The Future of Unsigned Apps on the Mac

Applications sold through the Mac App Store are digitally signed by Apple before they reach you, and each copy carries a store receipt that the app checks when it launches; without Apple's digital blessing, the Mac App Store copy won't run on your Mac. Apps that you download directly from the developer, by contrast, are frequently not signed at all. That's not typically a problem, but an unsigned app that masquerades as something else could steal information or damage your OS, and nothing on the system tells you who really built it. Will Apple, someday, require all Mac apps to be digitally signed?

The Prospect

Apple has a lot on its hands with curating iOS apps and apps in the Mac App Store (MAS). However, could things ever get to the point where Apple might want to, as a minimum, digitally sign all Mac apps?

Why would Apple want to do that? A digital signature doesn't fix bugs or remove malicious code from an app, but it does two useful things: it authenticates who produced the binary, and it lets anyone who checks it detect whether the binary has been altered since it was signed. For the Mac App Store, the process works like this: the developer submits the compiled app (not its source code; Apple never sees that) to Apple, Apple reviews the binary against its guidelines with a mix of automated tools and human review, and the approved binary is then signed with Apple's private key before it is distributed. (If you'd like to learn more, see the Wikipedia articles on digital signatures and Public Key Infrastructure (PKI).)

When you run an app purchased from the MAS, the copy you received is the one Apple signed, and the app validates its store receipt before it runs. Note that the OS itself does not refuse to launch an app merely because it is unsigned; on Lion it checks code signatures only in specific situations, such as Keychain access, the application firewall and parental controls. What the MAS signature buys you is that you know the code has been inspected and blessed by Apple.

Crystal Ball - Lion

Apps that you buy directly from the developer aren't generally signed. Since OS X 10.5, "Leopard," the developer has had the ability to sign the app, but all that does is certify the origin of the binary. It doesn't vouch for the quality of the code. As a result, a software company could spring up in, say, Toledo, sign its apps, put on a good show, and still ship an app that is malicious in some subtle way. A developer's own signature is valuable if the developer has a sound reputation: provided the signature is actually checked, you know the app hasn't been tampered with since that developer signed it. But it doesn't provide any confidence if the developer is a relative unknown.
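To make the distinction drawn above concrete, here is an added example, written for this page rather than taken from the article or from Apple's documentation: a small POSIX shell script that classifies a Mac app bundle from what `codesign -dvv` reports (unsigned, ad-hoc signed, signed by Apple's store certificate, or signed by some other developer certificate) and then checks the seal with `codesign --verify`. The parsing runs against constructed sample reports embedded in the script, so the logic can be exercised on any system; only `check_app` needs a Mac. The bundle paths, identifiers and the "Example Software Inc." signer in the samples are invented; the "Apple Mac OS Application Signing" authority string is what Apple's store signing certificate actually presents.

```shell
#!/bin/sh
# Added example: classify a Mac app bundle by what `codesign` says about it.
# codesign writes its report to stderr; we parse that text so the parsing can
# be tested anywhere, and only check_app() actually invokes codesign (macOS).

# Classify a codesign -dvv report (passed as text) as one of:
#   unsigned   - no signature at all (10.5 prints "code object is not signed",
#                later releases "code object is not signed at all")
#   adhoc      - signed, but with no certificate, so there is no identity to check
#   apple-mas  - signed by Apple's Mac App Store signing certificate
#   developer  - signed with some other certificate (the developer's own)
classify_codesign_report() {
    if printf '%s\n' "$1" | grep -q 'code object is not signed'; then
        printf '%s\n' unsigned
    elif printf '%s\n' "$1" | grep -q '^Signature=adhoc$'; then
        printf '%s\n' adhoc
    elif printf '%s\n' "$1" | grep -q '^Authority=Apple Mac OS Application Signing$'; then
        printf '%s\n' apple-mas
    elif printf '%s\n' "$1" | grep -q '^Authority='; then
        printf '%s\n' developer
    else
        printf '%s\n' unknown
    fi
}

# Name on the leaf certificate (first Authority= line), or "-" if there is none.
codesign_leaf_authority() {
    leaf=$(printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1)
    if [ -n "$leaf" ]; then printf '%s\n' "$leaf"; else printf '%s\n' -; fi
}

# Inspect a real bundle (macOS only). Exit status: 0 signed and seal intact,
# 1 unsigned, 2 signed but the seal no longer verifies (something was altered).
check_app() {
    app="$1"
    report=$(codesign -dvv "$app" 2>&1)
    kind=$(classify_codesign_report "$report")
    if [ "$kind" = unsigned ]; then
        printf '%s: unsigned\n' "$app"
        return 1
    fi
    if codesign --verify "$app" 2>/dev/null; then
        printf '%s: %s (signer: %s), seal intact\n' "$app" "$kind" "$(codesign_leaf_authority "$report")"
        return 0
    fi
    printf '%s: %s (signer: %s), seal BROKEN: bundle altered since signing\n' "$app" "$kind" "$(codesign_leaf_authority "$report")"
    return 2
}

# Constructed sample reports, modelled on the lines codesign -dvv prints.
# They were not captured from real bundles; paths and identifiers are invented.
SAMPLE_UNSIGNED='/Applications/Unsigned.app: code object is not signed at all'

SAMPLE_MAS='Executable=/Applications/StoreApp.app/Contents/MacOS/StoreApp
Identifier=com.example.storeapp
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=245 flags=0x0(none) hashes=4+3 location=embedded
Signature size=4240
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Info.plist entries=18
Sealed Resources version=2 rules=12 files=5'

SAMPLE_DEV='Executable=/Applications/DirectApp.app/Contents/MacOS/DirectApp
Identifier=com.example.directapp
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=245 flags=0x0(none) hashes=4+3 location=embedded
Signature size=1800
Authority=Example Software Inc. Code Signing
Info.plist entries=18
Sealed Resources version=2 rules=12 files=5'

SAMPLE_ADHOC='Executable=/Applications/Local.app/Contents/MacOS/Local
Identifier=com.example.local
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=245 flags=0x2(adhoc) hashes=4+3 location=embedded
Signature=adhoc
Info.plist entries=18
Sealed Resources version=2 rules=12 files=5'

# Usage on a Mac:  sh check_app.sh /Applications/Foo.app
# With no argument, show what the classifier makes of the constructed samples.
if [ $# -gt 0 ]; then
    check_app "$1"
else
    for s in "$SAMPLE_UNSIGNED" "$SAMPLE_MAS" "$SAMPLE_DEV" "$SAMPLE_ADHOC"; do
        printf '%-10s signer=%s\n' "$(classify_codesign_report "$s")" "$(codesign_leaf_authority "$s")"
    done
fi
```

Two things the script makes visible that the prose only implies. First, a seal that verifies tells you the bundle matches what the signer sealed, nothing more; the `developer` result for the invented "Example Software Inc." certificate is exactly the Toledo case, a valid signature from an identity you have no reason to trust. Second, an ad-hoc signature carries no certificate at all, so it proves integrity against accidental corruption but authenticates nobody.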

To solve this problem, if indeed it can be considered a problem, Apple might, someday, require all apps to be signed by them. Apple may or may not choose to provide the same level of curation, but at least you would know that there had been some modest administrative oversight. The developer would have had to reveal a lot of personal details and create a business relationship with Apple. The app would have had to be submitted to Apple and digitally signed, and only then made available directly from the developer's Web site. Otherwise, it wouldn't run on your Mac. That would help eliminate the prospect of renegade developers selling an app directly to the customer that has hidden malicious attributes. And if Apple missed something bad the first time around, it could trigger a kill switch to stop the app from running globally.

Practical Realities

There are some reasons why Apple may not want to require a digital signature on all apps. For starters, it would greatly increase Apple's workload on apps for which the company doesn't take 30 percent of the revenues. Second, it would interfere with internally written corporate or personal apps. And finally, and this is just a surmise, it would take away some of the incentive for sticking with MAS apps, apps in which the customer has a lot of confidence.

I asked some developers what they thought of the idea that, someday, all OS X apps may need to be signed by Apple.

Jacob Gorban, Apparent Software: “One reason could be that they’ll require all applications to be sandboxed. Sandboxing requires signed applications. At the current state of the sandbox, though, it’s hard to see how Apple can require all applications to be sandboxed. First, it’s a lot of work for developers to convert their apps to a sandboxed environment, and more importantly, many applications just won’t work in this environment. I find it hard to believe that Apple will dumb down a desktop OS almost to the functionality of a mobile one.

The other reason could be iCloud. As I understand it, iCloud only works for Mac App Store applications. One of the reasons is that iCloud is tied to Apple ID and application identity. And to protect the iCloud data, I assume that Apple only allows access to applications signed by Apple, that is, distributed through the Mac App Store.

Last, even if Apple wanted to push enforced signing of applications for the Mac at any point, I find it hard to believe that they’ll do it before 10.8, which I don’t think will be released in 2012. Such changes are just too much for one year for developers and even for Apple. Only a month ago they pushed the deadline for sandboxing on the Mac App Store by five months to March. It’s not clear yet whether they’ll push it once again. There are still lots of issues with sandboxing.

It may make sense together with mandatory sandboxing if, god forbid, we come to that. I wonder, though, if Apple will simply allow signing apps with their certificate without reviewing them.”

Daniel Jalkut, Red Sweater Software: “I think I agree that this will not be a high area of focus for Apple. If you haven’t read it already though, be sure to check out Wil Shipley’s post recommending wider use of certificates.

[Wil Shipley’s article is thought provoking. Among his proposals is that Apple allow some developers to sign their apps with an Apple certificate. Food for thought. - JM]

I think a system-wide requirement for certificates would still make me a bit nervous, because Apple seems to sometimes make inexplicable decisions that harm small numbers of developers. But I can definitely see warming up to that, especially if using an Apple certificate entitled me to bring in, for example, non-MAS customers into the proper Apple ecosystem with iCloud, etc.”

Tim DeBenedictis, Southern Stars: “My own feeling is that some future version of OS X will require some kind of security for all user-space apps that are being run on a machine other than the developer’s machine. Whether it happens in 2012 or later is the real question.

I suspect Apple’s real motivation for this isn’t technical — it’s financial. The Mac OS X ecosystem is not, now, being overrun by rogue apps, viruses, trojans, etc. The problem is minimal compared to, for example, Windows or Linux. Yet Apple is still rapidly making it more and more difficult for anyone to play outside its preferred sandboxes (that is, MAS). The real reason is simply that Apple wants 100 percent control of all software that is developed for its platforms, and it wants that 30 percent of app revenue. There’s a reason we’re developing for Android now.”

The Verdict

Apple has already upset a lot of developers with the requirement that MAS apps be sandboxed. Also, many users are not all that enthusiastic about the changes in Lion. So it may be a while before Apple requires all Mac apps to be digitally signed by them, or all apps to be sandboxed.

In the meantime, Ted Landau, in a conversation we had, put some perspective on it. If you take your car to the dealer for, say, a new alternator, you have a lot of confidence in the factory part and your car’s warranty. But if you elect to take your car to an independent repair shop, you may get a rebuilt or knockoff, lower quality part. It’s your decision and your risk. Apple might let that customer tendency play out.

It could be that the market for apps will settle out naturally without Apple having to do anything draconian. The MAS will make huge strides. Reputable, specialty developers whose apps go deep into the OS, like Parallels Desktop and VMware Fusion, will have to have their apps signed but not sandboxed, since sandboxing would not allow what those apps do. Everyone else out there limps along, is viewed skeptically by the Apple customer, and eventually bad apps could just dry up and blow away from lack of attention.

In the long run, if you really want to write your own unsigned apps or buy one from an unvetted developer, Apple, hopefully, won’t stop you.