Friday, November 4, 2011

Real Security in Mac OS X Requires Apple-Signed Certificates

Wil Shipley has an excellent post about the bigger picture:

The problem Mac developers are facing is that the two that Apple is enforcing on the Mac App Store (Sandboxing and Code Auditing) are implemented currently to be actively bad for developers and not particularly good for users. And the method that would provide the most benefit for developers and users (Certification) isn’t enforced broadly enough to be useful.

There are so many good paragraphs I was tempted to quote, but you should just read the whole thing.

2 Comments

From the Reaction and Updates section: "With a whitelist they have to go through the process of re-applying to be developers and lying to Apple and paying the annual fee, which slows them down and costs them a lot."

The cost argument is flawed. If the goal of malware developers were to make less than $37,000 a year, they would be iOS developers instead.

Also, the article does not highlight one point enough:

The only interest of the Sandbox protection is for hacking contests. It's not to protect against the actual malware programs.

It's like optimizing your OpenGL drivers for benchmarks.

[...] is, of course, Gatekeeper and the Developer ID—which are along the lines of the system that Wil Shipley proposed. The technology behind Gatekeeper is good and unsurprising. What’s important is how [...]
