Does macOS check an app for tampering when you open it?

In iOS/iPadOS, the operating system always checks to see if an app has been tampered with before running it. As Apple Platform Security explains,

At runtime, code signature checks of all executable memory pages are made as pages are loaded to help ensure that an app hasn’t been modified since it was installed or last updated.

This is critical for security because if any malicious code seeks to tamper with an app after it is installed, it will be detected by the iOS/iPadOS operating system and blocked from executing.

So I wondered whether macOS 15 offers the same runtime code-signature checks. I did a quick investigation, and the answer is “sort of”.

Downloaded a Mac App Store app

As an experiment, I downloaded Microsoft’s Windows App from the Mac App Store. Then I copied the downloaded app from the “Applications” folder into a temporary folder. Next, I right-clicked on the app in Finder and selected the “Show Package Contents” menu option.

Tampered with that app

Now, I can see the app as a folder with all its content. I deliberately made a tiny modification to this file by removing an empty line at the end:

/Contents/Resources/style.css

Confirmed that the app fails code-signature verification

After modifying that CSS file, I confirmed that this app fails the code-signature check by running this command in Terminal:

codesign -v --verbose=2 ./Windows\ App.app

I got this response from this command:

Windows App.app: a sealed resource is missing or invalid
file modified: Windows App.app/Contents/Resources/style.css

By making that tiny modification, I had broken the app’s cryptographic ‘seal’, and this command confirms that the seal is broken.

Did macOS stop me from running that tampered app?

I double-clicked on the tampered app to open it.

At first, the app runs!

This implies that, unlike iOS/iPadOS, macOS does not perform a runtime code-signature check on the app when it is opened. That means that if malware tampered with the app after installation, macOS would not detect it.

But this is when it gets weird.

I repeated the experiment a few times, making the exact same modification to the same file in the app. But a few times, I got this error message when I attempted to open the tampered app:

So sometimes, macOS detected that the app was tampered with and warned the user about it.

Conclusion

If a Mac App Store app is tampered with after installation, macOS sometimes detects that its cryptographic ‘seal’ is broken and warns the user about it.

This is not good enough for me.

You can manually check whether an app has been tampered with by running the “codesign” command. But this type of runtime code-signature check should always be performed by macOS, not just sometimes!
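Since the post recommends checking by hand with codesign, here is a small script that automates that check across every app bundle in a folder and reports which ones fail the seal verification and which files changed. This is an added example, not code from the post or from Apple; it shells out to the real codesign tool (so it only runs on macOS) and parses its output. The "file modified:" wording and the summary line are taken from the output quoted in the post; the "file added:" and "file missing:" prefixes are other codesign resource-seal messages from my knowledge of the tool, and the sample output embedded below is constructed from the post's two lines.

```python
#!/usr/bin/env python3
"""Report installed .app bundles whose code-signature seal no longer verifies.

Added example wrapping the same `codesign` check the post runs by hand.
"""
import shutil
import subprocess
from dataclasses import dataclass, field
from pathlib import Path

# Prefixes codesign prints for resource-seal mismatches, mapped to a short kind.
# "file modified:" is the one shown in the post; "file added:" and "file missing:"
# are the tool's other messages for the same class of failure (assumed wording,
# not from the post).
_CHANGE_PREFIXES = {
    "file modified: ": "modified",
    "file added: ": "added",
    "file missing: ": "missing",
}

# Constructed sample: the two lines the post got back from codesign (exit status 1).
SAMPLE_STDERR = (
    "Windows App.app: a sealed resource is missing or invalid\n"
    "file modified: Windows App.app/Contents/Resources/style.css\n"
)


@dataclass
class SealReport:
    app: str
    intact: bool
    reason: str = ""
    changed_files: list = field(default_factory=list)  # (kind, path) tuples


def parse_codesign_output(app: str, returncode: int, stderr: str) -> SealReport:
    """Turn codesign's exit status and stderr into a SealReport.

    codesign exits 0 when the seal verifies. On a broken seal it exits non-zero,
    prints a summary line ("<app>: <reason>") and one line per offending file.
    """
    if returncode == 0:
        return SealReport(app=app, intact=True)
    reason = ""
    changed = []
    for line in (ln.strip() for ln in stderr.splitlines() if ln.strip()):
        for prefix, kind in _CHANGE_PREFIXES.items():
            if line.startswith(prefix):
                changed.append((kind, line[len(prefix):]))
                break
        else:
            # First non-file line carries the summary; drop the "<app>: " prefix.
            if not reason:
                reason = line.split(": ", 1)[1] if ": " in line else line
    return SealReport(app=app, intact=False, reason=reason, changed_files=changed)


def verify_bundle(app_path: Path) -> SealReport:
    """Run codesign against one .app bundle (macOS only; codesign must be on PATH)."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; this check only runs on macOS")
    proc = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", "--verbose=2", str(app_path)],
        capture_output=True,
        text=True,
    )
    # codesign writes its verification messages to stderr, not stdout.
    return parse_codesign_output(app_path.name, proc.returncode, proc.stderr)


def scan_applications(root: Path = Path("/Applications")) -> list:
    """Verify every .app directly under `root` and return a report for each."""
    return [verify_bundle(p) for p in sorted(root.glob("*.app"))]


if __name__ == "__main__":
    for report in scan_applications():
        if report.intact:
            continue
        print(f"SEAL BROKEN  {report.app}: {report.reason}")
        for kind, path in report.changed_files:
            print(f"    {kind}: {path}")
```

Run it periodically (for example from launchd) and alert on any non-empty output; because a broken resource seal only tells you that something under the bundle changed, the changed-file list is what you would hand to whoever investigates.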

