App Store will be blocked from running."

    Sure hope this doesn't apply to programs purchased on a CD/DVD disc for installation. This would definitely end my relationship with Apple.
    It'sNotMe
    • Your reading comprehension needs work

      @It'sNotMe that's the most restrictive of the three settings, and, from what I understand, not even the default. The App Store and ID-ed Devs is the default, and it makes sure you're installing an app that can be "killed" if it goes rogue. What's wrong with that?
      matthew_maurice
      • The question is how they're labeling them "identified developers"

        @matthew_maurice

        Is this something where a developer has to apply for it, even if they've been developing for years? And will Gatekeeper be able to tell that an app on an older CD/DVD is the same as an app on the Apple Store? And where is the certificate/signature stored: in the app itself, or on Apple's servers?

        What about developers that never made the transition from physical-disk format to app-store digital-download format: is Apple saying, "Don't worry, you won't see any problems with it", or are they really saying, "We'll support it, but only if you downgrade Gatekeeper's default protection... which is just our way of forcing you to upgrade to a 'newer' version of the app so that we can charge you more money"?
        spdragoo@...
      • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

        @spdragoo@...

        Developers can get the ID for free.
        msalzberg
      • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

        @spdragoo@...
        Any developer that has been publishing Mac software for years alread has a developer I.D. Thy have one because they get it the same time as they get an "ApplicationID" header for any files their apps create. It's been this way for the past 10 years, nothing to do with the new online Mac App Store.
        lelandhendrix@...
      • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

        @lelandhendrix
        @msalzberg

        Thank you, it wasn't clear from the article how that worked.

        Although I guess the question then becomes, will you have to have an active Internet connection now to install all Mac software that's on a CD or DVD, or will the Gatekeeper software store the ID info locally?
        spdragoo@...
    • You have the option

      Set Gatekeeper to anywhere!

      Adrian misses the big feature of Gatekeeper, the ability of those of us looking after family/friends macs to lock them down to known software sources.

      It's a great move!
      Richard Flude
  • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

    Interesting choice of names for that tool. Back in the early 1990s, there was an independent antivirus tool for the Macintosh platform called Gatekeeper. The developer was one Chris Johnson. It has long since been discontinued. An old URL for that site can still be seen here (complete with a "discontinued" snipe across it):
    http://homepage.mac.com/chriswjohnson/gatekeeper/gatekeeper.html

    I guess some sort of statute of limitations ran out and allowed Apple to use the name...or else maybe they just took it.
    DavidPwrMc@...
    • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

      @DavidPwrMc@... I'd guess the latter. Apple just takes what it wants and lets the rightful owner try to fight their army of lawyers to get it back - like 'iCloud'.
      NotMSUser
    • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

      @DavidPwrMc@...

      A trademark must be in use to remain live.
      msalzberg
  • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

    hmmm, 10% market share and they want to make it more painful for me to write apps for their platform. So why would I continue to develop for their platform when my efforts could be better rewarded writing for the dominant platform?
    Madwolf Software
    • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

      @Madwolf Software
      You're not making any sense here. Everything described on this page is customer-facing.
      Furthermore, throughout this preview there have been zero changes to any processes or procedures performed by developers of Mac software.
      If you are a Mac Developer, you already have your Developer ID you got years ago for free.
      lelandhendrix@...
  • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

    It seems pretty clear that you don't understand their use of developer signatures at all. It provides a third way beyond just relying on apps from the Apple-controlled and limited Mac App store and the free and easy install-and-run-anything-from-anywhere at your own risk method. Dev applies for a certificate and otherwise has no interaction with Apple. If a dev's app is tampered with it won't run. If a dev's app is found to contain malware his certificate is revoked and again the app won't run. The app is checked against the sig every time it's opened.

    Frankly I think it's a brilliant approach that shouldn't chafe significantly on developers or users. Don't want to get a certificate from Apple to effectively certify your app to your users? Bully for you; you can still distribute your code. If you can convince users to trust you, and that you have good reasons for avoiding an Apple certificate, you'll not be impacted.
    Boltarus
    • RE: OS X 10.8 'Mountain Lion' Gatekeeper - A disappointment, rather than a serious security tool

      @Boltarus $100 a year, $200 a year if you want to do both OSX and iOS. Which yes is cheap compared to the $500 and up for code cert from verisign etc in the larger general digital signature market.

      So you have your $500 digital cert for your windows and/or linux app, but you have to pay for another one from Apple for their platform? For a minority platform? And again for iOS? At least accept the same cert the rest of the industry does. Otherwise there's a really big WHY in my thinking.
      Madwolf Software