Secure Loadable Bundles (MacOS)

I'm wondering how one might be able to securely load bundles signed by a developer ID into a parent app.

Here's my use case: we have a series of plugin-like bundles that each contain some compiled C code and some wrapper code. They are loaded at runtime to perform some function and maintained in memory for the lifetime of the app. These bundles can be rather large (10-15Mb each), and our app size is growing large as we add them.

Right now these are baked into a framework that is embedded in the app, but we're looking at using a Bundle to load each one individually on demand. We've been successful implementing the on-demand loading. But, we're concerned about maintaining security while loading these into the parent app.

Each bundle is signed by the parent app's developer ID, and it's feasible that we could verify a code signature before loading them without running into performance issues as usually only one is needed at a time.

What we'd like to try and prevent is a bad actor injecting some code into the bundle, and the parent app loading it leading to a compromise of user data. It seems like code signing could help prevent this by verifying that each bundle has not been modified and has been signed by us.

To verify code signature we'd be using SecCode objects and SecCodeCheckValidity to verify them.

So here's the question: is just verifying a code signature enough to prevent breaches of security like the ones we're concerned about? Is this the correct model for this type of use case on MacOS?

Right now these are baked into a framework that is embedded in the app, but we're looking at using a Bundle to load each one individually on demand.

Where are these bundles going to be located on the file system? Embedded inside your main app? Or in some specific directory (say /Library/Application Support/MyApp/PlugIns)? Or at an arbitrary location chosen by the user?

Are you planning to support these bundles being created by other third-party developers? Or is this mechanism solely for your own use?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

They would be in a specific directory, something like what you suggested in Library/Application Support/MyApp/Folder. We are not going to support these packages being created by third-party developers; it would just be a mechanism to slim app size. These are code language support bundles, so we'd also be allowing users to only download language features for languages they use.

We are not going to support these packages being created by third-party developers

In that case the way forward is easy: Make sure that library validation is enabled for your main app. Library validation ensures that your app can only load code signed by you or that’s built in to the OS. Library validation is enabled by default by the hardened runtime, so you just have to make sure you don’t mistakenly turn it off.

The only potential gotcha here is the resources associated with the bundle. If those resources could be exploited as an attack vector, it would make sense for you to verify the code signature of the bundle as a whole. The classic example of this is a nib file.

However, verifying the bundle’s code signature is harder than it seems because of TOCTTOU issues. If you live without that, life will be much easier.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
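The following is an added example, not code from either poster or from Apple, that puts the two halves of this thread together in Swift: a launch-time self-check that the host app really is signed with the hardened runtime and has not opted out of library validation, and a whole-bundle static verification (code and resources, pinned to a Team ID via a requirement string) before loading a language-support bundle, with a cdhash comparison after the load to detect a swap during the load window. The Team ID `ABCDE12345`, the `/Library/Application Support/MyApp/PlugIns` directory, the bundle name `SwiftLanguageSupport` and the `.bundle` naming convention are all assumptions made up for the example.

```swift
import Foundation
import Security

// Constructed values for this example; substitute your own Team ID and bundle location.
let expectedTeamID = "ABCDE12345"   // placeholder Team ID, not a real one
let pluginsDirectory = URL(fileURLWithPath: "/Library/Application Support/MyApp/PlugIns")
let disableLibraryValidationEntitlement = "com.apple.security.cs.disable-library-validation"

enum PluginError: Error {
    case securityFramework(String, OSStatus)
    case hostNotHardened(String)
    case missingSigningInfo(String)
    case bundleChangedDuringLoad
    case loadFailed(URL)
}

/// Returns the signing-information dictionary for a piece of static code.
func signingInfo(for code: SecStaticCode) throws -> [String: Any] {
    var info: CFDictionary?
    let status = SecCodeCopySigningInformation(code, SecCSFlags(rawValue: kSecCSSigningInformation), &info)
    guard status == errSecSuccess, let dict = info as? [String: Any] else {
        throw PluginError.securityFramework("SecCodeCopySigningInformation", status)
    }
    return dict
}

/// Confirms that the running app is signed with the hardened runtime (which turns
/// library validation on) and does not carry the entitlement that turns it back off.
/// Run once at launch; a failure here means the kernel will not enforce "only code
/// signed by us or Apple" when a bundle is mapped.
func verifyHostLibraryValidation() throws {
    var selfCode: SecCode?
    var status = SecCodeCopySelf([], &selfCode)
    guard status == errSecSuccess, let dynamic = selfCode else {
        throw PluginError.securityFramework("SecCodeCopySelf", status)
    }
    var staticCode: SecStaticCode?
    status = SecCodeCopyStaticCode(dynamic, [], &staticCode)
    guard status == errSecSuccess, let code = staticCode else {
        throw PluginError.securityFramework("SecCodeCopyStaticCode", status)
    }
    let info = try signingInfo(for: code)
    let rawFlags = (info[kSecCodeInfoFlags as String] as? UInt32) ?? 0
    guard SecCodeSignatureFlags(rawValue: rawFlags).contains(.runtime) else {
        throw PluginError.hostNotHardened("hardened runtime flag not set on host app")
    }
    let entitlements = info[kSecCodeInfoEntitlementsDict as String] as? [String: Any] ?? [:]
    if let disabled = entitlements[disableLibraryValidationEntitlement] as? Bool, disabled {
        throw PluginError.hostNotHardened("\(disableLibraryValidationEntitlement) is present")
    }
}

/// Verifies a plug-in bundle as a whole (every architecture slice, nested code and
/// resources such as nibs) against a requirement pinned to our Team ID, and returns
/// the bundle's cdhash so the caller can detect a change later.
func verifyPlugin(at url: URL) throws -> Data {
    var staticCode: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(url as CFURL, [], &staticCode)
    guard status == errSecSuccess, let code = staticCode else {
        throw PluginError.securityFramework("SecStaticCodeCreateWithPath", status)
    }
    // Developer ID chain anchored at Apple, leaf certificate OU equal to our Team ID.
    let requirementText = "anchor apple generic and certificate leaf[subject.OU] = \"\(expectedTeamID)\""
    var requirement: SecRequirement?
    status = SecRequirementCreateWithString(requirementText as CFString, [], &requirement)
    guard status == errSecSuccess, let req = requirement else {
        throw PluginError.securityFramework("SecRequirementCreateWithString", status)
    }
    let checkFlags = SecCSFlags(rawValue: kSecCSCheckAllArchitectures | kSecCSCheckNestedCode | kSecCSStrictValidate)
    status = SecStaticCodeCheckValidity(code, checkFlags, req)
    guard status == errSecSuccess else {
        throw PluginError.securityFramework("SecStaticCodeCheckValidity", status)
    }
    guard let cdhash = try signingInfo(for: code)[kSecCodeInfoUnique as String] as? Data else {
        throw PluginError.missingSigningInfo("kSecCodeInfoUnique")
    }
    return cdhash
}

/// Verify, load, then verify again and compare cdhashes. This only narrows the
/// TOCTTOU window between the check and the load; for the code itself the real
/// guarantee comes from kernel-enforced library validation (hence the host check).
/// A mismatch after loading is treated as fatal because the code is already mapped.
func loadPlugin(named name: String) throws -> Bundle {
    let url = pluginsDirectory.appendingPathComponent("\(name).bundle")
    let cdhashBefore = try verifyPlugin(at: url)
    guard let bundle = Bundle(url: url), bundle.load() else {
        throw PluginError.loadFailed(url)
    }
    let cdhashAfter = try verifyPlugin(at: url)
    guard cdhashBefore == cdhashAfter else {
        throw PluginError.bundleChangedDuringLoad
    }
    return bundle
}

do {
    try verifyHostLibraryValidation()
    let bundle = try loadPlugin(named: "SwiftLanguageSupport")  // constructed bundle name
    print("Loaded plug-in, principal class:", bundle.principalClass as Any)
} catch {
    fatalError("Refusing to load plug-in: \(error)")
}
```

The static check covers the resources that library validation does not (the nib case above), while the host self-check guards against the one configuration mistake that silently removes the kernel-side protection. Verifying the whole bundle with `kSecCSStrictValidate` and `kSecCSCheckNestedCode` is noticeably slower than a plain executable check, which is acceptable here because only one bundle is loaded at a time.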
