Notarization, introduced with macOS 10.14 Mojave, is a “mandatory” screening process for distribution outside the App Store. It primarily enables Apple to validate that an executable is free from malware. The process is pretty quick and usually takes less than five minutes. Generally speaking, as part of distribution outside of the App Store, developers will: opt into the hardened runtime, completely and validly sign their code, and lastly submit their executable to the Notarization service using either:

- xcrun notarytool
- https://appstoreconnect.apple.com/notary/v2/submissions

After Apple processes the request, developers have two options: staple the resulting ticket to their executable, or skip stapling and rely on Gatekeeper to perform an internet lookup via the com.apple.gk.ticket-delivery endpoint (… as we’ll see below). Gatekeeper’s use of this endpoint is our primary topic of conversation today.
“by default all software in macOS is checked for known malicious content the first time it’s opened, regardless of how it arrived on the Mac”. — Apple Platform Security
Gatekeeper is the runtime security control on macOS, similar to Microsoft Defender SmartScreen on Windows, responsible for enforcing the above. Simply put, Gatekeeper ensures that “all” software downloaded outside the App Store is checked for malicious content on first launch.
The end user’s experience with Gatekeeper is usually in the form of app first-launch prompts which relay information about the underlying Gatekeeper scans. Some top-level artifacts you might see include: which application downloaded the executable, whether it is notarized, the XProtect scan result, whether it fails to meet system policy, etc. Some examples of these prompts can be seen below.
Gatekeeper enforces these system security policies through the /usr/libexec/syspolicyd system daemon. On first launch of new software syspolicyd will check for a stapled notarization ticket. If none is found then it will perform a lookup over the internet to check if the app has been notarized.
[Prompt screenshot] Notarized and meets system policy (trusted developers)
[Prompt screenshot] If the app does not meet system policy (App Store only)
[Prompt screenshot] XProtect detected malware (XCSSET)
There are a few different tools we can use to answer this question. Firstly, since our goal is to identify how Gatekeeper looks up remote tickets, we can target one of two layers for dynamic analysis: the network layer or the application layer (/usr/libexec/syspolicyd).
Firing up a test box and Frida we can immediately get to work by tracing and hooking key functions which may initiate or handle the ticket lookup requests. Using Frida for this task is a fun exercise for those just getting started with dynamic analysis and reverse engineering. If you’re starting from scratch on your own with this task you’ll want to at least answer these questions first to help guide your analysis:
- What libraries is syspolicyd linked to? (otool -L /usr/libexec/syspolicyd)
- Is syspolicyd using any of them? Foundation, Networking, System, etc.
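As an added example (not code from the original post), here is a Frida script in the spirit of the hooking described above: it intercepts outbound NSURLSession requests inside syspolicyd and flags the ones that hit the com.apple.gk.ticket-delivery endpoint. It assumes syspolicyd issues the lookup through NSURLSession (an assumption; if it goes through lower-level CFNetwork calls, those would need hooking instead), and the classification logic is kept in a pure function so it can be exercised outside Frida.

```javascript
// Added example, not from the original post. Frida script to observe
// Gatekeeper's notarization ticket lookups from inside syspolicyd.
// Assumption: the lookup is issued via NSURLSession (hook adjusted otherwise).

// Endpoint name taken from the post.
const TICKET_DELIVERY_MARKER = 'com.apple.gk.ticket-delivery';

// Pure classifier for an outbound request so it can be tested without Frida.
function classifyRequest(urlString, method) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { kind: 'invalid', url: urlString };
  }
  const isTicketLookup =
    url.pathname.includes(TICKET_DELIVERY_MARKER) ||
    url.hostname.includes(TICKET_DELIVERY_MARKER);
  return {
    kind: isTicketLookup ? 'gk-ticket-lookup' : 'other',
    host: url.hostname,
    path: url.pathname,
    method: method || 'GET',
  };
}

// Tally of everything observed, useful for a summary once you detach.
const seen = [];
function record(urlString, method) {
  const entry = classifyRequest(urlString, method);
  seen.push(entry);
  return entry;
}

// Hook installation only runs inside Frida, where ObjC and Interceptor exist.
function installHooks() {
  if (typeof ObjC === 'undefined' || !ObjC.available) return false;
  const sel = '- dataTaskWithRequest:completionHandler:';
  Interceptor.attach(ObjC.classes.NSURLSession[sel].implementation, {
    onEnter(args) {
      // args[0] = self, args[1] = selector, args[2] = NSURLRequest *
      const req = new ObjC.Object(args[2]);
      const entry = record(req.URL().absoluteString().toString(),
                           req.HTTPMethod().toString());
      console.log(`[${entry.kind}] ${entry.method} ${entry.host}${entry.path}`);
    },
  });
  return true;
}

installHooks();
```

On a test box, attach with `sudo frida -n syspolicyd -l gk_ticket_hook.js` and then launch a freshly downloaded, unstapled app to trigger the lookup.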