The Future of Unsigned Apps on the Mac

Analysis

Applications in the Mac App Store are digitally signed by Apple. That means that without Apple’s digital blessing, the app won’t run on your Mac. However, apps that are available directly from the developer are generally not signed. That’s not typically a problem, but a malicious app masquerading as a legitimate one could steal information or damage your OS. Will Apple, someday, require all Mac apps to be digitally signed?

The Prospect

Apple has a lot on its hands with curating iOS apps and apps in the Mac App Store (MAS). However, could things ever get to the point where Apple might want to, as a minimum, digitally sign all Mac apps?

Why would Apple want to do that? A digital signature doesn’t add any intrinsic security to an app, but it does authenticate the source of the app. For example, a developer submits the source code to Apple, and Apple uses software tools to ensure that the code meets Apple’s standards. Then the binary is signed with a private key. (If you’d like to learn more, see the Wikipedia articles on digital signatures and Public Key Infrastructure (PKI).)

When you try to run an app purchased from the MAS, your OS verifies that Apple signed it. At least you know that the code has been inspected and blessed by Apple.

Crystal Ball - Lion

Apps that you buy direct from the developer aren’t generally signed. Since OS X 10.5, “Leopard,” the developer has had the ability to sign the app, but all that does is certify the origin of the binary. It doesn’t vouch for the quality of the code. As a result, a software company could spring up in, say, Toledo, sign their apps, put on a good show, but the app could be malicious in some subtle way. For the developer to digitally sign the app is good — if the developer has a sound reputation. You know it hasn’t been tampered with. But it doesn’t provide any confidence if the developer is a relative unknown.

To solve this problem, if indeed it can be considered a problem, Apple might, someday, require all apps to be signed by them. Apple may or may not choose to provide the same level of curation, but at least you know that there has been some modest administrative oversight. The developer had to reveal a lot of personal details and create a business relationship with Apple. The app had to be submitted to Apple and digitally signed. It’s then made available directly from the developer’s Web site. Otherwise, it won’t run on your Mac. That would help eliminate the prospect of renegade developers who sell an app directly to the customer that has hidden malicious attributes. And if Apple missed something bad the first time around, it could trigger a kill switch to stop the app from running globally.
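The loader decisions sketched above (integrity check, Apple's kill switch, and the difference between an Apple-vouched signer and a merely identified one) as an added, constructed model; this is not code from the article or from Apple, and the toy RSA keys, the `launch_decision` policy and the decision strings are assumptions made for the illustration.

```python
import hashlib

# Constructed toy RSA keys built from Mersenne primes so the block runs offline on the
# standard library alone. A real Mac signature carries a certificate chain and much
# larger keys; this only models the loader decisions described in the article.
def toy_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for the textbook RSA primes p and q."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

APPLE_PUB, APPLE_PRIV = toy_keypair((1 << 31) - 1, (1 << 61) - 1)    # stands in for Apple
INDIE_PUB, INDIE_PRIV = toy_keypair((1 << 89) - 1, (1 << 107) - 1)   # an unknown developer

def digest(app_bytes: bytes, n: int) -> int:
    """Hash the binary and reduce it into the key's range."""
    return int.from_bytes(hashlib.sha256(app_bytes).digest(), "big") % n

def sign(app_bytes: bytes, pub, priv) -> dict:
    """The signer attaches its public key (standing in for a certificate) and the signature."""
    n, d = priv
    return {"key": pub, "sig": pow(digest(app_bytes, n), d, n)}

def launch_decision(app_bytes: bytes, signature, app_id: str, *,
                    trusted_keys, revoked, allow_unsigned: bool) -> str:
    """Integrity first, then Apple's kill switch, then whether the origin is vouched for."""
    if signature is None:
        return "warn-unsigned" if allow_unsigned else "reject-unsigned"
    n, e = signature["key"]
    if pow(signature["sig"], e, n) != digest(app_bytes, n):
        return "reject-tampered"          # binary altered after it was signed
    if app_id in revoked:
        return "reject-revoked"           # valid signature, but Apple pulled the app
    if signature["key"] not in trusted_keys:
        return "run-unvouched"            # origin identified, quality not vouched for
    return "run-trusted"

if __name__ == "__main__":
    app = b"constructed app bundle bytes"   # constructed sample binary
    apple_signed = sign(app, APPLE_PUB, APPLE_PRIV)
    policy = dict(trusted_keys={APPLE_PUB}, revoked={"com.example.pulled"}, allow_unsigned=True)
    print(launch_decision(app, apple_signed, "com.example.good", **policy))         # run-trusted
    print(launch_decision(app + b"!", apple_signed, "com.example.good", **policy))  # reject-tampered
    print(launch_decision(app, apple_signed, "com.example.pulled", **policy))       # reject-revoked
    print(launch_decision(app, sign(app, INDIE_PUB, INDIE_PRIV), "com.example.indie", **policy))  # run-unvouched
    print(launch_decision(app, None, "com.example.homebrew", **policy))             # warn-unsigned
```

The revocation set is the only part that needs Apple's ongoing involvement, which is why the kill switch is the piece a signed-only policy cannot do without.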

Practical Realities

There are some reasons why Apple may not want to require digital signatures on all apps. For starters, it would greatly increase Apple’s workload on apps for which the company doesn’t take 30 percent of the revenues. Second, it would interfere with internally written corporate or personal apps. And finally, and this is just a surmise, it would take away some of the incentive for sticking with MAS apps, apps that the customer has a lot of confidence in.

I asked some developers what they thought of the idea that, someday, all OS X apps may need to be signed by Apple.

Jacob Gorban, Apparent Software: “One reason could be that they’ll require all applications to be sandboxed. Sandboxing requires signed applications. At the current state of the sandbox, though, it’s hard to see how Apple can require all applications to be sandboxed. First, it’s a lot of work for developers to convert their apps to a sandboxed environment, and more importantly, many applications just won’t work in this environment. I find it hard to believe that Apple will dumb down a desktop OS almost to the functionality of a mobile one.

The other reason could be iCloud. As I understand it, iCloud only works for Mac App Store applications. One of the reasons is that iCloud is tied to Apple ID and applications identity. And to protect the iCloud data, I assume that Apple only allows access to applications signed by Apple (that is, distributed through the Mac App Store).

Last, even if Apple wanted to push enforced signing of applications for the Mac at any point, I find it hard to believe that they’ll do it before 10.8, which I don’t think will be released in 2012. Such changes are just too much for one year for developers and even for Apple. Only a month ago they pushed the deadline for sandboxing on the Mac App Store by five months to March. It’s not clear yet if they’ll not push it once again. There are still lots of issues with sandboxing.

It may make sense together with mandatory sandboxing if, god forbid, we come to that. I wonder, though, if Apple will simply allow signing apps with their certificate without reviewing them.”

Daniel Jalkut, Red Sweater Software: “I think I agree that this will not be a high area of focus for Apple. If you haven’t read it already though, be sure to check out Wil Shipley’s post recommending wider use of certificates.

[Wil Shipley’s article is thought provoking. Among his proposals are that Apple allow some developers to sign their apps with an Apple certificate. Food for thought. - JM]

I think a system-wide requirement for certificates would still make me a bit nervous, because Apple seems to sometimes make inexplicable decisions that harm small numbers of developers. But I can definitely see warming up to that, especially if using an Apple certificate entitled me to bring in, for example, non-MAS customers into the proper Apple ecosystem with iCloud, etc.”

Tim DeBenedictis, Southern Stars: “My own feeling is that some future version of OS X will require some kind of security for all user-space apps that are being run on a machine other than the developer’s machine. Whether it happens in 2012 or later is the real question.

I suspect Apple’s real motivation for this isn’t technical — it’s financial. The Mac OS X ecosystem is not, now, being overrun by rogue apps, viruses, trojans, etc. The problem is minimal compared to, for example, Windows or Linux. Yet Apple is still rapidly making it more and more difficult for anyone to play outside its preferred sandboxes (that is, MAS). The real reason is simply that Apple wants 100 percent control of all software that is developed for its platforms, and it wants that 30 percent of app revenue. There’s a reason we’re developing for Android now.”

The Verdict

Apple has already upset a lot of developers with the requirement that MAS apps be sandboxed. Also, many users are not all that enthusiastic about the changes in Lion. So it may be a while before Apple requires all Mac apps to be digitally signed by them, or all apps to be sandboxed.

In the meantime, Ted Landau, in a conversation we had, put some perspective on it. If you take your car to the dealer for, say, a new alternator, you have a lot of confidence in the factory part and your car’s warranty. But if you elect to take your car to an independent repair shop, you may get a rebuilt or knockoff, lower quality part. It’s your decision and your risk. Apple might let that customer tendency play out.

It could be that the market for apps will settle out naturally without Apple having to do anything draconian. The MAS will make huge strides. Reputable, specialty developers whose apps go deep into the OS, like Parallels Desktop and VMware Fusion, will have to have their apps signed but not sandboxed. Everyone else out there limps along, is viewed skeptically by the Apple customer, and eventually bad apps could just dry up and blow away from lack of attention.

In the long run, if you really want to write your own unsigned apps or buy one from an unvetted developer, Apple, hopefully, won’t stop you.


Comments

mrmwebmax


I personally think if Apple restricts all Mac software to Apple-signed-apps-only, that it will be platform suicide. I hope I never see it. It will stifle too much innovation on the platform. Right now users and developers have a choice: MAS apps or non-MAS apps. I think that’s the best of both worlds, but I do fear Apple’s control-freak nature might change that someday.

I don’t mind the control on iOS: As an iPhone-is-my-only-phone kind of guy, with no landline backup, I need the kind of reliability that iOS offers. As a Mac professional in web design and graphic design, I need the ability to choose whatever tools I see fit to use on my Macs.

geoduck

I personally think if Apple restricts all Mac software to Apple-signed-apps-only, that it will be platform suicide.

Agreed. I think of all the little one person shops that make really useful tools, places that couldn’t or wouldn’t spend the time involved getting their stuff signed and I know they would just walk away.

I wonder about Open Source Apps. OpenOffice et al. Who would take responsibility for submitting every little tweak for Apple to sign? The answer is nobody; they would also just drop the Mac platform.

d'monder

Unsigned desktop apps have worked since 1977.  It’d be a major mistake to go signed-only.

If Apple wants to make iOS the future, that’s their call.  But as long as there’s a Mac OS, it should run unsigned apps.

TonyT

This Macbook pro is mine.  If I want to risk running malicious code then that’s my problem. A computer should be open to whatever the user wants to run on it.

vpndev

I agree that it would be suicide. I can imagine, though, a scenario where a user would select a preference to disallow non-signed apps.

Gareth Harris

I build distributed control systems: complex applications with many processes that operate on multiple vendors’ platforms over multiple local and remote networks. Stability is a key issue in these settings so I welcome any regimen that enhances security.  Ain’t no free lunch, however, and stability controls often limit and even stop operation.

As Apple moved beyond selling single stand-alone devices, they entered this arena. It doesn’t take much to break distributed systems, so any controls which increase quality and stability are welcome, BUT advanced functions cross boundaries, have to satisfy conflicting requirements on different platforms, etc.

You have to remember your goals here: not just to make a profit but to have large wide ranging systems which do useful things. The most stable system, after all, is the one which is never turned on or connected to the net - but what use is that?

AlanInMadrid

@garethharris

It’s difficult to work out what you are saying here.  However to pick up a couple of points; you build distributed systems - so how would you feel when Apple say that there is a 3 month delay (while they go through your source-code which you gave them) before you can release your next version?  Then how would you feel about giving them your source code when they are selling their own programs that compete with yours (Think Lightroom/Aperture, Pages/Office, etc.)

Another point about stability is that we are considering rolling back from Lion to Snow-Leopard.  We have spaces locking up and losing things, and the occasional complete lock-up of the OS that requires a reboot.  All of this without installing ANY non Apple software.  Apple have already shown me that them holding the keys to what I run doesn’t help anyway, so I would rather have the choice, and be able to buy SW from Adobe or Canon for example.

Alberto

I think the best approach is that signing is optional but strongly recommended.
OS X would run an unsigned app, but warn the user and let him choose whether to run it or not.
I find it reasonable that only signed apps could access iCloud services.

Pete

It’s interesting that everybody talks about signed or unsigned apps only. Does nobody think about a low cost Mac with signed apps only and without Finder for $199 and the normal product line?

Gareth Harris

It’s difficult to work out what you are saying here.

Point well taken, Alan, I did ramble a bit there. Let me try again:
Apple mainly sells single user applications to the consumer market. By catering to end users rather than us geeks, they have a much larger market, which is enhanced by controlling quality on apps delivered.
On the other hand, I use Apples as process control platforms because they are cheap UNIX machines that someone else maintains. My products are multi user, even multi platform and will not pass some of Apple’s restrictions.
So the question is: do you cut off your professional computing users for the sake of a larger consumer market? I think the answer should be no - because the technical features you rely on for consumer sales originate with the technical professional community.

Hope I was clearer this time.

AlanInMadrid

Ah, OK,  I thought for a moment that you were saying that signed only was positive for stability.

As for who uses Macs now, I don’t know.  Certainly the brand is a lot better known among the masses because of the iPod/iPhone line, and possibly some consumers are tending that way with their home PCs too.  However I’ve seen a lot of people only buying MBPs because they are developers and need them to develop for iOS.

I’m a very recent convert to Mac, and only did it for the stability of the platform (after Vista), and the mess that is about 50 different versions of Windows 7 in Europe (yes, every country has its own set of versions!). I haven’t even got used to the platform enough to use it 100% and therefore have all the apps I will eventually need (so some of my workflow still hasn’t moved over from Windows).

However signed-apps only will see me drop Mac like a hot potato!

Simon B

Our product, VMware Fusion 4 (http://www.vmware.com/products/fusion/overview.html) was released earlier this year. One of the changes we introduced with v4 was code-signing.

Users benefit from signing code today (since the author is always identifiable even if all trace of the rest of the application is gone) and the Apple-provided infrastructure makes it easy to do.

This is a great tool in the Mac developer tool-kit and the barrier to implementing it is quite low. Why wouldn’t you sign your application today?

Kim'e

I think an idea worth exploring is for Apple to contract 3rd party security firms for a flat % and create healthy competition in the industry. Each 3rd party company would sign the binary with a private key.

Third party companies could compete for the best rate to developers and prevent pending apple signed apps from bottlenecking and making their way into the Mac App Store.
