Application security

macOS includes built-in technology to ensure that only trusted software is installed and to help defend against malware. To keep legitimate apps from being tampered with, macOS also includes app runtime protection and app code-signing enforcement.

Gatekeeper

To control which sources apps may be installed from, macOS provides a feature called Gatekeeper. Gatekeeper lets users and organizations set the level of security required of installed apps.

Under the most restrictive Gatekeeper setting, users can install only signed apps from the App Store. The default setting allows apps from the App Store as well as apps carrying a valid Developer ID signature. That signature indicates the app was signed with a certificate issued by Apple and has not been modified since it was signed. Gatekeeper can also be disabled entirely; if necessary, run the command sudo spctl --master-disable.

In addition, Gatekeeper applies path randomization (App Translocation) in some cases, including when an app is launched directly from an unsigned disk image or from the location where it was downloaded and automatically unarchived. Path randomization makes the app run from an unspecified read-only location in the file system before it starts. This prevents the app from accessing code or content through relative paths, and also prevents it from updating itself while it runs from that read-only location. Path randomization stops once the user moves the app, for example by dragging it into the Applications folder with the Finder.
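The checks behind the two paragraphs above, as an added example that is not part of Apple's documentation: a small shell script that reports Gatekeeper status, the quarantine attribute, whether an app is running from a translocated (path-randomized) location, and classifies the verdict from spctl --assess into the policy tiers described above. The exact "source=" labels spctl prints and the /AppTranslocation/ path component are assumptions about current macOS behaviour; confirm them against a known app before relying on them.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: inspect the Gatekeeper state of one
# app bundle with spctl(8) and xattr(1), and classify spctl's verdict.
# Live commands need macOS; gatekeeper_verdict and is_translocated work on text alone.

# Classify the text printed by `spctl --assess --type execute -vv <app>` into the
# policy tiers described above. The "source=" labels are the ones spctl prints on
# current macOS releases (assumption; confirm against a known-good app).
gatekeeper_verdict() {
    out=$1
    case "$out" in
        *": accepted"*)
            case "$out" in
                *"source=Mac App Store"*)            echo "accepted:app-store" ;;
                *"source=Notarized Developer ID"*)   echo "accepted:notarized-developer-id" ;;
                *"source=Developer ID"*)             echo "accepted:developer-id" ;;
                *)                                   echo "accepted:other" ;;
            esac ;;
        *": rejected"*)
            case "$out" in
                *"source=no usable signature"*)      echo "rejected:unsigned" ;;
                *)                                   echo "rejected:policy" ;;
            esac ;;
        *) echo "unknown" ;;
    esac
}

# Path randomization (App Translocation) runs the app from a read-only mount whose
# path contains /AppTranslocation/ (assumption); an app can use this to notice that
# it must not try to update itself in place.
is_translocated() {
    case "$1" in
        */AppTranslocation/*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real system) for offline use.
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Users/me/Downloads/Dropped.app: rejected
source=no usable signature'

if [ $# -ge 1 ]; then
    app=$1
    echo "Gatekeeper: $(spctl --status 2>&1)"      # "assessments enabled" or "assessments disabled"
    is_translocated "$app" && echo "running from a translocated path"
    q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null) && echo "quarantine: $q"
    echo "verdict: $(gatekeeper_verdict "$(spctl --assess --type execute -vv "$app" 2>&1)")"
else
    echo "sample notarized: $(gatekeeper_verdict "$SAMPLE_NOTARIZED")"
    echo "sample unsigned:  $(gatekeeper_verdict "$SAMPLE_UNSIGNED")"
fi
```

Run it as sh gatekeeper_check.sh /Applications/Example.app; with no argument it classifies the two constructed samples. Note that spctl --assess only reports the policy decision Gatekeeper would make, it does not launch the app, and an app moved out of its download location with the Finder is no longer translocated even though it still carries the quarantine attribute until it is approved on first launch.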

The primary security benefit of the default protection model is broad ecosystem protection. If a malware author steals or otherwise obtains a Developer ID signing capability and uses it to distribute malware, Apple can respond quickly by revoking the signing certificate, which stops the malware from spreading further. This protection disrupts most malware activity on Macs and benefits all users.

Users can temporarily override these settings to open any app. Organizations can use their MDM solution to set and enforce Gatekeeper settings, and to add certificates to the macOS trust policy used to evaluate code signatures.

XProtect

macOS includes built-in signature-based malware detection called XProtect. Apple monitors new malware infections and strains and updates the XProtect signatures automatically, independently of system updates, to help protect Macs from infection. XProtect automatically detects and blocks the installation of known malware.

Malware removal tool

macOS also includes technology to remediate an infection if malware does get onto a Mac. In addition to monitoring malware activity in the ecosystem so it can revoke Developer IDs (where applicable) and issue XProtect updates, Apple releases updates to the macOS malware removal tool that remove the malware from affected systems configured to receive automatic security updates. Once the malware removal tool receives the updated information, the malware is removed after the next restart. The malware removal tool does not restart the Mac automatically.

Automatic security updates

Apple releases updates to XProtect and to the malware removal tool automatically. By default, macOS checks for these updates daily. For more information about automatic security updates, see the Apple Support article "Mac App Store: Automatic Security Updates."

Runtime protection

System files, resources, and the kernel are shielded from the user's app space. All App Store apps are sandboxed to limit their access to data stored by other apps. If an App Store app needs data from another app, it can obtain it only through the APIs and services that macOS provides.

Enforced application code signing

All apps from the App Store are signed by Apple to ensure they haven't been tampered with or altered. Apps that Apple ships with its devices are signed by Apple as well. Many apps distributed outside the App Store are signed with an Apple-issued Developer ID certificate (used together with the developer's private key) so that they run under the default Gatekeeper settings.

Apps from outside the App Store are usually signed with a developer certificate issued by Apple. This lets you verify that the app is authentic and hasn't been tampered with. Internally developed apps should also be signed with an Apple-issued Developer ID so that you can verify their integrity.
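The verification that Gatekeeper performs on a Developer ID signature can be reproduced by hand with codesign. The following is an added example, not code from Apple's guide: it classifies the signing chain from codesign -dvv output, extracts the team identifier, checks for the hardened-runtime flag, and, on macOS, verifies the seal and tests the bundle against the Developer ID designated requirement. The requirement strings and the exact Authority= line text are assumptions based on the usual codesign output; confirm them on a known-good app.

```shell
#!/bin/sh
# Added example, not Apple's documentation or tooling: classify how an app is signed
# from codesign(1) output and verify it against the Developer ID requirement.
# signing_class, team_id and has_hardened_runtime work on captured text; the verify_*
# functions need macOS with codesign on PATH.

# Designated-requirement fragments Apple uses for Developer ID and Mac App Store
# leaf certificates (assumed here; compare with `codesign -d -r- <app>` on a known app).
DEVELOPER_ID_REQ='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13]'
APP_STORE_REQ='anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9]'

# $1: text printed by `codesign -dvv <app>` (it goes to stderr).
# Prints one of: app-store | developer-id | adhoc | unsigned | other
signing_class() {
    out=$1
    case "$out" in
        *"code object is not signed at all"*) echo unsigned; return 0 ;;
        *"Signature=adhoc"*)                   echo adhoc;    return 0 ;;
    esac
    # Only trust a chain anchored at Apple's root: a leaf whose subject merely says
    # "Developer ID Application" under some other CA is not an Apple-issued identity.
    if printf '%s\n' "$out" | grep -q '^Authority=Apple Root CA$'; then
        if printf '%s\n' "$out" | grep -q '^Authority=Apple Mac OS Application Signing$'; then
            echo app-store; return 0
        fi
        if printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application: '; then
            echo developer-id; return 0
        fi
    fi
    echo other
}

# Team identifier embedded in the signature (empty if none).
team_id() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Hardened-runtime flag on the CodeDirectory line, e.g. "flags=0x10000(runtime)".
has_hardened_runtime() {
    printf '%s\n' "$1" | grep -q '^CodeDirectory .*flags=[^ ]*runtime'
}

# Live checks (macOS only); the exit status is the verdict.
verify_integrity() {      # every nested component and sealed resource still intact?
    codesign --verify --deep --strict --verbose=2 "$1"
}
verify_developer_id() {   # signed with an Apple-issued Developer ID certificate?
    codesign --verify -R="$DEVELOPER_ID_REQ" "$1"
}

# Constructed sample output (not captured from a real system) for offline use.
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_ROGUE='Identifier=com.example.rogue
CodeDirectory v=20500 size=1234 flags=0x0(none) hashes=30+7 location=embedded
Authority=Developer ID Application: Rogue Corp (ZZZZZZZZZZ)
Authority=Some Private CA
TeamIdentifier=ZZZZZZZZZZ'

if [ $# -ge 1 ]; then
    info=$(codesign -dvv "$1" 2>&1)
    echo "class=$(signing_class "$info") team=$(team_id "$info")"
    has_hardened_runtime "$info" && echo "hardened runtime: yes"
    verify_integrity "$1" && verify_developer_id "$1" && echo "OK: intact Developer ID signature"
else
    echo "sample: $(signing_class "$SAMPLE_DEVID") $(team_id "$SAMPLE_DEVID")"
    echo "rogue:  $(signing_class "$SAMPLE_ROGUE")"
fi
```

Run it as sh check_signature.sh /Applications/Example.app; with no argument it classifies the two constructed samples. The chain check is the point: what ties a Developer ID to Apple is the Apple-anchored chain (and Apple's ability to revoke it), not the words in the certificate subject, so the rogue sample with a self-issued "Developer ID Application" leaf classifies as other, and codesign --verify -R with the Developer ID requirement would reject it as well.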

Mandatory Access Control (MAC) requires code signing to enable entitlements protected by the system. For example, an app that needs to accept connections through the firewall must be signed with the appropriate MAC entitlement.