The sandbox isn't for you, but for the app to play in. It's not about limiting functionality, but about limiting access to the system that would go beyond an app's functionality. That's the theory at least. In practice, Apple's approach to sandboxing still needs a lot of work to not hinder app developers' efforts (or so it seems).

Talk about new speak.
 
The problem is Apple has likely thought about every available option and is charting a course for the future where Sandboxed applications are the norm and there is a way of delivering inter-application communication safely. I'd rather they go overly conservative at first and then develop a highly secure method for control.

Just because Apple doesn't give roadmaps or assurances doesn't mean plans aren't in place to ameliorate many of the side effects of sandboxing.

Thing is, isn't OSX supposedly the most secure OS on the planet? Isn't it completely immune to viruses and all the other bugs that come along to ruin everyone's day? If so, why this sudden extreme need to sandbox all the applications bought via the app store? I mean they're not exactly hurting on the security front, right?

If it's so secure, wouldn't it be better to start with the framework, then build up to something more palatable, instead of shutting out any access to the OS, then opening up as time goes on?
 

I use BetterSnapTool and it is going to be removed from the Mac App Store upon implementation of the requirements, which I think is a huge disappointment.

The problem isn't so much that one app disappears as that going forward that new app would never have been created.
 

thekeyring said:
What? Why do Mac App Store apps need sandboxing as a way of keeping them secure?! Surely Apple aren't going to let developers post viruses into the Mac App Store any more than with the iOS App Store, so the apps don't need to be sandboxed?

That is not the problem. The problem is if an app becomes compromised once installed it can wreak havoc without sandboxing.
 
but the thing is: if an attacker is able to compromise an app on your local system, he's most of the time already able to access your system and do nasty stuff without the hassle of compromising an app.

Sure there are a few cases where this isn't true, especially for apps that connect to the internet, but for apps that don't need internet access and don't load arbitrary data...
 

Mr. Retrofire said:
There seems to be a lot of misunderstanding about what sandboxing really is. I recommend everyone read this article before complaining. http://arstechnica.com/apple/reviews/2011/07/mac-os-x-10-7.ars/9#sandboxing
Yeah, one of the misunderstandings is that sandboxing provides reliable security. That is not the case. I recommend you first read this:
http://apple.slashdot.org/story/11/11/13/2152232/mac-os-x-sandbox-security-hole-uncovered

i.e. nothing is secure.

That doesn't mitigate sandboxing providing a superior level of security. That listed vulnerability is likely dangerous only from rogue developers. The Mac store deals with that. Sandboxing prevents compromised apps from ruining things, which is unlikely to happen with this supposed vulnerability.
 
That is not the problem. The problem is if an app becomes compromised once installed it can wreak havoc without sandboxing.

How often has that happened in the past? Back when every app you downloaded could potentially raise havoc, because programmers could put whatever they felt like into their app without any restrictions whatsoever. Did it happen...rarely? Never? Why the sudden need for security against it now?

11 years of OSX mostly problem free. Now everyone is hearing about this new sandboxing thingy, and suddenly they're all scared of the what-ifs that could potentially arise, and the rogue developers that could unleash such horrors upon us.
 
How often has that happened in the past? Back when every app you downloaded could potentially raise havoc, because programmers could put whatever they felt like into their app without any restrictions whatsoever. Did it happen...rarely? Never? Why the sudden need for security against it now?

I think it was because back then not that many people were using Macs. Now they're selling very well, they're a potential target, especially since the user base is seen as less tech-savvy and so more likely to install something dodgy.

The entitlement list looks like a precursor to a file system that isn't really a file system at all.
 
I think it was because back then not that many people were using Macs. Now they're selling very well, they're a potential target, especially since the user base is seen as less tech-savvy and so more likely to install something dodgy.

This is true. 99% of all Windows problems are due to the less tech savvy among us installing something hinky because, hey, free games and music. What could possibly go wrong?

But here's the thing. If an operating system is designed specifically to protect the end users from themselves, it's no longer an operating system. Or at least not one in the traditional sense. It's a support structure for a playground, where grandma can post recipes on Facebook, and check her email trouble free.

Obviously I'm exaggerating a bit, and I doubt OSX will become nothing more than a pretty way to post pictures to your flickr account. But it doesn't change the fact that the more power you take away from your developers, the less robust your platform becomes.
 
...
Sure there are a few cases where this isn't true, especially for apps that connect to the internet, but for apps that don't need internet access and don't load arbitrary data...

I find the last part "... and don't load arbitrary data..." especially notable. Sure, there's some truth to it: if you only bother reading and writing your OWN data -ever-, sure, your applications won't get compromised in a malicious way.

However more and more data comes from "somewhere else", via email from friends, you rely on your data in some clouded service (ever thought of the consequences if someone managed to hack such a "cloud service", and would replace all your iWorks documents which would then be able to exploit a security hole in iWorks -wuah, the fun!), you downloaded it yourself...


So these "few cases" might be more than you think!


On another note: the idea of sandboxing is just the "second defence line of many" (the first one should be the user. The last one is the OS itself) and per se a good idea! Software is not bulletproof - fact!

But there's always this thin line between security (which implies restrictions and usually those restrictions are good!) and freedom. The freedom to enumerate hardware and even manipulate it, for instance!

Now it is up to Apple to establish this line, which naturally comes with trade-offs (e.g. no applications which manipulate hardware are possible in the app store - how much would that put off our users?).


An interesting problem is certainly the possibility to browse the filesystem, naturally necessary for the given example of an FTP application: the trick here would of course be to split such an application into several processes with different entitlements: the file system browser would only be allowed to read the filesystem (but no networking!), the file uploader would only be allowed to read and write files the user has explicitly selected (via the Open/Save dialogs), the actual FTP app would only be allowed to do networking (but no file access whatsoever) etc.


Of course this "modularisation" of an existing application does not come "for free" (and yes, it is hard work to re-engineer such an existing application without breaking anything). And I did not follow the latest sandbox restrictions, but there are certain restrictions which do currently and will continue to exclude certain types of applications.


One possible solution for the FTP application problem could e.g. be to say "a module can have full access to the filesystem, but that must then exclude the ability to do networking and ...", that is, only certain combinations of entitlements are allowed (or not allowed).


How that will be handled in the future by Apple is an interesting topic, but again, sandboxing per se is a Good Thing(tm)!

Cheers
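The split-process design and the "only certain combinations of entitlements" rule from the post above, turned into a small policy check. This is an added example, not code from the poster or from Apple: it parses each module's entitlements plist with Python's stdlib plistlib (the keys are the documented App Sandbox entitlement keys) and rejects any single process that combines networking with file access. The rule itself and the four sample plists are constructed assumptions for illustration.

```python
"""Check that each sandboxed module of a split app stays within a single role."""
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
NETWORK_KEYS = ("com.apple.security.network.client",
                "com.apple.security.network.server")
USER_SELECTED = ("com.apple.security.files.user-selected.read-only",
                 "com.apple.security.files.user-selected.read-write")
# Temporary-exception keys grant paths beyond what the user picked in an Open/Save dialog.
BROAD_FILE_PREFIX = "com.apple.security.temporary-exception.files."


def check_module(entitlements_plist: bytes) -> list:
    """Return a list of policy violations for one module's entitlements plist."""
    ent = plistlib.loads(entitlements_plist)
    problems = []
    if ent.get(SANDBOX) is not True:
        problems.append("App Sandbox not enabled")
    network = [k for k in NETWORK_KEYS if ent.get(k) is True]
    user_files = [k for k in USER_SELECTED if ent.get(k) is True]
    broad_files = [k for k in ent if k.startswith(BROAD_FILE_PREFIX) and ent[k]]
    # Assumed rule (the poster's proposal): a process that talks to the network
    # must hold no file entitlement of any kind, user-selected or otherwise.
    if network and (user_files or broad_files):
        problems.append("networking combined with file access: "
                        + ", ".join(network + user_files + broad_files))
    return problems


def check_app(modules: dict) -> dict:
    """Run check_module over every process of the split app; {name: [problems]}."""
    return {name: check_module(plist) for name, plist in modules.items()}


def _plist(d: dict) -> bytes:
    # Serialise to the same XML plist format an .entitlements file uses.
    return plistlib.dumps(d)


# Constructed sample entitlements, one per process of the hypothetical split FTP app.
MODULES = {
    "browser": _plist({SANDBOX: True,
                       BROAD_FILE_PREFIX + "absolute-path.read-only": ["/"]}),
    "uploader": _plist({SANDBOX: True, USER_SELECTED[1]: True}),
    "ftp": _plist({SANDBOX: True, NETWORK_KEYS[0]: True}),
    # The unsplit original: every capability in one process, which the policy rejects.
    "monolith": _plist({SANDBOX: True, NETWORK_KEYS[0]: True, USER_SELECTED[1]: True,
                        BROAD_FILE_PREFIX + "absolute-path.read-only": ["/"]}),
}

if __name__ == "__main__":
    for name, problems in check_app(MODULES).items():
        print(name, "OK" if not problems else problems)
```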
 
new OS coming?

I'm wondering if Lion is setting the stage for a new, more consumer-oriented, but limited, OS to be released in the near future:

The primary interface could be LaunchPad.

The file system is hidden from the user. Access documents through Pages, presentations through Keynote, etc. Share with iCloud.

All apps are ONLY purchased through the Mac App Store (with the sandbox requirement)

Utilities have fewer features, but are easier to access and use (like the recent AirPort Utility. Version 6 is iOS-like and limited. Version 5.6 Mac-like with more advanced features)


It's the only thing I can think of that makes sense of some of the things that Apple has been doing.
 
An interesting problem is certainly the possibility to browse the filesystem, naturally necessary for the given example of an FTP application: the trick here would of course be to split such an application into several processes with different entitlements: the file system browser would only be allowed to read the filesystem (but no networking!), the file uploader would only be allowed to read and write files the user has explicitly selected (via the Open/Save dialogs), the actual FTP app would only be allowed to do networking (but no file access whatsoever) etc.

How does that make the sandbox secure and flexible? One process, multiple processes doing IPC, in the end, the sandbox is worthless if you have access to the system as a whole.

Too many entitlements? Why bother with a sandbox? Too few? Some apps can't be made.

It's simple, guys: sometimes, you have to give up a bit of security to have flexibility. Sandboxing is not needed for every application out there, that's just going to extremes for extremes' sake.
 
Sandboxing in conjunction with a curated store works.

It's not sandboxing per se, it is how it is currently implemented and the lack of answers to developers. Read explanations like Why the Mac App Sandbox makes me sad and examples like this one from Craig Hockenberry.

iOS has far less Malware than Android.

So does OS X (and before that Mac OS) compared to Windows. Without sandboxing.

Consumers are happy as witnessed by the outstanding sales of Macs and iPhone/iPod Touch/iPads.

That doesn't automatically mean that everything is perfect and can't be criticized. A lot of valid concerns have been raised by developers who know what they are talking about.

Consumers may not always know what they are missing. These are real consequences of bad sandboxing:
- Popular apps currently in the MAS will need to remove features or be removed completely.
- Developers may remove features just to stay in the MAS because of the benefits. Thus apps will become less useful.
- Developers may not even consider creating new apps that would benefit the users.

No developer is forced to create a Mac App Store version of their app but there are benefits if they choose to do so.

But Apple are heading in a direction where developers can't access the full API of the OS unless they're in the Mac App Store.

The MAS is a good thing for consumers, for the first time there is a really easy way for non-tech people to buy, download and install apps. Apple should encourage as many developers as possible to get into the App Store. That would benefit everyone.

In the end, a bad implementation of sandboxing will hurt us, the users. We will see fewer great apps and have fewer useful features. That's the real concern here.
 
How often has that happened in the past?

Ever heard of buffer overflows?

Back when every app you downloaded could potentially raise havoc, because programmers could put whatever they felt like into their app without any restrictions whatsoever. Did it happen...rarely? Never? Why the sudden need for security against it now?

Would you prefer to wait for when it has already happened?
Would you then complain that Apple got complacent and did nothing?

11 years of OSX mostly problem free. Now everyone is hearing about this new sandboxing thingy, and suddenly they're all scared of the what-ifs that could potentially arise, and the rogue developers that could unleash such horrors upon us.

No need to exaggerate, of course.
But rogue developers really can unleash horrors upon us.
As always, burying a valid point in hyperbole doesn't help make the point.
 
It really frightens me what is happening in the computing sphere these days. On one front you have proposals such as ACTA, SOPA, PIPA and their many incarnations around the world. On the other hand you have continuous dumbification of desktop computers. All seemingly in the name of "Security" one way or another.

I fear where it might lead if we continue like this. It doesn't take a genius to figure out what might happen after sandboxing - it might very well lead to an iPad-like closed down, strictly monitored & curated "experience".
 
I've not read the docs for sandboxing, I'll have to ask the guys responsible for our OSX stuff, but it strikes me that it can't be as restrictive as people are suggesting otherwise apps such as Final Cut would be stuffed. Needs full filesystem access...needs to be able to upload files. Perhaps it's all covered by treating files you open in the app as fair game, but even so... they can't be so stupid as to block 90% of the things that we consider "useful functions of a computer"...can they?
 
I guess sandboxing will get a lot of bad press. But it might be a necessary step (forward or one step backward to better move on, I don't know).

Take Windows Vista, sure it was crap, but it did introduce better security (for lack of a better term) to Windows. I mean BEFORE Vista, any application could (and did!) write to C:\Program Files and C:\Windows instead of the user directory. Microsoft did attempt to add file system virtualization so that legacy apps would still be able to write there, but would be redirected to the user directory instead. But on the apps I worked on, that didn't do it.

So Windows 7 comes along and most people like it. But it did gain from the bad stuff that happened with Vista. Vista was the passing of the kidney stone, so to speak, but after that, things were much better.

So Mac OS X 10.8 or Mac OS XI or whatever will gain from whatever is perceived as bad with Lion.

Maybe I'm lucky, but I didn't have any issues with Lion...

... or Vista back in the day. Hey, the fact that I had to re-write some part of our software was job security in my mind! :)

Cheers!
 
AppleScript-based apps

Sandboxing prevents applications based on AppleScript controlling third-party applications from working at all. They can't be sold through the Mac App Store. They can be sold on private websites.

For example, there could be an application that controls a Filemaker database, gets some information from the fields, tells Apple Mail to make a new email with addresses from the FM record, then tells Photoshop to make a picture, save it, and then attach the image to the email you made, and send the email.

With Sandboxing, this application is *completely impossible to be sold in the store*, because sandboxing disallows the 'Script app to control FM, Mail, or Photoshop. In sandboxing's view, this is the same as a hacker trying to control FM, Mail, or Photoshop.

The slippery-slope theory among us (and I think this is a *possibility*) is that Apple soon will restrict ALL apps to comply with the sandbox rules, even if not sold through the store. And any fancy workflows you've developed are all invalid, or we're pushing "allow this action" dialogs 100x per day.
 
This is true. 99% of all Windows problems are due to the less tech savvy among us installing something hinky because, hey, free games and music. What could possibly go wrong?

Yes, when I worked in support I was often amazed at some of the things folk managed to get onto their machines. I remember one case where a fella had tried to delete large chunks of his operating system because a piece of malware told him the files were viruses.

But here's the thing. If an operating system is designed specifically to protect the end users from themselves, it's no longer an operating system. Or at least not one in the traditional sense. It's a support structure for a playground, where grandma can post recipes on Facebook, and check her email trouble free.

Apple wants the operating system to be invisible more or less. This sandbox stuff is their way of training their developers for the future - whether they want it or not.

Obviously I'm exaggerating a bit, and I doubt OSX will become nothing more than a pretty way to post pictures to your flickr account. But it doesn't change the fact that the more power you take away from your developers, the less robust your platform becomes.

I think it becomes more robust. The question is, will it be anywhere near as useful?

Suppose we'll have to wait and see.
 
That is a brilliant quote - so succinct, and so accurate - yet so much to it.

this describes the entire apple experience.

you will get great interoperability and wonderful design... as long as you don't mind giving up all your freedom and doing everything apple's way.. in the little sandbox they create for you.

so stupid... can't wait till i can get away from this crap

I can't believe how many people here are modding down everyone who's against the sandbox. Just because you like Apple doesn't mean you have to sycophantically support everything they do.

I've lost a lot of my affection for Apple because of their growing restrictions. Linux is good, but a little byzantine with all its different layers and components. If you want a free OS that's simpler and more Mac-like, check out Haiku at http://haiku-os.org. It's a reimplementation of BeOS.
 
The way you talk is "Just in case"... "it may happen".. therefore Apple MUST prevent it.

This "it may happen" is not the path to go down.. Sandboxing in its current form is an extreme measure.

Apple can help prevent buffer overruns and other coding issues in its Objective-C compilers, so the OS doesn't have to be overly restrictive.

Ever heard of buffer overflows?

Would you prefer to wait for when it has already happened?
Would you then complain that Apple got complacent and did nothing?

No need to exaggerate, of course.
But rogue developers really can unleash horrors upon us.
As always, burying a valid point in hyperbole doesn't help make the point.
 
And why is that? Explain?

I don't have anything against sandboxing but Apple's current implementation is too restrictive.

:confused: I thought it was pretty clear. Your argument that I linked to in this thread is based on what may possibly happen with the Mac App Store taking over all distribution at some point in the future. And then, in the last post I quoted, you said "This "it may happen" is not the path to go down.. Sandboxing in its current form is an extreme measure."
 