Flutterby™! : App Store Sandboxing


App Store Sandboxing

2011-11-04 03:39:05.189124+00 by Dan Lyke 5 comments

Interesting: Macworld: Mac App Store sandboxing coming in March, developers wary.

When developers submit apps that adhere to Apple’s sandboxing restrictions, they can request specific “entitlements” for their apps, like read/write access to the user’s Music, Downloads, or Pictures folders, interaction with USB devices, printing, access to the built-in microphone, and others. Unlike other platforms (including Windows and Android), which display a list of features that apps will be able to access and ask for a user’s approval, Apple will determine whether an app should be granted the entitlements the developer requests as part of the Mac App Store approval process.
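The mechanism the excerpt describes is concrete: an app's sandbox status and its requested entitlements are declared in an entitlements property list that is baked into the code signature, and the review process decides which of those keys the app actually gets. The script below, an added example that is not code from the page or from Apple, audits such a plist. The entitlement key names are Apple's documented App Sandbox keys; the two plists it reads are constructed sample input, not taken from any real app, and the "editor" one is modelled on the kind of request a text editor that must touch files outside its bundle would make. It also handles the case the later discussion turns on: an app that never opts into the sandbox at all, for which the other keys are simply not enforced.

```python
"""Audit a Mac App Sandbox entitlements plist.

Added example, not from the original page or from Apple. Entitlement key
names are Apple's App Sandbox keys; the sample plists are constructed.
"""
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

# Apple's App Sandbox entitlement keys (a subset), with our own one-line gloss.
KNOWN = {
    "com.apple.security.files.user-selected.read-write": "read/write files the user picks in an open/save panel",
    "com.apple.security.files.downloads.read-write": "read/write ~/Downloads",
    "com.apple.security.assets.music.read-write": "read/write ~/Music",
    "com.apple.security.assets.pictures.read-write": "read/write ~/Pictures",
    "com.apple.security.device.usb": "talk to USB devices",
    "com.apple.security.device.microphone": "record from the built-in microphone",
    "com.apple.security.print": "print",
    "com.apple.security.network.client": "make outbound network connections",
    "com.apple.security.network.server": "listen for inbound connections",
    "com.apple.security.temporary-exception.files.absolute-path.read-write":
        "read/write the listed absolute paths (temporary exception, reviewed case by case)",
}

# Constructed sample: a sandboxed editor that needs files outside its bundle.
EDITOR_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.print</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/usr/local/</string>
    </array>
</dict>
</plist>
"""

# Constructed sample: an app that never opts into the sandbox. Its network
# entitlement is meaningless, because nothing restricts it in the first place.
UNSANDBOXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""


def audit(plist_bytes):
    """Parse an entitlements plist and summarise what it asks for."""
    ents = plistlib.loads(plist_bytes)
    # The sandbox is only active when this key is literally <true/>.
    sandboxed = ents.get(SANDBOX_KEY) is True
    # Keep keys whose value is truthy (<true/>, or a non-empty array of paths).
    requested = sorted(k for k, v in ents.items() if k != SANDBOX_KEY and v)
    return {
        "sandboxed": sandboxed,
        "requested": requested,
        "unknown": [k for k in requested if k not in KNOWN],
        "temporary_exceptions": [k for k in requested if ".temporary-exception." in k],
    }


def describe(report):
    """Render an audit report as text a reviewer can read at a glance."""
    lines = []
    if report["sandboxed"]:
        lines.append("sandboxed: yes")
    else:
        lines.append("NOT SANDBOXED: %s is absent or not true; the App Sandbox "
                     "entitlements below are not enforced at all." % SANDBOX_KEY)
    for key in report["requested"]:
        lines.append("  %s: %s" % (key, KNOWN.get(key, "not in our table, review manually")))
    if report["temporary_exceptions"]:
        lines.append("  ! temporary exceptions present; expect reviewer pushback")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, blob in (("editor", EDITOR_PLIST), ("unsandboxed", UNSANDBOXED_PLIST)):
        print("==", name)
        print(describe(audit(blob)))
```

On a Mac, the entitlements a shipped app actually carries (as opposed to what its source tree requests) can be dumped from its signature with `codesign -d --entitlements :- /Applications/Example.app` and fed straight into `audit()`; the `:-` form writes the plist XML to stdout with the signature blob header stripped.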

[ related topics: Apple Computer Music Photography Microsoft Macintosh ]

comments in ascending chronological order:

#Comment Re: made: 2011-11-04 09:33:07.366648+00 by: DaveP

See also Apple pushes back sandboxing deadline as devs struggle with tradeoffs.

In some cases, these entitlements make eminent sense, such as for BBEdit (written by Rich Siegel, who's quoted in both articles), which needs to modify files outside its bundle in order to be useful. But every development team with an existing app that's looking at sandboxing has been trying to figure out what the rules really are. My take is that the rules are not at all fixed, and Apple's trying to figure them out, too.

#Comment Re: made: 2011-11-04 13:37:12.120725+00 by: other_todd

As I commented to Medley - who also had a link making the same point - sandboxing is pretty inadequate as a security measure if there's not a single supply channel for all software. If you want to write malware that plays with things it shouldn't be allowed to touch, you simply don't submit it to the App Store.

Understand, I LIKE the straitjacket Apple puts on applications for the iPad and iPhone. I'm sure it would make me crazy as a developer, but as a user I value the confidence it provides. But they locked down the app channel there, and for Macs, it's far too late to do that.

Any standard I can think of which would make for a well-behaved app - for example, asking the user ("Hey, can I have a connection to the internet plzthx?") - falls down because non-well-behaved apps can just refuse to cooperate. This is why I use a fairly invasive firewall set on kill - some form of trusted external policeman seems to be required.

[It also has been revelatory in unexpected ways, such as revealing that my ThinkPad's update utility wants to call the mothership EVERY SINGLE DAY even though I have expressly told it not to. Not that I think it's malware; but I tell it no simply because I don't think it can possibly be communicating anything I want it to communicate. If I want a BIOS update I'll go look for one.]

#Comment Re: made: 2011-11-04 14:19:49.273087+00 by: TheSHAD0W

The obvious solution would be to sandbox the developer suite as well, with configurable overrides. If the app won't run, find out why, and checkmark the box for the override needed to get it to work (or disable the behavior in your code). You'll then know which ones need to be submitted.

#Comment Re: made: 2011-11-04 16:17:32.994459+00 by: Dan Lyke

Real Security in Mac OS X Requires Apple-Signed Certificates is a good look at a lot of the issues flying around here from a developer's perspective.

#Comment Re: made: 2011-11-05 05:59:05.772834+00 by: igor'

I think where this is really going is towards the Apple TV, which will run OS X in locked-down mode so it will be idiot-proof.