Apple Mozilla Security

On Gatekeeper

Gatekeeper is without question a bold move to prevent malware from impacting Mac OS X, but it will likely turn into a legal and ethical mess. Before I explain why, I’ll give a very high level overview. There are three options:

  • Mac App Store – Only run applications from the Mac App Store.
  • Mac App Store and identified developers – Only run applications from the Mac App Store and developers who sign up with Apple to get a key.
  • Anywhere – This is how every Mac and PC today operates out of the box.

The default in Mountain Lion is App Store and identified developers. As MacWorld’s Jason Snell explains:

Apple says, if a particular developer is discovered to be distributing malware, Apple has the ability to revoke that developer’s license and add it to a blacklist. Mountain Lion checks once a day to see if there’s been an update to the blacklist. If a developer is on the blacklist, Mountain Lion won’t allow apps signed by that developer to run.

It’s worth noting that at least today the authentication is only done on first run from what I’ve read. However it’s not impossible for Apple to later check an application on each run to make sure it’s not on the blacklist. That could even happen before the feature ships this summer.

What’s concerning is that Apple will now essentially be the gatekeeper (get it?) and thus pressured to control what users can or can’t install on their computer. Lets be honest, most developers will never get their users to open system preferences and change this, so getting “identified” is essentially required to develop on Mac OS X if you want more than geeks to use your software.

Apple in the past has been pressured to remove Apps from the iOS App Store. It’s likely (read: guaranteed) to be pressured to blacklist developers who write apps which are controversial. Anything that could be used for piracy from a BitTorrent client to VLC which uses libdvdcss (the library hasn’t been legally challenged ever AFAIK but pressuring Apple is a way around the court system) could be targeted. Apple has a bit of a history banning apps for all sorts of reasons including being negative towards Apple.

How would Apple deal with pressure from patent claims? What about a desktop client for WikiLeaks, like the one that was pulled from the App Store? What about a game distributed by Planned Parenthood or some other organization that tends to draw controversy? There’s also the international issues here (Nazi images and Germany, privacy violations and EU). What about more indirect things like Firefox which can run 3rd party code via plugins and addons. Mozilla refused to kill MaffiaaFire. Could the Feds have went to Apple?

These are all hypothetical situations technically since the feature hasn’t even launched and Apple hasn’t given any clear policies. That in my opinion is the big problem. Apple as far as I know hasn’t given any guidelines to what would put a developer on the blacklist? Is there even an appeals process?

I’m pretty sure we’ll learn more over the coming weeks. The cool guys over at Panic are pretty optimistic about the feature, so I guess we’ll see.