Malicious Third-Party macOS Apps Could Appear to be Signed by Apple, Bypassing Security Measures


Apple has specific security tools in place to keep users safe from malicious apps, which is an ever-evolving and ongoing effort.

But sometimes exploits and workarounds are discovered that render those security tools inert or less effective. That appears to be the case in one specific situation, as reported by Ars Technica on Tuesday. According to the publication, researchers found that malicious third-party macOS apps could be made to appear as if they were signed by Apple, which made it possible for those apps to effectively bypass Apple’s built-in security checks.

Worse, it appears this has been an issue for almost 11 years, dating back to 2007.

The report indicates that it comes down to the tool Apple has used since 2007 to check digital signatures, which has basically been “trivial” to bypass up to this point. The upshot is that malicious apps could easily make it through the digital signature check, appearing to be approved by Apple’s own security checks and therefore looking like a trusted download to someone installing a new app on their Mac.

“Digital signatures are a core security function for all modern operating systems. The cryptographically generated signatures make it possible for users to know with complete certainty that an app was digitally signed with the private key of a trusted party. But, according to the researchers, the mechanism many macOS security tools have used since 2007 to check digital signatures has been trivial to bypass. As a result, it has been possible for anyone to pass off malicious code as an app that was signed with the key Apple uses to sign its apps.

The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple. At least eight third-party tools would show other non-signed executable code included in the same bundle as being signed by Apple, too. Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall, Yelp, OSXCollector, Carbon Black’s Cb Response, and several tools from Objective-See.”

Interestingly enough, it appears the root issue here is “unclear/confusing documentation”, according to Patrick Wardle, the developer behind the aforementioned Objective-See tools:

“‘To be clear, this is not a vulnerability or bug in Apple’s code… basically just unclear/confusing documentation that led to people using their API incorrectly,’ Wardle told Ars. ‘Apple updated [its] documents to be more clear, and third-party developers just have to invoke the API with a more comprehensive flag (that was always available).’”

The good news is that Apple has clarified the documentation, so the issue should be fixed now, if only over a decade later.
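The Fat/Universal slice problem described above, as an added example (not code from the article or from any of the tools it names): a small Python parser walks every fat_arch entry of a Fat binary and compares each slice’s SHA-256 against a constructed allow-list, contrasting the flawed first-slice-only check with one that requires every slice to pass, which is what the kSecCSCheckAllArchitectures flag does for Apple’s Security framework. The sample binary, the allow-list and the hash-based trust check are assumptions made for illustration; a real verifier validates each slice’s code signature rather than a hash.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE          # Fat/Universal header magic, big-endian
CPU_TYPE_X86 = 7                # i386 slice
CPU_TYPE_X86_64 = 0x01000007    # x86_64 slice
CPU_TYPE_POWERPC = 18           # PPC slice

def parse_fat(data):
    """Return [(cputype, slice_bytes), ...] for every slice, not just the first."""
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal binary")
    slices = []
    for i in range(nfat_arch):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        cputype, _subtype, offset, size, _align = struct.unpack(
            ">iiIII", data[8 + 20 * i: 28 + 20 * i])
        if offset + size > len(data):
            raise ValueError("slice %d runs past end of file" % i)
        slices.append((cputype, data[offset:offset + size]))
    return slices

def first_slice_only_trusted(data, trusted_hashes):
    """The flawed pattern: trust the file if its first Mach-O slice checks out."""
    _cputype, body = parse_fat(data)[0]
    return hashlib.sha256(body).hexdigest() in trusted_hashes

def all_slices_trusted(data, trusted_hashes):
    """The corrected pattern: every slice must pass, or the whole file fails."""
    slices = parse_fat(data)
    return bool(slices) and all(
        hashlib.sha256(body).hexdigest() in trusted_hashes for _, body in slices)

def build_fat(slices):
    """Assemble a Fat binary from [(cputype, bytes)] (helper for the constructed sample)."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)
    archs, bodies = b"", b""
    for cputype, body in slices:
        archs += struct.pack(">iiIII", cputype, 3, offset + len(bodies), len(body), 0)
        bodies += body
    return header + archs + bodies

# Constructed sample: a known-good x86_64 slice followed by an untrusted i386 slice.
GOOD_SLICE = b"\xcf\xfa\xed\xfe" + b"trusted-slice"    # 64-bit Mach-O magic + filler
ROGUE_SLICE = b"\xce\xfa\xed\xfe" + b"unsigned-slice"  # 32-bit Mach-O magic + filler
TRUSTED = {hashlib.sha256(GOOD_SLICE).hexdigest()}      # constructed allow-list
SAMPLE = build_fat([(CPU_TYPE_X86_64, GOOD_SLICE), (CPU_TYPE_X86, ROGUE_SLICE)])
```

Against SAMPLE the first-slice-only check reports the file as trusted while the all-slices check rejects it, which is exactly the gap the affected tools had.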

Our Take

Well, that could have been much worse, it seems. It might have taken Apple over ten years to clarify some documentation and fix the issue, but at least it’s fixed now.

[via Ars Technica]