Apple Mac OS X Lion Includes Revised Encryption Mechanism

The safe move by Macintosh owners may be to decrypt any encrypted files before upgrading to Lion because of Apple's changes in the encryption mechanism in the latest edition of Mac OS X, according to a security specialist.

Apple has added a number of new privacy and security features into the latest version of the Mac operating system, expected by the end of July.

The Mac OS X Version 10.7, code-named "Lion," has over 250 new features, including more controls over user privacy and security capabilities to keep users safe. The new operating system is expected in July, but no one knows the exact timing.

Endpoint security vendor Safend offers several kinds of security protection for data, including encryption, controlling with whom a file can be shared and identifying user-access rights. While developing its security tools for Mac OS X Lion, the Safend team identified certain changes that could affect how people work with the new operating system, Edy Almer, Safend vice president of marketing and business development, told eWEEK.

Apple has revamped its approach to encryption, so users should be careful when upgrading from "Snow Leopard" to "Lion." If they have encrypted any files using FileVault or other encryption tools, they should first decrypt those files before running the upgrade process, Almer advised. Once the operating system has finished the upgrade process and the user has ensured everything is working correctly, it would "be safer" to re-encrypt the files, Almer said.

Apple made some changes to the way it implemented encryption in Lion, according to Almer, but he didn't know exactly what those changes were. He said there wasn't a lot of documentation available at the moment on the way the new encryption scheme worked.

"Whenever you aren't sure what changed in an encryption product, it's safer to do the upgrade without it running," Almer said.

In previous versions of Mac OS X, encryption was handled on a file-by-file basis. The operating system did not offer a way to fully encrypt the disk. That hasn't changed in Lion, according to Almer. However, under Lion, users would be able to encrypt their Time Machine backups as well.

According to Apple, ASLR (address space layout randomization) has been improved for all applications, making it harder for attackers to target 64-bit applications.

"The kernel is definitely 64-bit," Almer said. All drivers now must be 64-bit or they won't work on Lion, he said, calling this a "big change for anyone who develops" for the Mac platform. Up until now, it was "optional" to have 64-bit, but now it will be "mandatory," Almer said.

For privacy, Lion features a new Privacy pane, a central location for enabling and disabling location services and data collection, as well as for designating which applications have access to location information. An icon appears in the menu bar whenever an application requests that information, making it easy for users to see what the app is doing.

Apple also has improved its sandbox technology so Websites and applications are isolated from each other and from the operating system. Malicious Websites and applications are automatically trapped within the sandbox and unable to access the data stored elsewhere on the system.

Apple is still very consumer-focused and Lion reflects that, Almer said. The goal is to make everything easier and more straightforward. To that end, Apple has moved a lot of housekeeping and system tasks to automatically run in the background.

Editor's Note: This story was updated to reflect the correct title of Safend executive Edy Almer.