According to a researcher, circumventing Gatekeeper is as easy as having a signed binary execute unsigned executables

Sep 30, 2015 13:35 GMT  ·  By

According to a report by Ars Technica, Apple's Gatekeeper, the OS X feature designed to block unsigned applications from being installed, can be circumvented with a very simple trick.

As Apple describes it, "if an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed."

However, as the security researcher discovered, Gatekeeper can be tricked into allowing malicious executables to run on a Mac by shipping them alongside a legitimate binary that was signed with a Developer ID certificate, the digital certificate Apple issues to any developer enrolled in its Developer Program.

As Apple says on the Apple Developer Program page, "Signing your Mac applications, plug-ins, and installer packages with a Developer ID certificate lets Gatekeeper verify that apps are not created by malware developers and haven't been tampered with since they were signed."

Signed OS X installers can be modified to install malicious binaries undetected by OS X's Gatekeeper feature

Nonetheless, as Patrick Wardle, Synack's Director of Research, has discovered, Gatekeeper only verifies the signature of the application the user opens. Once that check passes, it does not examine anything the application goes on to load or execute, so unsigned executables placed beside a signed one run freely: Gatekeeper has already marked the package as signed and safe.

Wardle said to Ars Technica that "If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says 'OK, I'm going to let this run,' and then Gatekeeper essentially exits."

Furthermore, "It doesn't monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory... Gatekeeper does not examine those files," according to the security researcher.
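The blind spot Wardle describes is that Gatekeeper checks one signature and then stops looking at the neighbouring files. The script below, an added example that is not code from the article or from the researcher, does the check Gatekeeper skips: it walks a directory (a mounted DMG, an unpacked app bundle) and flags every Mach-O image, thin or fat, that has no LC_CODE_SIGNATURE load command at all. The directory layout it scans is constructed in a temporary folder from minimal, non-runnable Mach-O headers so the example runs offline on any platform; the file names in it are invented. The script only tests for the presence of an embedded signature, not its validity or its chain to Apple, and it skips PowerPC-era byte-swapped images.

```python
"""Audit a directory (for example a mounted DMG) for Mach-O executables that carry no
embedded code signature: the check Gatekeeper skips once it has approved the signed app
the user opened.  Added example, not the article's code.  Assumes little-endian images."""
import os
import struct
import tempfile

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin image magics (little-endian)
FAT_MAGIC = 0xCAFEBABE                          # universal container magic (big-endian)
LC_CODE_SIGNATURE = 0x1D                        # load command that locates the signature

def _parse_thin(blob):
    """Return (is_macho, has_signature) for one thin Mach-O image."""
    magic = struct.unpack("<I", blob[:4])[0] if len(blob) >= 28 else 0
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        return False, False
    off = 32 if magic == MH_MAGIC_64 else 28   # mach_header_64 has an extra reserved field
    ncmds, sizeofcmds = struct.unpack("<II", blob[16:24])
    end = min(len(blob), off + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > end:
            break
        cmd, cmdsize = struct.unpack("<II", blob[off:off + 8])
        if cmd == LC_CODE_SIGNATURE:
            return True, True
        if cmdsize < 8:                        # malformed command; stop, don't loop forever
            break
        off += cmdsize
    return True, False

def _parse_fat(blob):
    """Return _parse_thin() results for every slice of a fat (universal) binary."""
    nfat = struct.unpack(">I", blob[4:8])[0]
    results = []
    for i in range(min(nfat, 20)):             # cap: Java .class files share this magic
        base = 8 + 20 * i
        if base + 20 > len(blob):
            break
        _, _, offset, size, _ = struct.unpack(">IIIII", blob[base:base + 20])
        results.append(_parse_thin(blob[offset:offset + size]))
    return results

def classify(blob):
    """Classify raw file bytes as 'not-macho', 'signed' or 'unsigned'."""
    if len(blob) < 8:
        return "not-macho"
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        slices = [s for s in _parse_fat(blob) if s[0]]   # keep only real Mach-O slices
        if not slices:
            return "not-macho"
        return "signed" if all(sig for _, sig in slices) else "unsigned"
    is_macho, signed = _parse_thin(blob)
    return "not-macho" if not is_macho else ("signed" if signed else "unsigned")

def find_unsigned(root):
    """Walk root and return the sorted paths of Mach-O files with no signature."""
    unsigned = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blob = fh.read()
            except OSError:
                continue
            if classify(blob) == "unsigned":
                unsigned.append(path)
    return sorted(unsigned)

# Constructed test data: minimal Mach-O headers, not runnable binaries.
def build_macho64(signed):
    cmds = struct.pack("<II", 0x19, 72) + b"\0" * 64         # LC_SEGMENT_64 stub
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
    return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2,  # x86_64, MH_EXECUTE
                       2 if signed else 1, len(cmds), 0, 0) + cmds

def build_fat(slices):
    offset, archs, body = 8 + 20 * len(slices), b"", b""
    for s in slices:
        archs += struct.pack(">IIIII", 0x01000007, 3, offset, len(s), 0)
        body, offset = body + s, offset + len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body

def demo_scan():
    """Lay out a directory like the attack's (signed app, unsigned helper beside it)
    and scan it; returns the base names of the files flagged."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"Signed.app/Contents/MacOS/Signed": build_macho64(True),
                  "Signed.app/Contents/MacOS/helper": build_macho64(False),  # payload
                  "Signed.app/Contents/Frameworks/Both.dylib":
                      build_fat([build_macho64(True), build_macho64(False)]),
                  "README.txt": b"not a binary\n"}
        for rel, data in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_unsigned(root)]
```

On a real Mac, point `find_unsigned` at the mounted image (for example `find_unsigned("/Volumes/SomeImage")`) and treat every hit as the unsigned payload this attack relies on. A hit means "no signature at all"; the converse does not mean "safe", so follow up on anything that passes with `codesign --verify --deep --strict` and `spctl --assess --type execute`, which also check that the signature is valid and chains to Apple. The fat case matters because a universal binary is only as trustworthy as its least-signed slice.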

As Wardle also reports, he notified Apple about the problem two months ago, and Apple has confirmed that its developers are working on a fix.