Last Week on My Mac: Heavy hand on the kill switch

Imagine one day you sit in front of your Mac and open one of your apps. Maybe it’s Charlie Monroe’s time-tracking app Eon, or you need to do some invoicing with his UctoX. Instead of seeing the app open, macOS out of the blue tells you that the app which you’ve been using and trusting “will damage your computer”, and should be moved to the Trash. What do you do next?

Exactly that happened to many thousands of Mac users last week. Among the most shocked was the developer of those and other affected apps, Charlie Monroe. On 4 August 2020, according to Apple, one of its automated security systems decided that one of Charlie’s developer distribution certificates, which allows all those apps to run on Macs around the world, was bad and revoked it without even informing the developer.

For Charlie Monroe, this was the start of a nightmare, worse perhaps than those around him being struck down overnight by Covid-19. [Please read my Postscript below.] His software business had vanished with the revocation of his certificate. He couldn’t even log into his developer account with Apple, which had also been taken away from him.

It was also a nightmare for many thousands who rely on Charlie’s software: note these aren’t entertainment or trivial apps, but tools used by many professionals who need to prepare invoices, track their time so they can bill it to customers, and more. Apple wasn’t even telling all those thousands of users that there was a temporary problem, but that Charlie’s software “will damage your computer”.

You’d have thought that, for such a draconian system, Apple might have a phone number staffed 24/7, but Charlie had to wait until Apple’s convenience in opening for the day. It took almost 24 hours before Apple’s error was rectified, and his certificate and developer account reinstated, as you can read in his account.

From Apple’s explanation, this all occurred because an automated security checking system made an error, and automatically revoked his developer’s certificate and account, without any human checking whether this was the correct action. So it could happen again to someone else, maybe me, and you could suddenly find all my utilities “will damage your computer”. Or it could happen to far more important apps, with which you prepare accounts or taxes, or earn your living.

What Apple did to Charlie Monroe on 4 August is inexcusable. We all make errors, but allowing any automated process to make this type of decision is guaranteed to cause serious harm to everyone involved, particularly to large numbers of Mac users.

There’s also the curious question as to why Apple revoked the certificate, rather than pulled one or more of Charlie’s notarizations. When it introduced notarization, one of Apple’s justifications was that it would provide finer control, rather than the huge and heavy-handed kill switch of revoking a certificate and blocking everything signed with it. Perhaps Apple didn’t really mean that after all, but just wanted another level of control over your Mac?
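The distinction between a revoked signing certificate and a pulled notarization is something a user staring at the “will damage your computer” dialog can check for themselves. The script below is an added example, not code from the original post or from Charlie Monroe; it assumes a macOS system where codesign, spctl and `xcrun stapler` are available, and the message strings it matches are the ones codesign prints in my experience rather than anything documented on this page, so treat them as assumptions. The classifier function itself is plain text handling and runs anywhere, which is what the constructed sample outputs at the bottom exercise.

```shell
#!/bin/sh
# Added example (not from the original post): tell a revoked signing
# certificate apart from an unsigned or tampered app bundle, so the reader
# can see which case lies behind a Gatekeeper refusal.
# Assumptions: macOS with codesign(1), spctl(8) and `xcrun stapler` on PATH;
# the codesign message strings below are from experience, not from the post.

# Map the text codesign --verify prints to a one-word verdict.
classify_codesign_output() {
    case "$1" in
        *CSSMERR_TP_CERT_REVOKED*)                    echo "revoked-certificate" ;;
        *"code object is not signed at all"*)         echo "unsigned" ;;
        *"invalid signature"*|*"have been modified"*) echo "tampered" ;;
        *"valid on disk"*)                            echo "valid" ;;
        *)                                            echo "unknown" ;;
    esac
}

# Inspect one app bundle and print three findings.
# Returns 0 when the signature verifies and Gatekeeper accepts it, 1 otherwise.
check_app() {
    app="$1"
    status=0

    sig_out=$(codesign --verify --deep --strict --verbose=2 "$app" 2>&1)
    sig=$(classify_codesign_output "$sig_out")
    echo "signature:    $sig"
    [ "$sig" = "valid" ] || status=1

    # A stapled ticket shows the build was notarized. Revoking the developer's
    # certificate blocks the app even though this check still succeeds, which
    # is the coarse kill switch the post contrasts with pulling a notarization.
    if xcrun stapler validate "$app" >/dev/null 2>&1; then
        echo "notarization: stapled ticket present"
    else
        echo "notarization: no stapled ticket (the app may still be notarized online)"
    fi

    # Gatekeeper's own verdict on launching the bundle.
    if gk_out=$(spctl --assess --type execute -vv "$app" 2>&1); then
        echo "gatekeeper:   $gk_out"
    else
        echo "gatekeeper:   $gk_out"
        status=1
    fi
    return $status
}

# Constructed sample outputs (not captured from any real app), so the
# classifier can be exercised on a system without codesign.
SAMPLE_REVOKED='Example.app: CSSMERR_TP_CERT_REVOKED'
SAMPLE_UNSIGNED='Example.app: code object is not signed at all'
SAMPLE_VALID='Example.app: valid on disk
Example.app: satisfies its Designated Requirement'

# Usage: sh check_app.sh /Applications/Example.app
# With no argument, run the classifier over the constructed samples instead.
if [ "$#" -gt 0 ]; then
    check_app "$1"
else
    for s in "$SAMPLE_REVOKED" "$SAMPLE_UNSIGNED" "$SAMPLE_VALID"; do
        printf '%s -> %s\n' "$(printf '%s' "$s" | head -n 1)" "$(classify_codesign_output "$s")"
    done
fi
```

A result of `signature: revoked-certificate` next to `notarization: stapled ticket present` is exactly the situation described above: the build passed notarization, and it is the certificate, not the notarization, that has been withdrawn.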

Apple has since apologised to Charlie Monroe for its error. It hasn’t released any statement to reassure other developers that it’s changing anything which might prevent such a catastrophe from happening again, nor has it explained to the billions who run third-party software on Apple products how it’s going to prevent a recurrence – which could readily prevent any Apple user from using their software on their computer or device.

With the enormous power of certificate revocation like this, Apple assumes two further responsibilities. The first is to exercise due diligence in wielding that power, and the second is transparency of process to both developers and users. For if we can’t have complete confidence that Apple won’t make such a grave error, then we have lost confidence in Apple as a supplier.

Would you expect anything less if you bought a car with a remote kill switch which its manufacturer could use to disable it completely? Wouldn’t you demand to know what processes were involved in hitting that kill switch, and what safeguards were in force to ensure that couldn’t happen in error or even maliciously? Then extend that kill switch so the manufacturer could disable not just one car at a time, but tens or even hundreds of thousands. Would you be happy for that kill switch to be controlled by an opaque and fully automated process?

Neither has Apple explained whether its automated systems could do this to more widely used products, which are used by millions. Or is this just the privilege of the small independent developer, who has less clout with Apple?

What sort of error was responsible? Is this something, like the appearance of a forged certificate purporting to be one of Charlie Monroe’s, which could be manipulated maliciously? Is there a vulnerability in Apple’s certificate revocation system?

Perhaps the most important question for all of us, though, is how Apple came to revoke the certificate of a developer whose apps have passed its malware checks when undergoing notarization. In revoking that certificate, Apple was surely admitting that malicious software signed by that developer had been detected, and that the Notary Service had proved inadequate to prevent its notarization and distribution. Doesn’t that undermine the whole justification for notarization?

Apple will no doubt try to ride this one out in silence, as it usually does in matters of security. For developers and users, that doesn’t answer these fundamental questions. Can we ever have confidence in Apple again?

Postscript

A couple of you have objected to my comparison between what happened to Charlie Monroe and those around him being struck down by Covid-19, considering it “hyperbole” or “flip”. In my opinion, it is neither, but shockingly accurate, which is exactly how I intend it.

For many independent developers, having their signing certificate revoked without notice or reason is every bit as cataclysmic as the comparison I make. They have pursued a passion, coding long hours, putting everything they have and know into their products. That is also how they pay the bills, feed their family, and keep the roof over their head. When this type of disaster strikes an independent software developer, it can destroy them to the point where they commit suicide.

I hope that you can appreciate the seriousness of the situation that Charlie Monroe was in, and that is what I am trying to convey. For those who feel this is too near the bone, and for those who have lost loved ones and colleagues to Covid-19, I mean no offence, and apologise if you feel it inappropriate. But that is how I feel we should see this, not as a bit of a glitch which was soon fixed. In other cases, it could have ended very differently.