Do the Mac App Store and Gatekeeper provide sufficient protection?

Mac App Store and Gatekeeper

The next version of Apple’s Mac operating system, OS X Mountain Lion, is scheduled for release in July.

The new OS includes a feature called Gatekeeper that can be configured to allow only applications from the Mac App Store to run (the most restrictive choice) or only apps signed with a Developer ID, which includes but is not limited to Mac App Store apps (this is the default option).

A third choice allows all apps to run including unsigned ones, but Mountain Lion warns that this is the path of least security.

Apple touts Gatekeeper as a way to help you “keep your system free from malware.” Sophos’s Chester Wisniewski has previously expressed doubts as to how effective Gatekeeper will be at fulfilling this goal.

Though its approach may be somewhat flawed, Gatekeeper can nevertheless provide a bit of additional protection by encouraging users to download apps from the Mac App Store, which contains only apps that have been vetted by Apple.

Apple claims that by using the Mac App Store, “you’ll always have the latest version of every app you own.”

But what if apps in the Mac App Store are less secure than their non-App Store counterparts?

One week ago, Opera Software released version 12.00 of its Opera browser, which fixes a number of security vulnerabilities, some of them rather serious, that could lead to cross-site scripting or code execution. Opera Software also released a security-only update for the old version 11 of the browser, from 11.64 to 11.65.

Opera Software offers its browser for download from its site, and Apple also distributes the browser through its Mac App Store. A full week after the new version of Opera was released on the Web, the old and insecure version 11.64 is still being distributed in the Mac App Store.

An old and insecure version of Opera is being offered in the Mac App Store

This doesn’t just mean that new users of Opera who download it from the Mac App Store will get an outdated version.

Neither current users nor new users of the Mac App Store version of Opera will be prompted to download a newer and more secure version until the new version becomes available in the store. Apple requires that all apps distributed through the Mac App Store must only be updated via the store’s own update mechanism.

App Store with a crack

This is not the first time that an insecure version of Opera has been distributed through the Mac App Store.

In fact, there’s nearly always a delay of several days in between the release of the new version on Opera’s site and in the Mac App Store.

I have personally made Opera and Apple aware of this on multiple occasions, but they don’t seem to have learned their lesson.

Another app that I’ve observed is nearly always out of date in the Mac App Store is Amazon’s Kindle app.

Amazon Kindle App in the Mac App Store

Amazon doesn’t publicly share any release notes, so there’s no way to know whether the old version in the Mac App Store (1.8.1, which was released in October 2011) contains any security-related bugs that might have been patched in the current version (1.9.2, which was released this month).
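The Opera and Kindle cases above come down to the same check: the version string inside the installed bundle versus the version the vendor currently ships. The following script is an added example, not code from the original post, from Apple or from either vendor. It reads CFBundleShortVersionString from a bundle’s Info.plist, compares it numerically against a vendor-current version you supply (the “current” numbers are the ones quoted in the post; the Info.plist contents and the bundle identifier are constructed for the example), and reports whether the copy is outdated. It also looks for the `_MASReceipt/receipt` file that a Mac App Store download carries, so you can tell which of the two copies you actually have.

```python
import os
import plistlib
import re
from typing import Tuple

# Constructed sample Info.plist, in the shape a Mac app bundle keeps at
# Contents/Info.plist. Only the keys the check needs are present; the
# bundle identifier is made up, the version is the App Store copy of
# Opera described in the post.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
    <key>CFBundleShortVersionString</key>
    <string>11.64</string>
</dict>
</plist>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers.

    Comparing tuples rather than strings means 1.10 sorts after 1.9 and
    12.00 is not "less than" 11.64 just because "1" < "9" as characters.
    Trailing zero components are dropped so 12, 12.0 and 12.00 are equal;
    a non-numeric suffix such as "2b" contributes only its leading digits.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def installed_version(info_plist: bytes) -> str:
    """Return CFBundleShortVersionString from the raw bytes of an Info.plist."""
    return plistlib.loads(info_plist)["CFBundleShortVersionString"]


def is_outdated(installed: str, vendor_current: str) -> bool:
    """True when the installed version is numerically behind the vendor's."""
    return parse_version(installed) < parse_version(vendor_current)


def check_bundle(info_plist: bytes, vendor_current: str) -> dict:
    """Compare an Info.plist's version with the vendor's current release."""
    installed = installed_version(info_plist)
    return {
        "installed": installed,
        "current": vendor_current,
        "outdated": is_outdated(installed, vendor_current),
    }


def check_installed_app(bundle_path: str, vendor_current: str) -> dict:
    """Run the same check on a real .app bundle on disk (macOS only).

    A Mac App Store download carries a receipt at
    Contents/_MASReceipt/receipt; a copy downloaded from the developer's
    site does not, which is how you tell the two apart.
    """
    with open(os.path.join(bundle_path, "Contents", "Info.plist"), "rb") as fh:
        result = check_bundle(fh.read(), vendor_current)
    receipt = os.path.join(bundle_path, "Contents", "_MASReceipt", "receipt")
    result["from_app_store"] = os.path.exists(receipt)
    return result


if __name__ == "__main__":
    # Vendor-current versions as quoted in the post: Opera 12.00, Kindle 1.9.2.
    print(check_bundle(SAMPLE_INFO_PLIST, "12.00"))
    print("Kindle 1.8.1 behind 1.9.2:", is_outdated("1.8.1", "1.9.2"))
```

On a Mac you would call `check_installed_app("/Applications/Opera.app", "12.00")`; the sample plist lets the comparison logic run anywhere. The vendor-current version still has to come from the developer’s own site or release notes, which is exactly the information the App Store listing does not give you.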

Some versions of applications in the Mac App Store have limited functionality compared to their non-App Store counterparts.

ClamXav

For example, ClamXav is a freeware virus scanner based on the ClamAV engine. If you download the program from the developer’s site, it includes a built-in Sentry feature that allows you to manually configure on-download scanning for individual folders.

The Mac App Store version doesn’t include the Sentry feature because, according to the developer, “the App Store requirements stipulate that everything must be self-contained within the app.”

Thus, not only does the Mac App Store version of ClamXav have limited features, but this reduced functionality also hinders the program’s ability to protect your computer.

Also, the non-App Store version doesn’t include a code signature, so depending on how you have Gatekeeper configured, Mountain Lion might not even let you run the version of ClamXav that comes with the Sentry feature.

(You can, of course, get the full-featured Sophos Anti-Virus for Mac Home Edition for free. Sophos has announced that a fully Mountain Lion compatible version of the installer will be available soon.)

Interestingly, I found one developer (Celestial Teapot Software) whose applications were actually more up-to-date in the Mac App Store than on the developer’s own site. Score a point for the Mac App Store in this case, I suppose.

There are at least a few lessons that can be learned here:

1. Apple and developers need to be diligent about ensuring that versions of software in the Mac App Store are kept up-to-date, especially when new versions contain security improvements.

2. Those who download from the Mac App Store should research whether it makes more sense to obtain a particular app directly from the developer rather than through the Mac App Store. Depending on the app, there may be advantages to either option.

3. Users must not rely solely upon the security features built into their operating system.

Think about it: an attacker knows exactly what weaknesses exist in the platforms they target, which means they’ll do everything they can to sidestep the security measures built into the OS.

Users would be wise to take additional precautions such as using a full-featured anti-virus product from a trustworthy company and staying abreast of the latest computer security news.