Craig explains how app design libraries are causing problems with the security of apps for some of the big tech firms.
For more tech tips, news, and updates visit – CraigPeterson.com
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] We’re going to get into the guts right now of something called notarization. When it comes to our apps. What’s Apple doing what’s Google doing and how did Apple mess this is up so badly, frankly.
Hey, you’re listening to Craig Peterson. Thanks for joining me today. We’ve had a problem for a very long time when it comes to any sort of apps. I saw a funny meme about yeah about Bill Gates this week. It said Bill Gates couldn’t even stop viruses and Windows. It’s a really good point that Windows was never designed to be secure at all.
When they came out with NT, that was their first attempt to design it like a real operating system. They took the design of VMS, basically of Dave Cutler and company that had been designed over a DEC – digital equipment. And they said, Hey, we’ll use this as a framework. This really works. It’s not a hack. Let’s just make this work.
Then, of course, Microsoft had his fingers on it. So they really messed it up. They wanted to be compatible with everything that they could possibly be compatible with in the past. In the past, Microsoft did not have the barriers walls. If you will between the apps between the operating system, between the hardware and the apps. They didn’t have the appropriate protections in place. Programmers used some lazy mechanisms to get around the operating system, going directly to things like graphics cards, because the operating system just slowed it down and they couldn’t do the graphics they wanted to do that way. So it’s been a real problem, frankly.
It’s been a real problem for a long time in the windows world, and NT was supposed to fix some of that. It did initially, and then it didn’t. Now they’re trying to tighten up this whole thing. how do you, if you’re Microsoft or Google or Apple, how do you protect the people who are using your products from some of this malicious software?
What’s the way to do it? What Apple has come up with is a mechanism and Google as well that signs the software. You might have noticed that if you are trying to install software on your computer or your Google device from a third party website, it will come up and say, can’t be opened, It can’t be installed. There are a few different messages that come up.
In the case of Apple now, with MacOS Catalina, which is the latest Operating system. Although, there’s another one that is about to hit and it looks like they’re going to change the whole nomenclature to, with the next release, but in Catalina, Apple now requires what they call notarization for all apps.
Any apps that you are installing on that computer need to be signed digitally by Apple. So the developer, when they write the software, they compile it, they sign it themselves. It’s a whole public key cryptography thing. Apple takes that software and checks it and then signs it.
Both Google and Apple are using automated systems that try to verify whether or not the software is malicious. So it’ll go through this automated system and will try and figure out well, is there any malicious content? Are they doing things they shouldn’t be doing? Are they making suspicious calls to the operating system? Is it trying to get into files that it shouldn’t be getting into?
Now, there are ways to hide things from these automated systems. In fact, obfuscation seems to be the norm when it comes to any program or programming anything. It’s just absolutely amazing. It does look for code signing issues and then it’s designed to return the results to the developer very quickly and say, okay, it’s all set. It is signed. You are ready to go. Then they can put it up for sale on the app store or available for free, et cetera. The same trick over on the Google side.
In this case, in the Google side, they’ve got this alphabet owned malware scanning service called virus total that looks at data from over 60 different antivirus providers to figure out, is this software malicious? Is it using any sort of malicious libraries or routines?
Now we have seen that happen, unfortunately, and it’s scary because we have now found that even in the Apple app store, there have been many apps that included this library that was designed to basically steal personal information from you.
Developers would use this library and it wasn’t flagged by this notarization process. Now you install it and it’s not the main feature of the app, but the app is spying on you. Now, there is a new piece of software out there that they’re actually not all that new. It’s been around for quite a while.
It’s called S H L E Y E R Schleyer and it is a Trojan that has been one of the most prolific pieces of Mac malware now for the last couple of years and it was notarized by Apple. Now, this is interesting, right? This whole notarization thing it’s been in the last couple of major releases, but it snuck by.
There is if you’re an Apple user, there is a piece of software there’s you can put on your Mac called brew and it uses open-source software to install all kinds of features. I use many of these pieces of open-source software all of the time. And they provide functionality that does not come with the base Mac operating system. And so in the case of brew, It is verified and validated by the brew people, right?
Apple has nothing to do with this. There is another site out there called a homebrew.sh, which is a knockoff of the brew site, which is brew.sh. And the number of people were tricked into using that site, this homebrew.sh, and it apparently had fake flash updates. So it pops up and it says, Hey, you need to update.
And we’ve all seen that before if we have flash on our computer. you click on it and open it and install it. In fact, this Schleyer was slash is so smart. It gives you instructions on how to get around Apple’s notarization checks. So in case you didn’t know if you install an app on your Mac and you, first of all, you probably can’t get it to install, but if you do get it to install or if you download it and you try and run it out of your downloads. If you right-click on it, you then have the option to just open it and get around the signatures from Apple.
Not good, not a good thing. So this, bottom line means that you cannot 100% trust these signed apps from Apple or from Google. Just, this is just to remember. Okay. This isn’t something that any of these companies messed up recently. It’s just normal. So be very careful. About what you install and it goes right back to something. I said a little earlier today, which is, do not install any software you do not absolutely need and make sure that you keep it all up to date. Some of this stuff does clickJacking. It tricks users into installing these cryptographic certificates. It decrypts and reads all of your HTTPS traffic.
So if you’re going to a secure server that is using SSL, it’s decrypting it. It’s harvesting your user IDs, everything. Okay.
Apples goof, in this case, and they fixed it very quickly. It was reported to Apple. Apple did not figure this particular one out by themselves. So that goes right back to how important it is to have third parties out there that are looking at security, not just for Apple, but for many other pieces of software.
All right, stick around. When we come back, we’re going to talk about a new little study that was done about the internet of things hardware.
Make sure you get all of this and more. My newsletter, Craig peterson.com/subscribe and stick around. Cause we’ll be right back.
More stories and tech updates at:
Don’t miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text: