What is App Notarization on a Mac and why should I care?
What is App Notarization on a Mac?
Apple already has a system called Gatekeeper that tries to prevent Mac users from installing malicious software on their machines by checking that the app is signed with an Apple-issued Developer ID certificate.
To make it possible for third-party applications distributed outside of the Mac App Store to run on Macs without disabling Gatekeeper security, Apple added Developer ID to OS X Mountain Lion. This enabled registered developers to identify themselves and their apps.
The problem was that Developer ID certificates could also be attached to malware (see OS X/Dok below).
Under the notarization system, third-party developers who want to sell their apps outside Apple’s Mac App Store can submit their software to Apple for notarization. Apple’s Notary Service then automatically performs security checks on the software to ensure the installations are malware-free, correctly signed, and use the appropriate runtime.
Software signed with a Developer ID certificate can also take advantage of advanced capabilities such as CloudKit and Apple Push Notifications.
What Apple says
“Make sure to sign any apps, plug-ins, or installer packages that you distribute to let Gatekeeper know they’re safe to install. And now, you can give users even more confidence in your apps running on macOS Mojave by submitting them to Apple to be notarized,” Apple explains.
Why should I care?
Apple platform security is not fixed in stone and attempts to subvert it are evolving rapidly.
One thing that some people try is to convince customers to download software that is actually useful, but which also installs malware, keyloggers, or other malicious code. Not every attack is aimed at a user’s own Mac: in some cases more complex attacks see criminals subvert one person’s system in order to more easily penetrate another person’s.
One way to protect against such incidents is to ensure that the apps installed and run on a user’s Mac are safe to use.
App Notarization is a step further than Gatekeeper, in that while Gatekeeper can alert users to potential risk, Notarization provides extra confidence that Apple has examined the app.
Apple has also worked to make the whole process almost transparent to the customer – we don’t really know all this work is going on to protect our Mac experience.
“A notarized app is a macOS app that was uploaded to Apple for processing before it was distributed. When you export a notarized app from Xcode, it code signs the app with a Developer ID certificate and staples a ticket from Apple to the app. The ticket confirms that you previously uploaded the app to Apple.”
How do I know?
When you first try to open a Mac app that has been downloaded from a source outside the Mac App Store you will see a warning message, which reads:
“[Application name] is an application downloaded from the Internet. Are you sure you want to open it?”
- When the app has not been notarized, you’ll see choices including Cancel, visit the website of the app developer, or open the app.
- A notarized app also flags a warning message, but through a more streamlined interface with Cancel and Open buttons instead.
When you install an application from a trusted source you should be fine. If you are installing software from an unknown or dodgy-seeming source you should double check its security status first, and definitely run a malware checker once it is installed (even though that is by no means always going to find a threat — the best protection is not to install bad software).
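One way to check an app’s status yourself is Apple’s `spctl` tool, which reports whether Gatekeeper accepts the app and whether its signature source is a notarized Developer ID. The script below is an added example, not from the article: it wraps that command and classifies its output, and because `spctl` only exists on macOS, the classifier is fed constructed sample outputs (made-up app name and Team ID) so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example: classify an app's Gatekeeper/notarization status from the
# output of:  spctl --assess --verbose=4 --type execute "/Applications/Foo.app"
# spctl prints its verdict on stderr, e.g.
#   /Applications/Foo.app: accepted
#   source=Notarized Developer ID
#   origin=Developer ID Application: Vendor (TEAMID)

# gatekeeper_status "<spctl output>" -> notarized | signed-only | rejected | unknown
gatekeeper_status() {
    case "$1" in
        *": accepted"*"source=Notarized Developer ID"*) echo notarized ;;
        *": accepted"*"source=Developer ID"*)           echo signed-only ;;  # Developer ID but no notarization
        *": rejected"*)                                 echo rejected ;;     # unsigned, revoked or unnotarized on newer macOS
        *)                                              echo unknown ;;
    esac
}

# check_app /path/to/App.app -> runs spctl (macOS only) and classifies the result
check_app() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available: run this on macOS" >&2
        return 1
    fi
    gatekeeper_status "$(spctl --assess --verbose=4 --type execute "$1" 2>&1)"
}

# Constructed sample outputs (format mirrors spctl; app name and Team ID are made up).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_SIGNED_ONLY='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_REJECTED='/Applications/Example.app: rejected
source=no usable signature'

for s in "$SAMPLE_NOTARIZED" "$SAMPLE_SIGNED_ONLY" "$SAMPLE_REJECTED"; do
    echo "$(gatekeeper_status "$s")"
done
```

To confirm the notarization ticket is actually stapled to the bundle (so the check works offline), run `xcrun stapler validate "/Applications/Foo.app"` on the Mac as well.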
What happens next?
“In an upcoming release of macOS,” Apple says, “Gatekeeper will require Developer ID signed software to be notarized by Apple.”
This will make it much harder for rogue developers to slip malware into your Mac, and also means Mac users can feel a little more secure when installing software from outside the Mac App Store.
Why is Apple doing this?
Apple recognizes that the threat landscape is becoming far more complex.
Phishing and malware injection attempts rely on creating and abusing user trust, with humans still the weakest link in the chain. As we become more tuned into digital communications, we are becoming less likely to click on links in spam emails, prompting attackers to look for other ways to undermine system security.
One way to achieve this is to provide what seem to be useful and benign apps that also carry malware – these are hard to spot because you get to do what the app promises it will do, but you as a user are left in the dark when the malware also quietly undermines system security.
This kind of app spoofing is a growing problem on mobile platforms, but with Apple working to boost application development across Mac and iOS, it is already taking steps to protect its computer systems from similar forms of attack.
Think about OS X/Dok
It is likely Apple is also taking these steps as a response to 2017’s OSX/Dok malware attack, which tried to bypass Gatekeeper by shipping with numerous Developer IDs to fool the system. (There’s a good explanation of what this was up to here).
App Notarization should make it much harder for such exploits because Mac users will be much more aware that when they install an app that isn’t notarized then they are running a risk of installing unsafe software. At the end of the day, most legitimate developers will provide both a Developer ID and make the effort to notarize their app. If they don’t, then perhaps there’s another application that does.
The battle for application and platform security is unending, of course, and that’s why anyone using any device on any platform should never become complacent about security – and should also avoid use of any app or platform with a poor record in software patches, update distribution or timely security response.
This is the best report explaining the technology behind App Notarization from a developer’s point of view that I’ve come across: Eclecticlight.