{"id":25065,"date":"2019-04-22T14:56:36","date_gmt":"2019-04-22T18:56:36","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=25065"},"modified":"2019-12-23T16:32:20","modified_gmt":"2019-12-23T21:32:20","slug":"the-true-and-false-security-benefits-of-mac-app-notarization","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/04\/22\/the-true-and-false-security-benefits-of-mac-app-notarization\/","title":{"rendered":"The True and False Security Benefits of Mac App Notarization"},"content":{"rendered":"<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/notarization.html\">Jeff Johnson<\/a> (<a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1120019311165411329\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/notarization.html\"><p>Notarization is a kind of two-factor authentication. In order to notarize an app, you first need to sign it with your Developer ID cert, but then you have to submit it to Apple using the Apple ID and password of your developer account. If your signing cert is compromised, that by itself would no longer be sufficient to distribute the app.<\/p><p>[&#8230;]<\/p><p>A myth has been spread that Developer ID certs can only be revoked in entirety, meaning that all versions of all apps signed with a Developer ID cert would be invalidated when the cert is revoked. Apple has contributed a bit to this myth[&#8230;]<\/p><p>[&#8230;]<\/p><p>The ability of Mac apps to update themselves shows that the notarization malware scan is security theater. Apple&rsquo;s notarization service scans for malware, but malware authors don&rsquo;t need to submit malware to Apple! They can submit a perfectly innocent app for notarization, get the app notarized, and then flip a switch on their own server to download a malware software update when the victim opens the &ldquo;innocent&rdquo; notarized app. 
The downloaded malware update doesn&rsquo;t need to be notarized, because the software updater will delete the quarantine attribute, thus bypassing Gatekeeper.<\/p><\/blockquote>\n<p>I guess the questions are:<\/p>\n<ul>\n<li>Is having to integrate something like Sparkle enough of a hurdle to <a href=\"https:\/\/twitter.com\/etresoft\/status\/1115626532230320132\">deter<\/a> malware authors?<\/li>\n<li>Can notarized malware convince users to update the app and download the actual malware?<\/li>\n<\/ul>\n<p>I suspect that the answers are &ldquo;no&rdquo; and &ldquo;yes.&rdquo; Apple presumably believes otherwise. (They are surely aware of this loophole, and I don&rsquo;t see why they would bother developing notarization if they didn&rsquo;t believe in it.)<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/notarization.html\">\n<p>The malware scan is unlikely to catch serious malware authors, but it does punish legitimate developers, because they have to submit their apps and then sit and wait for Apple&rsquo;s response, which Apple claims should take less than an hour (already too long), but in practice has taken much longer in some instances, according to developers I&rsquo;ve heard from. Just yesterday, Apple&rsquo;s <a href=\"https:\/\/developer.apple.com\/system-status\/\">Developer System Status<\/a> showed 2 outages of 90 minutes each with the Developer ID Notary Service. The whole point of distributing software outside the Mac App Store is to avoid problems like these, submitting to Apple for approval and waiting for their response, but now Apple is imposing those very same problems on software outside the App Store. 
If notarization is to be required at all, I think it should skip the security theater of malware checks and simply notarize the app on submission, a process that would be almost instantaneous.<\/p>\n<\/blockquote>\n<p>I&rsquo;m not sure that the malware scan is the reason that notarization can sometimes take a long time, because I&rsquo;ve had the same problem with &ldquo;Processing for App Store&rdquo; when submitting via App Store Connect.<\/p>\n<p>Besides the notary service being down, mandatory notarization is risky for developers because code signing requirements can change (and have changed) without warning and the malware scan might falsely block a legitimate app as malware. I&rsquo;m not sure what you&rsquo;re supposed to do in that case, but it would likely take a while. Developers know that when the App Store scanner falsely flags their app for violating a rule, contacting Apple through official channels rarely leads to a resolution. Instead, they have to act like an actual malware author and try to obfuscate their code to fool Apple&rsquo;s tools.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/04\/08\/macos-10-14-5-requires-new-developers-to-notarize\/\">macOS 10.14.5 Requires New Developers to Notarize<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2018\/12\/06\/mac-app-notarization-and-customer-privacy\/\">Mac App Notarization and Customer Privacy<\/a><\/li>\n<\/ul>\n\n<p id=\"the-true-and-false-security-benefits-of-mac-app-notarization-update-2019-04-23\">Update (2019-04-23): <a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1120750802409336838\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1120750802409336838\"><p>&ldquo;signing applications with your Developer ID certificate provides users with the confidence that your application is not known malware&rdquo;<\/p><p>Isn&rsquo;t that the exact same story we&rsquo;re being told again with notarization? 
Fool me once, shame on you, fool me twice&#8230;<\/p><\/blockquote>\n\n<p id=\"the-true-and-false-security-benefits-of-mac-app-notarization-update-2019-04-28\">Update (2019-04-28): <a href=\"https:\/\/twitter.com\/iTod\/status\/1121578975799783425\">Todd Ditchendorf<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/iTod\/status\/1121578975799783425\"><p>I fully appreciate the criticisms on this, but I can think of one good reason why Notarizing is not just Security Theater: It gives the responsible developer some &ldquo;confirmation&rdquo; that his app does not <em>unintentionally<\/em> contain malware. Like a mandatory virustotal dot com check.<\/p><\/blockquote>\n\n<p id=\"the-true-and-false-security-benefits-of-mac-app-notarization-update-2019-04-29\">Update (2019-04-29): <a href=\"https:\/\/twitter.com\/packagesdev\/status\/1122781004886872066\">Stephane<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/packagesdev\/status\/1122781004886872066\">\n<p>Strangely, I tend to remember that Apple was not able to detect XCodeGhost by itself and prevent infected iOS apps from entering the App Store. 
So why should we believe they would be more effective with the notarization process?<\/p>\n<\/blockquote>\n\n<p id=\"the-true-and-false-security-benefits-of-mac-app-notarization-update-2019-05-09\">Update (2019-05-09): <a href=\"https:\/\/twitter.com\/Freerunnering\/status\/1124130116290801665\">Kyle Howells<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/Freerunnering\/status\/1124130116290801665\">\n<p>App notarisation I think is the biggest threat to the Mac remaining the open app platform we know today.<\/p>\n<p>It can act as a Mac AppStore style, sandboxing and private API gate at the flick of a switch.<\/p>\n<p>And we all just have to hope Apple will never flick that switch.<\/p>\n<\/blockquote>\n\n<p id=\"the-true-and-false-security-benefits-of-mac-app-notarization-update-2019-05-10\">Update (2019-05-10): <a href=\"https:\/\/www.macworld.com\/article\/3393195\/why-the-mac-wont-end-up-locked-down-like-ios.html\">Jason Snell<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.macworld.com\/article\/3393195\/why-the-mac-wont-end-up-locked-down-like-ios.html\">\n<p>Yes, it&rsquo;s possible that Apple could use this approach to ban most third-party apps outside of the App Store, but I don&rsquo;t think that&rsquo;s the intent. Instead, I think this is yet another example of how Apple wants to gain some of the benefits of App Store-style security without forcing every piece of Mac software through the Mac App Store.<\/p>\n<\/blockquote>\n\n<p id=\"the-true-and-false-security-benefits-of-mac-app-notarization-update-2019-09-09\">Update (2019-09-09): <a href=\"https:\/\/twitter.com\/tclementdev\/status\/1170105585758539778\">Thomas Clement<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/tclementdev\/status\/1170105585758539778\">\n<p>Funny thing, someone notarized the latest version of my app and that&rsquo;s not me. Is it some random developer? 
Is Apple notarizing apps out there to avoid too much breakage?<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1170666718643085312\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1170666718643085312\"><p>My old blog post &ldquo;The true and false security benefits of Mac app notarization&rdquo; said that notarization is a kind of 2FA, but now we see that&rsquo;s false.<\/p><p>Any developer can notarize signed software, not just the owner of the Developer ID signing certificate.<\/p><p>This means that if someone has unauthorized access to your DevID cert (not the situation for Thomas, but other devs have had certs stolen), the unauthorized person can still notarize and distribute software using your cert without your knowledge or access to your AppleID.<\/p><\/blockquote>\n\n<p id=\"the-true-and-false-security-benefits-of-mac-app-notarization-update-2019-12-23\">Update (2019-12-23): <a href=\"https:\/\/lapcatsoftware.com\/articles\/notarization2.html\">Jeff Johnson<\/a> (<a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1208486854879789058\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/notarization2.html\"><p>In my previous article I claimed that notarization protects your Developer ID certificate from unauthorized use, because once your app is signed with the certificate, it also has to be uploaded to Apple&rsquo;s notary service using your Apple developer account, which itself requires 2FA. Consequently, unauthorized distribution would require compromise of both your Developer ID certificate and your developer account, and you would still receive email notification of any notarization performed with your account, or indeed any changes whatsoever to your account, including change of the email address associated with the account. 
Nobody can notarize an app using your account without your knowledge.<\/p>\n<p>My mistake was assuming that a Mac app signed with your Developer ID certificate would have to be notarized with <em>your<\/em> Apple developer account. [&#8230;] It seems that anyone with an Apple developer account can notarize any signed Mac app, even if the signer and the notarizer have no knowledge of each other.<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/12\/19\/apple-platform-security-guide-fall-2019\/\">Apple Platform Security Guide (Fall 2019)<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Jeff Johnson (tweet): Notarization is a kind of two-factor authentication. In order to notarize an app, you first need to sign it with your Developer ID cert, but then you have to submit it to Apple using the Apple ID and password of your developer account. If your signing cert is compromised, that by itself [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-04-22T18:56:39Z","apple_news_api_id":"7220c74f-029c-4350-9746-93cf1c96b5c2","apple_news_api_modified_at":"2019-12-23T21:32:24Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAADA==","apple_news_api_share_url":"https:\/\/apple.news\/AciDHTwKcQ1CXRpPPHJa1wg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[466,465,653,30,39,1609,504,1842,71,48,226],"class_list":["post-25065","post","type-post","status-publish","
format-standard","hentry","category-technology","tag-codesigning","tag-gatekeeper","tag-itunes-connect","tag-mac","tag-macappstore","tag-macos-10-14","tag-malware","tag-notarization","tag-programming","tag-security","tag-xcode"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/25065","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=25065"}],"version-history":[{"count":12,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/25065\/revisions"}],"predecessor-version":[{"id":27669,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/25065\/revisions\/27669"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=25065"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=25065"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=25065"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}