Saturday 14 November 2015

Apple Faces Twitter Storm Over Mac App Security Glitch


By David Jones
Apple faced the wrath of legions of Mac users after it reportedly allowed a security certificate to expire on Wednesday, leaving customers unable to use some apps.
The expiration appeared to impact a number of apps, including Acorn, Byword, Daisy Disk, Tweetbot and 1Password.
The incident likely stemmed from problems in how the security certificates were managed.
"The big firms, providers of applications and services, want to maintain control of the services and software they are selling," noted Ian Trump, security lead at Logic Now.

In many cases, they have created a certificate ecosystem that "has grown beyond human means to manage," he told TechNewsWorld.

User Complaints

Apple thus far has not made any public statements about the issue, but a number of users have posted similar questions in various developer forums and support pages on the Apple site.
Apple did upgrade the certificate after the glitch was discovered with a new 2035 expiration date, according to The Guardian. However, a large number of users apparently continued to have problems, ranging from an inability to log onto iCloud after forgetting their password to an inability to verify the new certificate because they were unable to log onto the Internet.
Users were widely greeted with error messages instructing them to delete the respective damaged app that failed to open and download it again.
Developer Paul Haddad, of the iOS specialist Tapbots, on Thursday tweeted his discovery of the link between the apps going down and the certificate expiration on Nov. 11.
After taking a break from dealing with the problem, Haddad returned to it to find things had gotten worse.
The source of the problem apparently was an expired SSL certificate, agreed Thomas Reed, director of Mac offerings at Malwarebytes Labs. "Apple recently upgraded the Mac App Store certificate to a more secure SHA-2 algorithm," he told TechNewsWorld. "However, some apps were using a version of OpenSSL that didn't support that and thus were still using an older SHA-1 certificate."
Another potential source of concern is that, beyond Apple's use of outdated certificates, there could be a problem on the developer side as well.
"Potentially, the bigger implication is with Apple developers that are still utilizing old cryptology code," Stephen Pao, GM of security at Barracuda, told TechNewsWorld.

Another Argument for Automation

Allowing the security certificate to expire this week was "obviously a mistake," said Kevin O'Brien, chief executive officer at GreatHorn. "The certificates in question, which ensure that apps are both original -- untampered with -- and not pirated versions of App Store software, should not have been allowed to expire like this."
The certificates were valid from Nov. 11, 2010, through the same date this week, which is a standard validity period, O'Brien explained. SSL certificate expirations prevent apps from living for too long, while at the same time allowing certificate issuance to be a viable business through the use of fees.
"Finally -- and perhaps, fundamentally -- this is an example of why security should be as automated as possible," O'Brien told TechNewsWorld. "Relying on user action is at best a partial solution. Security solutions should be ambient."
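The two failure modes described above, a certificate that expires unnoticed and one still signed with SHA-1, are exactly what a small automated audit can catch. The following script is an added example, not code from Apple or any of the vendors quoted; it assumes the openssl command-line tool is installed, and the 30-day warning threshold is an arbitrary choice.

```shell
# Audit PEM certificates for two conditions: expiry within a window, and a
# SHA-1 (or MD5) signature. Assumes the openssl CLI is on PATH.

check_cert() {
    cert="$1"
    warn_days="${2:-30}"          # flag anything that expires within this many days
    status=0

    # The first "Signature Algorithm" line in the text dump is the algorithm the
    # certificate was actually signed with (e.g. sha1WithRSAEncryption).
    sigalg=$(openssl x509 -in "$cert" -noout -text | awk '/Signature Algorithm/ { print $3; exit }')
    enddate=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)

    case "$sigalg" in
        sha1*|md5*|*SHA1|*MD5)
            echo "WARN $cert: signed with $sigalg (modern clients may refuse to verify it)"
            status=1 ;;
    esac

    # -checkend exits non-zero when the certificate expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "WARN $cert: expires within $warn_days days (notAfter=$enddate)"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK   $cert: $sigalg, notAfter=$enddate"
    return $status
}

# Check every *.pem file in a directory; exits non-zero if any certificate needs attention,
# so the script can sit in a cron job or CI step and fail loudly before an expiry bites.
check_cert_dir() {
    dir="$1"
    window="${2:-30}"
    failures=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        check_cert "$f" "$window" || failures=$((failures + 1))
    done
    echo "$failures certificate(s) need attention"
    [ "$failures" -eq 0 ]
}
```

Run it as `check_cert_dir /etc/ssl/mycerts 30` (hypothetical path) from a scheduled job so that an approaching expiry is reported weeks ahead rather than discovered by users.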
Despite the brouhaha among some Mac users, the long-term impact on Apple likely will be minimal.
"Apple's reputation is safe," said Logic Now's Trump. "This kind of incident has happened to almost all tech companies at one time or another."
