{{short description|Security feature of macOS}} {{Hatnote|Not to be confused with the third-party extension Gatekeeper by Chris Johnson for "classic" Mac OS.}} {{Use mdy dates|date=October 2013}} {{Infobox software | name = Gatekeeper | logo = Gatekeeper logo.png | developer = Apple Inc. | released = {{Start date|2012|7|25}} | operating system = macOS }} '''Gatekeeper''' is a security feature of the macOS operating system by Apple.<ref name=":0">{{Cite web|url = https://support.apple.com/en-us/HT202491|title = OS X: About Gatekeeper|date = February 13, 2015|access-date = June 18, 2015|website = Apple}}</ref><ref>{{cite news|url=https://techcrunch.com/2012/02/16/os-x-mountain-lion/|title=Surprise! OS X Mountain Lion Roars Into Existence (For Developers Today, Everyone This Summer)|last=Siegler|first=MG|date=February 16, 2012|work=TechCrunch|publisher=AOL Inc.|access-date=March 3, 2012}}</ref> It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. Gatekeeper builds upon '''File Quarantine''', which was introduced in Mac OS X Leopard (10.5) and expanded in Mac OS X Snow Leopard (10.6).<ref name=":2">{{Cite web|url=https://arstechnica.com/apple/2012/07/os-x-10-8/14/#gatekeeper|title=OS X 10.8 Mountain Lion: the Ars Technica review|last=Siracusa|first=John|date=July 25, 2012|website=Ars Technica|pages=14–15|archive-url=https://web.archive.org/web/20160314044507/http://arstechnica.com/apple/2012/07/os-x-10-8/14/|archive-date=March 14, 2016|url-status=live|access-date=June 17, 2016}}</ref><ref>{{Cite web |url=http://www.thesafemac.com/mmg-builtin/|title=Mac Malware Guide : How does Mac OS X protect me? |last=Reed |first=Thomas |date=April 25, 2014 |website=The Safe Mac|access-date=October 6, 2016 |url-status=dead |archive-url=https://web.archive.org/web/20161006175434/http://www.thesafemac.com/mmg-builtin/ |archive-date=October 6, 2016}}</ref> The feature originated in version 10.7.3 of Mac OS X Lion as the command-line utility {{mono|spctl}}.<ref>{{cite web |url = http://isc.sans.edu/diary.html?storyid=12631|title = How to test OS X Mountain Lion's Gatekeeper in Lion|first = Johannes|last = Ullrich|date = February 22, 2012|access-date = July 27, 2012|website = Internet Storm Center}}</ref><ref name=":1">{{cite web|url=https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/spctl.8.html|title=spctl(8)|website=Mac Developer Library|publisher=Apple|access-date=July 27, 2012}}</ref> A graphical user interface was originally added in OS X Mountain Lion (10.8) but was backported to Lion with the 10.7.5 update.<ref>{{cite web|url = http://support.apple.com/kb/HT5313|title = About the OS X Lion v10.7.5 Update|access-date = June 18, 2015|date = February 13, 2015|website = Apple|archive-date = September 22, 2012|archive-url = https://web.archive.org/web/20120922075451/http://support.apple.com/kb/HT5313|url-status = bot: unknown}}</ref>

==Functions==

=== Configuration === [[File:Gatekeeper.png|alt=Screenshot of the System Preferences application of OS X Yosemite, showing the three Gatekeeper options as radio buttons.|frame|Gatekeeper options in the System Preferences application. Since macOS Sierra, the "Anywhere" option is hidden by default.]] In the security & privacy panel of System Preferences, the user has three options, allowing apps downloaded from: {{Glossary}} {{Term|Mac App Store}} {{Defn|Allows only applications downloaded from the Mac App Store to be launched.}} {{Term|Mac App Store and identified developers}} {{Defn|Allows applications downloaded from the Mac App Store and applications signed by certified Apple developers to be launched. This is the default setting since Mountain Lion.}} {{Term|Anywhere}} {{Defn|Allows all applications to be launched. This effectively turns Gatekeeper off. This is the default setting in Lion. Since macOS Sierra (10.12) this option is hidden by default.<ref name=":3">{{Cite web|url=https://developer.apple.com/videos/play/wwdc2016/706/|title=What's New in Security|date=June 15, 2016|website=Apple Developer|at=At 21:45|type=Video|access-date=June 17, 2016}}</ref><ref>{{Cite web|url=http://arstechnica.co.uk/apple/2016/06/ios-10-macos-sierra-changes-raw-shooting-gatekeeper/|title=Some nerdy changes in macOS and iOS 10: RAW shooting, a harsher Gatekeeper, more|last=Cunningham|first=Andrew|date=June 15, 2016|website=Ars Technica UK|archive-url=https://web.archive.org/web/20160616184734/http://arstechnica.co.uk/apple/2016/06/ios-10-macos-sierra-changes-raw-shooting-gatekeeper/|archive-date=June 16, 2016|url-status=live|access-date=June 17, 2016}}</ref>}} {{Defn|However, this option can be re-enabled by using the 'sudo spctl --global-disable' command from the Terminal and authenticating with an admin password.}} {{Glossary end}}

The command-line utility {{mono|spctl}} provides granular controls, such as custom rules and individual or blanket permissions, as well as an option to turn Gatekeeper off.<ref name=":1" />

=== Quarantine === Upon download of an application, a particular extended file attribute ("quarantine flag") can be added to the downloaded file.<ref name=":4">{{Cite web|url=https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/|title=Bypassing Apple's Gatekeeper|last=Reed|first=Thomas|date=October 6, 2015|website=Malwarebytes Labs|access-date=June 17, 2016}}</ref> This attribute is added by the application that downloads the file, such as a web browser or email client, but is not usually added by common BitTorrent client software, such as Transmission, and application developers will need to implement this feature into their applications and is not implemented by the system. The system can also force this behavior upon individual applications using a signature-based system named Xprotect.<ref name=":6">{{Cite web|url=http://www.macworld.com/article/1142457/snowleopard_malware.html|title=Inside Snow Leopard's hidden malware protection|last=Moren|first=Dan|date=August 26, 2009|website=Macworld|access-date=September 30, 2016}}</ref>

=== Execution === [[File:Gatekeeper alert.png|alt=Screenshot of a system alert, informing the user that the application cannot be opened, because it was not signed by a registered developer.|frame|Screenshot of a system alert that appears when Gatekeeper prevents an application from running, because it was not signed by an Apple certified developer]] When the user attempts to open an application with such an attribute, the system will postpone the execution and verify whether it: * is blacklisted, * is code-signed by Apple or a certified developer, or * has code-signed contents that still match the signature.

Since {{Nowrap|Mac OS X}} Snow Leopard, the system keeps two blacklists to identify known malware or insecure software. The blacklists are updated periodically. If the application is blacklisted, then File Quarantine will refuse to open it and recommend that the user drag it to Trash.<ref name=":6" /><ref>{{Cite web|url=https://support.apple.com/HT201940|title=About the 'Are you sure you want to open it?' alert (File Quarantine / Known Malware Detection) in OS X|date=March 22, 2016|website=Apple Support|archive-url=https://web.archive.org/web/20160617155624/https://support.apple.com/en-us/HT201940|archive-date=June 17, 2016|url-status=live|access-date=September 30, 2016}}</ref>

Gatekeeper will refuse to open the application if the code-signing requirements are not met. Apple can revoke the developer's certificate with which the application was signed and prevent further distribution.<ref name=":0" /><ref name=":2" />

Once an application has passed File Quarantine or Gatekeeper, it will be allowed to run normally and will not be verified again.<ref name=":0" /><ref name=":2" />

=== Override === To override Gatekeeper, the user (acting as an administrator) either has to switch to a more lenient policy from the security & privacy panel of System Preferences or authorize a manual override for a particular application, either by opening the application from the context menu or by adding it with {{mono|spctl}}.<ref name=":0" /> Starting with macOS 15 (Sequoia) the user additionally has to go to "System Settings / Privacy & Security" then scroll down to the bottom and select "Open Anyway".

=== Path randomization === Developers can sign disk images that can be verified as a unit by the system. In macOS Sierra, this allows developers to guarantee the integrity of all bundled files and prevent attackers from infecting and subsequently redistributing them. In addition, "path randomization" executes application bundles from a random, hidden path and prevents them from accessing external files relative to their location. This feature is turned off if the application bundle originated from a signed installer package or disk image or if the user manually moved the application without any other files to another directory.<ref name=":3" />

== Implications == The effectiveness and rationale of Gatekeeper in combating malware have been acknowledged,<ref name=":2" /> but been met with reservations. Security researcher Chris Miller noted that Gatekeeper will verify the developer certificate and consult the known-malware list only when the application is first opened. Malware that already passed Gatekeeper will not be stopped.<ref name=":5">{{Cite web|url = https://arstechnica.com/apple/2012/02/developers-gatekeeper-a-concern-but-still-gives-power-users-control/|title = Mac developers: Gatekeeper is a concern, but still gives power users control|date = February 17, 2012|access-date = June 18, 2015|website = Ars Technica|last = Foresman|first = Chris}}</ref> In addition, Gatekeeper will only verify applications that have the quarantine flag. As this flag is added by other applications and not by the system, any neglect or failure to do so does not trigger Gatekeeper. According to security blogger Thomas Reed, BitTorrent clients are frequent offenders of this. The flag is also not added if the application came from a different source, like network shares and USB flash drives.<ref name=":4" /><ref name=":5" /> Questions have also been raised about the registration process to acquire a developer certificate and the prospect of certificate theft.<ref>{{cite news|url=http://www.ibtimes.com/articles/302094/20120221/os-x-mountain-lion-gatekeeper-malware-out.htm|title=OS X Mountain Lion Gatekeeper: Can it Really Keep Malware Out?|last=Chatterjee|first=Surojit|date=February 21, 2012|work=International Business Times|access-date=March 3, 2012}}</ref>

In September 2015, security researcher Patrick Wardle wrote about another shortcoming that concerns applications that are distributed with external files, such as libraries or even HTML files that can contain JavaScript.<ref name=":3" /> An attacker can manipulate those files and through them exploit a vulnerability in the signed application. The application and its external files can then be redistributed, while leaving the original signature of the application bundle itself intact. As Gatekeeper does not verify such individual files, the security can be compromised.<ref>{{Cite web|url=https://arstechnica.com/security/2015/09/drop-dead-simple-exploit-completely-bypasses-macs-malware-gatekeeper/|title=Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper|last=Goodin|first=Dan|website=Ars Technica|date=September 30, 2015|archive-url=https://web.archive.org/web/20160320093306/http://arstechnica.com/security/2015/09/drop-dead-simple-exploit-completely-bypasses-macs-malware-gatekeeper/|archive-date=March 20, 2016|url-status=live|access-date=June 17, 2016}}</ref> With path randomization and signed disk images, Apple provided mechanisms to mitigate this issue in macOS Sierra.<ref name=":3" />

In 2021, a vulnerability was discovered where putting <code>#!</code> on the first line (without the path of the interpreter) of a file bypassed Gatekeeper.<ref>{{Cite web |last=Gatlan |first=Sergiu |date=December 23, 2021 |title=Apple fixes macOS security flaw behind Gatekeeper bypass |url=https://www.bleepingcomputer.com/news/apple/apple-fixes-macos-security-flaw-behind-gatekeeper-bypass/ |access-date=2022-05-06 |website=Bleeping Computer |language=en-us}}</ref>

In 2022, a Microsoft researcher shared a vulnerability that abuses the AppleDouble format to set an arbitrary access-control list to bypass Gatekeeper.<ref>{{Cite web |last=Gatlan |first=Sergiu |date=December 19, 2022 |title=Microsoft: Achilles macOS bug lets hackers bypass Gatekeeper |url=https://www.bleepingcomputer.com/news/security/microsoft-achilles-macos-bug-lets-hackers-bypass-gatekeeper/ |access-date=2022-12-19 |website=Bleeping Computer |language=en-us}}</ref>

== See also == * Microsoft SmartScreen * System Integrity Protection * Sandbox (computer security)

==References== {{reflist|30em}}

{{OS X}}

Category:MacOS security technology