In Apple's own words (from the email to developers):

If your app requires access to sandboxed system resources you will need to include justification for using those entitlements as part of the submission to the Mac App store

There's also a separate bit about temporary entitlements while devs continue to work on making their apps sandboxed, but you can still have permanent access outside the sandbox if Apple's happy with your justification.
 
The way I understand it is that the developers have to submit a list of things they need access to, so if an FTP app needs access to the file system as it should then it'd be allowed in.

My fear in all of this comes down to Apple's tightening control. Right now it's just on the App Store where in my opinion they're well within their right to do, but will they in upcoming updates make it to where all apps have to be App Store apps? Will they remove features not allowed on the App Store? That's the fear. I don't want that, and I'm sure many won't want that. There'd be a mass exodus of users and developers. I would be one of them.

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." – Benjamin Franklin
 
The way I understand it is that the developers have to submit a list of things they need access to, so if an FTP app needs access to the file system as it should then it'd be allowed in.

You can get a so-called temporary entitlement to the file system if you're doing stuff with arbitrary/absolute paths. But that is only temporary and is meant to be in effect until developers can make it work within the sandbox.

If the temporary entitlements are withdrawn by Apple at some time - and they don't loosen some of the rules, I cannot see how apps like FTP, browsing, launchers, Growl, BBEdit etc. can be in the App Store.

My fear in all of this comes down to Apple's tightening control. Right now it's just on the App Store where in my opinion they're well within their right to do, but will they in upcoming updates make it to where all apps have to be App Store apps? Will they remove features not allowed on the App Store? That's the fear. I don't want that, and I'm sure many won't want that. There'd be a mass exodus of users and developers. I would be one of them.

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." – Benjamin Franklin

I agree. I think a sandbox is a great idea, but not in the current form. It is way too restrictive. But I really fear that this is the first step towards MAS being the only distribution channel.
 
My fear in all of this comes down to Apple's tightening control. Right now it's just on the App Store where in my opinion they're well within their right to do, but will they in upcoming updates make it to where all apps have to be App Store apps? Will they remove features not allowed on the App Store? That's the fear. I don't want that, and I'm sure many won't want that. There'd be a mass exodus of users and developers. I would be one of them.

Nothing is impossible, but when you look at the technicalities and the implications, the notion that Apple would close the Mac in an iOS way sounds like pure fantasy.
 
I wonder how much this will differ from things like jails in FreeBSD which have been around for 15+ years now for running certain applications in secure areas within an OS. Given OSX has roots in BSD, I'm betting it's quite similar.
 
Hmmm, tricky stuff. In theory, good for potential security risks, and it's good that Apple is taking their security relatively seriously, but this will definitely hamper developers in a variety of ways...

Someone needs to make a parallel distribution channel to the app store, minus the restrictions. I'm sure there are already some similar websites for mac applications...
 
In Apple's own words (from the email to developers):



There's also a separate bit about temporary entitlements while devs continue to work on making their apps sandboxed, but you can still have permanent access outside the sandbox if Apple's happy with your justification.

The problem is not the availability of entitlements, it's the limit on these. Even with the entitlements, you're limited in what your app has access to, which means in turn that your app's functionality is limited.

If as a user you're happy being limited in what your applications can and can't do, that's fine. Security has always been a balancing act. Too secure of a system means you can't get any work done (the most secure computer is one buried under 6 ft of concrete with no power or cables running to it).
 
No!

This really worries me. Transmit is one of the best apps I've ever used! If Apple want the Mac App Store and Launchpad to be of any use to us, they can't put such limitations on applications!

The system works fine at the moment. Apps can access the filesystem and preferences and will ask you before they make changes. What's wrong with that? Especially since all applications are approved by Apple before being live on the App Store.
 
I notice there's a version of Cyberduck on the App Store. Presumably that will be kicked off come March, as I can't see how it will conform to the sandboxing requirements.
 
All of these 'security' restrictions might just mean the end of Mac OS as a useful platform for actual work. Imagine, all Mac applications will no longer be able to access the file system, will not be able to modify any preferences or settings, will have to be installed to a hidden folder named /private/var/Apps/3EA114-75435D-1FFB7... and will have to adopt iOS's backasswards "app-to-app" file copy handoff system because the vast majority of the filesystem is rendered hidden and read-only. How monumentally dumb is that? Users could no longer have an accessible home folder, a Documents folder or any other centralized, multi-application file storage paradigm. All user files would have to reside within the individual application directory itself (the /private/var/apps/crazy-random-number folder) and editing a specific file with different applications would be impossible.

That'd be bad, m'kay. But it certainly does fit with Apple's desire to abandon the "workstation/professional/technical" market segment and stick with internet appliances.
 
Are the apps mentioned (Cover Sutra, Fantastical, Transmit, and TextExpander) malicious? Is that why they won't or don't support sandboxing? I'm not sure I understand this correctly.
 
It does not prevent system wide access

It's true that no program will be able to access the entire system by "itself", but that doesn't mean it can't do it.

"Apple has chosen to solve this problem by providing heightened permissions to a particular class of actions: those explicitly initiated by the user. Lion includes a trusted daemon process called Powerbox (pboxd) whose job is to present and control open/save dialog boxes on behalf of sandboxed applications. After the user selects a file or directory into which a file should be saved, Powerbox pokes a hole in the application sandbox that allows it to perform the specific action".

http://arstechnica.com/apple/reviews/2011/07/mac-os-x-10-7.ars/

It just means that the app will require the "USER" to request access; then an entirely different sandboxed app will access file systems (Powerbox). Which is actually really clever: it means all apps remain sandboxed, improving security and efficiency by allowing easier multi-threading, without losing the permissions they had before. It's walled gardens inside walled gardens.

Which leads me to the next question: how easy would it be to hack Powerbox?

Can Powerbox only access file systems if asked by another application which must be verified by a user input / request?

If it was hacked would it mean it could stop all apps from being able to save/open files or force apps to save unsafe files?
 
Question about the wisdom of this approach to Sandboxing.

My first post, I guess I'm the newcomer. I've only been around computers for the last 50 years, mainframes. This was mostly US Gov't computers, then US Military. In 1980, bought my first Apple, an Apple //c. As times changed, I moved to this new thing called "The Internet"; we always knew it as the "ARPANET". One of my instructors was one of the pioneers, she had one life lesson, she would always stress balance. Let's leave the virtual world and come into the tangible concrete world. In a ball and socket joint, there is a tiny, tiny gap between the two. Without that gap, the two will freeze solid and not move at all. Apple cannot control this whole ecosystem; if they try, the whole ecosystem will freeze solid. Sandboxing has a place under the hood and only under the hood. The last group are the end users; if Apple policies frustrate them enough, Apple and Apple shareholders will ultimately lose everything. This will be Apple's choice, they've earned it. They should be thinking about the end users first and not just themselves.
 
The way I understand it is that the developers have to submit a list of things they need access to, so if an FTP app needs access to the file system as it should then it'd be allowed in.

My fear in all of this comes down to Apple's tightening control. Right now it's just on the App Store where in my opinion they're well within their right to do, but will they in upcoming updates make it to where all apps have to be App Store apps? Will they remove features not allowed on the App Store? That's the fear. I don't want that, and I'm sure many won't want that. There'd be a mass exodus of users and developers. I would be one of them.

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." – Benjamin Franklin

It isn't just safety, there are also stability benefits as well. It is all a cost/benefit analysis.
 
What people seem to be missing with this focus on the filesystem is the even more daunting idea that after March: Apple Events are over. That means no more controlling iTunes. That means Growl is dead. That means any plugins, addons, or other software that piggybacks on a major application is dead. That means you cannot take a PDF, run it through photoshop or the finder, then print it automatically. That means the death of, pretty much, any type of workflow that uses more than one application.

No more web development software. No more FTP software. No more Parallels or other emulators (because they can't talk to the Finder! The Finder is an application!) When the Finder is sandboxed.... well, it's all over for just about any application.

Sure, you don't have to use the sandbox yet, if your application will be destroyed by it. But Apple's pushing the "Sandboxed app is a secure app. No sandbox, it's vulnerable." And that is true, but that means any application that does anything worth doing (heck, can Word even talk to Excel in a Sandboxed world?) cannot be sandboxed, and is by definition insecure, and thus will suffer.

This is a big freaking deal.

Edit: As an example, after March applications will likely no longer be able to tell Safari to open up a webpage. Like, say, the documentation for the application.

What about database access? Unless you use sqlite, can you actually get any data from a mysql process? Or did Apple just kill any kind of database program that is useful?

There's myriads of things this is going to affect. And I bet people will be shocked at how much functionality is destroyed by this. Now, Apple might figure out another way to preserve AppleEvents, but if they don't... that's a major, MAJOR loss of functionality for the Mac.
 
Are the apps mentioned (Cover Sutra, Fantastical, Transmit, and TextExpander) malicious? Is that why they won't or don't support sandboxing? I'm not sure I understand this correctly.

No, they're not malicious.

Sandboxing is a way of preventing potentially malicious software (or software that has been compromised) from affecting other applications and the system itself. Unfortunately, in so doing it prevents perfectly legitimate applications from accessing parts of the system that they need to function normally. Or, at least, it will in the way that Apple seem to be implementing it.
 
Here's a complete list of entitlements that you can ask for as a sandboxed app:

http://lacquer.fi/pauli/blog/2011/11/why-the-mac-app-sandbox-makes-me-sad/

- Read-only access to the user’s Movies folder and iTunes movies
- Read/write access to the user’s Movies folder and iTunes movies
- Read-only access to the user’s Music folder
- Read/write access to the user’s Music folder
- Read-only access to the user’s Pictures folder
- Read/write access to the user’s Pictures folder
- Capture of movies and still images using the built-in camera, if available
- Recording of audio using the built-in microphone, if available
- Interaction with USB devices
- Read/write access to the user’s Downloads folder
- Read-only access to files the user has selected using an Open or Save dialog
- Read/write access to files the user has selected using an Open or Save dialog
- Child process inheritance of the parent’s sandbox
- Outgoing network socket for connecting to other machines
- Incoming network socket for listening for requests from other machines
- Read/write access to contacts in the user’s address book
- Read/write access to the user’s calendars
- Use of the Core Location framework for determining the computer’s geographical location
- Printing

That’s it. (There are also a couple of temporary exception entitlements that will be going away. If your app uses Apple Events or Mach ports, Apple may grant you a temporary license to keep doing so, if you can make your case convincingly.)

Need to access hardware using something else than USB, for example Thunderbolt, FireWire or Bluetooth? Tough luck. (Just because these interfaces are on your Mac doesn’t mean Apple wants anyone to use them via 3rd party software.)

Need to communicate with processes that your app didn’t directly start, or perhaps take screenshots? Not going to happen.

Maybe you’d like to read and write files in a known location on a network disk? Not possible, unless you pop up the Open/Save dialog for every file.
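The list above describes capabilities in prose; on a signed app they appear as boolean keys in its entitlements plist, and the "user-selected" file keys are the ones that Powerbox (described a few posts up) punches holes for. The following is an added example, not code from the blog post or from Apple: a small audit script that reads an entitlements plist, reports which of the listed capabilities are switched on, separates out any `com.apple.security.temporary-exception.*` keys (the ones the post says are meant to go away), and flags whether the sandbox is enabled at all. The entitlement key names are Apple's documented identifiers; the description table, the audit logic and the two sample plists (a hypothetical FTP client and an unsandboxed app, both constructed for this example) are my own.

```python
import plistlib

# Apple's documented App Sandbox entitlement keys, paired with the capability
# each one grants (the same list the post above quotes). The mapping and the
# audit logic are this example's own, not Apple's or the blog's code.
SANDBOX_CAPABILITIES = {
    "com.apple.security.assets.movies.read-only": "Read-only: Movies folder",
    "com.apple.security.assets.movies.read-write": "Read/write: Movies folder",
    "com.apple.security.assets.music.read-only": "Read-only: Music folder",
    "com.apple.security.assets.music.read-write": "Read/write: Music folder",
    "com.apple.security.assets.pictures.read-only": "Read-only: Pictures folder",
    "com.apple.security.assets.pictures.read-write": "Read/write: Pictures folder",
    "com.apple.security.device.camera": "Built-in camera",
    "com.apple.security.device.microphone": "Built-in microphone",
    "com.apple.security.device.usb": "USB devices",
    "com.apple.security.files.downloads.read-write": "Read/write: Downloads folder",
    "com.apple.security.files.user-selected.read-only": "Read-only: files chosen in Open/Save dialog",
    "com.apple.security.files.user-selected.read-write": "Read/write: files chosen in Open/Save dialog",
    "com.apple.security.inherit": "Child process inherits parent sandbox",
    "com.apple.security.network.client": "Outgoing network connections",
    "com.apple.security.network.server": "Incoming network connections",
    "com.apple.security.personal-information.addressbook": "Address book",
    "com.apple.security.personal-information.calendars": "Calendars",
    "com.apple.security.personal-information.location": "Core Location",
    "com.apple.security.print": "Printing",
}
SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_PREFIX = "com.apple.security.temporary-exception."


def audit_entitlements(plist_bytes):
    """Summarise what an entitlements plist lets an app reach.

    Returns: sandbox on/off, granted capabilities (sorted), every temporary
    exception with its value, and any key this table does not know about.
    """
    ents = plistlib.loads(plist_bytes)
    report = {
        "sandboxed": ents.get(SANDBOX_KEY) is True,
        "capabilities": [],
        "temporary_exceptions": {},
        "unrecognised": [],
    }
    for key, value in ents.items():
        if key == SANDBOX_KEY:
            continue
        if key.startswith(TEMP_PREFIX):
            # Apple Events, Mach lookups, absolute paths: the exceptions the
            # post says are meant to go away, so report them separately.
            report["temporary_exceptions"][key] = value
        elif key in SANDBOX_CAPABILITIES:
            if value is True:
                report["capabilities"].append(SANDBOX_CAPABILITIES[key])
        else:
            report["unrecognised"].append(key)
    report["capabilities"].sort()
    return report


# Constructed sample (not from any real app): a hypothetical FTP client that
# stays inside the sandbox for networking and user-chosen files (the Powerbox
# path), but still leans on a temporary exception to script the Finder.
FTP_CLIENT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.files.user-selected.read-write</key><true/>
    <key>com.apple.security.device.usb</key><false/>
    <key>com.apple.security.temporary-exception.apple-events</key>
    <array><string>com.apple.finder</string></array>
</dict>
</plist>
"""

# Constructed sample: an app signed without the sandbox entitlement at all.
UNSANDBOXED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.network.client</key><true/>
</dict>
</plist>
"""


if __name__ == "__main__":
    for name, blob in (("ftp-client", FTP_CLIENT_ENTITLEMENTS),
                       ("unsandboxed", UNSANDBOXED_ENTITLEMENTS)):
        r = audit_entitlements(blob)
        print("%s: sandboxed=%s" % (name, r["sandboxed"]))
        for cap in r["capabilities"]:
            print("  capability:", cap)
        for key, value in r["temporary_exceptions"].items():
            print("  TEMPORARY exception: %s = %r" % (key, value))
        for key in r["unrecognised"]:
            print("  unrecognised key:", key)
```

On a Mac the plist for an installed bundle can be dumped with `codesign -d --entitlements :- /path/to/App.app` and fed straight to `audit_entitlements`. Note that a `<false/>` value (the USB key in the sample) is neither a capability nor an unknown key, and that an app with no `com.apple.security.app-sandbox` key is reported as unsandboxed even if it lists other entitlements.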
 
...
No more web development software. No more FTP software. No more Parallels or other emulators (because they can't talk to the Finder! The Finder is an application!) When the Finder is sandboxed.... well, it's all over for just about any application.
...

Well, no more Finder in fact. I wouldn't be surprised if OS X 10.8, or whatever the iOS X will be called, either removes the Finder or hides it by default. Remember, the Finder is a means to access the file system, it's not the file system itself.
 
Thanks for posting that, arn.

Guess what, folks: You have a nice camera that uses FireWire? Manages a Thunderbolt device? Sorry, you can't talk to it at all! Not and stay sandboxed. Only USB for you!

It's a total and complete hardship on anything in the Mac Store. It's a "kiddie app" store. Why? Because only simple applications that don't do much will fit under those requirements.

Notice that arn's list didn't include the Documents folder. That means that any application in a sandbox will NOT be able to open or process more than one file at a time that you have to choose in an open dialog. Batch processing, or even just looking at, say, a folder full of pictures in your Documents folder will not be allowed!
 
This is what some of us have been saying for a while now. Lock it all down. Malware becomes more or less a non-issue. Not that it's a real issue with OS X to begin with. Smart move.

No, they're not malicious.

Sandboxing is a way of preventing potentially malicious software (or software that has been compromised) from affecting other applications and the system itself. Unfortunately, in so doing it prevents perfectly legitimate applications from accessing parts of the system that they need to function normally. Or, at least, it will in the way that Apple seem to be implementing it.

Quite possible that Apple will redesign this implementation in the next iteration of OS X.
 
This is what some of us have been saying for a while now. Lock it all down. Malware becomes more or less a non-issue. Not that it's a real issue with OS X to begin with. Smart move.



Quite possible that Apple will redesign this implementation in the next iteration of OS X.

I am beginning to think all your posts are satire.
 