Headlines News :
Home » » Apple has slowly added Sandboxing facilities into Mac OS X

Apple has slowly added Sandboxing facilities into Mac OS X

Written By Hourpost on Friday, November 4, 2011 | 7:54 AM

In a note posted to its developer news site, Apple said Wednesday that future Mac OS X apps in the Mac App Store will have to operate in an iOS-like "sandbox," a partitioned area where computing resources that allow potentially risky operations are inaccessible.

Apple says this step is necessary for your protection. "The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way," Apple explained in its posting. "As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing. SandboxingApple's dictum doesn't affect Mac OS developers who distribute their own Mac software. But there's ongoing concern among developers that consumer affinity for the Mac App Store user experience will marginalize independent software distribution and limit potential revenue to the point that Apple's way becomes the only commercially viable way.

Based on Apple's marketing, sandboxing Mac App Store apps hardly seems necessary. [Find out more about why developers are concerned about the Mac App Store. Read Apple's Mac App Store Brings Changes, Worries.] --But in the three years since Apple removed a knowledge base article for its "inaccurate" suggestion that Mac users should run antivirus software, perhaps something has changed.
Certainly the computing industry has changed, thanks to the success of devices running Apple's iOS, which is more locked down than Mac OS X. Microsoft's Metro apps in Windows 8 will be sandboxed, and Google sandboxes Android apps.

Sandboxing does have some advantages: In conjunction with Apple's oversight of apps submitted to the Mac App Store, it should make computing safer and more predictable. But if the Mac is as safe as Apple says it is, then the biggest impact will be on legitimate developers who will have to plead for permission from Apple to think outside the sandbox.--Developers submitting applications to Apple's Mac App Store will soon be required to add an extra layer of security for their wares to be accepted.

Beginning in March, all apps submitted must implement sandboxing, a protection that tightly restricts the way applications can interact with other parts of the operating system. By isolating the app from sensitive OS resources, sandboxing minimizes the damage that can be done when vulnerabilities are exploited. “The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way,” a blurb on Apple's developer news page stated. “As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing.”

The new sandboxing requirement was quickly applauded by many security researchers, but the reaction among Mac developers was decidedly more mixed. Apple's mandate may be painful for some developers, but if it protects end users, it will be worth the hardship.--Apple has given developers a few more months to either come to grips with its new app sandboxing requirements or say goodbye to the Mac App Store. Apple originally set a November deadline for apps sold through the Mac App Store to use Lion's new sandboxing framework for increased security, but the company told developers on Wednesday that the deadline had been pushed back to March 1, 2012.

Ars spoke to a few experts in order to understand the tradeoffs Apple's sandboxing implementation will cause both developers and end users.--This increases overall security, as apps can't run roughshod over other parts of the system—they can only, in the worst case, ruin their own sandbox. For example, a normal application run by a user has the ability to delete every single file owned by that user.

As Siracusa noted, Apple has slowly added sandboxing facilities into Mac OS X over the last few versions, but added APIs to allow third-party apps to use sandboxing as part of Mac OS X Lion. To encourage developers to adopt the sandboxing APIs, Apple first set a deadline that all apps approved for distribution via the Mac App Store would be required to implement sandboxing by November of this year.--Agile Bits was quick to add sandboxing support to its popular password locker app 1Password in anticipation of the original November deadline. Bare Bones Software's Rich Siegel agreed that, in principle, sandboxing will benefit a majority of users.

"For 99.44 percent of the applications out there, sandboxing is a workable technology, whose adoption curve is very flat and low-friction, and whose users won't notice any functional difference," Siegel said. For instance, apps that can arbitrarily browse the file system, or tell other apps to do something via AppleScript or other means, violate the sandboxing principle.--Apple could mitigate some of the problems with improved APIs for developers to use. The problem, as many see it, is that developers will either be forced to remove functionality that users have come to rely on or simply not sell their software via the Mac App Store. Beyond that, the limitations that Apple imposes via sandboxing may not even bring the intended security benefits, either.

"I don't think this will benefit security," Jonathan Zdziarski, a computer forensics and security expert, told Ars. The ultimate downside, then, could be complete Apple control over which applications can be run on your system. "Sandboxing will severely limit the functionality of Mac applications, and may even make some applications impossible to use," Zdziarski warned. Less technical users may welcome the improved security and simplicity without thinking twice about being able to arbitrarily browse the file system or cross-app scripting.


Share this post :

Post a Comment

 
Copyright © 2012. Hourpost - All Rights Reserved
By Blogger