Monday, November 7, 2022

Ventura App Management

WWDC 2022:

In addition to an integrity check, Gatekeeper will also prevent your app from being modified in certain ways.

The most common way apps are modified is for updates. Apps validly signed by the same developer account or team will continue to be able to update each other. This will just work.

To allow another development team to update your app or restrict updates to only your updater, you can update your Info.plist.


If an app is modified by something that isn’t signed by the same development team and isn’t allowed by an NSUpdateSecurityPolicy, macOS will block the modification and notify the user that an app wants to manage other apps.
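As an added example (not from Apple's session or from any shipping app), here is the shape of the Info.plist fragment that opts an app in to NSUpdateSecurityPolicy and permits a second team's installer package and updater process to modify the bundle; the Team ID and the package and bundle identifiers are placeholders.

```xml
<!-- Constructed example: excerpt from an app's Info.plist.
     "ABCDE12345", "com.partner.installer" and "com.partner.updater" are
     placeholders, not real Team IDs or identifiers. -->
<key>NSUpdateSecurityPolicy</key>
<dict>
    <!-- Installer packages (.pkg) allowed to replace this app, keyed by the
         Developer ID Team ID that signs the package, listing the package
         identifiers that may touch this app. -->
    <key>AllowPackages</key>
    <dict>
        <key>ABCDE12345</key>
        <array>
            <string>com.partner.installer</string>
        </array>
    </dict>
    <!-- Running processes allowed to modify this app's bundle, keyed by the
         Team ID that signs them, listing the permitted bundle identifiers. -->
    <key>AllowProcesses</key>
    <dict>
        <key>ABCDE12345</key>
        <array>
            <string>com.partner.updater</string>
        </array>
    </dict>
</dict>
```

Info.plist is sealed by the code signature, so after editing it check the file with `plutil -lint Info.plist` and then re-sign and re-notarize the app; a modification by anything outside this dictionary and not signed by the app's own team is what Ventura blocks and reports to the user.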

Jeff Johnson (tweet):

The modified Bonjeff app still launches successfully, which raises questions about Apple’s explanation of the feature. […] In my testing, the difference seems to be that Ventura will block the first launch of a modified notarized app even if the quarantine extended attribute (xattr) was removed from the app, whereas Monterey and earlier will only block the first launch if the modified notarized app is still quarantined.


It’s unclear how much of a barrier this poses to attacks, however, because the app could be allowed to run first unmodified before it’s then maliciously modified and run again. I’ve seen it claimed elsewhere that Ventura will block any launch of a notarized app if its code signature has been broken, but this is proven untrue in testing.


[Full] disk access automatically entails app management permission. This is true even if app management permission is disabled for Terminal in System Settings! So the user interface can be misleading. […] Consequently, any unsandboxed app is also granted app management permission on Ventura, because an unsandboxed app can “piggyback” on Terminal’s permissions by running a shell script in Terminal.

He’s also found an (undisclosed) App Management bypass that doesn’t require Full Disk Access.
