Apple's Mountain Lion: more control for you or over you?

Gatekeeper is the new security feature introduced by Apple for the new (Mac) OS X update known as Mountain Lion. The idea is to enforce security for downloaded applications when users try to install them on their Apple PCs, but some critics described the feature as the beginning of the end for the user’s proper ownership of the OS behaviour and functionality on Apple machines.

Pretty ironically, this somewhat harsh criticism comes from a company working in the security field – the same one Apple is trying to cover more than ever within its latest consumer (and consumption) oriented products: on its corporate blog, Finnish antivirus company F-Secure dissects Gatekeeper and exposes some interesting findings about it.

The new OS X security feature restricts installation of Mac “apps” based on their sources, F-Secure explains, allowing applications downloaded “from Mac App Store”, “Mac App Store and identified developers” or “Anywhere”.

Under the new Gatekeeper regime, F-Secure states, Mac software developers will be pushed to sign with Apple ($99 per year) “to reduce friction”. And even if the user allowed installations of software downloaded “Anywhere”, The Developer ID program suggests that Gatekeeper could complain about the install operation anyway.

According to F-Secure, Gatekeeper is beginning “to solidify Mac’s walled garden”: “In the future – the F-Secure blog states – when Apple decides to further close its platform, device drivers could also be required to use Apple Developer IDs. Apple is famous for its focus on user experience, and it isn’t really very difficult to imagine it revoking third-party peripheral drivers in order to ‘secure’ that experience”.

Gatekeeper isn’t as much about more control “for” you, F-Secure concludes, as "more control – over – you".

Report a problem with article
Previous Story

Microsoft: Google bypasses IE9 privacy preferences

Next Story

Danish ISPs to begin blocking Grooveshark

38 Comments

Commenting is disabled on this article.

Gatekeeper looks like Apple is attempting to protect users from themselves... but it's real bad for developers that don't want to be restricted to Apple Rules and want nothing to do with the app store ( can I be sued or banned for writing app store here?... oh damn I did it again ;-) . If Gatekeeper warns the user who in many cases may not know enough to make there own decisions about the safely/security of software they install will more then likely choose not to install some perfectly safe software forcing developers into Apples clutches... assuming gatekeeper nags the users regardless or is enabled by default.

rbrucemtl said,
it's real bad for developers that don't want to be restricted to Apple Rules and want nothing to do with the app store

Like malware writers.


imo, this is a good way to legitimize software sources.

dotf said,

Like malware writers.


imo, this is a good way to legitimize software sources.


Or legit software houses that don't want to pay to genuflect at Apple's App Store.

rbrucemtl said,
Gatekeeper looks like Apple is attempting to protect users from themselves... but it's real bad for developers that don't want to be restricted to Apple Rules and want nothing to do with the app store ( can I be sued or banned for writing app store here?... oh damn I did it again ;-) . If Gatekeeper warns the user who in many cases may not know enough to make there own decisions about the safely/security of software they install will more then likely choose not to install some perfectly safe software forcing developers into Apples clutches... assuming gatekeeper nags the users regardless or is enabled by default.

Jesus Christ.
PLEASE educate yourself about Gatekeeper beforehand.

a) Default "Trusted" OS setting in GK will be "App Store and signed".
b) Signing is independent from the App Store. Also, it's FREE (as in free beer) for the dev.
c) Signing your apps is done by the dev. Your certificate will only become invalid once you - the dev - decide to start writing malicious code and release it to the public with a certificate.
d) Don't get your info from F-Secure. Their interests are greatly in danger with GK, no wonder they will spread FUD. (As if they had any more insight into GK architecture and Apple's policies that aren't already public. Do you really think that any info that would allow serious criticism would be released exclusively to a company that obviously would try to write it on big banners to save its business?)

GS:mac

Apple's Gatekeeper is a step in the right direction. Giving the PC owner the right to choose what security model to choose and run with.

NeoPogo said,
Apple's Gatekeeper is a step in the right direction. Giving the PC owner the right to choose what security model to choose and run with.

This.

Malicious code writers that thought about Mac and it's growing marketshare as an interesting target need to think again, as their targetable share just shrunk a hell lot!

Many will set it to "Anywhere", I know I will and I'll tip all my friends, but many will be running a-ok after some time when devs sign their apps and none of your personal apps are affected of devs too lazy to sign.

I'll always keep it to "Anywhere", simply because I'm an enthusiast and there's too much good I'd pass on, but Average Joe will reach the point quite soon where "App Store and signed" will be alright.
Mac devs usually aren't very lazy and quite quick when it comes to updating to current technologies etc...

Not saying that any other devs are "lazy" or "exceptionally slow", just that Mac devs are usually a little more concerned about such details.

GS:mac

Edited by Glassed Silver, Feb 22 2012, 12:34am :

Gatekeeper sounds like Windows' Software Restriction Policies/AppLocker to me, what's the problem as long as you set it to freely install apps? No need for preemptive complaining for something that may or may not happen.

geeks going to leave os X soon lots of my dev friends use mac os X but they are going to sell it some of them have compatibility problems with new upcoming version and some of them are afraid that apple won't let you develop other platform application ie GTK+ and QT (this is going to happen soon after next few years with two or three upcoming releases ).

alexalex said,
Microsoft is doing the same thing with Windows 8 .
No, only the new "Metro style" apps require Microsoft's authorisation; desktop apps on Windows 8 run without any input from Microsoft, just as in every other version of Windows.

Mac OS X software was previously handled like that: both Snow Leopard and Lion had a restricted app store alongside an unrestricted desktop. Now with Mountain Lion the desktop is also restricted by default.

Edited by Arkose, Feb 21 2012, 6:18am :

Arkose said,
No, only the new "Metro style" apps require Microsoft's authorisation; desktop apps on Windows 8 run without any input from Microsoft, just as in every other version of Windows.

Mac OS X software was previously handled like that: both Snow Leopard and Lion had a restricted app store alongside an unrestricted desktop. Now with Mountain Lion the desktop is also restricted by default.

It doesn't matter if it is now only/part. Microsoft is going the same route as Apple. WOA will be fully behind Microsoft's "walled garden".
There is no difference any more between desktop PCs and tablets. Both are PCs.

Sounds awfully like Microsofts digital driver signing thing. What's the difference?
Normal, casual users won't notice a difference

AFineFrenzy said,
Sounds awfully like Microsofts digital driver signing thing. What's the difference?
Normal, casual users won't notice a difference
This is not at all like driver signing.

Many programs that work perfectly on Lion suddenly won't run on Mountain Lion out of the box--not because of genuine compatibility issues but because the developers haven't paid Apple for the privilege. Changing the Gatekeeper default will resolve this, but how many non-technical users will know how to do that, or even be willing to when Gatekeeper warns about this reducing security? This move effectively forces developers to pay Apple protection money every year in order to be able to continue offering their software to Mountain Lion users.

With Lion and earlier developers only had to pay if they wanted to sell their software through the Mac App Store; now all developers have to submit to remain competitive.

with today's threats i welcome the higher scrutiny. sloppy coding leads to breaches but no code is perfect.

"And even if the user allowed installations of software downloaded “Anywhere”, The Developer ID program suggests that Gatekeeper could complain about the install operation anyway."

This is incorrect. Anyone with the DP of 10.8 would know that it doesn't do any sort of "complaining" if Gatekeeper set to "Anywhere".

giga said,
Anyone with the DP of 10.8 would know that it doesn't do any sort of "complaining" if Gatekeeper set to "Anywhere".

Neowin - Where unprofessional journalism looks better.

PyX said,

Neowin - Where unprofessional journalism looks better.

The author is simply reporting what F-Secure's weblog said as-is.

Unprofessional readers should click that big red X or ball and GTFO.

F-Secure is upset because with Gatekeeper running, Apple will finally be able to legitimately claim that Macs don't get viruses.

I like the idea of Gatekeeper myself. If we could get away from the constant scanning of AntiVirus software, that's a good thing. Windows has actually had a similar feature since Vista. To enable it, run "gpedit.msc" and go to: Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Near the bottom of the list, you will see: "User Account Control: Only elevate executable files that are signed and validated"

Just imagine the uproar if Microsoft had enabled that by default!

I'm no Apple fan for several reasons, but as long as you can still install whatever you want without jailbreaking your Mac, I don't see any problems here.

Enron said,
I'm no Apple fan for several reasons, but as long as you can still install whatever you want without jailbreaking your Mac, I don't see any problems here.

If Apple remove control of the Root FileSystem then they'll kick themselves out of the Enterprise Market. And theres no way they want to risk that right now.

CPressland said,

If Apple remove control of the Root FileSystem then they'll kick themselves out of the Enterprise Market. And theres no way they want to risk that right now.

They started removing themselves from that market a while back when they hosed the XServe line in favour of those stupid little mini servers.

CPressland said,

If Apple remove control of the Root FileSystem then they'll kick themselves out of the Enterprise Market. And theres no way they want to risk that right now.


Not just for them, actually, quite a lot of Mac users are quite tech savvy and they are often the ones who suggest that platform to friends.
Them being savvy usually gives them the "credibility" to have a say in suggestions for friends and family.

A pi**ed enthusiast/professional is a couple of sales less for as long as the root problem exists at least.

They won't remove access to such core elements of the desktop OS anytime soon.

SoupDragon said,

They started removing themselves from that market a while back when they hosed the XServe line in favour of those stupid little mini servers.


True.

And sad.

GS:mac

Oh no you mean Mac users will have more nags when doing things that can affect the system? Isn't this the same kind of stuff that Apple made a million commercials mocking Windows for? That and requiring root permission, which Apple also does.

mrp04 said,
Oh no you mean Mac users will have more nags when doing things that can affect the system? Isn't this the same kind of stuff that Apple made a million commercials mocking Windows for? That and requiring root permission, which Apple also does.
Actually if the application is signed properly or comes from the AppStore the user will see NOTHING...much better than all the nagging Windows Vista was doing

mrp04 said,
Oh no you mean Mac users will have more nags when doing things that can affect the system? Isn't this the same kind of stuff that Apple made a million commercials mocking Windows for? That and requiring root permission, which Apple also does.

Uhm, would you please kindly educate yourself before posting this?

GS:mac

There's a critical line in the article that is wrong : the $99 fee that devs pay actually will become free. So anyone will be able to get signed app certificates.

PyX said,
There's a critical line in the article that is wrong : the $99 fee that devs pay actually will become free. So anyone will be able to get signed app certificates.

Do you have a link for this?

It's all about capturing revenue share from not selling/doing anything. Imagine if MS allowed you to only install and buy software through them. It's every companies dream. Soon they'll take 1/3 of the app costs for no reason and we'll have to pay 1/3 more for no reason.

They should give me the money for putting my app on store.

dancedar said,
It's all about capturing revenue share from not selling/doing anything. Imagine if MS allowed you to only install and buy software through them. It's every companies dream. Soon they'll take 1/3 of the app costs for no reason and we'll have to pay 1/3 more for no reason.

Elliott said,
And I conclude that F-Secure is spreading FUD because they're ****ed that Apple's making their product unnecessary.

This is mostly what I believe too.

Oh come on! Windows Vista received the same Criticism and UAC was fine! This is no different and can be turned off if required. Code Signing is an important part of any stable setup.

CPressland said,
Oh come on! Windows Vista received the same Criticism and UAC was fine! This is no different and can be turned off if required. Code Signing is an important part of any stable setup.

UAC was criticized because it was as annoying as a crying baby. GateKeeper doesn't make it much more annoying than what we have now on OS X.