{
	"id": "1cc12ccd-92cf-4f80-a127-e30d57db8ae2",
	"created_at": "2026-04-06T00:10:47.019742Z",
	"updated_at": "2026-04-10T03:20:16.483165Z",
	"deleted_at": null,
	"sha1_hash": "80de4a5682abd8260c7b93378cef44f591ba74a2",
	"title": "Bypassing Apple’s Gatekeeper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77721,
	"plain_text": "Bypassing Apple’s Gatekeeper\r\nBy Thomas Reed\r\nPublished: 2015-10-05 · Archived: 2026-04-05 22:51:08 UTC\r\nEver since Apple first introduced Gatekeeper, malware creators have been trying to find a way around it.\r\nMany different pieces of malware have done so, but at the Virus Bulletin Conference in Prague, Patrick Wardle, a\r\nsecurity researcher at Synack, presented his findings on some new and interesting ways to skirt Apple’s security.\r\nFirst, let’s take a look at what Gatekeeper is. OS X has a security feature called file quarantine, and when a file is\r\ndownloaded by a well-behaving app, it is “quarantined.” When you open a newly-downloaded application and OS\r\nX asks you if you’re sure you want to open it, that’s quarantine in action.\r\nGatekeeper is built on top of quarantine. When you try to open an app, Gatekeeper checks it out to see if it’s legit.\r\nIf the app isn’t digitally signed, and your security settings specify that only apps signed by “identified developers”\r\nare allowed (the default setting), then Gatekeeper won’t let you open it.\r\nIf you set it to the most restrictive setting, not even a digitally signed app is good enough, unless it was\r\ndownloaded from the App Store. Gatekeeper will reject all others.\r\nThere have always been ways to get around the walls, though. The key to getting through the gate is\r\nunderstanding that the guards only check those who have already had their hands stamped, so to speak.\r\nSpecifically, in order to get stopped by Gatekeeper, an app must have been downloaded from the internet using a\r\nquarantine-savvy app, resulting in it being marked with a “quarantine flag.”\r\nAn app could very easily get on your system without this flag if it were copied from a USB flash drive, optical\r\ndisk, external hard drive, or even from a drive shared over the local network. This could also happen if you\r\ndownload an app using software that does not properly set the quarantine flag on files it downloads. (Torrent apps\r\nare frequent offenders.) In either of these cases, an app could be opened with no warnings, and without being\r\nscreened by any of the built-in security in OS X.\r\nBeyond this kind of thing, vulnerabilities used to be the only other way known to bypass Gatekeeper. For\r\nexample, in 2012 and 2013, there was a glut of malware that relied on Java vulnerabilities to get installed.\r\nBecause this malware was downloaded and installed behind the back of the quarantine system, it also was able to\r\nbypass Apple’s security measures.\r\nhttps://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/\r\nPage 1 of 3\r\nHowever, Wardle has discovered some other interesting ways to bypass Gatekeeper. In March, he wrote a paper\r\non dylib hijacking on OS X, which allows a hacker to trick a vulnerable app into loading and executing the code\r\nin a malicious dynamic library. Packaged properly, a hacker could use a legit app as a payload to deliver malware.\r\nA legit app would be capable of passing Gatekeeper’s checks, while a malicious dynamic library that it inadvertently\r\nloaded would never be examined by Gatekeeper.\r\nAt Thursday’s talk in Prague, Wardle revealed yet another, similar attack vector. Some apps, including apps made\r\nby Apple, are known to load secondary “helper” apps or other executable files as needed. An example given by\r\nWardle is Adobe Photoshop.\r\nPhotoshop will load and execute files found in its Plug-ins folder. If a hacker were to package an unmodified copy\r\nof Photoshop in a folder also containing an invisible Plug-ins folder with a malicious executable inside, that\r\nmalicious code would execute without any chance of being blocked by Gatekeeper.\r\nWorse, a hacker wouldn’t necessarily need to rely on users downloading a file from a weird site. If a hacker were\r\nable to get into a privileged position between you and the server you were downloading an app from, it would be\r\npossible to substitute a modified download for the legit one.\r\nThis lowers the bar for getting malware past Gatekeeper, and unfortunately, hackers are already starting to look in\r\nthis direction. The recent XcodeGhost malware, for example, involved a modified copy of Apple’s Xcode\r\nsoftware, which was made to load malicious code and, from there, was used to inadvertently create thousands of\r\niOS apps that made it into the App Store.\r\nAs Wardle points out, it’s time for Apple to make some changes to the way this system works. It’s no longer good\r\nenough to only examine files with the quarantine flag before running the code inside them. There are simply too\r\nmany holes in the wall, and the Gatekeeper is only watching one of them.\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/"
	],
	"report_names": [
		"bypassing-apples-gatekeeper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80de4a5682abd8260c7b93378cef44f591ba74a2.pdf",
		"text": "https://archive.orkl.eu/80de4a5682abd8260c7b93378cef44f591ba74a2.txt",
		"img": "https://archive.orkl.eu/80de4a5682abd8260c7b93378cef44f591ba74a2.jpg"
	}
}