Code Identity (Code ID)
With the term “identity of a program” we refer to a compact data set which can be used to securely and reliably distinguish a program from any other program. It is usually based on properties of the code signature.
Note that the term “program” used here describes applications like Safari, as well as plain executables like /sbin/ping. Once executed, all those executables become running “processes”. Little Snitch usually works with running processes, not executables on disk.
Little Snitch uses the code ID for two purposes:
- To uniquely identify a program (e.g. in identifier based rules).
- To verify the identity of a program at a specific file system path (e.g. in path based rules).
The data used for both purposes is basically the same.
Advantages of identifying processes by code ID:
- If the program is moved on disk, rules still match.
- If a new version of a program is installed, the code ID is usually the same regardless of where the new version is installed, so rules still match.
What data is used to identify a program?
If the program has a code signature, the code ID consists of the Team Identifier and Identifier from this signature. The Team Identifier is a 10-character string assigned to each developer by Apple. Code from Apple often does not have a Team Identifier. In this case we use the string “APPLE”. The Identifier is an arbitrary string assigned by the developer. It distinguishes the program from other programs by the developer. By convention, the Identifier is in reverse DNS notation, e.g. at.obdev.littlesnitch.
The code ID of Little Snitch therefore is MLZF7K7B5R/at.obdev.littlesnitch, that of Safari is APPLE/com.apple.Safari.
The simulator for iPhones, iPads, Apple Watch and similar devices is a special case: Many programs seen on macOS are also found in the simulator, even with the same code ID. Little Snitch therefore appends /simulator to processes running in a simulator to distinguish them from macOS processes. Safari in a simulator is therefore identified by APPLE/com.apple.Safari/simulator.
Code IDs can also be made for programs which have no code signature, although Little Snitch avoids this because they lack many of the advantages of signature based IDs.
When a program is not signed at all, the code ID is built as SHA256/<sha256 over executable on disk>.
When a program is ad-hoc signed, the code ID is built as ADHOC/<code directory hash>.
There is also the rare case where code is signed, but the certificate was not issued by Apple. In this case we cannot rely on a Team Identifier. We use a hash over the signer’s public key instead. The code ID is built as KEY/<hash over signer’s key>.
Using the code ID to check identity
Previous versions of Little Snitch identified programs by their file system path. Malware could have taken advantage of this by replacing a popular trusted program, e.g. a web browser, which is known to have generous allow rules, with itself. Little Snitch therefore introduced identity checks to make sure this does not happen.
When a code ID is used to verify a program, we call it a Code Requirement because it requires certain features from the program. Code requirements contain basically the same information as the code ID, but may list alternatives, e.g. multiple code directory checksums for universal binaries.
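The following Python is an added illustration, not Little Snitch's own code: it builds a code ID from the signature cases listed above (Team ID, APPLE, /simulator, SHA256, ADHOC, KEY) and shows a path based rule whose identity check rejects a process that merely sits at the trusted path. The SignatureInfo fields, the use of SHA-256 for the KEY variant and the hex cdhash are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignatureInfo:
    # Constructed stand-in (assumption) for what inspecting a code signature yields.
    identifier: Optional[str] = None  # e.g. "com.apple.Safari"; None when unsigned
    team_id: Optional[str] = None     # 10-character Team Identifier, None for most Apple code
    apple_issued: bool = False        # signing certificate issued by Apple
    adhoc: bool = False               # ad-hoc signature, no certificate at all
    cdhash: str = ""                  # code directory hash (assumed hex)
    signer_key: bytes = b""           # signer's public key, used for non-Apple certificates
    executable: bytes = b""           # executable bytes on disk, used when unsigned


def code_id(sig: SignatureInfo, simulator: bool = False) -> str:
    """Build a code ID following the cases described in the help text."""
    if sig.adhoc:
        base = "ADHOC/" + sig.cdhash
    elif sig.identifier is None:
        # No signature at all: fall back to a hash of the executable on disk.
        base = "SHA256/" + hashlib.sha256(sig.executable).hexdigest()
    elif sig.apple_issued:
        # Apple's own code often carries no Team Identifier; use "APPLE" then.
        base = f"{sig.team_id or 'APPLE'}/{sig.identifier}"
    else:
        # Certificate not issued by Apple: hash the signer's key (SHA-256 assumed).
        base = "KEY/" + hashlib.sha256(sig.signer_key).hexdigest()
    return base + "/simulator" if simulator else base


@dataclass
class Rule:
    path: str
    requirement: frozenset  # accepted code IDs; several entries for universal binaries


def rule_matches(rule: Rule, process_path: str, process_code_id: str) -> bool:
    """Path based rule with an identity check: the path alone is never enough."""
    return process_path == rule.path and process_code_id in rule.requirement


if __name__ == "__main__":
    safari = SignatureInfo(identifier="com.apple.Safari", apple_issued=True)
    rule = Rule("/Applications/Safari.app/Contents/MacOS/Safari",
                frozenset({code_id(safari)}))
    # A replacement binary at the trusted path is unsigned and fails the identity check.
    impostor = code_id(SignatureInfo(executable=b"constructed sample bytes"))
    print(rule_matches(rule, rule.path, code_id(safari)),
          rule_matches(rule, rule.path, impostor))
```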
© 2016-2024 by Objective Development Software GmbH