Fortify Yourself and Your Mac

It’s time to step up the security game with a bit more information and more choices to make in ways that keep marauders out (with one loophole), and that let you protect data entering and leaving your Mac. This will include using, purchasing, or subscribing to third-party software, something I suggest sparingly, but that is critical in this case.

In this chapter, I dig into Gatekeeper, Apple’s built-in software integrity system hinted at back in Control Which Apps Launch, and now spread out so you can better understand it—and how to override it.

I also dive into anti-malware software, and why a modern Mac user who may have skipped it for decades should consider it in 2021 and beyond. Finally, I look at Apple’s new anonymized relay service for Safari browsing that’s part of iCloud+, and help you understand whether a virtual private network (VPN) offers the kind of umbrella protection you want for all internet usage outside of the home or office.

Apple Protects with Gatekeeper

Apple hides one of its most powerful features behind two radio buttons in System Preferences > Security & Privacy > General (Monterey and earlier) or System Settings > Privacy & Security (Ventura). Earlier, in Control Which Apps Launch, I introduced those buttons. But now it’s time to dig in to understand what Apple manages behind the scenes to protect you against malicious software.

The point of knowing more is twofold: First, to recognize when something’s gone wrong. Second, to bypass protections in the limited cases in which you need to.

Manage App Sources

Apple has offered an important security feature called Gatekeeper in its operating system releases dating back to Mac OS X 10.7.5 Lion. I alluded to it earlier in Control Which Apps Launch. Gatekeeper affects how you install and use software.

Gatekeeper examines downloaded apps when they are first launched, including custom installers from a developer. (Apple has a generic installer that most apps rely on.)

If you have set your app launch preference to App Store only, macOS tells you that you can’t open a given app (Figure 17). In Ventura, you can click Show in Finder to reveal the app.

Figure 17: The app is fine, but your preferences say “no.” (Ventura shown here.)

However, there’s a workaround if you want to be able to open just some of these apps. With Gatekeeper set to App Store only, go to System Preferences > Security & Privacy > General (Monterey and earlier) or System Settings > Privacy & Security (Ventura). You will see this message: “‘App Name’ was blocked from use because it is not from an identified developer.” That much we know. But there’s also an Open Anyway button to the right of this message.

In Monterey or earlier, Unlock the Pane or Setting, then click the button; in Ventura, click the button, then Unlock the Pane or Setting. Once that’s clicked, macOS launches the app with a new dialog that asks you to confirm you really, really want to open it (Figure 18).

Figure 18: You’re sure, right? You’re sure? Click Open. (Ventura shown here.)

Gatekeeper can also reject launching an app in these circumstances:

  • The app wasn’t notarized, an extra security check (explained below) that Apple made mandatory as of February 3, 2020.

  • You allow non-App Store apps to launch, but this app is unsigned, which means it hasn’t gone through the protections I describe next, which give an extra pass of validation, including notarization.

  • The app is or contains known malware or other harmful software, and Apple blocks it from running altogether.

  • Something is wrong with the app, such as it having been tampered with, and it won’t launch, and you will be warned.

Gatekeeper’s point is to prevent apps from running that, more or less, don’t digitally smell right according to multiple characteristics. Let’s dig into app signing and notarization so you understand the benefit that accrues.

If everything’s okay, macOS launches the software. For apps outside the App Store, you still have one more step: you’re informed the app was downloaded from the internet and told that it was cleared for takeoff, but you must click Open to proceed (Figure 19). This may seem like overkill, but it’s one additional way that Apple ensures you haven’t been tricked into running software you didn’t intend to.

Figure 19: After launching an app that’s valid to run, Apple still wants one more approval from you.

But, wait! There’s more! If you do not check “Don’t warn me when opening applications on this disk image,” macOS…warns you when you open the application, requiring yet another click of Open (Figure 20).

Figure 20: The final step on a journey of many clicks: this assures you really truly absolutely want to open this application.

Understand App Signing and Notarization

Each developer who has joined Apple’s $99-per-year Mac Developer Program receives their own digital certificate that serves as a unique identifier bound with cryptography to prevent tampering and impersonation. In the process of building an app in Apple’s Xcode development environment, the creator can use that certificate to sign the app.

This signature results from feeding the binary compiled version of the app—the actual code package that you install and that runs—through a hashing routine, an iterative cryptographic process that produces a modest-length number (the hash) that seems innocuous. However, hashing is designed so that if even a single byte is changed in the entire source material (here, the app)—even if the number 8 becomes the number 9—the resulting hash is dramatically different. With modern hashing algorithms, there’s no way for a malicious party to modify an app, sign it, and get the same signature as the valid app.

That hash is then countersigned by secret keys tied to certificates only Apple possesses, which lets macOS validate the signature and makes it impossible to forge the hash—otherwise, that would be a gaping loophole.

Notarization is a separate and distinct step that applies both to an app and any third-party components and libraries it makes use of. Notarized apps, non-Apple installers, kernel extensions, and other bits of code have been scanned by Apple for known malware and none was found. But it also includes other security scanning, such as ensuring apps and components are hardened, which means there’s no way for parts of the app to be swapped out by malicious software while they’re running.

Apple requires signing and notarization for apps in the App Store and those distributed directly by developers. App Store apps also go through review by human beings for content and purpose, which is separate from these automated scanning and signing operations.

A signed and notarized app doesn’t look any different to us, as users, from an unsigned app (whether notarized in part or whole), but it contains extra data that lets macOS determine:

  • Integrity: Whether the app has been changed since it was built

  • Identity: Which developer created (and signed) an app

  • Access: Which system resources the app may access

Each of these attributes helps to protect your security.

Let’s start with integrity. If an attacker were to modify an app after it was signed—for example, inserting malicious code while it sat on the developer’s web server or even after you started using it—Gatekeeper would notice the change, as the hash wouldn’t match, and it would prevent the app from running.

Next, suppose someone signed up for the Mac Developer Program and started delivering malicious software, signed with their certificate. The identity feature kicks in—once Apple discovers that the developer is distributing dangerous software, Apple can revoke that certificate, telling Gatekeeper not to let any software signed with that certificate launch. Gatekeeper checks with a revocation list every time an app launches to make sure it’s still valid.

The third aspect, access, involves system resources such as the Keychain. If you grant an app permission to store information in the Keychain or access it afterward, you don’t want to have to keep doing so every time you update the app.

But if you install a new version of an app that was signed with the same certificate, Gatekeeper considers it the “same” app for the purpose of allowing access to system resources, and you won’t be prompted for Keychain access again.

Conversely, if someone altered the app or gave you an unsigned and therefore unauthorized version, it wouldn’t be able to access your Keychain without your permission—in fact, Gatekeeper should prevent it from launching at all, because it won’t pass the signing test.
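The three checks just described (integrity, identity, and access), as an added example that is not part of the original book: a small Python model in which a SHA-256 hash stands for the app’s integrity value and an HMAC keyed with a per-developer secret stands in for the certificate signature (real Gatekeeper uses Apple-issued public-key certificates; the HMAC is an assumption so the example runs with only the standard library). The developer names, keys, and revocation list are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the developer certificate registry: a per-developer
# secret plays the role of the certificate's private key (assumption; real
# Gatekeeper verifies public-key signatures against Apple-issued certificates).
DEVELOPER_KEYS = {
    "Alice Corp": b"alice-corp-secret-key",
    "Mallory LLC": b"mallory-secret-key",
}

# Certificates Apple has revoked (constructed). Gatekeeper consults a revocation
# list at each launch, so a developer caught shipping malware is cut off.
REVOKED = {"Mallory LLC"}


def app_hash(app_bytes: bytes) -> str:
    """The integrity value: a SHA-256 digest of the compiled app."""
    return hashlib.sha256(app_bytes).hexdigest()


def sign_app(developer: str, app_bytes: bytes) -> dict:
    """What the developer's build step produces: the hash of the app plus a
    signature over that hash, carrying the developer's identity."""
    digest = app_hash(app_bytes)
    sig = hmac.new(DEVELOPER_KEYS[developer], digest.encode(), "sha256").hexdigest()
    return {"developer": developer, "hash": digest, "signature": sig}


def gatekeeper_check(app_bytes: bytes, signature: dict) -> tuple:
    """Model of the launch-time checks: identity first (known and unrevoked
    developer, signature verifies), then integrity (the bytes on disk still
    hash to the value that was signed). Returns (allowed, reason)."""
    developer = signature["developer"]
    if developer not in DEVELOPER_KEYS:
        return False, "unsigned or unknown developer"
    if developer in REVOKED:
        return False, "developer certificate revoked"
    expected = hmac.new(DEVELOPER_KEYS[developer],
                        signature["hash"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signature["signature"]):
        return False, "signature does not verify"
    if app_hash(app_bytes) != signature["hash"]:
        return False, "app modified after signing"
    return True, "ok"


def same_identity(sig_a: dict, sig_b: dict) -> bool:
    """The access rule: two builds signed by the same developer count as the
    same app for resource grants such as Keychain access."""
    return sig_a["developer"] == sig_b["developer"]


def demo() -> dict:
    """Run the three scenarios from the text on constructed app bytes."""
    original = b"AliceDrawPlus v1.0 compiled bytes ... version 8"
    sig = sign_app("Alice Corp", original)
    tampered = original.replace(b"8", b"9")   # a single byte changed
    update = b"AliceDrawPlus v1.1 compiled bytes"
    return {
        # Integrity: untouched app passes, one-byte change is refused.
        "original": gatekeeper_check(original, sig),
        "tampered": gatekeeper_check(tampered, sig),
        "hash_differs": app_hash(original) != app_hash(tampered),
        # Identity: a revoked developer's valid signature is still refused.
        "revoked": gatekeeper_check(update, sign_app("Mallory LLC", update)),
        # Access: an update from the same developer keeps the same identity.
        "update_same_identity": same_identity(sig, sign_app("Alice Corp", update)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```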

All of this reduces your risk of inadvertently running malicious software. However, if there’s an app that isn’t in the App Store and hasn’t gone through signing and notarization, there is one way to bypass Gatekeeper, which I explain next.

Override Gatekeeper

It’s increasingly rare, but you may download software from a developer’s site—typically free software that’s often developed by a group of volunteers—that isn’t signed and notarized.

While most developers consider Apple’s annual developer program fee and company oversight affordable and reasonable, some folks do not. They may be creating a small piece of utility software that’s maintained, but nobody in the group that produces it wants to either ask for donations or cough up the dough. Or they may find Apple’s oversight irksome and invasive, despite the advantage to users. Or they may have an interpretation of copyright that doesn’t match Apple’s policies, as with HandBrake, a video ripper with perfectly legitimate purposes.

If it’s not the above case, there are a few other reasons you might encounter an app Gatekeeper balks at:

  • You run a preliminary version of a new app that the developer simply hasn’t gotten around to signing yet.

  • You create your own app or standalone script (perhaps using Script Editor) and don’t want to (or don’t know how to) sign it.

  • You’ve downloaded malware. It isn’t signed because the developer doesn’t want to risk exposing their identity—and enabling Apple to revoke the certificate, thus preventing the app from being installed in the future.

Whatever the reason, if you launch an app that isn’t signed or is signed but not notarized, macOS explains the problem (Figure 21). Click OK—the only choice—and the app never completes launching.

Figure 21: When you run an unsigned app (left) or one that’s signed yet unnotarized (right), and that you haven’t previously approved, macOS informs you that it has been blocked from running.

Apple does let you install Mac software like this, but they don’t make it easy. There used to be an option in the Gatekeeper settings to disable Gatekeeper altogether; now, you have to use a manual bypass for any such app you want to launch on its first use.

Now that I’ve filled your head with warnings and ways to check you’re not making a mistake, here’s how to bypass Gatekeeper:

  1. Find the application in the Finder.

  2. Control-click or right-click the app and choose Open from the contextual menu.

  3. When you do this—and only when you do this—the dialog that appears (Figure 22) has an Open button. Click it.

Figure 22: When you use the special contextual menu trick to override Gatekeeper, you get a variation on the previous dialog with an Open button—that’s the key to letting the app run (Unsigned, left; unnotarized, right).

Keep Malware off Your Mac

Malware describes a broad category of unwanted software that is installed without your explicit knowledge, and which carries out tasks beneficial to the operator and creator of the malware, and detrimental to you, your local network, your friends, family, and colleagues, and potentially strangers and even the whole of the internet.

Malicious software can be as “benign” as adware, which is bundled with software you intended to install, and which redirects your browser to a portal through which the adware’s creator earns commissions when you search or make purchases; or which overlays or replaces ads on pages you view to earn income on your stolen time (also effectively stolen from the sites you visit).

But it can also be quite hostile: it might encrypt all your files and demand a ransom (more on that below), delete your files, or use your computer to launch attacks. Malware often tries to find other devices reachable on the same network—devices that are often more susceptible to infiltration from a neighbor on the local network than to attacks launched over the internet—to infect them with the same software.

The main point is that you don’t want any software to run on your Mac that you aren’t aware of and haven’t given approval to run. Let’s look at malware by starting with the kinds of threats you face as a Mac user, then at measures Apple takes on your behalf and that you can engage in, and finish with how to decide whether to install anti-malware software and, if so, how to pick which app or service.

Apple Avoids the Worst

While the first widespread malware appeared on Macintoshes many, many years ago, Apple’s choices over the last 20-plus years have meant that Macs have been generally resistant to the most common vectors of attack that afflicted and still plague Android and Windows users, as well as people running servers of all types.

There are a lot of reasons for this, some of it due to system choices and some due to obscurity—the number of devices running each operating system.

Windows wasn’t designed with the internet in mind, nor the receipt of arbitrary emails from people outside an organization. For too many years, a successful exploit could hijack a machine when someone merely received (not even viewed) an email message or passively viewed a webpage. Microsoft has improved its security dramatically in Windows 10, the first release of which was 2015, but older versions—still in use on hundreds of millions of devices—still suffer from many attacks.

While Google built Android as a modern, Unix-based, internet-connected operating system, they made multiple interconnected errors that led to Android being highly insecure. Among other issues, they handed control to handset makers and carrier networks, making it difficult to push out security updates directly. They also rapidly revised and abandoned older versions, no longer releasing security updates, even while handsets were still being sold as new in the box that ran those versions. And despite the dangerous world into which Android was first launched in 2009, the OS seemed full of easily exploitable flaws that took years to move past. As with Windows, even if newer versions of Android are fairly secure (in relative terms), a billion older Android devices still remain on the market.

It’s in this space that Apple finds itself, with both iOS/iPadOS and macOS. Frankly, there are billions of better targets than any of those Apple operating systems. Apple didn’t have to engineer a system that was 10 times better than Windows, but just enough better—coupled with the substantially smaller number of Macs in use in the world—that malware creators targeted the low-hanging fruit instead.

While Apple has sold a lot of iPhones and iPads (and some iPod touches), Android and forked-Android phones and tablets (forked ones use open-source-derived variants) outweigh iOS and iPadOS copies by roughly three to one—and Apple patches security flaws quickly.

Remember the old joke about a bear rushing towards two campers woken from slumber: one stops to put on his shoes. The other says, “You can’t outrun the bear!” The other replies, “I only have to outrun you.” Apple always ties its shoes.

Understand the Kinds of Malware

Malware and its enablers come in a lot of varieties, and it’s worth knowing the terminology before we dig into what to focus on resisting with your time and money. Here’s a primer:

  • Virus: Malware that injects itself inside existing software, and executes whenever that software runs. It can spread by software being copied, such as an app being corrupted by a virus on a download site, so everyone who downloads receives and runs an infected version. A virus can be a payload of a worm or Trojan horse, which install the virus.

  • Worm: Worms are free-standing malware that can spread themselves across a network, and may install other malware, such as viruses. The world’s first widespread malware was a worm.

  • Trojan horse: Malware masquerading as legitimate or desirable software that a user installs. It may result in freestanding malignant software or a virus inserted into otherwise valid software.

  • Phishing: A technique of convincing someone, typically via email, to hand over personal details, particularly payment information, by sending them to a malicious webpage that’s a close copy of a credible site.

  • Ransomware: Malware that targets user document files and encrypts them with a key that is discarded and only the attacker has access to. The attacker demands money to provide the key.

  • Bots: A bot is not a “robot,” but automated software that performs automated activity on behalf of its owner, which can include coordinated attacks against websites or servers, illegitimately clicking ads, or sending spam email.

The most likely scenario for a Mac user to be infected by malware is through a series of seemingly innocent, chained actions: phishing, Trojan horse, virus, and ransomware. Often this has to be coupled with a form of understandable naïveté: bypassing Apple’s warnings and installing seemingly unknown software.

Let’s look at a likely scenario.

Bob’s Bluffed, Beaten

Because I don’t want you to feel targeted in this story, let’s call the victim Bob. Bob is checking his email in Apple Mail or a third-party email app. Because Apple Mail has always been quite resistant to in-mailer attacks and most other mail clients are the same, Bob’s not at risk by reading messages.

But Bob sees a message about a piece of software he uses regularly. “Get a free 90-day trial of the new version of AliceDrawPlus! Click this link, and download and install. Because this is a special trial version, right-click the installer and click Open to make sure it runs!” (Real phishing email is often not that grammatically correct or well targeted, but some is.)

Bob hasn’t read this book, so he isn’t thinking about unsigned software. Instead, he looks carefully at the email, which absolutely looks like other messages he’s received from Alice Corp. He downloads the file, bypasses Gatekeeper protections, and the Trojan horse he was phished to download runs and installs a virus.

But because the installer is running in Bob’s home directory, and not accessing or trying to install in a privileged location or make similar changes, it doesn’t trigger a request for an administrator password—although Bob might have entered that without worrying, too.

The software appears to install, but instead of launching, it claims there was a license problem, and the file was corrupted. “Check back in four weeks for another update!”

Meanwhile, as Bob continues to work, every file in his home folder, starting with Documents, is being copied in encrypted form to a new file and then the original deleted. He may have no notion it’s happening, particularly if he has an SSD and can’t hear a hard drive working away like mad, though his fan might spin up unexpectedly.

A few hours pass and Bob tries to open a file. It has a strange extension. It won’t open in the app that created it, but when he double-clicks the file, he gets a message that explains all his files are encrypted (Figure 23), he needs to pay up, or the decryption key will be thrown away and his files lost forever.

Figure 23: A typical ransomware pop-up, providing details about what’s happened, how to pay—and a deadline (via Cisco Talos).

Bob’s been attacked by ransomware, and his only way out may come if he has a backup history—or wants to pay the Bitcoin or other cryptocurrency the criminal demands.

Ransomware Is Your Biggest Worry

While our theoretical friend Bob was fooled into installing malicious software and bypassing protections, the risk to real people isn’t quite as straightforward as the above.

Before I dig in, I want to note that ransomware is your biggest worry, but ransomware remains nearly non-existent for macOS as Apple continues to crank up protections that make it increasingly unlikely to thrive—particularly while it’s easy to infect users of other platforms. I discuss several of these earlier in Apple Protects with Gatekeeper and later in System File Protections.

The reason I characterize it as the biggest worry is that it’s so blessedly simple to create and provides easy rewards for those who deploy it. Macs aren’t inherently resistant to it, but it feels as if they were. That luck could change with the right (“wrong,” really) exploit and timing.

Ransomware can be rolled out en masse to millions of people, payments are quasi-anonymous to avoid easy tracking, and it’s effective against both naïve and some more experienced users, because it doesn’t seem like the way in which malware gets delivered and runs.

As noted above, when a ransomware app is launched, it encrypts all user files. The operation typically passes a file through an encryption algorithm and writes a new file with a new extension, and then it deletes the source file.

Depending on the attack, you may get a message on screen when it’s done, explaining what happened. Some ransomware embeds the message into every file, so double-clicking provides the same text.

Send hundreds to thousands of dollars in Bitcoin or similar virtual currency to a specified address—kind of like a semi-anonymous post-office box—by the specified date and the hijacker will give you the key to decrypt it. Fail to comply, and they throw away the key.

Ransomware works on the portion of macOS (and any afflicted operating system) that contains user files and for which file and folder permissions more or less all belong to the logged-in user, as well as the partitioned-off part of memory that runs programs, called user space.

This is distinct from the system files and kernel space that contains all the components of macOS and in which the operating system itself runs. While crackers want to subvert system files and have software run with the highest permissions, that’s a hard lift—and why bother, when you can just use ransomware instead?

Here’s the other thing that should reduce your blood pressure if I just raised it: it’s also remarkably easy to mitigate the effects of ransomware (or any malware) with a little prep and ongoing work that’s not likely to exhaust your patience or wallet. In the next two sections, I explain the basic and built-in measures to take, and then the option to get third-party help with anti-malware software that can actively resist ransomware attacks.

Protect Against Malware

Avoiding malware is a result of both preparation and ongoing vigilance and consistent behavior.

Apple’s Built-in Protections

Early in macOS’s history, Apple took a hands-off approach to malware, working to keep the system as free of exploits as possible, but leaving viral issues to third parties. That changed in OS X 10.6 Snow Leopard, when Apple added the first vestiges of XProtect, its file quarantine and anti-malware checker. It now has several often interlocking measures.

XProtect, Malware Removal Tool, and XProtect Remediator

XProtect offers just a single aspect of anti-malware software, which is that it protects against known exploits. Using a method that relies on a signature that identifies specific malware, XProtect from macOS 10.15 Catalina onward checks apps when first launched or after they’ve been modified, and whenever the list of signatures updates. Apple routinely pushes out updates, and will make emergency pushes off its schedule if necessary. If a compromised app is found, you’re alerted to take action.

The moment an exploit is found in the wild, these XProtect updates ensure that no macOS user connected to the internet after that point will be subject to the attack, even as Apple works on fixes to the software itself, which typically take longer to ship and which prevent future variant attacks that rely on the same weakness.

Apple also has macOS run the Malware Removal Tool (MRT) on a routine basis, which can both find and remove malware, including in documents. Because Apple provides only limited documentation about XProtect and doesn’t even mention MRT, it’s hard to know how they interact. Fortunately, Mac users have the previously mentioned Howard Oakley, one of the key independent people who finds and documents hidden system-level features.

Howard discovered Apple had added a new tool called XProtect Remediator that runs frequently and can both discover and remediate (take action on) any malware it finds. Apple updated macOS 10.15, 11 Big Sur, and 12 Monterey to add XProtect Remediator at the time of 12.3’s release. Howard lists the 13 pieces of extant malware that XProtect Remediator looks for and removes. The module scans briefly but routinely, indicating that Apple must have developed information in 2022 that these exploits remained active enough in the wild to become more aggressive in rooting them out.

Gatekeeper

I describe Gatekeeper extensively earlier, in Apple Protects with Gatekeeper, and it’s a great way to prevent potentially dangerous software from launching, even when you’ve been fooled into downloading a file you think is legitimate. Likewise, configuring Gatekeeper to App Store only for accounts you manage for other people—kids and others who want you to help them stay out of trouble—limits their potential exposure even more.

System Extensions

Big Sur changed how the system can be modified by extensions, as I explained in Manage System Extensions, which includes modifications to and monitoring of network traffic. As a result, even third-party software that’s notarized and signed has to declare to Apple what kind of networking it’s engaged in. Thus, a virus that somehow managed to insert itself into legitimate, signed software would still be unable to tap into your networked data without alerting you or causing errors.

Rapid Security Response

Starting in macOS 13 Ventura (and iOS 16/iPadOS 16), Apple added Rapid Security Response, a new method of pushing out vital security updates without requiring a full system update. These rapid releases can be installed automatically and don’t require a reboot. (To make sure this feature is enabled, see Keep Your Software Up to Date.)

Keep Good Backups

The easiest way to fight malware of all kinds and particularly ransomware is to have a constantly streaming backup made of your documents along with an archive or version history.

Ransomware attacks must occur at a point in time, and most of them aren’t subtle: they try to encrypt all potential files as fast as possible to avoid being detected and eradicated. While some malware can try to erase backups or you might discover it was installed six months ago and so your recent backups are equally subverted, ransomware requires a much shallower archive.

If you have any or all of the following, you can use anti-malware software to remove the ransomware; tune up your system to avoid future attacks; and then restore files:

  • Time Machine: Time Machine backups retain file versions as they’re modified, and updates are typically written every hour. Older files are only deleted after typically a few weeks and only when there’s pressure on available storage. You may be able to roll back your corrupted files to a snapshot just before the attack began.

  • Cloud backups: Backblaze and other incremental archiving services typically run continuously or frequently, and retain overwritten and deleted files for a period of time, usually no less than 30 days. Some services let you pay extra for a 1-year deletion window or one that lasts forever. Using the service’s tools, you can find the point before the attack and download an archive of pristine files.

  • Sync services: Services like Dropbox and others sync files as you modify them while retaining previous versions and deleted files, just like cloud backups. It can be a little trickier to grab all files from a point in time, but it’s doable.

  • Occasional offline clones: Obviously, if you clone your drive after a ransomware attack, the cloned version has the same problem as your live system. However, making regular clones that you store offline (not connected or powered up), or even offsite, can give you a revert position if you have a problem with other backups, even if you might lose some more recent file changes or emails.

Common Sense

As with everything in the world of security, all you can do is improve your odds. So, when it comes to malware, here are my recommendations. First, everyone (regardless of risk level) should do the following:

  • Install security updates rapidly: Apple pushes XProtect updates to your Mac and Rapid Security Responses (in Ventura), but you need to choose to install or set automatic installation for most security updates. Apple will often put out the word if there’s a really severe problem. See Keep Your Software Up to Date.

  • Trust your gut when it says “no”: If you receive an email that wants you to carry out an action, give it a few looks before proceeding. Don’t click unknown URLs. If you reach a site with a weird or dubious URL, close the tab immediately. Don’t enter your administrator password when you don’t know why it’s being asked.

  • Filter your mail: Email is one of the most common ways for malware to spread, and a good spam filter will zap it before it hits your inbox—or before you’re as naïve as I am sometimes!

  • Avoid software the origins of which you don’t know: Malware often spreads through sketchy or pirated software. If you don’t know who made an app or where it came from, or you know it should be paid for and you’re downloading a cracked or otherwise non-legitimate version, you are asking for trouble.

Firewalls and Network Monitoring

At one point, both editor Joe Kissell and I avidly recommended using firewall software. Apple’s built-in solution is fairly weak, so we’d suggest one of several third-party options, often bundled with anti-malware software. Up until a few years ago, it seemed like the biggest risk to a Mac user would be from a remote invader.

Turns out, not! Phishing, Trojan horses, stolen or misused developer certificates, and simple “hey, install this by typing in your administrator password” were the big vectors—and not very big at that.

As I explain earlier in Allow Network Access to Services, the best advice is to not enable network services you don’t need.

Pick Anti-Malware Software

Anti-malware software has a distinct weakness: it can’t protect against unknown threats. It’s 100% designed to keep out-of-date systems protected from well-known viruses and the like, and to as quickly as possible safeguard an up-to-date system from malware that has just been discovered and characterized. If you keep your Mac up to date all the time and never install software of any kind from the internet (besides the App Store) or software handed to you by other people, you can probably forgo anti-malware software, as malware has no real path to find you.

For everyone else, it’s worth considering. While a portcullis doesn’t protect a castle when it’s open, cutting the rope and dropping it is an effective way to keep hordes from rampaging through that front door. Likewise, automatic updates and scanning are terrific methods of ensuring you aren’t caught out with a prior or current exploit.

The best current anti-malware software helps you with five distinct issues:

  • Blocking already known and extant malware, including routinely scanning files on your Mac, drives you mount on your Mac, and attachments that arrive via email

  • Blocking phishing websites and those that host or link to malicious software, either loaded in the browser or as downloads

  • Identifying dubious behavior that might be fine, but you should review to be sure, such as opening a file or accessing a folder in an unexpected location

  • Blocking ransomware activities based on the way that ransomware functions, which I’ll discuss below

  • Preventing you from passing Windows viruses (see sidebar)

Ransomware is the odd one out in this whole discussion. While being the biggest likely threat to Mac users, it’s also by far the easiest to track. Ransomware operates by suddenly creating a mass of new, encrypted files and deleting ones with similar names. It’s rarely sophisticated; it just has to be launched by a user or through some method that lets it insert itself and run.

Some anti-malware software can detect this broad category of behavior because it’s so specific, and can lock down folders and prompt your response before more than one or a handful of files are locked away.
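The behavioral pattern just described (a burst of new high-entropy files appearing while originals with matching names disappear) is easy to show in code. This is an added example, not the book’s or any vendor’s code: the events, file contents and thresholds are constructed assumptions.

```python
"""Added example, not from the book: a small detector for the ransomware
pattern described above (a burst of new high-entropy files while originals
with matching names vanish). Events, contents and thresholds are constructed."""
import hashlib, math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents land well under 6, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def stem(path: str) -> str:
    """'docs/invoice.pdf.locked' and 'docs/invoice.pdf' share stem 'invoice'."""
    return path.rsplit("/", 1)[-1].split(".", 1)[0]
def detect_encrypt_and_delete(events, window=10.0, min_entropy=7.5):
    """Events are (seconds, action, path, data); data is None for deletes.
    Returns (new_path, deleted_path) pairs: high-entropy create near a same-stem delete."""
    deletes = [(t, p) for t, a, p, _ in events if a == "delete"]
    pairs = []
    for t, action, path, data in sorted(events, key=lambda e: e[0]):
        if action != "create" or shannon_entropy(data) < min_entropy:
            continue
        for td, dp in deletes:
            if abs(td - t) <= window and dp != path and stem(dp) == stem(path):
                pairs.append((path, dp))
                deletes.remove((td, dp))  # one deletion explains one create
                break
    return pairs

def is_suspicious(events, min_pairs=3):
    """Alert after a few replacements, before the folder is gone; one pair may be an editor."""
    return len(detect_encrypt_and_delete(events)) >= min_pairs

# Constructed sample data: deterministic pseudo-random bytes stand in for
# ciphertext, a short memo for an ordinary document.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
MEMO = b"Quarterly budget notes: review the travel line before Friday. " * 40
SAMPLE_EVENTS = [
    (0.0, "create", "docs/draft.txt", MEMO),            # benign save
    (1.0, "create", "docs/invoice.pdf.locked", CIPHERTEXT),
    (1.2, "delete", "docs/invoice.pdf", None),
    (1.5, "create", "docs/budget.xlsx.locked", CIPHERTEXT),
    (1.7, "delete", "docs/budget.xlsx", None),
    (2.0, "create", "docs/notes.txt.locked", CIPHERTEXT),
    (2.1, "delete", "docs/notes.txt", None),
    (3.0, "delete", "docs/old.bak", None),               # unrelated cleanup
]
BENIGN_EVENTS = [SAMPLE_EVENTS[0], SAMPLE_EVENTS[-1]]
```

A real product hooks file-system events in the kernel and locks the affected folder on the first alert; this toy only scores a recorded event list.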

After all this, you might suspect I would have some strong recommendations about particular anti-malware software. The truth is, the packages change so frequently, and testing is such a specialized and difficult thing, that I typically refer people to the latest reviews at reputable sites, although I have a couple of packages that top my list.

Because of my association and background, I recommend Macworld’s constantly updated virus reviews as a great starting point. Their current recommendations for paid and free solutions are the same as mine were a couple of years ago, too, and still seem solid:

  • Paid: Sophos Home Premium for Mac. This package includes robust anti-ransomware pattern monitoring and all the usual anti-virus stuff for just $59.99 a year for any combination of 10 Macs and PCs. (It’s often discounted, too.)

  • Free: AVG Antivirus for Mac. While free is often worth only as much as you paid, AVG provides this baseline security tool as a come-on for its paid offerings. But it stands apart in providing web, email, and drive protection using the same virus-signature database as the paid version. It does not have active ransomware protection, so it’s useful only against known malicious software you or a loved one downloads unintentionally.

Protect Anonymity via a Private Relay

Apple’s iCloud Private Relay lets you browse in Safari while disclosing as little about yourself to parties between you and a website and to the website itself as possible. It’s probably best called a privacy-protecting, anonymity-preserving service as it makes a good effort at both privacy and anonymity without going all out.

Anonymized browsing lets you access websites without disclosing who you are and where you are. This notion is sometimes called onion routing after the Tor Project’s core protocol: TOR once stood for The Onion Router, and its active use dates back nearly two decades.

When you connect to a server normally in a browser by entering a website address or clicking a link, your browser performs two actions:

  • First, it has to look up the server’s address. DNS (Domain Name Service) is the bit of internet plumbing that converts human-readable addresses, like takecontrolbooks.com, into IP addresses used for the actual connection, like 173.255.252.203. That DNS query is typically unencrypted and reveals the website that you’re browsing.

  • Next, your browser sends a query to the site that returns a webpage in HTML form. With an HTTPS connection, the query and the page are encrypted, but the size of the page, frequency of queries, number of queries, and other data can be inferred or measured by a snooper on your network or at an intermediate point. Further, your behavior on the site allows a website to learn a lot about you even if you haven’t given them permission or set up an account.

With iCloud Private Relay active, Apple routes your information through two proxies, or intermediate servers. They sit between you and the website and pass along information in both directions. The relay service uses both an ingress proxy and an egress proxy:

  • The ingress server doesn’t know what site you’re requesting something from. It doesn’t know your DNS request.

  • The egress server knows the destination, but has no idea which IP address or device made the request (Figure 24).

Figure 24: Apple’s simplified schematic of the service shows how the IP address is known only to the ingress proxy, while the egress proxy (and website) learn of the request you’re making.

Here’s how it works:

  • On your Mac (or iPhone or iPad), Safari wants to request something from a web server. This can be retrieving a webpage’s HTML or anything linked on a page, like images, scripts, or video streams.

  • Safari opens an encrypted connection to an ingress server that also contains an encrypted version of the request, including the DNS lookup. The ingress server knows the incoming IP address and can use that connection to tunnel back the response from the server. The ingress server doesn’t learn the website name or request.

  • The ingress server passes just the request on to an egress server. The egress server decrypts the DNS and website request, but has no idea of the original IP address or anything about the device on which Safari is running that made the request.

  • The egress server makes the request to the website using an IP address that’s randomly chosen from the general area you’re in or, if you choose, only the same country and time zone.

  • The egress server receives the response from the website and passes it back to the ingress server, which in turn passes it back to your copy of Safari.
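To make the split of knowledge concrete, here is an added, stdlib-only model of the two-hop exchange just described. It is not Apple’s code: real Private Relay uses TLS, public-key cryptography and blinded access tokens, whereas this model assumes a key shared only by the client and the egress proxy, a toy HMAC-based stream cipher, and a fake web server, all constructed for illustration.

```python
"""Added example: a model of the two-hop relay described above. Not Apple's
code. Assumptions: a key shared only by client and egress proxy stands in for
the real public-key machinery; keystream_xor is a toy cipher; fake_fetch and
the addresses are constructed."""
import hashlib, hmac, json

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Symmetric, so the
    same call decrypts. Illustrative only, not a production construction."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

class IngressProxy:
    """Sees who is connecting, forwards an opaque blob it cannot read."""
    def __init__(self, egress):
        self.egress, self.seen = egress, []
    def handle(self, client_ip, nonce, blob):
        self.seen.append({"client_ip": client_ip, "blob_hex": blob.hex()})
        return self.egress.handle("ingress-proxy", nonce, blob)  # no client IP

class EgressProxy:
    """Decrypts the request and fetches it; only knows the ingress hop."""
    def __init__(self, key, fetch):
        self.key, self.fetch, self.seen = key, fetch, []
    def handle(self, peer, nonce, blob):
        req = json.loads(keystream_xor(self.key, nonce, blob))
        self.seen.append({"peer": peer, "host": req["host"]})
        return self.fetch(req["host"], req["path"])

def relay_request(client_ip, host, path, key, ingress, nonce=b"nonce-001"):
    """Client side: wrap host/path so only the egress proxy can read them."""
    blob = keystream_xor(key, nonce, json.dumps({"host": host, "path": path}).encode())
    return ingress.handle(client_ip, nonce, blob)

# Constructed demo wiring: a fake web server behind the egress proxy.
KEY = hashlib.sha256(b"client-egress shared secret (constructed)").digest()
def fake_fetch(host, path):
    return f"200 OK from {host}{path}"
EGRESS = EgressProxy(KEY, fake_fetch)
INGRESS = IngressProxy(EGRESS)
```

After one request, INGRESS.seen holds the client IP but no hostname, and EGRESS.seen holds the hostname but only “ingress-proxy” as its peer.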

You should use iCloud Private Relay whenever you want your browsing behavior to be known almost entirely to yourself. That might be most or all of the time. If you have an account on a server or need to preserve state over a period of time while browsing, you need to disable iCloud Private Relay for that period.

If you have trouble accessing a site with the relay on, or want to disable it to make your IP address visible to a single site, Apple added an option to Safari 16.2 for Monterey and Ventura (and in iOS 16.2/iPadOS 16.2) to disable the relay temporarily. When viewing a site, choose View > Reload and Show IP Address. iCloud Private Relay remains disabled in that tab as long as it’s open or until you reload it or navigate away from the current domain. (Previously, you had to disable the relay altogether.)

Turning on iCloud Private Relay is a breeze: go to System Preferences > Apple ID > iCloud (Monterey and earlier) or System Settings > Account Name > iCloud (Ventura) and enable Private Relay. Once it’s enabled, you can click to turn it off, or click Options, where you’ll also find one more choice.

You can optionally set the coarseness of the IP address that the egress server offers to a website by tapping IP Address Location (Figure 25):

  • “Maintain general location” picks an IP address that represents your rough area. This would allow a retail site to offer locations relatively near you if you shared your location.

  • “Use country and time zone” randomly selects an IP address that meets those criteria to provide an extremely rough match that will ensure you’re offered services appropriate for your region.

Figure 25: You can tune Private Relay to disguise your whereabouts in a coarse or very coarse manner.

iCloud Private Relay has a greater focus on anonymity and privacy than security, though it includes several elements to reduce your exposure. What if you want a more thorough way to be indecipherable in your use of the internet? Turn to a VPN.

Umbrella Protection with a VPN

A virtual private network (VPN) is a nifty way to prevent any sniffing of your local network hookup when you’re not using a trusted network, or when you prefer to add a layer of additional protection between you and the network or ISP through which you access the internet.

Understand the Workings of a VPN

A VPN creates what’s called an encrypted tunnel that extends between a device—a laptop, desktop, or mobile device like an iPhone or iPad—and a VPN server somewhere else on the internet. This lets your information traverse any local network with protection as well as every node on the internet between you and the VPN server.

A VPN is about both security and privacy:

  • It’s a way to make a secure connection with remote resources—either from your Mac or to your Mac—with substantially less chance of interception.

  • All your data that passes over the connection is strongly encrypted, preventing a breach of privacy.

However, these advantages come with provisos. For corporations offering employees a VPN, it can extend the aegis of corporate security to remote devices: it creates a tunnel between your home or roaming devices and the ostensibly secure bosom of the company’s intranet and even data centers.

For individuals, that’s less the case, because a personal VPN only protects your connection and data from your Mac (or other device) to a data center somewhere on the internet where the VPN provider’s servers operate. From that data center to its destination, data is unprotected, but that’s typically just fine, because the main locus of risk is the local link: your home network, your ISP (not the ISP itself, but attackers who might target its systems), or a coffee shop where you might, someday, work again.

And because major internet sites—like Google, Apple, and the rest—have distributed sets of servers and even private links to big data centers, the hop from the VPN server to the destination network may be within the same building or close by.

It’s fine, too, because most services that we use routinely these days offer always-encrypted connections: websites, cloud storage, email, and so on. The VPN’s advantage is that any lingering site that isn’t encrypted gets the bonus of your VPN’s encryption, and unencrypted metadata (data about what exactly you’re doing or where you’re located) isn’t leaked along the way.

If this sounds good to you, VPN services are readily available—but you have to figure out how to pick one first.

Pick a VPN Service

Many, many companies offer VPN service as a free or paid offering, all with different limits. With paid services, you get more features and support, and typically pay either for a pass (for a period of time) or a subscription (like a month or a year).

With a VPN for hire, the connection you make—as noted above—runs from your device using the local Wi-Fi or cellular network, then goes through any intervening local area network routers and higher-level backbone routers. It winds up at one of the company’s VPN servers located in a data center, where it’s then sent over the open internet.

Because it’s exceedingly inexpensive for a supplier to set up a VPN service, many thousands of offerings exist, and it’s difficult to figure out which ones to trust.

I start with trying to find a reputable company, rather than seeing what features are offered in a VPN service, which are mostly comparable, or even before comparing pricing.

Several computing and mobile magazines and sites run VPN products through their paces and check privacy policies. If you’re looking for reviews, avoid sites named something like TopBestThings or TheBestVPNAppYouCanFind—these are typically paid-placement sites masquerading as objective review sites. Instead, go to Macworld, Wirecutter, PCWorld, or other well-known publications.

Apple’s updated privacy disclosure requirements are helpful for services that have their software in the Mac App Store, as you can see what services are promising in terms of tracking.

For all apps, I would find the company’s name, research the firm to see how long they’ve been in business, and check whether their Facebook page is riddled with negative comments and reviews—and how easy it is to find technical support. For services in the Mac App Store, you can also read reviews there.

Pricing Options for VPN Apps

Every VPN service is paying not just for servers and the overhead of staff and the like, but for the bandwidth you consume as well: every gigabyte you send through a VPN is 1 GB inbound and 1 GB outbound, and that has to be paid for somehow. Some users will consume 500 GB a month; others, a trickle.

Some VPN services offer free tiers that include bandwidth, and sometimes throughput limits. For instance, TunnelBear VPN (now owned by McAfee) has a 500 MB monthly limit on its free tier, while Hotspot Shield (once run by AnchorFree, now by Aura), has a 500 MB-per-day limit for its free service. Hotspot Shield also throttles bandwidth to 2 Mbps, while its paid tiers can peak at 1 Gbps.

For paid services, however, because the cost of bandwidth at data centers has plummeted, all the credible services I can find now include unlimited bandwidth, and variations tend to be on the maximum number of devices you can use with a plan. Costs are typically a few dollars for a day or week, about $10 per month, and about $100 per year. Many services have family plans or small-business plans that might be $130 to $150 per year for multiple users.

This pricing is fairly similar across all other professional-grade services. Some might be $10 to $20 less per year; others slightly more.

A number of VPN providers currently advertise on podcasts, so check to find if the company you want to sign up with offers a discount when you use a sponsorship code.

There are entirely free VPN services, not just ones that offer a free tier as a sort of advertisement and enticement for people to upgrade. My general opinion is that free is worth the price you paid for it: a free service has to pay its bills, which means it is showing you advertisements, examining your habits to sell for marketing purposes, or otherwise engaged in some kind of “monetizable” behavior. Free services also don’t have to make promises about availability or customer service. Do yourself a favor, and pay for a VPN.
