Friday, September 9, 2011 [Tweets] [Favorites]

Sandbox Corners

Daniel Jalkut:

I think that Apple would have a lot more developer enthusiasm for this feature if it wasn’t so clear to many of us that our apps will be forced to lose features in order to adopt sandboxing. And while users may be happy about the prospects of improved security with the sandbox, I think there will be less excitement about the diminished functionality of apps whose features don’t fit nicely into the sandbox confines.

Sandboxing is a very nice idea in theory, but so far the benefits seem to be hypothetical while the costs—in features and development time—are real. Furthermore, we’re coming up on the November deadline, and Apple has yet to actually say what its policy will be.

5 Comments

"Furthermore, we’re coming up on the November deadline, and Apple has yet to actually say what its policy will be."

They'll release a policy that's objectionable 17 different ways to Tuesday, let the outrage build for a week, and then change the policy to one that's only objectionable 12 different ways to Tuesday. Massive gratitude ensues. Everybody wins!

(And, of course, they'll always be a few ad hoc exceptions for strategic exemptions. The policy will be worded with lots of discretionary wiggle and vagueness as possible. In other words, business as usual.)

IMHO,the sandbox is useless.

Why?

For the following reasons:

- Unless your company name is Apple or Adobe, your application won't probably be used as an entry point for an attack on the Mac. And can you remind me how many Apple System apps are sandboxed right now?

- If you are adopting the sandbox mechanism, you are protecting for instance your application from being used to do some networking operations, read/write files on disk, etc following a buffer overflow attack. So what would a malware writer do? Well, he (or she) would target an application that can perform network operations, read and write files on disk? Hmm, what kind of applications can do that? Oh wait, isn't it what a web browser can do? And aren't web browsers already the preferred target of security flaws?

- Do you think a malware author will adopt the sandbox in the trojan horse app (s)he would be mainly distributing via e-mail relying on end-user lack of knowledge or drinking habits?

The way I see it, but I can be totally wrong is that the sandbox requirement on the Mac App Store is not about security or safety, it's about control. Control over Mac developers.

"If you are adopting the sandbox mechanism, you are protecting for instance your application from being used to do some networking operations, read/write files on disk, etc following a buffer overflow attack. So what would a malware writer do?"

Y'know, I've got no problem with a voluntary and helpful sandboxing scheme implemented at the OS level.

See, for example, Michael's post on 1 Password. That's an app I would never have trusted or installed without sandboxing. (I'm still not particularly interested in the app, but sandboxing makes it seem potentially viable if I were.)

Sandboxing's greatest appeal to the user would not be protecting from straight-up malware, but instead by enforcing the level of access a user wishes to grant a particular app. Power to the user.

So, in a scenario where apps advertise their sandbox level, (or advertise their variable sandbox levels to set by the user), which gives consumers valuable info, and still lets informed users install non-sandboxed or minimally sandboxed apps for tasks which need more access would be highly appreciated. It would be a way of the user giving finer-grained control over their apps beyond just the current binary admin priviligdes or not scenario, sort of like an OS-level Little Snitch or Hands Off made easy. In a happy world, the admin user would be able to grant finely grained permissions to their apps, on their rigs, according to their desired specs, all enforced by the OS. But, of course, I think we all know that benign and helpful scenario for the user is not where the platform is headed...

Henry Ford wrote in his autobiography that he told his management team in 1909 that in the future “Any customer can have a car painted any colour that he wants so long as it is black”

Mark Pilgrim's prediction is looking too conservative by a year or two. I'd say 2013 or 2014 instead of 2015 is where root access gets shifted to "Apple ID" access.

"Sandboxing's greatest appeal to the user would not be protecting from straight-up malware, but instead by enforcing the level of access a user wishes to grant a particular app. Power to the user."

Why not, but what is the percentage of Mac users with the ability to deal with that? 1%, 0.1%, 0.0001%?

It makes more sense that only the developer defines what the application can do. Would you enjoy providing tech support to a customer who tells you your app is not working and you discover it's not because that user said your application should not do this or that?

"what is the percentage of Mac users with the ability to deal with that?"

Obviously not enough to merit attention from the mothership. (And as you correctly note, the mothership is interested in gaining control for itself these days, not its users or its devs.)

However, as a user, I've always appreciated the OS forcing me to choose whether or not to grant admin privileges to an app that wants them. And I'd appreciate finer grained user control over such matters baked into the OS with user choice at the core of the design. (I'm in the small enough percentage to have purchased Little Snitch to gain some of that functionality. Hands Off seems even more appealing to me, but I don't trust the dev as much as I do ObjDev.)

I know. I know. The past decade spoiled me. I got conned into thinking I had a home in an easy-to-use mass-market OS that also had top-notch power user support.

What percentage of Mac users will mind (or even notice) when they no longer have root access to their gear? Probably a pretty low number too. It's when you end up with the "any color as long as it is black" philosophy behind OS design that you effectively stop being a general purpose computer platform and morph into something else.

I do all kinds of things on the platform that have low market share. And thus I don't assume it's going to be my platform looking forward, since the whole ecosystem will quickly decay. I can only hope Microsoft has it's mindset in the right place to serve customers like me, and is in one of its period phases of good execution, which may all be too much to expect.

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment