Apple To Require Sandboxing For Mac App Store Apps

mario_grgic writes "And so it begins: Apple will require that all Mac apps submitted to the Mac App store stick to strict sandboxing requirements. This means you must ask Apple for read or read/write entitlements for additional folders outside your Application Support folder before your app is approved. There are also restrictions on direct hardware access, communication to processes your app did not start, or even something simple as taking a screenshot. All that is needed after this to turn your Mac into an appliance is to only allow app installations from App Store."

Cue Apple fans saying "That could NEVER happen"

[elrous0]

All that is needed after this to turn your Mac into an appliance is to only allow app installations from App Store.

I've made the argument that this is exactly where Apple is headed for a long time now. I'll summarize the responses you're going to get:

• They would never isolate developers like that.
• They depend on the creative crowd that would never tolerate being locked down like that
• Adobe and other developers would bitch about having to go through the app store and this would stop Apple from doing it
• We'll probably still be able to find a way to jailbreak it, so that makes it okay
• Just because they do it on iOS doesn't mean they'll ever do it on Mac's. They're COMPLETELY different things.
• The app store is just for iOS, Apple would be stupid to put it on Mac's. [they don't use this one so much anymore]

Of course, the second that Apple announces that they ARE, in fact, locking down the Mac's too, I suspect you'll see one of two responses (should be interesting to see how it goes):

• It's a great idea! I can't wait to buy one!! [this would have been the guaranteed response if Steve hadn't stepped down]
• Steve would have never done that!! [i.e., the faithful followers of Steve begin to denounce the new false messiah]

Re:Cue Apple fans saying "That could NEVER happen"

[dzfoo]

You forgot a couple of answers:
- Who the f*ck cares, as long as it works.
- Why do you care, just don't use the Mac App Store, don't upgrade your OS to the version that locks you out, or don't use a Mac.

        -dZ.

Re:Cue Apple fans saying "That could NEVER happen"

[Stellian]

There's nothing wrong with the sandboxing model per se. It's probably the only way to make our computers more secure. That Apple is moving in that direction should not be surprising: they make idiot-ready software (also known as good software), and you can't really have security and idiot friendliness without a trusted 3rd party to sort out the nitty-gritty details.

It should also be unsurprising that Apple moves to an authoritarian model where it and it alone can act as the trusted 3rd party. Almost everything Apple does is to maximize clout and control over the product environment. Apple is a control freak: it's profitable and risky, it almost got them killed when the PC revolution happened.

I would much rather like to see a sandbox where multiple private companies publish application profiles and the consumer choice is maximized; that's a nice role for the AV companies to play, move from a blacklist to a whitelist model. Should such a company turn into Big Brother, limit the consumer choice and push it's own interests, the consumers can easily move to a different "security provider".

Re:Cue Apple fans saying "That could NEVER happen"

[l0ungeb0y]

How are they isolating developers? I develop on the Mac and constantly install development software all the time. Know how many development related bits I've had to install via AppStore? -- ONE -- The latest version of XCode after it went to public release.

The AppStore is for CONSUMERS, there will never be a full lockdown because forcing every software writer to release through the AppStore would kill OS X as a development platform. Even XCode requires a whole bevy of gnu utilities. OS X is a full fledged UNIX and as such, you'll always be able to do *Nixy things such as wget/curl a file, gunzip, configure and make.

What Apple does with their CoCoa Framework and native apps is up to them, but as long as they are a UNIX, they'll never have the ability to stop apps written in C, Java, Python, Bash, Perl, PHP or Ruby from doing whatever the hell they please.

The day they do, is the day OS X leaves the Unix fold and becomes something else. And if that happens, you can bet your sweet ass that Apple will be dead within 3 years.

Re:Cue Apple fans saying "That could NEVER happen"

[Tetsujin]

There's nothing wrong with the sandboxing model per se. It's probably the only way to make our computers more secure. That Apple is moving in that direction should not be surprising: they make idiot-ready software (also known as good software)

I take exception to this.

"idiot-ready" software is good software... for "idiots".

(Of course, they're not really idiots, most of them - they're regular people who desire a simple level of interaction with their computer. But I'm just running with the "idiot-ready" terminology there.)

That approach to software design is "one size fits most" - but it's not "one size fits all" because the limitations of a simple UI will inevitably interfere with (or at least fail to support) something that someone is trying to do. When your expectations and skills pass a certain threshold, a simple UI is not necessarily a good UI.

Re:Cue Apple fans saying "That could NEVER happen"

[TheRaven64]

You seem to misunderstand what the sandbox is. OS X has had a set of APIs for sandboxing applications since 10.5. The sandbox(7) man page will tell you a lot about it. This comes with a few default policies, and you can add more. If you download an app and don't trust it, then you can start it in a sandbox (there's no GUI for doing this, which sucks, but it would be a few hours work to add one).

This isn't an 'authoritarian model' any more than the UNIX process model is: the kernel is the authority and any application has to go begging to it for access to anything. You can ship your own sandbox policies if you want to implement privilege separation and so on in your OS X application, and a lot of Apple's programs use it already, and have for a while - you may remember a mDNSResponder vulnerability that only affected 10.4, because it ran in a sandbox on 10.5. You can see the sandbox definition that mDNSResponder uses and it's pretty trivial to put something similar together for your own daemon.

The only difference now is that Apple is defining a sandbox profile for normal applications and forcing developers to use it if they want their application in the App Store. It is not a whitelist of applications, it's just a default security policy that applications must work with. This is like Microsoft requiring applications to work as non-Administrator users for the Designed For... certification, or a Linux distribution rejecting suid root apps from the default repository.

Re:Cue Apple fans saying "That could NEVER happen"

[Tetsujin]

The AppStore is for CONSUMERS, there will never be a full lockdown because forcing every software writer to release through the AppStore would kill OS X as a development platform. Even XCode requires a whole bevy of gnu utilities. OS X is a full fledged UNIX and as such, you'll always be able to do *Nixy things such as wget/curl a file, gunzip, configure and make.

I believe this is true for the time being. However, using words like "never" and "always" is a bit short-sighted. Desktop and laptop computers have traditionally been fairly open platforms in terms of what the user is allowed to do - but there is no reason to assume this will continue to be the case. If someone wants to change that, it will be a slow, difficult process to change user expectations to a point where they accept that loss of control - but it can be done. People have already accepted mobile phones as a fairly closed platform, and some contend that phone use is displacing most "personal computer" use - which means that the experience people get with their phones is redefining users' expectations of interaction with their computers.

OS X is currently a "full fledged UNIX" - this can change.
XCode requires a bunch of GNU stuff - that can change.
What do they gain from further restricting their platform? They gain a greater ability to simplify the user experience (which is a good thing for many users) and redefine various aspects of the OS that could be hard to do otherwise... And they gain status as a gatekeeper for the platform, a middleman who can extract money for every piece of software sold on the platform - much like what they enjoy on the iPhone platform, or what game console manufacturers enjoy.

One possible approach would be to give developers the same level of control they have now - but marginalize them. Charge them an extra $300 for the version of OS X that lets them do developerry things, or block developer machines from accessing the app store (apart from developer tools) - things like that. Things that would yield the desired level of control over most Mac systems, simply because most users wouldn't want the disadvantages (additional cost or reduced capabilities) that come with a development-capable machine.

I hesitate to say "Apple could do such-and-such" because I feel like that conveys the idea that I think this is likely to happen in the near future. My point is that it could, and it's silly to assume that it won't. The landscape of computing is changing, as it is bound to do over time. It's easy to assume that the status quo is some static, unchangeable thing, but it really isn't. Within the bounds of what users are willing to accept (even grudgingly, at first), the company in control of the platform can do whatever they like.

Re:Cue Apple fans saying "That could NEVER happen"

[dgatwood]

The only difference now is that Apple is defining a sandbox profile for normal applications and forcing developers to use it if they want their application in the App Store. It is not a whitelist of applications, it's just a default security policy that applications must work with. This is like Microsoft requiring applications to work as non-Administrator users for the Designed For... certification, or a Linux distribution rejecting suid root apps from the default repository.

Well, it's more like a range of default security policies tailored to the application, but yes. Apple has created a series of multiple high-level sandbox profile options that your app can choose from, depending on what it needs to do. If you are selling your apps on the Mac App Store, Apple vets those options to ensure that they make sense based on what your application does. If you aren't selling your app on the Mac App Store, this does not affect you at all, though you are strongly encouraged to sandbox your app because doing so makes the platform more robust against viruses, etc. At that point, the onus is on you to make sure that the options you choose are sane.

The big thing that makes the 10.7 App Sandbox different from the prior incarnations is the addition of PowerBox. By moving the open and save dialogs into a separate (system-provided) application that has the ability to add entitlements (capabilities) to your application's sandbox on the fly, it means that your app can access the files that the user specifies, and nothing else (outside of your app's personal scratch space). This is a significant win for security, as it puts the user directly in charge of what files an application can access.

I could go on for a while about privilege separation and techniques for making your app more secure, but that's a bit out of scope for this discussion forum. Go read App Sandbox Design Guide if you want more details.

Also, according to MacWorld, the original deadline was November (Source: MacWorld). The news is that Apple pushed the deadline out by four months, not that Apple is going to require sandboxing. That story is so out of date that when I first heard it, I fell off my dinosaur.

Problem?

[AdrianKemp]

I fail to see any problem with this.

I'm actually far happier when apps are clean and well controlled in terms of what they put where, Apple is providing an assurance that this *will* be the case for officially approved apps.

Good on them.

Whether or not they eventually disable applications from outside the App Store is completely irrelevant to this move.

Re:Problem?

[tripleevenfall]

As much as people like we /. denizens will gripe about this, for the average user it's a good solution. Disable by default the installation of unapproved apps. Allow users to opt out of that feature if they so choose.

For most users, who will never figure out how to enable non-market apps, or will have no desire to anyway, this makes their PC much more secure. For "power users", it's trivial enough to live in the old world.

Apple is a business

[linumax]

And they're here to make money. There seems to be a large market for people who want pretty appliances with certain "limitations" that work painlessly. Limitations is in quotes because it's a limit to myself and many on Slashdot, but not to most casual users.

Why is this unreasonable

[Geoffrey.landis]

So, is this actually unreasonable? Seems to me that if you don't want machines to be pwned, it would be nice to have somebody look over the ap before it starts controlling processes outside its sandbox. Sudo privilege is nice to have, but it's also something you don't want to give away without oversight.

OMG TEH EVIL APPLE

[wumpus188]

You don't ask Apple for anything. You just declare what your application needs from OS to function.

Ever heard of Android? Works the same way.

Re:OMG TEH EVIL APPLE

[onefriedrice]

You don't ask Apple for anything. You just declare what your application needs from OS to function.

Ever heard of Android? Works the same way.

But but but it's more fun to sensationalize the truth so we all can have another pretend reason to hate Apple.

Great Security

[dogmatixpsych]

This is very good practice for applications in the Mac App store. It's a huge security feature. Now, if Apple ever locks down the Mac to allow only applications from the Mac App Store (they won't), I'll give up Mac and go to Linux full-time (I use Macs for neuroimaging research and definitely don't have the applications/tools I use available through the Mac App Store; it would be nice to have a lot of them on a central repository though like Neurodebian {I virtualize that on my Macs}), but in the mean time I'll stick with my Macs. This is a wonderful security feature for applications given stamps of approval from Apple through the Mac App Store. Yes, there might be other security issues introduced through OS X issues but in general this is a positive step forward. Again, I'm not suggesting all applications should be sandboxed, I just think it is good practice for the ones distributed through the Mac App Store.

Re:Why is this such a bad thing?

[IamTheRealMike]

Sandboxing applications isn't so bad, and I think this is correct and inevitable. The fear comes purely from the fact that Apple has historically been very abusive with its app store policies, they aren't there purely to ensure security but are also used to simply crush apps some Apple executive didn't like, eg the "no competition" clauses.

Given Apples flaky approach to app store approvals, it's not unexpected that many people see this as the end of the Mac as an open(ish) computing platform. Given there aren't very many platforms, Microsoft tends to follow Apples lead these days, and Linux has never overcome its problems to go mainstream - that's a cause for concern indeed.

The good news is that there is Android, which gets it right - strong app sandboxing with an opt out checkbox you can tick if you want to. And it's open source so even if it stops being right tomorrow (unlikely), it's still a strong foundation others could build off. The bad news is that Android does not run on laptops or desktop machines, and does not have the enormous collection of industrial-strength apps like Photoshop, Office etc that MacOS/Win32 does.

Re:Why is this such a bad thing?

[SuricouRaven]

At a technical level, it isn't. Common-sense security is being applied: No app should have permissions to do something it can't show good need for. The fear isn't about technology, it's about Apple's business model, which is now built upon restricting the capabilities of their products in order to drive the users towards Apple's own supporting services. A successful business model, but one many regard as exploitative, detrimental to the users and a bad thing for the culture built around access to technology.

So now that Apple's doing it, sandboxing is evil?

[Trolan]

Sandboxing applications is a common security model on Unix systems, so why is this a bad thing on desktop apps as well? The App Store apps already had restrictions on where you could put your executable. This just codifies other accesses into a model where the developer sets up the privileges the app requires instead of leaving it at the free-for-all it is now.

The Future of Computer Security, Writ Large

[stating_the_obvious]

The future of all applications will be individual sandboxes. Why the hell would you have perimeter security (show your credentials to access the enture kingdom) versus a police state (show me your papers) that denies all privileges not specifically granted. I'm not saying I want to physically live in that world, but I definitely want my computers operating in that world

Ummm... good?

[Just+Some+Guy]

So a free Twitter app isn't allowed to take screenshots while I have my checkbook app open? I'm OK with that. Every one of those restrictions seem perfectly reasonable and good.

Re:Why is this such a bad thing?

[Ambitwistor]

This basically makes 3rd-party software - like you get from Fink, for example - non-existent, as far as a Mac user is concerned, because all software for Macs will have to be retrieved from this "app store".

You're spreading FUD.

Software for Macs will NOT have to be retrieved from the app store only. This does not kill 3rd-party software or Fink. This announcement ONLY applies to applications that are voluntarily listed in the app store by their developers. Developers do not have to use the app store to distribute their apps.

It is possible that Apple may someday require all apps go through the app store, as you suggest, but that's not what this announcement is about.

Re:Things you can't do on Windows or Linux

[tripleevenfall]

People are developing for WP7?

It's good, and I'd like it for Linux

[slim]

OK, not the "central authority can veto apps" part.

But the "app package declares what system calls it needs to access; package manager reports it; sandbox enforces it" part.

You can achieve it in a limited way with things like chroot, but having it conveniently bundled is nice.

# apt-get install gnuTunes
INFO: gnuTunes requires:
  - read/write access to ~/.gnuTunes/ for the user
  - access to audio output
  - read access to the optical drive
  - read/write access to ~/Music/ for the user
  - read access to /usr/share/Music/
  - make HTTP requests to http://gracenote.com/ ... and so on.

How is it restrictive? Freedom for real people

[SuperKendall]

You can install an application from anywhere. Apple is simply providing application writers a mechanism to help ensure user security (that you can also use in building non app-store apps), and a channel for people to get applications that they know will have less potential impact on the system if there's a security issue. If I get a computer for a grandparent and say "buy applications from here" then they are substantially better off and I can rest easier knowing it's less likely the system is compromised, even if any given application is compromised.

I would say what is restrictive is the notion that users should have to understand computers well enough to secure them. That is the real prison which we have forced millions to endure for years. A computer that people can use to a great desire without worrying about how to "maintain" it is liberation for 99% of computer users on the planet.

Permissions conspicuous by their absence

[tepples]

Ever heard of Android? Works the same way.

Every time Google adds a sensitive API to Android and documents it, it adds a corresponding permission to the application manifest schema. This means every single documented API in Android is either A. covered by the generic permission for all installed applications or B. covered by one of the permissions that an application can request. This Mac App Store sandbox, on the other hand, appears to add a category C: APIs that no sandboxed application can request, even with good reason. The page behind the second link points out a few noticeable omissions in the available permissions. This points to one of two paths of speculation: either Apple will add permissions covering these holes in a later revision of the policy, or Apple plans to completely remove the functionality corresponding to those holes in future versions of Mac OS X.

This is not news, and is slightly misleading

[sribe]

- The real news is that the deadline was announced today as March 1 2012, whereas back in the summer at WWDC it was announced as November 1 2011. So they've just delayed this for 4 months--probably to continue refining it.

This means you must ask Apple for read or read/write entitlements for additional folders outside your Application Support folder...

- But you are always allowed access to read/write files that the user selects through the normal open/save dialogs. So this restriction just applies to files you create without the user's specifying the location. Now, this still does potentially create some problems with some kinds of legitimate file access, keeping track of and using previously-saved/read files, and that sort of thing. But it's not nearly as drastic as the summary makes it sound.

more nonsense

[Tom]

ok, it really is nonsense-summary week on /.

This is fantastic news for everyone who is worried the slightest bit about security. This has absolutely nothing to do with turning a Mac into an appliance, and nobody from within Apple has ever alleged that non-App-Store installations would be made difficult or impossible.

But what this is is a huge and desperately step needed in putting applications into their own corner. Imagine what would happen if random apps couldn't crap all over your system? The horror! Most of the spy- and malware would go away!

The OS X sandbox is actually a fairly nifty beast, but is has been under-used. This is a great step into pushing it out and making developers accept that just because I want to use their app I don't mean to give them full access to everything on my system - not even everything I can access with my user account.