Apple will soon make a code review mandatory for all applications distributed outside its own Mac App Store by new developers, a first step towards requiring all Mac software to pass similar reviews.
The Cupertino, Calif. company argued that the process, which it calls “notarization,” would build a more secure macOS environment. “We’re working with developers to create a safer Mac user experience through a process where all software, whether distributed on the [Mac] App Store or outside of it, is signed or notarized by Apple,” the company stated in an April 10 message on its developer portal.
Applications delivered through the Mac App Store have long been reviewed by Apple for malicious code, and since September 2012 checked for an Apple-provided digital signature prior to installation. Notarization adds the App Store’s review – or a form of it – to programs distributed elsewhere, direct from a publisher’s website, say.
Apple made notarization sound, if not perfunctory, then certainly brief. “Notarization is not App Review,” Apple told developers, referring to the process App Store software goes through. “The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly.”
When users start to install a notarized application, Gatekeeper will intervene with a message stating that Apple has “checked it for malicious software and none was detected.” From there, the user can either cancel the install or proceed. Gatekeeper is the OS X/macOS utility that for the last seven years has blocked installation of unsigned code, and depending on how it’s set, allowed all software or only App Store-acquired programs to be installed.
Apple has not shared more than that about what users will see related to notarization. It was unclear whether there will be broad or granular settings to mitigate or disable the notarization requirement in System Preferences.
With the appearance of macOS 10.14.5 – the latest update for Mojave, now in preview – notarization will be required for software created by developers new to distributing Apple apps, as well as for all new or updated kernel extensions. “In a future version of macOS, notarization will be required by default for all software,” Apple said in its documentation.
That “future version” could be as close as this year’s macOS 10.15, which if Apple hews to custom, will be introduced in June at the company’s Worldwide Developers Conference (WWDC) and released in September.
When Gatekeeper debuted in 2012 as part of OS X Mountain Lion, some Mac users criticized the restrictions, arguing that they should be allowed to install whatever they wanted on their machines, from whatever source. The appearance of the Mac App Store the year before had raised similar concerns. It wouldn’t be surprising if Apple’s notarization scheme gets some pushback as well.
“To a degree,” said Chet Wisniewski, a principal research scientist at security vendor Sophos, when asked whether code reviews and installation controls make users safer. “It’s not a perfect process, but without [such safeguards] the criminals don’t have to try very hard.” In other words, practices like Apple’s, whether the Gatekeeper model or notarization, are valuable because they force malicious actors to work for their ill-gotten gains.
“And people do have a choice,” Wisniewski added. If they don’t like the additional controls Apple puts in place, users have options. “They can go to Windows. Or Linux.”
He doubted that would happen, pointing to Apple’s even-more-restrictive rules on iOS, where all apps must originate from the App Store. “People seem to like their iPhones,” said Wisniewski. “The model of the App Store shows just how effective this can be.”