Developers aren't FORCED to use the MacApp store and Mac users aren't FORCED to buy apps from it.... if a dev's application is that sophisticated then they should sell it directly from their website and bypass the MacApp Store rules... plus they get to keep 100% of their profits.
 
I do not need a sandbox. I'm not a kid. Or who needs limited functionality?

The sandbox isn't for you, but for the app to play in. It's not about limiting functionality, but about limiting access to the system that would go beyond an app's functionality. That's the theory at least. In practice, Apple's approach to sandboxing still needs a lot of work to not hinder app developers' efforts (or so it seems).
 
Developers aren't FORCED to use the MacApp store and Mac users aren't FORCED to buy apps from it.... if a dev's application is that sophisticated then they should sell it directly from their website and bypass the MacApp Store rules... plus they get to keep 100% of their profits.

They get to keep 100% of their profits from apps they sell on the MAS as well! :D
 
literally said "look.. we want to stay in business, and if we don't put our stuff in the app store apple has made it clear they will not take our other apps".

Dude you are so full of *****. Apple hasn't threatened anyone that they must include their apps in the App store. Fact is that it's cheaper to publish via the app store than to manage it all on your own. Ambrosia will save money by selling their apps in the App Store but Wiretap shouldn't be there. Same as some of my developer utilities. MAS is there for the general public to buy software with some security. So a photo retoucher like Pixelmator is great for MAS but a packet sniffer and analyzer not for the MAS targeted audience.
 
What? Why do Mac App Store apps need sandboxing as a way of keeping them secure?! Surely Apple aren't going to let developers post viruses into the Mac App Store any more than with the iOS App Store, so the apps don't need to be sandboxed?

That is not what sandboxing is about.

Here is how a hacker attacks a system: They find some application that is badly programmed. They find a way to take control of that application. And once they have control of that application, they take control of your computer.

With good programming you can prevent a hacker from taking control of the application, so they are stuck. But no programming is perfect. So Apple adds another layer of defense: Sandboxing means that even if a hacker takes control of an application, that application itself cannot do much damage, and so the hacker is stuck again.

A good example is a video player. A video player must decode a video. The code for decoding the video is highly complicated. The more complicated that code is, the higher the chance that there is a bug that would let some hacker take control of it, in this case by feeding the player video data that exploits the bug in the code. Now comes sandboxing: The video decoder is put into its own sandbox with extremely little capability: All it can do is take a stream of bytes (the compressed video) and produce a sequence of images (the individual frames of the movie). The sandbox doesn't give the video decoder any access to files, to the network, to anything, just the stream of bytes that it can read, and the images that it creates. So even if a hacker takes complete control of the video decoder, the hacker cannot do more than read the compressed video, and create images. Nothing they can do to harm your computer.

So all this is not about controlling what the application does, but making sure that a hacker that breaches the Mac's and the application's defenses still cannot do anything harmful.
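
The decoder-in-a-sandbox idea from the post above, as an added example that is not part of the original thread. It generalizes from Apple's App Sandbox to Linux seccomp strict mode (an assumption, chosen because it shows the same "bytes in, frames out, nothing else" confinement); the toy run-length decoder and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy decoder standing in for a complex codec: expands (count, value) pairs. */
static void decode_stream(int in_fd, int out_fd, int compromised) {
    unsigned char pair[2], run[255];
    /* Simulated hijack: the decoder reaches for a file. Under strict seccomp
       the open() syscall is not permitted, so the kernel kills the process. */
    if (compromised && open("/etc/hosts", O_RDONLY) >= 0) return;
    while (read(in_fd, pair, 2) == 2) {
        for (int i = 0; i < pair[0]; i++) run[i] = pair[1];
        if (write(out_fd, run, pair[0]) < 0) return;
    }
}

/* Runs the decoder in a confined child process.
   Returns the decoded byte count, or -1 if the child was killed or failed. */
long decode_in_sandbox(const unsigned char *in, size_t n,
                       unsigned char *out, size_t cap, int compromised) {
    int to_child[2], from_child[2], status;
    if (pipe(to_child) || pipe(from_child)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(to_child[1]); close(from_child[0]);
        /* After this call only read, write, exit and sigreturn are allowed. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) syscall(SYS_exit, 2);
        decode_stream(to_child[0], from_child[1], compromised);
        syscall(SYS_exit, 0); /* glibc's exit() uses exit_group, which is blocked */
    }
    /* Small constructed input fits in the pipe buffer; the read end stays open
       until the write is done so a dead child cannot raise SIGPIPE here. */
    long total = 0;
    ssize_t r = write(to_child[1], in, n);
    close(to_child[1]); close(to_child[0]); close(from_child[1]);
    while (r >= 0 && (size_t)total < cap &&
           (r = read(from_child[0], out + total, cap - (size_t)total)) > 0)
        total += r;
    close(from_child[0]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? total : -1;
}
```

With `compromised` set, the child dies on its first forbidden syscall and the parent simply sees a failed decode.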


Yeah, one of the misunderstandings is that sandboxing provides reliable security. That is not the case. I recommend you read first this:
http://apple.slashdot.org/story/11/11/13/2152232/mac-os-x-sandbox-security-hole-uncovered

i.e. nothing is secure.

A good example of an article written by someone who is genuinely clueless. Basically what it says is "locking your windows down is no use if you leave your front door wide open".
 
This will certainly become a problem for non MAS applications as time goes by.

People are lazy and some are less knowledgeable and both .. some will not know that you can obtain Mac software from any other sources but MAS.. others simply won't bother to look any other place than MAS.

So.. non MAS software will slowly decline in sales.

Apple want MAS to be the de facto method of OSX software distribution together with its rules. Apple can't close OSX so MAS as de facto software distribution is the next best thing. The Apple developer rules will certainly restrict creativity and innovation.

Sure making a secure OS is a good thing, but you need balance.. which isn't the case in the current Apple's sandboxing form. Apple need to address the limitations of the current sandboxing implementation.
 
So I said "so don't put it on the store, just distribute online". and the guy .. literally said "look.. we want to stay in business, and if we don't put our stuff in the app store apple has made it clear they will not take our other apps".

I don't believe what he said at all. I know there is software in the App store right now that you can purchase elsewhere. Games for instance.

They probably don't want to spend the time to make a separate version to sell from their website.
 
So far, non-sandboxed apps are pretty secure, I don't really see the problem… The good thing is you'll always (hopefully) be able to download apps from outside the app store.
 
This will certainly become a problem for non MAS applications as time goes by.

People are lazy and some are clueless and both .. some will not know that you can obtain Mac software from any other sources but MAS.. others simply won't bother to look any other place than MAS.

So.. non MAS software will slowly decline in sales.

Apple want MAS to be the de facto method of OSX software distribution together with its rules. Apple can't close OSX so MAS as de facto software distribution is the next best thing. The developer rules will certainly restrict creativity and innovation.

That's not the half of it. If you want to use iCloud, which Tim Cook says 85 million people are already doing, you must be on the Mac App Store. So by not being on the store not only are you risking the lack of exposure going forward but you're also potentially cutting off revenue/profits from iPhone/iPad apps and syncing.
 
All kinds of window management applications (moom, bettersnaptool, optimal layout etc.) also are not sandboxable.

All kinds of apps that need to send mouse movements or mouseclicks to the system are not sandboxable.

All kinds of apps that need to control arbitrary applications in some way are not sandboxable.

All kinds of apps that need to send keyboard shortcuts (e.g. for pasting text or something like this) are not sandboxable.

Apps that make use of the media keys on the keyboard are not sandboxable (or will lose this functionality).

This list can be continued for quite a while... you see sandboxing will eliminate many applications from the Mac App Store. Especially utilities. Those apps probably won't be pulled from the store, but their old, possibly insecure versions will stay there and the developers won't be able to update them, even if they'd like to. Hundreds of thousands or even millions of users will be affected by this. Also Apple provides no way to migrate App Store customers to non-App Store versions.

Also the licenses only allow the use of iCloud for App Store apps like nuckinfutz said. This creates a real two class system and I think it'll hurt the mac platform...
 
I am developing an app for the MAS and getting it to work with sandboxing was a bit of a pain in the butt. It definitely makes you jump through hoops and throws up obstacles in the way you approach your coding. I understand why Apple is doing it but I think they are enforcing the rules too early. They need to give developers more time to work on making their apps work with the sandbox, and they need to address the concerns of developers who feel that the sandboxing rules are half baked at best right now. I personally think they should just add a padlock icon next to apps in the MAS that support sandboxing, as a way to show customers that the app is "extra secure" (sort of like the plus sign next to universal apps in the iPhone/iPad app store). Let non-sandboxed apps co-exist for at least another year.
 
Pardon me if I'm wrong, but isn't sandboxing dependent on the type of app?

For instance, an image editing app might just need access to read and write user files to save and load images. Other, more advanced operations aren't really needed. Therefore this app would operate under stricter sandboxing rules.

However, something like Transmit, which is not just an FTP client but also lets you mount remote FTP locations as drives, etc... requires a lot deeper system access to do what it needs to do. Wouldn't Apple therefore allow this access, since the app simply can't do what it needs to do with a strict sandboxing model?

Sandboxing is probably overall a good thing, but I can't see why Apple wouldn't tailor it to the type of application. A simple text editor has different requirements than something like Transmit or a battery status app.
 
@zorinlynx they do have different "entitlements" for different types of applications. The problem is that there are too few entitlements to cover all use cases, and so many apps are not sandboxable with the current sandboxing technology. So the Apple solution is to just not allow further updates for those apps which can't work with the few given entitlements.

Developers can file bug reports / feature requests but often you just get the answer that the technology you need for your application is theoretically able to work around the purpose of the sandbox and so they won't allow it....
 
Sandboxing applies to ALL applications, AFAIK.

So, in your example, transmit would have to be sandboxed too. If you wanted to download files to an area of the hard disk that isn't your home directory, the user would have to confirm every single file.


Pardon me if I'm wrong, but isn't sandboxing dependent on the type of app?

For instance, an image editing app might just need access to read and write user files to save and load images. Other, more advanced operations aren't really needed. Therefore this app would operate under stricter sandboxing rules.

However, something like Transmit, which is not just an FTP client but also lets you mount remote FTP locations as drives, etc... requires a lot deeper system access to do what it needs to do. Wouldn't Apple therefore allow this access, since the app simply can't do what it needs to do with a strict sandboxing model?

Sandboxing is probably overall a good thing, but I can't see why Apple wouldn't tailor it to the type of application. A simple text editor has different requirements than something like Transmit or a battery status app.
 
So Apple's "One Click" is now "One Click, then Another Click, then another Click"??? :rolleyes:

So having to download an extra CLI interface that most people don't use = broken.

Feel free to shove more words in my mouth though. May I suggest "donut" or maybe "cake". I could use some cake.
 
They are granting exceptions so I don't know that it is a big deal. You always have the choice to distribute it outside the store. This is just Apple's way to address these integration problems in a way that is less fragile. In the long run it will help OS X evolve without breaking software compatibility.
 
They are granting exceptions so I don't know that it is a big deal. You always have the choice to distribute it outside the store. This is just Apple's way to address these integration problems in a way that is less fragile. In the long run it will help OS X evolve without breaking software compatibility.

They don't grant exceptions. They just worded this nicely so that users won't complain. In reality you can't get any exception, it's pretty much "sandbox or leave the store".
What they grant is "entitlements" from a very limited list of available entitlements. See my last post for what's the problem with those.
 
Perhaps the rule should be changed that all apps must be sandboxed "by default" and then Apple can add a "sandboxing" in the "Security and Privacy" system preferences where users can disable sandboxing for particular apps if they want.
Kind of like applications wanting to access your location on the iPhone.

This means that the uninformed user can still have security by default, but the "more advanced" user can go open up the application.
 
Security comes at the price of flexibility. Always. Too much security and flexibility suffers. Too much flexibility and security suffers. Swing the pendulum either way too far and you've got problems.

Is mandatory sandboxing really needed ? Oh well, there's always Linux to go back to if Apple ever manages to screw up OS X too badly.
 
Interesting...

I've been considering a Mac lately but I'm not interested if Apple ever takes the walled garden approach from iOS. I realize this is only a small step in that direction but I've been on Windows long enough to know how to not compromise my security. I'll stay tuned I guess.
 
So, to be clear. It's a problem when Apple allows access to other application data and it's a problem when Apple doesn't allow access to other application data. :)

It's a problem where Apple publishes guidelines that they don't follow and even more of a problem when they allow developers to do things that are illegal (i.e. collecting, storing and transmitting personal data without permission).

It's not a problem for Apple to let developers do things that are essential for their App to function.

If they're concerned about Apps having too much access, they should have a permissions system that lets the user choose what the App can do.
 
Interesting...

I've been considering a Mac lately but I'm not interested if Apple ever takes the walled garden approach from iOS. I realize this is only a small step in that direction but I've been on Windows long enough to know how to not compromise my security. I'll stay tuned I guess.

As far as I know, Metro apps on Windows 8's app store are going to be sandboxed as well.
 