Cybereason Blog | Cybersecurity News and Analysis

MacOS Code Signing, the Emperor’s old-new clothes

Written by Eliad Kimhy | Jun 3, 2017 9:56:12 AM

The debate over whether Macs are better than PCs is an old, and quite frankly, tiresome debate. It’s become an incredibly divisive issue for some, despite the ever growing similarities between Windows based computer systems, and the ones powered by Apple’s MacOS. And while I care little to argue for and against different aesthetics and ease of use, there’s one idea I’m quite averse to- a mainstay argument that keeps coming up every time the Mac vs. PC topic is discussed- the notion that Macs don’t get viruses.

Those who support the argument, live in a state of cognitive dissonance. Experts are aware, and do warn of the vulnerabilities and faults that exist in Macs, but many Apple advocates seem unwilling to let go of the Mac’s old claim to fame. This can often lead to misleading and confusing advice, and a general misconception that's perpetuated among Macbook enthusiasts, summed up beautifully with this quote from Macworld.co.uk: “Do Macs get viruses? Do Macs need antivirus software? The short answers are yes (and no), and yes (and no)”. Here, the answer given to this very important question is yes, no, yes-no.

>This notion isn't entirely rooted in ignorance. It isn’t that Macs aren’t safe, it’s just that they aren’t necessarily much safer, and are by no means invulnerable. They're certainly aren't as popular as PCs (we're talking actual global market share, not the likelihood of being invited to a party), and thus, less frequently targeted. This, for some, creates the false impression that it's somehow impervious. The correlation is all wrong. The operating system that powers Macs employs a variety of security measures to protect Apple computers, some (like sandboxing) are highly effective, others, such as the titular code signing, less so. Trouble is that as attackers become more sophisticated, many of these defense mechanisms struggle to stay relevant. People’s insistence on the effectiveness of these systems means that instead of providing security, they end up providing a false sense of security. People feel safe, and let their guard down.

Code signing is a major contributor to the overall apparent safety of Apple computers. In order to be allowed to distribute software, you need to get a certificate from Apple. Many people believe that since all of their programs are signed, seemingly approved by Apple, that malware is unlikely to pass through. While it is true that you cannot run an application unless it receives certification, it is equally true that code isn’t really examined by Apple, and that code signing provides little in way of controlling what actually gets signed.

 

How code signing works – a certificate is purchased and later assigned by developers.

 

You see, code signing is a rather simple process. Much more a formality now, than a safety measure. In the simplest of terms, the process of receiving a certificate goes like this: you write your code- god willing, it compiles- then you send it to Apple along with an ID and 99 dollars. After which, you must answer a series of complicated questions assessing the true nature of the software you wrote, using examples of code.. Just kidding, all you need is an ID and 99 dollars.

I am, of course, being facetious in order to illustrate a point- there’s not much that stands in the way of a malware developer to receive a certificate. There’s not even a requirement to send any code, unless you’re submitting to the App Store (which is significantly safer, but not without its slip ups). All you need to do is buy a certificate, and later attach it to your application. ID’s are easy to fake or steal, and 99 dollars is no challenge, if you anticipate making more money than what you’d spend.

There is one benefit to code signing, and it’s the ability to revoke a certificate in case the app that’s tied to is malicious, but since certificates are bought independently of code, you can easily buy a new certificate and slap it on your application, even after your previous one has been revoked.

A fantastic example of this type of behavior would be the Pirrit adware. This relatively benign application is installed via a custom installer, and then reroutes ad traffic through its own servers, to show you the ad it wants you to see. If that does not sound like much, note that it does this by acquiring a high level of permission- one that could have easily been used for something more devious. Pirrit, as you might have guessed, was signed, and whenever it got its signature revoked, it would attach a new signature to the very same code, et voilà, they were back in business.

Cybereason’s principal researcher, Amit Serper, who was researching the Pirrit adware, recalls the process, “I’d go to Pirrit’s website, report their Installer to Apple to have their certificate revoked, and not two hours later they would have it back up with a new certificate. They must have had a bunch of certificates laying around, bought with fake IDs. When one was revoked, a new one was applied.” He added, “All you need to get your software signed is $99 and an excuse. If you have enough fake IDs, you can stockpile as many as you’d like. It all amounts, basically, to a really complicated algorithm that says if Money_Received() == true, then give_certificate.”

 

Examples collected by researcher Amit Serper of the Pirrit file being revoked and re-certified.

 

As Macs become more and more popular, they become a more lucrative target for creators of malware. That, in turn, creates more sophisticated attacks, and more vulnerabilities. In 2016 alone,  malware attacks on Apple’s operating system skyrocketed by 744 percent. The recently discovered Proton.B malware, for example, does not even require a certificate to execute, it simply piggy-backs on another application’s permissions, and presents the user with a fake request for their username and password. Once that’s acquired, it’s game over. When Handbreak, a popular video editing tool, had its website hacked into, the Proton.B malware was inserted into the code, piggy-backing Handbreak’s signature. Anyone that downloaded Handbreak between the time it was hacked, and the time the hack was discovered, had most likely been compromised.

This had implications far outreaching those of simple adware, and affected far more than the "stupid user", as Mac fanatics often portray as the single archetype of Mac users who are affected by malware and viruses. One company had the entire source code to its application stolen as a result of the Proton.B malware, and was faced with a ransom request to prevent it being released into the wild. Let's not forget as well- any user of Mac that's convinced that their Mac doesn't get malware is not just making themselves an easier target, but anyone on their network, in their company, and in their contacts. Like those who refuse vaccinations, anyone convinced of the fact that they don't need any kind of protection on their Mac because it is invulnerable, is putting everyone around them at risk.

Life is only going to get more complicated for Mac users, security-wise, as time passes. Unless Apple starts coming up with better solutions than its middle of the road antivirus and a lax certification process to protect its users, there will come a point when Macbooks become just as easy a target as any windows machine. That security gap is slowly closing already. And what will we do then, when we’ve, for years, drilled into the ears of fans that the Mac is an invulnerable platform, that it does not require an antivirus, or that certification trumps the need for common sense? We should stop focusing on useless, comparative arguments. Macs need not be safer than PCs, they need to be safe, period. Are we serving people best by recommending they do not employ extra protection? By counting solely on the Mac's intrinsic ability to protect itself? Probably not. Perhaps it's time we stopped.