netnix.org
Networking and Unix


The Impending Death of Java on MacOS

April 22nd, 2014

It seems Apple’s long-term goal is to eventually drive a wooden stake through any technology that doesn’t adhere to their vision of the future. Before they had finished putting the final nails in the coffin of Flash, they moved on to Java and placed it firmly within their crosshairs. This hasn’t been totally unwarranted though: Oracle has had a lot of bad press recently (and Sun historically) with respect to Java security, which has resulted in Apple disabling Java in the browser on numerous occasions until exploits and vulnerabilities have been patched – a strategy that some think was drastic, but it places pressure on vendors to fix things quickly and in this case, it appears to have worked.

Extreme care should be taken with any technology or application which is allowed to be executed on your local machine from a web browser. If browser security were better, we might not have quite as many machines out there with numerous layers of malware installed on them.

However, they have now pretty much killed Java Web Start on MacOS since introducing Gatekeeper in Mountain Lion (OSX 10.8). Java 8 was considerably delayed so Oracle could focus on strengthening the security of Java, which has been beefed up since Java 7 Update 51 – this changes your default security settings to only permit running JAR files which have been signed by a trusted Certificate Authority.

So, after putting together a Java Web Start application and getting it signed with a Code Signing Certificate issued by a trusted Certificate Authority, you would think Apple would allow it to run. It appears this isn’t the case: unlike Windows, which will launch your Java application, Apple have decided that they don’t trust Certificate Authorities and they only trust applications which have been signed with a Developer ID and downloaded from the Mac App Store – something which isn’t possible as Apple doesn’t support Java applications in the App Store.


The only solution at present is to modify the settings of Gatekeeper and permit it to run applications downloaded from “Anywhere” – something that most people won’t be willing to do.

Luckily, Apple hasn’t introduced such restrictions on standalone Java applications, but I suspect it won’t be too long before Apple will try to clean the Mac platform completely of anything not written in Objective-C and developed using Xcode.
