Skip to main content

Malicious Mac apps could appear to be signed by Apple, problem existed since 2007

A security problem that has existed for eleven years means that malicious Mac apps could appear to be signed by Apple, fooling many of the tools designed to detect them.

The problem – caused by unclear guidance by Apple – meant that malware could be whitelisted in a wide range of tools used by individuals and companies alike …

ArsTechnica explains the issue.

Digital signatures are a core security function for all modern operating systems. The cryptographically generated signatures make it possible for users to know with complete certainty that an app was digitally signed with the private key of a trusted party. But, according to the researchers, the mechanism many macOS security tools have used since 2007 to check digital signatures has been trivial to bypass. As a result, it has been possible for anyone to pass off malicious code as an app that was signed with the key Apple uses to sign its apps.

The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple. At least eight third-party tools would show other non-signed executable code included in the same bundle as being signed by Apple, too. Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall (see below), Yelp, OSXCollector, Carbon Black’s db Response, and several tools from Objective-See.

In other words, you could have a file that contained a legitimate version of an app for PPC, and malware for Intel, and the tools would be fooled into applying the PPC whitelisting to the Intel version too. That malware would then be appear to be signed by Apple.

The problem, says security researcher Patrick Wardle – whose own Objective-See apps were caught out – is that Apple’s documentation was unclear.

The bypass was the result of ambiguous documentation and comments Apple provided for using publicly available programming interfaces that make the signature checks work.

“To be clear, this is not a vulnerability or bug in Apple’s code… basically just unclear/confusing documentation that led to people using their API incorrectly,” Wardle told Ars. “Apple updated [its] documents to be more clear, and third-party developers just have to invoke the API with a more comprehensive flag (that was always available).”

Apple has now clarified the documentation, which should result in the developers of the third-party tools fixing the problem.

Update: Little Snitch tells us that although its firewall would show the app as valid, it would flag a mismatch when a malicious app requested a network connection. The default behavior in that situation would be that the connection would be blocked. It has now resolved the issue so that unsigned apps are no longer shown as valid. See their blog post for more details,=.

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear