
Mountain Lion quietly includes app blacklist and security restrictions - driverdan
http://www.red-sweater.com/blog/2765/exceptional-apps
======
runjake
This doesn't look evil. It looks like an internal stop-gap measure to prevent
the execution of incompatible application versions that crash the OS. Most of
the list are older versions of Apple's own apps.

It's "hidden" because it's almost certainly a hacky stop-gap. As far as I can
tell, it isn't live updating or checking for new signatures, so the signatures
are probably updated on a release basis as issues are found.

~~~
0x0
I'm pretty sure Microsoft has been doing the same thing at least since Windows
95. I remember trying to run some old version of Nero, the CD-ROM burning
tool, on a recent-ish version of Windows, and it popped up a message about
known incompatibilities.

~~~
sitharus
They certainly do. If you want to run SQL Server 2008 Developer Edition on
Windows 7 you get that message - you have to get R2.

------
DHowett
> _I immediately jumped to the conclusion that Apple was “blacklisting” the
> app for political reasons_

> _Wow, they really don’t want me to open this app!_

I can't really imagine why one would instantly jump to the first conclusion,
and then _after a kernel panic_ still believe it to be malice on the part of
the operating system developer. The instant a kernel panic is thrown into the
mix, you barely need to check the crash log to realize that there's something
_fundamentally incompatible._

I was nearly expecting a follow-up line to say "It looks like Apple is
_patching the VMware modules at runtime, to cause them to crash!_ "

> _... it’s worth considering whether they will be tempted to use these powers
> for less honorable goals._

In addition to the version blacklist described here, there's the much-bandied-
about "killswitch" in the iOS app store. In the years since iPhoneOS 2.0, has
Apple used it for less honourable goals than platform security?

Come to think of it, has Apple used it at all?

~~~
ryannielsen
There is a somewhat justifiable reason for the author to jump to that
conclusion – VMware Fusion 4.1 (accidentally?) supports the virtualization of
Snow Leopard, which violates Apple's EULA. That feature was very quickly
removed in a 4.1.x update.

Given that Fusion 4.1.0 is blacklisted while 4.1.3 works fine on Mountain
Lion, it's not entirely unreasonable to think that Apple purposefully disabled
4.1.0 to prevent users from virtualizing Snow Leopard against their will.

Not the conclusion I would have jumped to right off the bat, but I can see the
train of thought.

------
delinka
What with Gatekeeper* and Developer ID, who didn't see this coming? How else
do you protect the walled garden from vile betrayers that come in via
Developer ID?

Criminal Hacker gets Dev ID, makes malicious app, distributes said app, runs
for months, then one day _whamo!_ it does Nasty Shit. Apple blacklists the app
_and_ the Dev ID certs. Easier worm and virus control. At least until one of
these rogue devs finds a privilege escalation bug that gets it out of the
sandbox and also into more privileged execution.

It's not a magic bullet, but it'll be a good thing unless they abuse it. An
example of Apple's track record in this regard would be GPL apps on the App
Store - they'll pull the app from the store but I have yet to hear Apple
'remote wiping' someone's previously downloaded apps.

Tangentially, I'm a little miffed at spending $100 to get certificates to do
Developer ID, but in the Grand Scheme of Business, it's just not that much
money.

*I have flashbacks to 'The Net' - I shudder

~~~
ceejayoz
> Tangentially, I'm a little miffed at spending $100 to get certificates to do
> Developer ID, but in the Grand Scheme of Business, it's just not that much
> money.

My understanding is that Gatekeeper signing is free.

~~~
delinka
Depends on how you define "free." Apple says "no additional charge over your
Mac Dev membership. It's included with the Mac Developer Program." I spent two
entire days watching WWDC videos and digging around on developer.apple.com
trying to find out how to get certificates without paying Apple the $99 for
Mac Dev.

The Apple employees that I am connected to were also surprised to find out
that it wasn't free outside the Mac Dev program. A former Appler helping me
dig around also noted that Apple never said it'd be "free."

If you can find somewhere Apple said it would be free, I'd love to dig deeper.

~~~
jvdongen
Don't know about you, but with my hourly rate, wasting 2 whole days looking
for a way to avoid a 99 dollar fee does not make sense ...

~~~
CrazedGeek
The principle of the matter may very well be more important in delinka's mind.

------
ryannielsen
For what it's worth, this mechanism was actually introduced in and first
employed by Lion.

~~~
wtallis
I've got the Exceptions.plist on my 10.6 system, and it's got 48 entries in
the MinimumVersionRequirements section. Mostly Apple stuff, but also Parallels
Desktop (and I've triggered the error message with this), Intego Virus Barrier
and NetUpdate, Elgato EyeTV, and a few others that are a bit surprising: SPSS
17.0, Macromedia Director MX 2004, and Asobo's video game tie-in to
Ratatouille.

------
ZoFreX
Windows 7 has something similar, but rather than blocking the app it just tells
you something like "This application has known problems on Windows 7" and
gives you options to check for a fix online, or to run the application anyway
(in most cases; there are a select few where it doesn't let you run them at
all, but you still get a button to check for a solution).

Even if Apple sticks with blocking the application entirely (which in this
particular case they're probably right to do, as it would cause a kernel
panic) it would be nice to put something _actionable_ in the dialog.

~~~
eridius
Has automatically checking for a fix online _ever_ worked? Admittedly I'm only
an infrequent user of Windows, but I've never once had it actually do
anything.

~~~
ZoFreX
Yup! From Vista onwards the various incarnations of that started being more
effective for me. In the case of incompatible programs it points you at the
latest version of that program, if that fixes the problem. When applications
crash and you send the report to Microsoft, I've had fixes come back in some
cases including telling me to update a particular driver, or even giving me a
Windows hotfix specific to that problem.

------
mmariani
I have an iPhone 4 (out of warranty) that all of a sudden got stuck in dock mode
and stopped playing sounds through its speaker. The only time I could hear
something from the speaker was the ringtone when someone was calling me.

Before I opened the phone to try to find a fix, I wanted to resolve the issue
with software. That's because I knew it was a software and not a hardware issue.

Googling around I found a fix. I had to jailbreak and SSH into the phone in
order to delete a launch daemon. After downloading the app for the job, to my
amusement, when I executed the app nothing happened.

I quickly fired up a terminal window so I could run the app. It ran. I could
jailbreak the device, remove the service, and then the issue was gone.

So Apple is really blacklisting apps in Mountain Lion, not only to protect
users, but to keep us from running things they don't like.

Lucky for us that we're hackers. ;)

~~~
Karunamon
> But to keep us from running things they don't like.

_Really._ Perhaps you could point to the app on the openly viewable
blacklist?

------
jakobe
There was a problem when installing Snow Leopard, where your computer would
crash on boot if you had a specific third party extension installed (I think
it was Application Enhancer). I assume to prevent similar problems, Apple
started disabling incompatible software after system upgrades in Lion.

The blacklist can't really be called "quiet": On first boot after system
upgrade, a dialog box pops up that tells you that incompatible software was
moved to a special folder. The affected stuff is mostly kernel extensions that
become incompatible.

------
therealarmen
This may be a small step towards further "appification" of the MacBook line of
products, which for better or for worse has been Apple's M.O. lately.

On one hand, I love opening up the App Store on my MacBook and flipping
through all the shiny icons in one central location that is safe and easy to
use. On the other hand, I worry about Apple controlling the entire
distribution channel for consumer software.

------
MaysonL
Actually, this mechanism has been there since at least Snow Leopard, if not
before. See the screenshot of Exceptions.plist on page 4 of [0].

[0] http://www.intego.com/mac-security-blog/dl/How-the-Anti-Malware-Function-in-Apples-Snow-Leopard-Works.pdf

------
mikeryan
Interesting. Spent some time perusing the Exceptions.plist file; from what I
can tell there's nothing explicitly hinky. Looks like it could be big
brotherish, but most of the file looks, well, helpful.

Most Browsers and BitTorrent clients are set to quarantine files that they
create. A lot of keys for App Store categorization etc.
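A worked example, added here and not taken from the linked article or from any commenter, that turns the two descriptions of Exceptions.plist above (wtallis's MinimumVersionRequirements section keyed by bundle ID, and mikeryan's per-bundle quarantine settings) into a checker: given a plist in that shape, it lists the minimum allowed version per bundle ID, decides whether a particular bundle ID and version would be refused (the 4.1.0 vs 4.1.3 case from earlier in the thread), and reports whether the quarantine flag is enforced for a bundle. The embedded plist, its bundle IDs, the per-entry `Version` key and the `Exceptions`/`LSFileQuarantineEnabled` names are constructed assumptions for illustration; the real file's on-disk location is not given in this thread and is not assumed here.

```python
import plistlib
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape the thread describes for Exceptions.plist:
# a MinimumVersionRequirements dict keyed by bundle ID. The bundle IDs, the
# per-entry "Version" key and the "Exceptions"/"LSFileQuarantineEnabled" names
# are assumptions for illustration, not copied from a real system.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MinimumVersionRequirements</key>
  <dict>
    <key>com.example.virtualizer</key>
    <dict><key>Version</key><string>4.1.3</string></dict>
    <key>com.example.legacytool</key>
    <dict><key>Version</key><string>2.0</string></dict>
  </dict>
  <key>Exceptions</key>
  <dict>
    <key>com.example.browser</key>
    <dict><key>LSFileQuarantineEnabled</key><true/></dict>
  </dict>
</dict>
</plist>
"""

VersionKey = List[Tuple[int, str]]


def version_key(version: str) -> VersionKey:
    """Split "4.1.3b" into [(4, ""), (1, ""), (3, "b")] so components compare numerically."""
    key = []
    for comp in version.split("."):
        m = re.match(r"(\d*)(.*)", comp)
        num = int(m.group(1)) if m.group(1) else 0
        key.append((num, m.group(2)))
    return key


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; missing trailing components count as 0, so 2.0 == 2.0.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(0, "")] * (width - len(ka))
    kb += [(0, "")] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def load_exceptions(data: bytes) -> dict:
    """Parse plist bytes (XML or binary) into a dict."""
    return plistlib.loads(data)


def minimum_versions(exceptions: dict) -> Dict[str, str]:
    """Bundle ID -> minimum allowed version, for every entry in the list."""
    reqs = exceptions.get("MinimumVersionRequirements", {})
    return {bid: entry.get("Version", "") for bid, entry in reqs.items()}


def is_blocked(exceptions: dict, bundle_id: str, version: str) -> bool:
    """True if this bundle/version is older than the listed minimum (i.e. would be refused)."""
    minimum = minimum_versions(exceptions).get(bundle_id)
    if not minimum:
        return False  # not listed, or listed without a version: nothing to enforce
    return compare_versions(version, minimum) < 0


def quarantine_enforced(exceptions: dict, bundle_id: str) -> bool:
    """True if the OS forces the quarantine flag on files this bundle creates."""
    entry = exceptions.get("Exceptions", {}).get(bundle_id, {})
    return bool(entry.get("LSFileQuarantineEnabled", False))


if __name__ == "__main__":
    ex = load_exceptions(SAMPLE_PLIST)
    for bid, minimum in sorted(minimum_versions(ex).items()):
        print(f"{bid}: versions below {minimum} are refused")
    print("virtualizer 4.1.0 blocked:", is_blocked(ex, "com.example.virtualizer", "4.1.0"))
    print("virtualizer 4.1.3 blocked:", is_blocked(ex, "com.example.virtualizer", "4.1.3"))
    print("browser quarantines downloads:", quarantine_enforced(ex, "com.example.browser"))
```

To run it against a real system, pass the bytes of the actual file to `load_exceptions` instead of `SAMPLE_PLIST`; `plistlib.loads` accepts both XML and binary plists, so no conversion with `plutil` is needed. The version comparison pads missing components rather than comparing strings, which is what makes "4.1.0" sort below "4.1.3" and "2.0" equal to "2.0.0"; a plain string comparison would also call "10.8" older than "9.0".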

------
smcnally
I got a similar message when I found I'd had to reinstall git. Pulled down an
image from google code, then git-scm and received a ~"cannot install from
unsigned source."

I'm not sure why I had to reinstall in the first place. Specifying "Allow
software from ANYWHERE to run" did the trick. This might be off-putting to
some.

------
smackfu
>Not surprisingly, the list of bundle IDs are all web browsers and torrent
downloaders.

This part is really interesting, that Apple is externally enforcing the
quarantine bit rather than relying on the apps to set it.

~~~
ryannielsen
That's been the case since file quarantining was introduced.

------
joe_the_user
All this stuff does disturb a bit but as a less-than-lover of Apple, I'll
still admit that whitelists are where the real big-brotherishness comes in.
Blacklists are inherently more an "FYI, this is a problem" approach.

