Lately the tech media has been full of information about the next generation of desktop/laptop operating systems that will probably come out later this year. Microsoft has been blogging continuously about Windows 8 at the Building Windows 8 blog for months, culminating in the recent announcement of Windows on ARM (WoA) and the Windows 8 Consumer Preview. Apple has also released to developers a preview of OS X 10.8 Mountain Lion.
While all of these new operating systems have their own set of new features, there are some changes and new features that may change the way consumers use and secure their systems. They all have one common theme: they are increasingly being “locked down”, with users being unable to download and run applications without some form of curation by the vendor – i.e., Microsoft or Apple.
Windows 8/Windows on ARM: WinRT and the Windows App Store
Most of the press attention on Windows 8 has focused on its new UI, which is based on the Metro design language currently used by Windows Phone and the Xbox 360 Dashboard. However, Metro apps do not only look different; they are developed completely differently as well.
Metro apps are built using a completely different set of APIs, which is known as WinRT. This represents a break from the previous Windows API, which is in use by all current applications (and malware) on Windows. From a security perspective, there are two key changes with WinRT: first, all WinRT apps are sandboxed. While some developers may find this problematic, this will help minimize the impact of application vulnerabilities.
The second change is far more important. WinRT apps can only be downloaded from the Microsoft-sanctioned Windows Store. This was made clear as far back as September 2011 at the BUILD developer conference. “Sideloading” (downloading and running apps from outside the app store) will be available for developers (and probably enterprise users down the road). However, ordinary consumers will only be able to download apps from the Microsoft-curated app store.
This change will not affect all new Windows versions equally. Desktop and laptop users will be able to use both WinRT and Win32 applications. Microsoft, however, has made clear that it considers WinRT to be the future of development for Windows. Users who buy ARM-powered Windows tablets will only be able to use WinRT apps.
The end result is that users on desktops and laptops will have a user experience that is broadly similar to today’s download-and-run environment. If developers adopt WinRT in significant numbers, these users will be transitioned to a more locked-down environment – such as the one Windows on ARM users will be in right from the start. While more obvious improvements, like the addition of integrated antivirus and reputation technology, have been made to Windows, adding a locked-down app environment to Windows and strongly encouraging its usage is the real game changer that will reach users.
Mac OS X Mountain Lion: Gatekeeper
From a security perspective, the most meaningful change in the upcoming version of OS X is Gatekeeper. It represents the first time a consumer OS has implemented a meaningful attempt at whitelisting based solely on where an app came from.
Gatekeeper, as the name implies, restricts whether applications can run based solely on where they were downloaded from. It has three possible settings:
- Mac App Store. This allows only applications downloaded from the Apple-curated Mac App Store to run on the system.
- Mac App Store and identified developers. This allows programs from the Mac App Store, as well as applications signed by developers who are members of the Mac Developer Program (which costs $99 a year).
- Anywhere. Gatekeeper will not attempt to stop applications from running.
By default, Gatekeeper is set to the second setting. At the very least, this can be seen as Apple’s way of gently “encouraging” developers to be officially associated with it. Whether this setting will stay this way until 2013 (when Mountain Lion’s successor will be released) is unclear.
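To make the three settings concrete, here is an added example (not part of the original post) that maps the verdict printed by macOS’s `spctl --assess --verbose` for an app bundle onto the minimum Gatekeeper setting that would let that app run; the sample spctl output strings are constructed, and `check_app` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example, not from the original post. On a Mac, `spctl --status`
# reports whether Gatekeeper assessment is on, and
# `spctl --assess --verbose <app>` prints a verdict such as
#   /Applications/Foo.app: accepted
#   source=Mac App Store        (or source=Developer ID)
# or "rejected" with a reason. The helper below maps that text onto the
# three settings described above.

# gatekeeper_level <spctl output> -> prints one of:
#   appstore  allowed under "Mac App Store"
#   devid     needs "Mac App Store and identified developers"
#   anywhere  only runs if Gatekeeper is set to "Anywhere"
gatekeeper_level() {
    case "$1" in
        *": accepted"*"source=Mac App Store"*) echo appstore ;;
        *": accepted"*"source=Developer ID"*)  echo devid ;;
        *)                                     echo anywhere ;;
    esac
}

# check_app <path to .app>: hypothetical wrapper that only works on macOS.
check_app() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (not macOS)" >&2
        return 1
    fi
    out=$(spctl --assess --type execute --verbose "$1" 2>&1)
    printf '%s -> %s\n' "$1" "$(gatekeeper_level "$out")"
}

# Constructed sample verdicts, one per Gatekeeper setting.
SAMPLE_APPSTORE='/Applications/Store.app: accepted
source=Mac App Store'
SAMPLE_DEVID='/Applications/Indie.app: accepted
source=Developer ID'
SAMPLE_UNSIGNED='/Applications/Unsigned.app: rejected
source=no usable signature'

if [ "${1:-}" = "--demo" ]; then
    gatekeeper_level "$SAMPLE_APPSTORE"   # appstore
    gatekeeper_level "$SAMPLE_DEVID"      # devid
    gatekeeper_level "$SAMPLE_UNSIGNED"   # anywhere
fi
```

On a real Mac, `spctl --status` shows whether assessment is enabled, and `check_app /Applications/Foo.app` reports the lowest setting under which that bundle would launch.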
What All This Means For Users
Both the Windows and Mac platforms are clearly showing signs of moving towards more restricted, locked-down usage models (like those of smartphones and tablets). Is this something that will help users? Not necessarily.
Existing app stores have had their defenses breached by attackers. The Android Market is replete with examples – which we’ve discussed multiple times here on the Malware Blog. While the iOS App Store has not suffered from the malware problems of the Android Market, fake apps have appeared there as well.
Also, concentrating on malicious apps ignores the fact that many threats to users don’t even have a malware or app component to them. Social networks are under constant attack by scammers and spammers, using tools such as fake apps and survey scams. HTML5 serves as a powerful tool for attackers as well. Even legitimate apps with perfectly good uses are helping themselves to valuable user information.
The trend in modern operating systems – as seen in the move towards app stores on both Windows and OS X – appears to be taking away the user’s ability to decide for themselves what to run and what not to run. Instead of the user being able to make their own decisions, these are left in the hands of curators like Apple and Microsoft. Their message is basically: trust us. We’ll take care of you. Bruce Schneier called this security model feudal security.
The trouble here is that personal user security may not always be at the forefront of the curators’ minds. For example, developers have a strong interest in accessing user information – it makes monetization of their apps much easier. Users may or may not be comfortable with this. Similarly, large companies can be subject to government pressure in a way small independent developers aren’t. Companies who run app stores tend to have operations that can be affected by government; small developers do not.
In addition, app stores tend to encourage lax coding due to the perceived “safety net” of a restricted mobile OS. For example, researchers have already noted that many Android apps contain serious security flaws. Other studies have found that some mobile apps send important user data, such as user names and passwords, over the air without any encryption. If these same unsafe practices persist into apps designed for locked-down desktop OSes, user data could be put at risk.
The threat landscape as we know it for consumers will change dramatically as a result of the decisions by Microsoft and Apple to push an app store business model. While it may be successful in curtailing some security threats, it takes away a large degree of user choice and puts it in the hands of app store curators. Moving to app stores everywhere has serious implications for user security and privacy. Better for the discussion to take place now rather than later.