Most anti-virus companies trust the Gatekeeper security technology in Apple’s Mac products so much that they use unencrypted HTTP lines, instead of HTTPS, to transmit their software to Macs. They believe Gatekeeper would guarantee authenticity of the download by recognizing the digital signatures anti-virus companies sign their software with.

Apple Gatekeeper Anti-Virus

Gatekeeper doesn’t check all components

But former NSA researcher Patrick Wardle told Thomas Fox-Brewster of Forbes that he has found a way to bypass the Apple Mac’s Gatekeeper security and abuse such insecure downloads. Wardle told Fox-Brewster that the Gatekeeper does not check all components of the OS X download files. A malicious version of a “dylib file” (dynamic library) can be sneaked into legitimate downloads performed over insecure HTTP lines. This way you can infect Macs and steal data.

However, apps downloads via Apple’s Mac app store are not vulnerable. If a hacker can “hijack” dylib processes in Mac apps, they can attack an Apple computer and steal user data. Wardle admits that this kind of attack won’t be easy. The first step is to get on the same network as the target. Then you have to put in a legitimate but vulnerable application into the download.

Apple’s XCODE can also be abused

Next, rearrange the .dmg content so that your legitimate software is shown to the target. That’s not a tricky thing because you can set an icon and name of the vulnerable app to make sure that nothing looks suspicious. To find vulnerable apps, Wardle created a scanner that identified apps that would use his malicious dylib files, according to Forbes.


The scanner identified over 150 such apps on Wardle’s own Mac. It included Dropbox, iCloud Photos, Microsoft Word and Excel. Apple’s GPS Keychain and developer tool XCODE can also be abused. When the target launches the injected legitimate app, the unsigned naughty dylib files are loaded or executed even before the app’s main code. The dylibs can do anything at this point.

Apple Hijack

Wardle said that the attack could also work on downloaded .zip files that contain applications.