Brave CEO Eyes Mac App Store After macOS Security Flaw Targets Direct Downloads
Brave CEO Brendan Eich says his company may reconsider distributing its privacy-focused browser through the Mac App Store after security researchers exposed a macOS vulnerability affecting apps downloaded directly from developer websites.
The debate surfaced when researchers at Mysk posted findings on X about a macOS Archive Utility bug, tracked as CVE-2026-28910, that let attackers bypass Apple’s App Sandbox — a system designed to isolate app data and limit damage from malicious software.
Mysk specifically named Brave and Mullvad as vulnerable to executable hijacking, a technique where an attacker replaces a legitimate program file with a malicious one. The researchers praised DuckDuckGo as the only private browser distributed through the Mac App Store, noting that sandboxed distribution mitigates the attack vector.
Eich Responds
Eich joined the thread after a user tagged him directly. He argued Apple should fix macOS itself rather than pushing developers into its walled ecosystem.
Still, he acknowledged the flaw changes the calculus. He said putting Brave on the Mac App Store “has hair on it” but is something his team can revisit.
The phrase signals real friction, not a clean path forward. Browser developers have long resisted App Store distribution because Apple’s review process can delay emergency security patches by days or longer — a serious problem when a zero-day exploit, meaning a vulnerability attackers actively exploit before a fix exists, is in the wild.
The Patch Question
Apple has already patched CVE-2026-28910 in its macOS 26.4 update, removing the immediate threat that started the discussion.
An independent researcher responding to Mysk also said the original exploit required a victim to manually run an attacker’s shell script and drag and drop files — a high bar for real-world exploitation.
Mysk pushed back hard. The firm said other unpatched local vulnerabilities currently exist in macOS that can hijack executables without any user interaction.
That claim raises the stakes considerably. If accurate, it means the patched Archive Utility bug was one instance of a broader class of risks that direct-download apps still face.
The App Store Trade-Off
The core tension for browser makers is speed versus security architecture. App Store distribution adds a layer of sandboxing that limits what a compromised or malicious app can access on a user’s system.
By contrast, direct downloads give developers full control over update delivery — meaning they can push critical patches instantly, without waiting for Apple’s review team to sign off.
For a browser handling passwords, financial data, and private communications, that update lag carries real risk. Even so, surrendering update autonomy to Apple is a significant operational concession for any developer.
Brave launched in 2016 and has built its user base largely on a direct-download model that bypasses platform gatekeepers. The browser uses a built-in ad blocker and routes traffic to limit advertiser tracking.
Whether Eich’s comments translate into an actual App Store submission remains unclear. No timeline or commitment has come from the company.
