Apple To Require Sandboxing For Mac App Store Apps

mario_grgic writes "And so it begins: Apple will require that all Mac apps submitted to the Mac App store stick to strict sandboxing requirements. This means you must ask Apple for read or read/write entitlements for additional folders outside your Application Support folder before your app is approved. There are also restrictions on direct hardware access, communication to processes your app did not start, or even something simple as taking a screenshot. All that is needed after this to turn your Mac into an appliance is to only allow app installations from App Store."

Cue Apple fans saying "That could NEVER happen"

[elrous0]

All that is needed after this to turn your Mac into an appliance is to only allow app installations from App Store.

I've made the argument that this is exactly where Apple is headed for a long time now. I'll summarize the responses you're going to get:

• They would never isolate developers like that.
• They depend on the creative crowd that would never tolerate being locked down like that
• Adobe and other developers would bitch about having to go through the app store and this would stop Apple from doing it
• We'll probably still be able to find a way to jailbreak it, so that makes it okay
• Just because they do it on iOS doesn't mean they'll ever do it on Mac's. They're COMPLETELY different things.
• The app store is just for iOS, Apple would be stupid to put it on Mac's. [they don't use this one so much anymore]

Of course, the second that Apple announces that they ARE, in fact, locking down the Mac's too, I suspect you'll see one of two responses (should be interesting to see how it goes):

• It's a great idea! I can't wait to buy one!! [this would have been the guaranteed response if Steve hadn't stepped down]
• Steve would have never done that!! [i.e., the faithful followers of Steve begin to denounce the new false messiah]

Re:Cue Apple fans saying "That could NEVER happen"

[dzfoo]

You forgot a couple of answers:
- Who the f*ck cares, as long as it works.
- Why do you care, just don't use the Mac App Store, don't upgrade your OS to the version that locks you out, or don't use a Mac.

        -dZ.

Re:Cue Apple fans saying "That could NEVER happen"

[Stellian]

There's nothing wrong with the sandboxing model per se. It's probably the only way to make our computers more secure. That Apple is moving in that direction should not be surprising: they make idiot-ready software (also known as good software), and you can't really have security and idiot friendliness without a trusted 3rd party to sort out the nitty-gritty details.

It should also be unsurprising that Apple moves to an authoritarian model where it and it alone can act as the trusted 3rd party. Almost everything Apple does is to maximize clout and control over the product environment. Apple is a control freak: it's profitable and risky, it almost got them killed when the PC revolution happened.

I would much rather like to see a sandbox where multiple private companies publish application profiles and the consumer choice is maximized; that's a nice role for the AV companies to play, move from a blacklist to a whitelist model. Should such a company turn into Big Brother, limit the consumer choice and push it's own interests, the consumers can easily move to a different "security provider".

Re:Cue Apple fans saying "That could NEVER happen"

[l0ungeb0y]

How are they isolating developers? I develop on the Mac and constantly install development software all the time. Know how many development related bits I've had to install via AppStore? -- ONE -- The latest version of XCode after it went to public release.

The AppStore is for CONSUMERS, there will never be a full lockdown because forcing every software writer to release through the AppStore would kill OS X as a development platform. Even XCode requires a whole bevy of gnu utilities. OS X is a full fledged UNIX and as such, you'll always be able to do *Nixy things such as wget/curl a file, gunzip, configure and make.

What Apple does with their CoCoa Framework and native apps is up to them, but as long as they are a UNIX, they'll never have the ability to stop apps written in C, Java, Python, Bash, Perl, PHP or Ruby from doing whatever the hell they please.

The day they do, is the day OS X leaves the Unix fold and becomes something else. And if that happens, you can bet your sweet ass that Apple will be dead within 3 years.

Re:Cue Apple fans saying "That could NEVER happen"

[Tetsujin]

There's nothing wrong with the sandboxing model per se. It's probably the only way to make our computers more secure. That Apple is moving in that direction should not be surprising: they make idiot-ready software (also known as good software)

I take exception to this.

"idiot-ready" software is good software... for "idiots".

(Of course, they're not really idiots, most of them - they're regular people who desire a simple level of interaction with their computer. But I'm just running with the "idiot-ready" terminology there.)

That approach to software design is "one size fits most" - but it's not "one size fits all" because the limitations of a simple UI will inevitably interfere with (or at least fail to support) something that someone is trying to do. When your expectations and skills pass a certain threshold, a simple UI is not necessarily a good UI.

Re:Cue Apple fans saying "That could NEVER happen"

[Tetsujin]

The AppStore is for CONSUMERS, there will never be a full lockdown because forcing every software writer to release through the AppStore would kill OS X as a development platform. Even XCode requires a whole bevy of gnu utilities. OS X is a full fledged UNIX and as such, you'll always be able to do *Nixy things such as wget/curl a file, gunzip, configure and make.

I believe this is true for the time being. However, using words like "never" and "always" is a bit short-sighted. Desktop and laptop computers have traditionally been fairly open platforms in terms of what the user is allowed to do - but there is no reason to assume this will continue to be the case. If someone wants to change that, it will be a slow, difficult process to change user expectations to a point where they accept that loss of control - but it can be done. People have already accepted mobile phones as a fairly closed platform, and some contend that phone use is displacing most "personal computer" use - which means that the experience people get with their phones is redefining users' expectations of interaction with their computers.

OS X is currently a "full fledged UNIX" - this can change.
XCode requires a bunch of GNU stuff - that can change.
What do they gain from further restricting their platform? They gain a greater ability to simplify the user experience (which is a good thing for many users) and redefine various aspects of the OS that could be hard to do otherwise... And they gain status as a gatekeeper for the platform, a middleman who can extract money for every piece of software sold on the platform - much like what they enjoy on the iPhone platform, or what game console manufacturers enjoy.

One possible approach would be to give developers the same level of control they have now - but marginalize them. Charge them an extra $300 for the version of OS X that lets them do developerry things, or block developer machines from accessing the app store (apart from developer tools) - things like that. Things that would yield the desired level of control over most Mac systems, simply because most users wouldn't want the disadvantages (additional cost or reduced capabilities) that come with a development-capable machine.

I hesitate to say "Apple could do such-and-such" because I feel like that conveys the idea that I think this is likely to happen in the near future. My point is that it could, and it's silly to assume that it won't. The landscape of computing is changing, as it is bound to do over time. It's easy to assume that the status quo is some static, unchangeable thing, but it really isn't. Within the bounds of what users are willing to accept (even grudgingly, at first), the company in control of the platform can do whatever they like.

Why is this such a bad thing?

Why, at a technical level, is this so bad?
Because... uhh... uhhh.... uuhh... SCREW Apple!!

Haters gotta hate.

Re:Why is this such a bad thing?

[IamTheRealMike]

Sandboxing applications isn't so bad, and I think this is correct and inevitable. The fear comes purely from the fact that Apple has historically been very abusive with its app store policies, they aren't there purely to ensure security but are also used to simply crush apps some Apple executive didn't like, eg the "no competition" clauses.

Given Apples flaky approach to app store approvals, it's not unexpected that many people see this as the end of the Mac as an open(ish) computing platform. Given there aren't very many platforms, Microsoft tends to follow Apples lead these days, and Linux has never overcome its problems to go mainstream - that's a cause for concern indeed.

The good news is that there is Android, which gets it right - strong app sandboxing with an opt out checkbox you can tick if you want to. And it's open source so even if it stops being right tomorrow (unlikely), it's still a strong foundation others could build off. The bad news is that Android does not run on laptops or desktop machines, and does not have the enormous collection of industrial-strength apps like Photoshop, Office etc that MacOS/Win32 does.

Re:Why is this such a bad thing?

[SuricouRaven]

At a technical level, it isn't. Common-sense security is being applied: No app should have permissions to do something it can't show good need for. The fear isn't about technology, it's about Apple's business model, which is now built upon restricting the capabilities of their products in order to drive the users towards Apple's own supporting services. A successful business model, but one many regard as exploitative, detrimental to the users and a bad thing for the culture built around access to technology.

Problem?

[AdrianKemp]

I fail to see any problem with this.

I'm actually far happier when apps are clean and well controlled in terms of what they put where, Apple is providing an assurance that this *will* be the case for officially approved apps.

Good on them.

Whether or not they eventually disable applications from outside the App Store is completely irrelevant to this move.

Why is this unreasonable

[Geoffrey.landis]

So, is this actually unreasonable? Seems to me that if you don't want machines to be pwned, it would be nice to have somebody look over the ap before it starts controlling processes outside its sandbox. Sudo privilege is nice to have, but it's also something you don't want to give away without oversight.

OMG TEH EVIL APPLE

[wumpus188]

You don't ask Apple for anything. You just declare what your application needs from OS to function.

Ever heard of Android? Works the same way.

Great Security

[dogmatixpsych]

This is very good practice for applications in the Mac App store. It's a huge security feature. Now, if Apple ever locks down the Mac to allow only applications from the Mac App Store (they won't), I'll give up Mac and go to Linux full-time (I use Macs for neuroimaging research and definitely don't have the applications/tools I use available through the Mac App Store; it would be nice to have a lot of them on a central repository though like Neurodebian {I virtualize that on my Macs}), but in the mean time I'll stick with my Macs. This is a wonderful security feature for applications given stamps of approval from Apple through the Mac App Store. Yes, there might be other security issues introduced through OS X issues but in general this is a positive step forward. Again, I'm not suggesting all applications should be sandboxed, I just think it is good practice for the ones distributed through the Mac App Store.

So now that Apple's doing it, sandboxing is evil?

[Trolan]

Sandboxing applications is a common security model on Unix systems, so why is this a bad thing on desktop apps as well? The App Store apps already had restrictions on where you could put your executable. This just codifies other accesses into a model where the developer sets up the privileges the app requires instead of leaving it at the free-for-all it is now.

The Future of Computer Security, Writ Large

[stating_the_obvious]

The future of all applications will be individual sandboxes. Why the hell would you have perimeter security (show your credentials to access the enture kingdom) versus a police state (show me your papers) that denies all privileges not specifically granted. I'm not saying I want to physically live in that world, but I definitely want my computers operating in that world

Ummm... good?

[Just+Some+Guy]

So a free Twitter app isn't allowed to take screenshots while I have my checkbook app open? I'm OK with that. Every one of those restrictions seem perfectly reasonable and good.

How is it restrictive? Freedom for real people

[SuperKendall]

You can install an application from anywhere. Apple is simply providing application writers a mechanism to help ensure user security (that you can also use in building non app-store apps), and a channel for people to get applications that they know will have less potential impact on the system if there's a security issue. If I get a computer for a grandparent and say "buy applications from here" then they are substantially better off and I can rest easier knowing it's less likely the system is compromised, even if any given application is compromised.

I would say what is restrictive is the notion that users should have to understand computers well enough to secure them. That is the real prison which we have forced millions to endure for years. A computer that people can use to a great desire without worrying about how to "maintain" it is liberation for 99% of computer users on the planet.