Apple's app-security tech Gatekeeper caused all kinds of problems last week, but here's why your Mac would be in far worse shape without it
- The surge of downloads for Apple's latest version of macOS Big Sur caused an issue with Apple's servers that triggered a bug in the company's Gatekeeper.
- Gatekeeper is the service that confirms that a piece of software is legitimate before it's downloaded — when it stopped working, apps didn't open.
- Gatekeeper, and its failure, can be an annoyance for those who don't want Apple regulating what they download, but most people would argue it's better to be safe than sorry.
- "Security always includes a tradeoff between convenience and protecting a user, sometimes from themselves," says columnist Jason Aten.
Last week, as Apple users upgraded to the latest version of macOS Big Sur, the surge of downloads caused an issue with Apple's servers that triggered a bug in the company's Gatekeeper. That may not sound like a big deal, except that Gatekeeper is the service that confirms that the software on your Mac has a valid developer certificate. When it couldn't be reached, apps simply didn't open.
To make things worse, most people had no idea what was happening. They just knew they couldn't use the apps on their Mac. The icons would simply bounce in the dock, but there was no error message or other indication of what was happening.
I think we can all agree that's a problem. That much isn't really that complicated at all.
Where it starts to get complicated is what security researchers found when they started figuring out what was happening. They determined that the information Apple was sending was, at a minimum, unencrypted. At least one suggested that Apple was spying on users by collecting information such as their location, their device, and the apps they were running.
Apple made it pretty clear that it isn't spying on users to see which apps they're running or what they've installed on their devices.
"We have never combined data from these checks with information about Apple users or their devices," the company says in a support document. "We do not use data from these checks to learn what individual users are launching or running on their devices."
It turns out that much of that fuss was overblown, but it didn't stop people from rightly wondering exactly what was happening, and whether Apple was exerting far too much control over their Macs. That's a fair question, and it's one worth considering in context.
In macOS Catalina and Big Sur, Gatekeeper verifies that an app has a valid developer certificate when you install or launch it. It's true that Apple wasn't encrypting the data it sent back and forth between your Mac and its servers, meaning that someone who was monitoring your internet traffic could conceivably intercept that information. Apple has since said it would change that practice.
The reason macOS does this is to confirm that an app you downloaded isn't malware. The software must have a valid developer certificate. That's why you see a warning dialogue box when you install an app you downloaded from the internet, instead of from Apple's macOS App Store.
Likewise, every time you launch an app, macOS checks with Apple's servers to confirm the app still has a valid certificate. In this case, when it couldn't perform the check due to the server issues, the apps simply didn't launch. To prevent similar issues in the future, Apple said it has made a few changes to the Gatekeeper technology, including improving the server system that handles the check.
More important, however, is why Apple added Gatekeeper in the first place. To really understand that, think about how apps work on iOS. When you download an app from the iOS App Store, you don't have to worry about whether or not that app will make your iPhone unusable. Apple requires developers to submit software through app review. You don't have to worry that it's malware or that it will steal your personal information.
On a Mac, however, you've always been able to download apps from anywhere on the internet. Sure, there's an App Store for macOS, but you aren't limited to only software found there. Gatekeeper ensures that regardless of where you download an app from, your computer won't install or run it without checking first to make sure it's legitimate.
Most people have no idea what's happening behind the scenes, and frankly, they don't care. What they care about is that they don't have to worry about things like malware, viruses, or scams.
We can debate all day whether or not we prefer a world where Apple acts as sort of a nanny to make sure we don't get in too much trouble with our Mac. I completely understand the argument that they shouldn't.
A more precise, and appropriate — in my opinion — argument would be that they shouldn't stop you if you'd rather they didn't. If you want to mess up your Mac, you should absolutely have the right to do so. It's yours, after all. You should be able to download and run anything you want, provided you aren't violating any laws by doing so.
If that's you, you probably hate Gatekeeper. The idea that anyone would stand in the way of what you do with your Mac, or that you would have to ask permission to launch an app, probably goes against everything you believe about computers.
Most people, however, prefer the peace of mind that comes from knowing that they won't accidentally install an app that will take over their webcam or monitor their keystrokes or steal their personal information. Which, by the way, isn't exactly unheard of.
It's why Windows devices are constantly updating their software security settings to prevent exactly the same thing. I spend a lot of time reviewing different laptops, and it never ceases to amaze me how often they have to update their antivirus software.
Apple's solution is to make it almost impossible to accidentally download malicious software at the expense of making it harder to intentionally download and install software from the internet. It gets even harder if the software doesn't have a developer certificate from Apple. Security always includes a tradeoff between convenience and protecting a user, sometimes from themselves.
For example, if your bank requires two-factor authentication when you log on, it's annoying that you have to wait for a text message or an emailed code before you can access your account. Of course, knowing that someone else isn't going to log in and empty your account makes it worthwhile.
That doesn't change the fact that it's most definitely a problem when the system fails and no one knows why. To the average user, their Mac just didn't work, which is literally the opposite of the primary value proposition of Apple's entire ecosystem: It just works.
The difference is, it was temporary. If you download malware, on the other hand, there's a good chance that having your laptop stop working for a few minutes will be the least of your problems.