
Anyone can sign up for the Apple Developer Program to become an "identified developer", so there's nothing that stops an attacker from signing their malware.



And according to the analysis [0], this is exactly what they did. They used a different cert to sign their malware.

I have to admit that Windows' UAC is better in that regard, as it shows the signee's name. But of course this is only useful if you know the "right" name.

[0] http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-...


Yeah, I think this is a major issue on OS X. For the average user it is impossible to tell who signed an app, if it is sandboxed, and what permissions it has. Hell, using the codesign command to extract entitlements from all binaries in a package is hard even for advanced users...

(There is a third-party tool named RB App Checker which does make these tasks a bit easier, though)
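
The task described in the comment above, as an added example that is not part of the thread: a bash script that walks an app bundle, prints the leaf signing authority and team identifier of each Mach-O file, and dumps its entitlements. The function names and the sample output are constructed for illustration; the `codesign` calls need macOS.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. The codesign calls require macOS.

# Reduce `codesign -dvv` output (stdin) to "leaf authority|team identifier".
# The first Authority= line is the signing certificate; the lines after it
# are the intermediate and root of the chain.
signer_summary() {
  awk -F= '
    /^Authority=/ && leaf == "" { leaf = substr($0, 11) }
    /^TeamIdentifier=/          { team = $2 }
    END {
      if (leaf == "") leaf = "UNSIGNED/AD-HOC"
      if (team == "") team = "-"
      printf "%s|%s\n", leaf, team
    }'
}

# For every Mach-O file under $1, print its signer and its entitlements.
audit_bundle() {
  local f
  find "$1" -type f -print0 | while IFS= read -r -d '' f; do
    file -b "$f" | grep -q 'Mach-O' || continue
    printf '%s\n  signer: %s\n' "$f" "$(codesign -dvv "$f" 2>&1 | signer_summary)"
    # ":-" sends the entitlements plist to stdout without the blob header.
    codesign -d --entitlements :- "$f" 2>/dev/null | sed 's/^/    /'
  done
}

# Constructed sample of `codesign -dvv` output, so the parser runs anywhere.
SAMPLE='Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
  audit_bundle "$1"          # e.g. ./audit.sh /Applications/Example.app
else
  printf '%s\n' "$SAMPLE" | signer_summary
fi
```

A valid "Developer ID Application" line only shows that some enrolled developer signed the file; comparing the team identifier against the one the vendor is known to use is what catches a binary signed with a different certificate.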


Well, I guess that’s at least one advantage for apps that use Installer.app¹ to install; Installer.app makes it really easy to see the certificate².

――――――

¹ — https://en.wikipedia.org/wiki/Installer_(OS_X)

² — http://f.cl.ly/items/1s1E3n19273M1l3i3S2X/developer_id_insta...



