Apple is Pouring on The Coals With macOS Security

Analysis

Apple's recent dispute with the FBI combined with the older architecture of OS X/macOS compared to iOS means that Apple is likely to place new emphasis on Macintosh security. It's been an evolving process, but it's likely to accelerate from now on.

There are several notable signals coming out of WWDC that Apple is doubling down on Mac security, starting with macOS Sierra and beyond. Here's a list of what I've found so far. I'm betting there will be more.

1. APFS. Apple's new file system, to be used by all devices, is scheduled to appear in public next year. The testing of a new file system is easiest and most accessible on a Mac, and so that's where the action will be for a while. The new file system, called APFS, has many new features that will make security more fundamental to macOS. Here's some great background reading.

The new APFS appears to solve a long-standing technical issue with Time Machine, and it's currently thought that Snapshots in APFS will solve that problem. We won't see APFS, however, until at least macOS 10.13 in 2017.

2. Changes to Gatekeeper. Currently, if you look at Gatekeeper in System Preferences > Security & Privacy > General, at the bottom, you'll see the settings for Gatekeeper, though they're not called out as such. In macOS Sierra, the "Anywhere" option will be visibly gone. (However, expert users can still download unsigned apps.)

The net result is that the casual user will only see options to download apps that come from the Mac App Store or those that come from identified developers who have digitally signed their app. That means, in short, that if the developer's app misbehaves, in the sense of malware or security, Apple can tell macOS to not honor the app's credentials. It won't launch.

This will gently rein in casual users who, with glee and abandon, install apps without being aware of the possible dangers of unsigned apps.

3. Adobe Flash and HTML5. Currently, Safari communicates to websites which plug-ins are installed. Safari 10, which will ship with Sierra, will no longer do that. Any website that wants to deliver content via either a plug-in or HTML5 will be forced to use HTML5.

If Flash is the only available option (and for heaven's sake, why would there be any sites like that left?), there will be a trigger for the user to download Flash from Adobe, and the user will have the option to run it just one time (or every time).

Other plug-ins like Java and Silverlight will be treated similarly. If I were to guess, I'd say that this is a precursor to Apple not even allowing Flash to run on the version of macOS after Sierra. That's how Apple seems to roll. It may come to that.

You can read more of the details in this missive from the WebKit organization.

4. Touch ID or Apple Watch Authentication. We saw in the WWDC keynote how Apple plans to allow Apple Watch users to log in to their Macs, securely. However, not everyone has an Apple Watch. An additional tidbit, a (very good) rumor, also suggests that new MacBook Pros will have a touch-sensitive area for Touch ID, allowing the user to log in directly with a fingerprint. This rumor comes from a reliable source, KGI Securities analyst Ming-Chi Kuo, and is detailed by Digital Trends.

No more yellow stickies with passwords!

Future Trends

The Mac, its operating system and how it's used were born in an era when a supremely heightened need for advanced security just wasn't there. Over the years, Apple has added security features, such as the Keychain, FileVault, encrypted DMG files, Gatekeeper, XProtect, and other under-the-hood changes that have allowed us to evolve over the years without too much discomfort. Developers have had time to go with the flow.

Given the modern-day emphasis on security and customer privacy and the continuing assaults by the bad guys, I would expect that we'll see even more focus by Apple on macOS security, some of which may not yet be widely known or will be implemented as a byproduct of APFS in 2017. It may well be that some of these improvements, brought on by a sense of urgency, will cause mild consumer pain here and there over the next few years. But if there's any company on the planet that knows how to move us forward gracefully, with a minimum of annoyance, it's Apple.

That's a mindset we should probably be preparing for.




The net result is that the casual user will only see options to download apps that come from the Mac App Store or those that come from identified developers who have digitally signed their app.

Which is cool. I like that. BUT Apple better get their *** in gear and repair the MacAppStore so developers come back. Right now it’s not where I usually end up going to get software. Too many things are just not there.


I love that they tightened Gatekeeper, too many idiots just disabled it without understanding the possible consequences (not that right-clicking is a power user super complicated way to launch a non-signed app).

To me (as a developer), I have no idea why anyone would release an unsigned app at this point in time. It’s not like it was years ago when the cost was $500 and up.


I find it increasingly annoying every time sites like this (rightfully) blast Flash, while serving up flash ads. Yes, I have a Flash blocker. But you know.. dogfooding….

John Martellaro

Yep, we’re aware of this. Some sponsors just insist on Flash ads.
