Apple To Require Sandboxing For Mac App Store Apps

mario_grgic writes "And so it begins: Apple will require that all Mac apps submitted to the Mac App store stick to strict sandboxing requirements. This means you must ask Apple for read or read/write entitlements for additional folders outside your Application Support folder before your app is approved. There are also restrictions on direct hardware access, communication to processes your app did not start, or even something simple as taking a screenshot. All that is needed after this to turn your Mac into an appliance is to only allow app installations from App Store."

Cue Apple fans saying "That could NEVER happen"

[elrous0]

All that is needed after this to turn your Mac into an appliance is to only allow app installations from App Store.

I've made the argument that this is exactly where Apple is headed for a long time now. I'll summarize the responses you're going to get:

• They would never isolate developers like that.
• They depend on the creative crowd that would never tolerate being locked down like that
• Adobe and other developers would bitch about having to go through the app store and this would stop Apple from doing it
• We'll probably still be able to find a way to jailbreak it, so that makes it okay
• Just because they do it on iOS doesn't mean they'll ever do it on Mac's. They're COMPLETELY different things.
• The app store is just for iOS, Apple would be stupid to put it on Mac's. [they don't use this one so much anymore]

Of course, the second that Apple announces that they ARE, in fact, locking down the Mac's too, I suspect you'll see one of two responses (should be interesting to see how it goes):

• It's a great idea! I can't wait to buy one!! [this would have been the guaranteed response if Steve hadn't stepped down]
• Steve would have never done that!! [i.e., the faithful followers of Steve begin to denounce the new false messiah]

Re:Cue Apple fans saying "That could NEVER happen"

[dzfoo]

You forgot a couple of answers:
- Who the f*ck cares, as long as it works.
- Why do you care, just don't use the Mac App Store, don't upgrade your OS to the version that locks you out, or don't use a Mac.

        -dZ.

Re:Cue Apple fans saying "That could NEVER happen"

[Stellian]

There's nothing wrong with the sandboxing model per se. It's probably the only way to make our computers more secure. That Apple is moving in that direction should not be surprising: they make idiot-ready software (also known as good software), and you can't really have security and idiot friendliness without a trusted 3rd party to sort out the nitty-gritty details.

It should also be unsurprising that Apple moves to an authoritarian model where it and it alone can act as the trusted 3rd party. Almost everything Apple does is to maximize clout and control over the product environment. Apple is a control freak: it's profitable and risky, it almost got them killed when the PC revolution happened.

I would much rather like to see a sandbox where multiple private companies publish application profiles and the consumer choice is maximized; that's a nice role for the AV companies to play, move from a blacklist to a whitelist model. Should such a company turn into Big Brother, limit the consumer choice and push it's own interests, the consumers can easily move to a different "security provider".

Re:Cue Apple fans saying "That could NEVER happen"

[l0ungeb0y]

How are they isolating developers? I develop on the Mac and constantly install development software all the time. Know how many development related bits I've had to install via AppStore? -- ONE -- The latest version of XCode after it went to public release.

The AppStore is for CONSUMERS, there will never be a full lockdown because forcing every software writer to release through the AppStore would kill OS X as a development platform. Even XCode requires a whole bevy of gnu utilities. OS X is a full fledged UNIX and as such, you'll always be able to do *Nixy things such as wget/curl a file, gunzip, configure and make.

What Apple does with their CoCoa Framework and native apps is up to them, but as long as they are a UNIX, they'll never have the ability to stop apps written in C, Java, Python, Bash, Perl, PHP or Ruby from doing whatever the hell they please.

The day they do, is the day OS X leaves the Unix fold and becomes something else. And if that happens, you can bet your sweet ass that Apple will be dead within 3 years.

Re:Cue Apple fans saying "That could NEVER happen"

[Tetsujin]

There's nothing wrong with the sandboxing model per se. It's probably the only way to make our computers more secure. That Apple is moving in that direction should not be surprising: they make idiot-ready software (also known as good software)

I take exception to this.

"idiot-ready" software is good software... for "idiots".

(Of course, they're not really idiots, most of them - they're regular people who desire a simple level of interaction with their computer. But I'm just running with the "idiot-ready" terminology there.)

That approach to software design is "one size fits most" - but it's not "one size fits all" because the limitations of a simple UI will inevitably interfere with (or at least fail to support) something that someone is trying to do. When your expectations and skills pass a certain threshold, a simple UI is not necessarily a good UI.

Re:Cue Apple fans saying "That could NEVER happen"

[TheRaven64]

You seem to misunderstand what the sandbox is. OS X has had a set of APIs for sandboxing applications since 10.5. The sandbox(7) man page will tell you a lot about it. This comes with a few default policies, and you can add more. If you download an app and don't trust it, then you can start it in a sandbox (there's no GUI for doing this, which sucks, but it would be a few hours work to add one).

This isn't an 'authoritarian model' any more than the UNIX process model is: the kernel is the authority and any application has to go begging to it for access to anything. You can ship your own sandbox policies if you want to implement privilege separation and so on in your OS X application, and a lot of Apple's programs use it already, and have for a while - you may remember a mDNSResponder vulnerability that only affected 10.4, because it ran in a sandbox on 10.5. You can see the sandbox definition that mDNSResponder uses and it's pretty trivial to put something similar together for your own daemon.

The only difference now is that Apple is defining a sandbox profile for normal applications and forcing developers to use it if they want their application in the App Store. It is not a whitelist of applications, it's just a default security policy that applications must work with. This is like Microsoft requiring applications to work as non-Administrator users for the Designed For... certification, or a Linux distribution rejecting suid root apps from the default repository.

Re:Cue Apple fans saying "That could NEVER happen"

[Superken7]

Excellent. I have never seen all this common sense about this matter summarized in a post so briefly without resorting to typical "fanboy-ish" claims.
Someone should mod this up!

Re:Cue Apple fans saying "That could NEVER happen"

[Tetsujin]

The AppStore is for CONSUMERS, there will never be a full lockdown because forcing every software writer to release through the AppStore would kill OS X as a development platform. Even XCode requires a whole bevy of gnu utilities. OS X is a full fledged UNIX and as such, you'll always be able to do *Nixy things such as wget/curl a file, gunzip, configure and make.

I believe this is true for the time being. However, using words like "never" and "always" is a bit short-sighted. Desktop and laptop computers have traditionally been fairly open platforms in terms of what the user is allowed to do - but there is no reason to assume this will continue to be the case. If someone wants to change that, it will be a slow, difficult process to change user expectations to a point where they accept that loss of control - but it can be done. People have already accepted mobile phones as a fairly closed platform, and some contend that phone use is displacing most "personal computer" use - which means that the experience people get with their phones is redefining users' expectations of interaction with their computers.

OS X is currently a "full fledged UNIX" - this can change.
XCode requires a bunch of GNU stuff - that can change.
What do they gain from further restricting their platform? They gain a greater ability to simplify the user experience (which is a good thing for many users) and redefine various aspects of the OS that could be hard to do otherwise... And they gain status as a gatekeeper for the platform, a middleman who can extract money for every piece of software sold on the platform - much like what they enjoy on the iPhone platform, or what game console manufacturers enjoy.

One possible approach would be to give developers the same level of control they have now - but marginalize them. Charge them an extra $300 for the version of OS X that lets them do developerry things, or block developer machines from accessing the app store (apart from developer tools) - things like that. Things that would yield the desired level of control over most Mac systems, simply because most users wouldn't want the disadvantages (additional cost or reduced capabilities) that come with a development-capable machine.

I hesitate to say "Apple could do such-and-such" because I feel like that conveys the idea that I think this is likely to happen in the near future. My point is that it could, and it's silly to assume that it won't. The landscape of computing is changing, as it is bound to do over time. It's easy to assume that the status quo is some static, unchangeable thing, but it really isn't. Within the bounds of what users are willing to accept (even grudgingly, at first), the company in control of the platform can do whatever they like.

Re:Cue Apple fans saying "That could NEVER happen"

[Fnord666]

To put it another way, Apple's current design methodology is centered around the notion that people should not have to think about how to use their computers. Let me emphasize the important part: people should not have to think. If the term "idiot" does not properly convey the notion of someone who is not willing or able to think, I am not really sure what would.

I respectfully disagree. In most cases the average person's goal is not to use a computer. Their goal is to send/receive email or keep up with what is going on in their family (via a social media site) or edit and print their photos. The computer is just a tool to accomplish those goals, not a goal in and of itself. For these very common use cases, good UI design enables the user to accomplish their goals without having to get involved in the details of how the tool accomplishes the goal. Looking at a hammer and a nail and knowing that the nail needs to go into a piece of wood, it doesn't require a lot of thought to figure out how to get the job done. Good software should be the same way.

Re:Cue Apple fans saying "That could NEVER happen"

[dgatwood]

The only difference now is that Apple is defining a sandbox profile for normal applications and forcing developers to use it if they want their application in the App Store. It is not a whitelist of applications, it's just a default security policy that applications must work with. This is like Microsoft requiring applications to work as non-Administrator users for the Designed For... certification, or a Linux distribution rejecting suid root apps from the default repository.

Well, it's more like a range of default security policies tailored to the application, but yes. Apple has created a series of multiple high-level sandbox profile options that your app can choose from, depending on what it needs to do. If you are selling your apps on the Mac App Store, Apple vets those options to ensure that they make sense based on what your application does. If you aren't selling your app on the Mac App Store, this does not affect you at all, though you are strongly encouraged to sandbox your app because doing so makes the platform more robust against viruses, etc. At that point, the onus is on you to make sure that the options you choose are sane.

The big thing that makes the 10.7 App Sandbox different from the prior incarnations is the addition of PowerBox. By moving the open and save dialogs into a separate (system-provided) application that has the ability to add entitlements (capabilities) to your application's sandbox on the fly, it means that your app can access the files that the user specifies, and nothing else (outside of your app's personal scratch space). This is a significant win for security, as it puts the user directly in charge of what files an application can access.

I could go on for a while about privilege separation and techniques for making your app more secure, but that's a bit out of scope for this discussion forum. Go read App Sandbox Design Guide if you want more details.

Also, according to MacWorld, the original deadline was November (Source: MacWorld). The news is that Apple pushed the deadline out by four months, not that Apple is going to require sandboxing. That story is so out of date that when I first heard it, I fell off my dinosaur.

Re:Cue Apple fans saying "That could NEVER happen"

[dishpig]

"Idiot Ready" actually means 'thoughtfully designed'.

... To put it another way, Apple's current design methodology is centered around the notion that people should not have to think about how to use their computers. Let me emphasize the important part: people should not have to think. If the term "idiot" does not properly convey the notion of someone who is not willing or able to think, I am not really sure what would.

No, you don't get it at all. People should not have to learn how to use computers. Or software. That part is true.

But you're missing the point - you're not listening to why that's true. People should be able to discover, through design, how to use a computer or piece of software. That's what thoughtful design is. Paying attention to how people interact with things and using those tendencies to inform them. The idea that people should learn how computers need to be interacted with and not the other way around is ludicrous and nothing but elitism by tech-savvy types.

I'm not saying Apple is all that, but the concept is sound.

Re:Cue Apple fans saying "That could NEVER happen"

[Guy+Harris]

Ironically, the fact that bash on Mac OS X does not let you overwrite files when you redirect a program's output was an annoyance yesterday. Before anyone asks, yes, we did read the manual and found out how to disable that feature.

WTF?

$ echo $SHELL
/bin/bash
$ echo "this is a test" >/tmp/testme
$ echo "this is a testicle" >/tmp/testme
$ cat /tmp/testme
this is a testicle

You didn't accidentally do set -C, did you? /etc/bashrc in Snow Leopard, at least, does

# System-wide .bashrc file for interactive bash(1) shells.
if [ -z "$PS1" ]; then
return
fi

PS1='\h:\W \u\$ '
# Make bash check its window size after a process completes
shopt -s checkwinsize

and that's it.

Re:Cue Apple fans saying "That could NEVER happen"

[jedidiah]

Why would an IT guy "love" something that is limited and limiting?

We're the people that are ahead of the curve. We're already past where Apple wants to lead people to. Thus we tend to chaffe at the limits they set.

Apple already had a nice implementation of Unix that didn't include any of the draconian Big Brother nonsense. They already disproved the idea that general purpose systems have to be crap and infested with malware. All the screeching that your chains are really for your own good make no sense in light of Apple's previous work.

Of course IT people that like to push tech in new directions are going to get cranky when it starts to get crippled and even crankier when the BS justifications begin.

Re:Cue Apple fans saying "That could NEVER happen"

[lgw]

You have a fundament flaw in your reasoning (and it's a very popular one these days). You're asserting that "anyone who doesn't want to spend mental effort on the stuff I find appealing must lack the ability to spend mental effort at all". Which is arrogant bullshit, and illustrates the difference between "geek" and "smart".

There are a few areas of interest that will make a real difference to almost anyone's quality of life. All the rest, such as complicated software, if they're not tools you need professionally then they're a hobby. Good for entertainment. Arguing that another man's choice of entertainment is mindless, but your entertainment is for smart people is, well, not very smart.

Re:Cue Apple fans saying "That could NEVER happen"

[Guy+Harris]

To be honest, it was not my Mac, and I have little knowledge of what its owner had done before I touched it (but he seemed equally annoyed).

Perhaps he accidentally did set -C, then.

The point was more about features that stop you from overwriting files than about Mac OS X.

Then it would more accurately have been stated as "Ironically, the fact that bash on a coworker's machine did not let you overwrite files...", or something such as that, so as to clearly indicate that it had absolutely nothing to do with Mac OS X. I.e., you can't blame that one on Apple.

Yes, features that prevent you from doing things can be annoying (and, yes, that sometimes goes for dialog boxes, e.g. if I just want to dump something to /tmp/patch - or, given e.g. Safari's insistence on calling all text files something .txt, /tmp/patch.txt - as the latest patch to look at and apply to whatever, it can be a nuisance). However, features that don't prevent you from doing things can be annoying, too, if you end up destroying a valuable file because of a typo. Fortunately, at least at the command line, -C isn't the default, even on Mac OS X, and you can override it with >| if you want it set to protect yourself.

Why is this such a bad thing?

Why, at a technical level, is this so bad?
Because... uhh... uhhh.... uuhh... SCREW Apple!!

Haters gotta hate.

Re:Why is this such a bad thing?

[IamTheRealMike]

Sandboxing applications isn't so bad, and I think this is correct and inevitable. The fear comes purely from the fact that Apple has historically been very abusive with its app store policies, they aren't there purely to ensure security but are also used to simply crush apps some Apple executive didn't like, eg the "no competition" clauses.

Given Apples flaky approach to app store approvals, it's not unexpected that many people see this as the end of the Mac as an open(ish) computing platform. Given there aren't very many platforms, Microsoft tends to follow Apples lead these days, and Linux has never overcome its problems to go mainstream - that's a cause for concern indeed.

The good news is that there is Android, which gets it right - strong app sandboxing with an opt out checkbox you can tick if you want to. And it's open source so even if it stops being right tomorrow (unlikely), it's still a strong foundation others could build off. The bad news is that Android does not run on laptops or desktop machines, and does not have the enormous collection of industrial-strength apps like Photoshop, Office etc that MacOS/Win32 does.

Re:Why is this such a bad thing?

[SuricouRaven]

At a technical level, it isn't. Common-sense security is being applied: No app should have permissions to do something it can't show good need for. The fear isn't about technology, it's about Apple's business model, which is now built upon restricting the capabilities of their products in order to drive the users towards Apple's own supporting services. A successful business model, but one many regard as exploitative, detrimental to the users and a bad thing for the culture built around access to technology.

Re:Why is this such a bad thing?

[Ambitwistor]

This basically makes 3rd-party software - like you get from Fink, for example - non-existent, as far as a Mac user is concerned, because all software for Macs will have to be retrieved from this "app store".

You're spreading FUD.

Software for Macs will NOT have to be retrieved from the app store only. This does not kill 3rd-party software or Fink. This announcement ONLY applies to applications that are voluntarily listed in the app store by their developers. Developers do not have to use the app store to distribute their apps.

It is possible that Apple may someday require all apps go through the app store, as you suggest, but that's not what this announcement is about.

Re:Why is this such a bad thing?

[DangerOnTheRanger]

You have a point; as a developer, you're not required to go through the app store - yet. Considering that 1) Apple is quickly making OSX behave like iOS 2) Apple has never liked not being able to control everything in the first place, it probably will be true in a matter of years (if not months). You're still right though - my statement is not true at the moment, and that's completely my fault.

Problem?

[AdrianKemp]

I fail to see any problem with this.

I'm actually far happier when apps are clean and well controlled in terms of what they put where, Apple is providing an assurance that this *will* be the case for officially approved apps.

Good on them.

Whether or not they eventually disable applications from outside the App Store is completely irrelevant to this move.

Re:Problem?

[tripleevenfall]

As much as people like we /. denizens will gripe about this, for the average user it's a good solution. Disable by default the installation of unapproved apps. Allow users to opt out of that feature if they so choose.

For most users, who will never figure out how to enable non-market apps, or will have no desire to anyway, this makes their PC much more secure. For "power users", it's trivial enough to live in the old world.

Apple is a business

[linumax]

And they're here to make money. There seems to be a large market for people who want pretty appliances with certain "limitations" that work painlessly. Limitations is in quotes because it's a limit to myself and many on Slashdot, but not to most casual users.

Why is this unreasonable

[Geoffrey.landis]

So, is this actually unreasonable? Seems to me that if you don't want machines to be pwned, it would be nice to have somebody look over the ap before it starts controlling processes outside its sandbox. Sudo privilege is nice to have, but it's also something you don't want to give away without oversight.

OMG TEH EVIL APPLE

[wumpus188]

You don't ask Apple for anything. You just declare what your application needs from OS to function.

Ever heard of Android? Works the same way.

Re:OMG TEH EVIL APPLE

[onefriedrice]

You don't ask Apple for anything. You just declare what your application needs from OS to function.

Ever heard of Android? Works the same way.

But but but it's more fun to sensationalize the truth so we all can have another pretend reason to hate Apple.

Re:OMG TEH EVIL APPLE

I dont have an iPhone, but with Android you have permissions, like entitlements. The application is written to 'ask' for these perms from the OS, but the *end user* gets to decide if they want to accept them or not - when they install the application. Not the case with IOS. The article says: "It’s important to note that these entitlements are granted by Apple, not by the user herself." It sounds like Apple has to approve your permission request, when it approves the application itself. That ridiculous! Im not trying to blindly hate Apple here, but that very clearly *sucks* compared to the more 'open' Android model, at least in my opinion. That kind of stuff stifles innovation! Everything on the iphone seems so locked up to me.. heck.. Didnt iphone OS 'like *just* get the ability to multitask, and the apps have to be explicitly written to support?! Co-operative multitasking OS in 2011!?! :)

Re:OMG TEH EVIL APPLE

[MichaelJ]

Yes, and the Android model sucks. I have to either grant the app all the permissions it asks for, or refuse to install it. There's no way to say "yes, install it, but don't let it access my address book."

Great Security

[dogmatixpsych]

This is very good practice for applications in the Mac App store. It's a huge security feature. Now, if Apple ever locks down the Mac to allow only applications from the Mac App Store (they won't), I'll give up Mac and go to Linux full-time (I use Macs for neuroimaging research and definitely don't have the applications/tools I use available through the Mac App Store; it would be nice to have a lot of them on a central repository though like Neurodebian {I virtualize that on my Macs}), but in the mean time I'll stick with my Macs. This is a wonderful security feature for applications given stamps of approval from Apple through the Mac App Store. Yes, there might be other security issues introduced through OS X issues but in general this is a positive step forward. Again, I'm not suggesting all applications should be sandboxed, I just think it is good practice for the ones distributed through the Mac App Store.

Re:If they weren't so pretty

[couchslug]

No. Their target market wants appliance-like reliability.

Other software choices exist outside the RDF and the sooner those who WANT choice are shunted there by Apple and MSFT the better.

Security

[Hentes]

This would be an important security feature if users could force it for any program.

So now that Apple's doing it, sandboxing is evil?

[Trolan]

Sandboxing applications is a common security model on Unix systems, so why is this a bad thing on desktop apps as well? The App Store apps already had restrictions on where you could put your executable. This just codifies other accesses into a model where the developer sets up the privileges the app requires instead of leaving it at the free-for-all it is now.

The Future of Computer Security, Writ Large

[stating_the_obvious]

The future of all applications will be individual sandboxes. Why the hell would you have perimeter security (show your credentials to access the enture kingdom) versus a police state (show me your papers) that denies all privileges not specifically granted. I'm not saying I want to physically live in that world, but I definitely want my computers operating in that world

Ummm... good?

[Just+Some+Guy]

So a free Twitter app isn't allowed to take screenshots while I have my checkbook app open? I'm OK with that. Every one of those restrictions seem perfectly reasonable and good.

Too far?

[GWBasic]

I do think some kind of sandboxing would be nice; for example, blocking Skype from automatically installing plugins in every browser under the sun without asking my permission. It's important that sandboxing doesn't prevent programs from being useful.

Re:Things you can't do on Windows or Linux

[GuldKalle]

Developing for WP7 requires a mac?

Re:Things you can't do on Windows or Linux

[tripleevenfall]

People are developing for WP7?

It's good, and I'd like it for Linux

[slim]

OK, not the "central authority can veto apps" part.

But the "app package declares what system calls it needs to access; package manager reports it; sandbox enforces it" part.

You can achieve it in a limited way with things like chroot, but having it conveniently bundled is nice.

# apt-get install gnuTunes
INFO: gnuTunes requires:
  - read/write access to ~/.gnuTunes/ for the user
  - access to audio output
  - read access to the optical drive
  - read/write access to ~/Music/ for the user
  - read access to /usr/share/Music/
  - make HTTP requests to http://gracenote.com/ ... and so on.

How is it restrictive? Freedom for real people

[SuperKendall]

You can install an application from anywhere. Apple is simply providing application writers a mechanism to help ensure user security (that you can also use in building non app-store apps), and a channel for people to get applications that they know will have less potential impact on the system if there's a security issue. If I get a computer for a grandparent and say "buy applications from here" then they are substantially better off and I can rest easier knowing it's less likely the system is compromised, even if any given application is compromised.

I would say what is restrictive is the notion that users should have to understand computers well enough to secure them. That is the real prison which we have forced millions to endure for years. A computer that people can use to a great desire without worrying about how to "maintain" it is liberation for 99% of computer users on the planet.

Permissions conspicuous by their absence

[tepples]

Ever heard of Android? Works the same way.

Every time Google adds a sensitive API to Android and documents it, it adds a corresponding permission to the application manifest schema. This means every single documented API in Android is either A. covered by the generic permission for all installed applications or B. covered by one of the permissions that an application can request. This Mac App Store sandbox, on the other hand, appears to add a category C: APIs that no sandboxed application can request, even with good reason. The page behind the second link points out a few noticeable omissions in the available permissions. This points to one of two paths of speculation: either Apple will add permissions covering these holes in a later revision of the policy, or Apple plans to completely remove the functionality corresponding to those holes in future versions of Mac OS X.

Re:Permissions conspicuous by their absence

[Roogna]

Mind you, Apple has a way for Developer's to provide feedback for APIs they need. If enough enter tickets requesting a API be sandboxed, it'll show up at some point. This has proven true on iOS side as well. If enough dev's put in requests for an API for something, it usually does show up, eventually. This isn't always a quick process, but the more feedback they get, the more likely it will turn up at some point.

Re:Things you can't do on Windows or Linux

[Motard]

Yep.

I'm not so sure

[Viol8]

"OS X is a full fledged UNIX and as such, you'll always be able to do *Nixy things such as wget/curl a file, gunzip, configure and make"

I wouldn't bet on it. Its entirely possible to make the kernel limit what a user can do above and beyond a chroot jail - SELinux does it already. That doesn't make it any less of a version of unix. All you'd see on the command line is the "Operation not permitted" error and that would be that.

As for apple being dead if they messed about with the unix roots of OS/X , very unlikely. 99% of apple users couldn't care less and most of them don't even know their OS is a version of unix.

Re:Things you can't do on Windows or Linux

[Synerg1y]

Would develop* the death of android would not prompt an exodus to apple but to wp7, most people who own an android specifically chose not to go apple cause of apple bs, and while microsoft has their share, it's not nearly as bad.

Then again the death of android is only speculative by people who are not even close to being qualified to make that judgement (slashdotters), so I'll be enjoying my android for a long time to come I'm sure.

This is not news, and is slightly misleading

[sribe]

- The real news is that the deadline was announced today as March 1 2012, whereas back in the summer at WWDC it was announced as November 1 2011. So they've just delayed this for 4 months--probably to continue refining it.

This means you must ask Apple for read or read/write entitlements for additional folders outside your Application Support folder...

- But you are always allowed access to read/write files that the user selects through the normal open/save dialogs. So this restriction just applies to files you create without the user's specifying the location. Now, this still does potentially create some problems with some kinds of legitimate file access, keeping track of and using previously-saved/read files, and that sort of thing. But it's not nearly as drastic as the summary makes it sound.

Re:Stupid

[DaphneDiane]

This is not to prevent trojans from coming from the App Store, it is to decrease the attack area of apps if exploits are found through them. For example suppose an app registers an URI handle, but does not properly sanitize the data before processing it leading to an arbitrary code exploit. It would still have to bypass the sandbox to further infect the system. Yes, pretty much all malware software is based on trojans. But that doesn't mean that ignoring other risks is a good thing.

The biggest problems with sandboxing is making sure that rules are tight enough but no tighter. Most of the developer complaints I've seen are either the "sandboxing is hard, I don't want to worry about enumerating what my app will do so that everything else can be blocked" or the "sandboxing is fine in principle, but without the ability to mark ( plugins / full filesystem access / ) as allowed my app will ( have reduced functionality / be unable to work )." The later issues are the ones I think that have merit. I can understand Apple being extremely tight with the original permissions because it's easier to loosen up rather than tighten, but it is going to limit what apps from the App Store can do. Hopefully they will be using some of the extra time from moving the sandbox deadline that was originally this month to March, to improve selection of the sandbox criteria to better meet the needs of some of the developers that are unable to work with the options currently provided.

The one thing I like about Apple's sandboxing over some other approaches is that it isn't noisy to the end users. People like most of us on this forum might care, but the average user sees a dialog that such an such app is requesting permissions to do . and there eyes glaze over and they either just press accept to get to the program or start panicking needless and become more susceptible to fake antivirus software claims.

Re:Things you can't do on Windows or Linux

[Sir_Sri]

Lots of people who are slashdotters are the ones writing the software to be deployed in future. 2 years ago I had iPhone projects out the wazoo (before that it was Nokia/Qt and blackberry), last year it was blackberry because we're close to RIM and they gave us free stuff, along with iPhone and QT was gone, this year it's android, and next year we're slated for WP7.5 or WP8.

Windows phone development is pretty easy, and I have a suspicion they can angle into the business market from RIM, while still tying into the xbox for gaming related stuff on the phone, that's a fairly big market. The big player in all of this is samsung. Sony is in the Android court, Nokia in MS. RIM is off doing it's own thing in fantasy land, and without steve jobs to sell their bad stuff Apple is going to be in trouble. With Google buying Moto mobile and Nokia and MS drinking the same kool-aid in the same bed, Samsung is the big player in all of this, and as much as they might be in the Android camp now a better corporate connected experience from MS could quickly sway them (or google going crazy with Motorola Mobile somehow).

I think WP7 devices will be as powerful as androids, but, loathe as I am to credit steve ballmer with anything, his 'you need a degree in CS to use an Android' is hyperbole, but not far off. MS could make a much cleaner experience with an equally powerful store and change the game considerably, if they can get Samsung and Nokia to produce decent handsets quickly.

No native code, no Emit

[tepples]

Applications for Windows Phone 7 must be written in a language that compiles to verifiably type-safe IL and must not use System.Reflection.Emit. All the efficient ways I know of making an emulator use either (unsafe) native code or Emit.

Don't care, as long as...

[scot4875]

I don't really care about this at all; in fact, it's a perfectly reasonable thing to do -- with one caveat. They must at least have an option to run non-Mac store applications on the computer. If we ever get to a point where we can't run arbitrary code on general purpose computers without some sort of special permission from the manufacturers, we're fucked.

--Jeremy

more nonsense

[Tom]

ok, it really is nonsense-summary week on /.

This is fantastic news for everyone who is worried the slightest bit about security. This has absolutely nothing to do with turning a Mac into an appliance, and nobody from within Apple has ever alleged that non-App-Store installations would be made difficult or impossible.

But what this is is a huge and desperately step needed in putting applications into their own corner. Imagine what would happen if random apps couldn't crap all over your system? The horror! Most of the spy- and malware would go away!

The OS X sandbox is actually a fairly nifty beast, but is has been under-used. This is a great step into pushing it out and making developers accept that just because I want to use their app I don't mean to give them full access to everything on my system - not even everything I can access with my user account.

Re:35,000 apps

[BitZtream]

You do realize that Gartner is basically a subsidiary marketing division for Microsoft right? And has been for what, 15 years? Their reports ALWAYS favor Microsoft. Shit, they probably said Bob was going to take over the world. You really have to be dense to believe anything they 'report' on.

Re:35,000 apps

[recoiledsnake]

That was intended to be a facetious reply to a rhetorical question. Nothing serious.

>Their reports ALWAYS favor Microsoft

Like this one? The first Google hit?

http://www.eweek.com/c/a/Messaging-and-Collaboration/Gmail-Now-Credible-Rival-to-Microsoft-Exchange-Gartner-617996/

Your comments NEVER favor Microsoft though. :) People have to be dense to believe you?