Rumor: Undisclosed security breach cause of Apple's new Gatekeeper app signing policy
A report on Monday suggests Apple's recently modified OS X app signing policy is the result of an undisclosed Developer Portal security breach that leaked keys for multiple services, including Gatekeeper.
Noting tweets by user @SomeoneSW and one corroborating source, TUAW claims Apple's newly instituted policy forcing developers to re-sign app credentials is the result of a security breach that not only released Gatekeeper keys, but also "many other keys for many other things."
As seen in the tweets embedded below, @SomeoneSW, whose account was seemingly created today, claims inside knowledge of a data breach that released "virtually every key Apple used for anything." The Twitter user said they were approached with a proposal to buy said keys shortly after the undisclosed theft.
Apple could not be reached for comment on the issue.
According to the publication, also pilfered was Apple's Enterprise Signing Key, an asset used to sign activation tickets for bypassing iCloud locks. This particular key was used in a previously reported iCloud exploit that supposedly allowed hackers to defeat Activation Lock, the anonymous Twitter user said.
Gatekeeper is a security tool first offered in OS X 10.8 Mountain Lion that protects users from malicious software by placing restrictions on app installation. At its default setting, for example, Gatekeeper allows installation of apps from the Mac App Store and titles signed by developers who have registered through company's Developer ID Program.
The supposed Developer Portal breach would technically let nefarious users sign malicious apps as kosher, prompting Apple to change the way apps are recognized by Gatekeeper in OS X 10.9.5 Mavericks and the upcoming OS X 10.10 Yosemite.
Noting tweets by user @SomeoneSW and one corroborating source, TUAW claims Apple's newly instituted policy forcing developers to re-sign app credentials is the result of a security breach that not only released Gatekeeper keys, but also "many other keys for many other things."
As seen in the tweets embedded below, @SomeoneSW, whose account was seemingly created today, claims inside knowledge of a data breach that released "virtually every key Apple used for anything." The Twitter user said they were approached with a proposal to buy said keys shortly after the undisclosed theft.
Apple could not be reached for comment on the issue.
@marczak @cabel @danielpunkass @mikeash The keys used for Gatekeeper* were stolen in that Developer Portal breach a while back. Consider thi
— Somebody Somewhere (@SomebodySW) @marczak @cabel @danielpunkass @mikeash s your heads up. *and many other keys for many other things
— Somebody Somewhere (@SomebodySW) According to the publication, also pilfered was Apple's Enterprise Signing Key, an asset used to sign activation tickets for bypassing iCloud locks. This particular key was used in a previously reported iCloud exploit that supposedly allowed hackers to defeat Activation Lock, the anonymous Twitter user said.
Gatekeeper is a security tool first offered in OS X 10.8 Mountain Lion that protects users from malicious software by placing restrictions on app installation. At its default setting, for example, Gatekeeper allows installation of apps from the Mac App Store and titles signed by developers who have registered through company's Developer ID Program.
The supposed Developer Portal breach would technically let nefarious users sign malicious apps as kosher, prompting Apple to change the way apps are recognized by Gatekeeper in OS X 10.9.5 Mavericks and the upcoming OS X 10.10 Yosemite.
Comments
Sorry I have to say that but : duh!
I don't see any other reason that could explain the change.
Edit: Just to be clear, I'm not complaining about the article as it does bring some interesting new information. But obviously, a security issue was the reason behind the code signing change.
Thing that is odd it was only random people in Australia, it wasn't everyone all over the place. So it doesn't sound legit there.
Not sure what to think!
one question though. as I understand it this need to resign apps is tied to the whole 10.10 release. As in if you don't do it then your app even if in the MAS won't pass through gatekeeper.
but if this was tied to some security breach 'a while ago' wouldn't they have demanded the resigning of apps and now. Why have folks potentially in danger cause of the swiped keys for weeks
Of interest, Google's Certificate Transparency project (http://www.certificate-transparency.org/) is an attempt to detect (in near real time) SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. Google claims this also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.
I don't believe I have heard of any similar project to identify rogue certs that are being used for code signing.
A good article reviewing all the recent certificate authority misadventures is at: http://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/
A current list of 'bad' SSL certificates (issued in error or through manipulated PKI issuance) identified by abuse.ch associated with malware or botnet activities is at (https://sslbl.abuse.ch/).
I don't see a link to the icloud incidents to be honest - that did go a little wider than Australia but it was all traced to one individual who was caught and charged - nobody else has been able to do anything similar and the vast, vast majority of users were never affected - to me it sounds much more like he had a list of shared passwords (perhaps from some Australian based service) rather than something like this which would give him random access to the whole userbase.
1) I don't know if they are using Google's service or some other method to determine if sites may have been compromised but after Heartbleed but 1Password implemented Watchtower to let you know if you should change your password.
2) Google has one user-level security option I wish Apple (and Dropbox et al.) would adopt. Besides the two-step verification they have unique codes used for eachl app on each device that will access Gmail outside of a web browser.
There isn't. These are completely separate issues.