Gatekeeper (OS X)

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Gatekeeper logo.png
Developer(s) Apple Inc.
Initial release July 25, 2012 (2012-07-25)
Operating system OS X
Not to be confused with the third-party extension Gatekeeper for "classic" Mac OS.

Gatekeeper is a security feature of the OS X operating system by Apple.[1][2] It allows users to restrict which sources they can install applications from, in order to reduce the likelihood of inadvertently executing malware. It was originally introduced for OS X Mountain Lion and version 10.7.5 of its predecessor Mac OS X Lion.[3] Gatekeeper can also be activated on Lion as of version 10.7.3 via the command-line utility spctl.[4][5] The feature builds upon File Quarantine and code signing, which were introduced in Mac OS X Leopard.[6]



Screenshot of the System Preferences application of OS X Yosemite, showing the three Gatekeeper options as radio buttons.
Gatekeeper options in the System Preferences application.

In the security & privacy panel of System Preferences, users have three options:

Mac App Store
Allows only applications downloaded from the Mac App Store to be launched.
Mac App Store and identified developers
Allows applications downloaded from the Mac App Store and applications signed by certified Apple developers to be launched. This is the default setting since Mountain Lion.
Allows all applications to be launched. This is the default setting in Lion. In macOS Sierra, this option will no longer be provided.[7][8]

The command-line utility spctl provides granular controls, such as custom rules and individual or blanket permissions.[5]


Screenshot of a system alert, informing the user that the application cannot be opened, because it was not signed by a registered developer.
Screenshot of a system alert that appears when Gatekeeper prevents an application from running, because it was not signed by an Apple certified developer.

Upon download of an application, an extended file attribute ("quarantine flag") can be added to it.[9] This is typically done by the application that downloads the application, such as a web browser. When the user attempts to open such an application and it does not meet Gatekeeper's chosen criteria, then the system will refuse to open it and inform the user accordingly. To override Gatekeeper, the user (acting as an administrator) either has to switch to a more lenient option or has to authorize a manual override, either by opening the application from the context menu, from the security & privacy panel of System Preferences, or the command-line utility spctl. Once an application has passed Gatekeeper, it will be allowed to run normally and will not be verified again.[1][6]

When Apple identifies an application as malware, it can add the application to the known-malware list and prevent Gatekeeper from accepting it. In addition, Apple can revoke the developer's certificate with which the application was signed and prevent the developer from distributing additional copies or other malware. Applications that are already installed by the user will not be affected.[1][6]

At the Worldwide Developers Conference in June 2016, Apple announced that Gatekeeper in macOS Sierra will have two complementary mechanisms. Developers will be able to sign disk images that can be verified as a unit by Gatekeeper. This allows developers to guarantee the integrity of all bundled files and prevent attackers from infecting and subsequently redistributing them. In addition, a feature called "path randomization" will execute application bundles from a random, hidden path and prevent them from accessing external files relative to their location. This feature will be turned off, if the application bundle originated from a signed installer package or disk image or if the user manually moved the application without any other files to another directory.[7]


The effectiveness and rationale of Gatekeeper in combating malware have been acknowledged,[6] but been met with reservations. Security researcher Chris Miller noted that Gatekeeper will verify the developer certificate and consult the known-malware list only when the application is first opened. Malware that already passed Gatekeeper will not be stopped.[10] In addition, Gatekeeper will only verify applications that have the quarantine flag. As this flag is added by other applications and not by the system, any neglect or failure to do so does not trigger Gatekeeper. According to security blogger Thomas Reed, BitTorrent clients are frequent offenders of this. The flag is also not added if the application came from a different source, like network shares and USB flash drives.[9][10] Questions have also been raised about the registration process to acquire a developer certificate and the prospect of certificate theft.[11]

In September 2015, security researcher Patrick Wardle wrote about another shortcoming that concerns applications that are distributed with external files, such as libraries or even HTML files that can contain JavaScript.[7] An attacker can manipulate those files and through them exploit a vulnerability in the signed application. The application and its external files can then be redistributed, while leaving the original signature of the application bundle itself intact. As Gatekeeper does not verify such individual files, the security can be compromised.[12] With path randomization and signed disk images, Apple will provide mechanisms to mitigate this issue in macOS Sierra.[7]

See also[edit]


  1. ^ a b c "OS X: About Gatekeeper". Apple. February 13, 2015. Retrieved June 18, 2015. 
  2. ^ Siegler, MG (February 16, 2012). "Surprise! OS X Mountain Lion Roars Into Existence (For Developers Today, Everyone This Summer)". TechCrunch (AOL Inc.). Retrieved March 3, 2012. 
  3. ^ "About the OS X Lion v10.7.5 Update". Apple. February 13, 2015. Retrieved June 18, 2015. 
  4. ^ Ullrich, Johannes (February 22, 2012). "How to test OS X Mountain Lion's Gatekeeper in Lion". Internet Storm Center. Retrieved July 27, 2012. 
  5. ^ a b "spctl(8)". Mac Developer Library. Apple. Retrieved July 27, 2012. 
  6. ^ a b c d Siracusa, John (July 25, 2012). "OS X 10.8 Mountain Lion: the Ars Technica review". Ars Technica. pp. 14–15. Archived from the original on March 14, 2016. Retrieved June 17, 2016. 
  7. ^ a b c d "What's New in Security". Apple Developer (Video). June 15, 2016. At 21:45. Retrieved June 17, 2016. 
  8. ^ Cunningham, Andrew (June 15, 2016). "Some nerdy changes in macOS and iOS 10: RAW shooting, a harsher Gatekeeper, more". Ars Technica UK. Archived from the original on June 16, 2016. Retrieved June 17, 2016. 
  9. ^ a b Reed, Thomas (October 6, 2015). "Bypassing Apple's Gatekeeper". Malwarebytes Labs. Retrieved June 17, 2016. 
  10. ^ a b Foresman, Chris (February 17, 2012). "Mac developers: Gatekeeper is a concern, but still gives power users control". Ars Technica. Retrieved June 18, 2015. 
  11. ^ Chatterjee, Surojit (February 21, 2012). "OS X Mountain Lion Gatekeeper: Can it Really Keep Malware Out?". International Business Times. Retrieved March 3, 2012. 
  12. ^ Goodin, Dan. "Drop-dead simple exploit completely bypasses Mac’s malware Gatekeeper". Ars Technica. Archived from the original on March 20, 2016. Retrieved June 17, 2016.