Snake&Apple VI — AMFI

Karol Mazurek
22 min readMar 25, 2024

Introduction to the Apple Mobile File Integrity on the macOS with Python


Welcome to another article in the series on macOS security internals!

In Snake&Apple II — Code Signing, I explained how Code Signing works and introduced AMFI’s Trust Caches without further explanation.

Later, in Snake&Apple IV—Dylibs, I introduced the Dynamic Library concept and protections against Dynamic Library Hijacking vulnerability.

Then, in Snake&Apple V—Dyld, I presented Dyld Environment Variables, of which DYLD_INSERT_LIBRARIES has special meaning in macOS security as it allows for injecting custom code into a process memory using Dylib.

This article extends the above topics and explains (AMFI) the Apple Mobile File Integrity kernel extension, which plays a huge part in the process of Code Signature validation and protects against unsigned code injections.

The major part of this article describes the startup of the Kernel Extension from its early boot loading until it registers as a MAC policy.

Then, it shows how specific AMFI policy can be called by other system components focusing on protection against DYLD_INSERT_LIBRARIES.

Lastly, the article explains how AMFI communicates with amfid via Mach messages with…