{"id":20503,"date":"2018-02-13T15:17:32","date_gmt":"2018-02-13T20:17:32","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=20503"},"modified":"2019-09-25T14:06:36","modified_gmt":"2019-09-25T18:06:36","slug":"mac-app-sandbox-non-native-apps","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/02\/13\/mac-app-sandbox-non-native-apps\/","title":{"rendered":"The Mac App Sandbox and Non-Native Apps"},"content":{"rendered":"<p><a href=\"https:\/\/krausefx.com\/blog\/mac-privacy-sandboxed-mac-apps-can-take-screenshots\">Felix Krause<\/a> (<a href=\"https:\/\/twitter.com\/KrauseFx\/status\/962440588502052864\">tweet<\/a>, <a href=\"https:\/\/news.ycombinator.com\/item?id=16350277\">Hacker News<\/a>):<\/p>\r\n<blockquote cite=\"https:\/\/krausefx.com\/blog\/mac-privacy-sandboxed-mac-apps-can-take-screenshots\"><p>Any Mac app, sandboxed or not sandboxed can:<\/p>\r\n<ul>\r\n<li>Take screenshots of your Mac silently without you knowing<\/li>\r\n<li>Access every pixel, even if the Mac app is in the background<\/li>\r\n<li>Use basic <a href=\"https:\/\/en.wikipedia.org\/wiki\/Optical_character_recognition\">OCR software<\/a> to read the text on the screen<\/li>\r\n<li>Access all connected monitors<\/li>\r\n<\/ul>\r\n<\/blockquote>\r\n<p><a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/962669860546383872\">Jeff Johnson<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/twitter.com\/lapcatsoftware\/status\/962669860546383872\">\r\n<p>Nobody tell Felix that Mac apps can also read the clipboard.<\/p>\r\n<\/blockquote>\r\n<p>This is why I think a network blocker like <a href=\"https:\/\/www.obdev.at\/products\/littlesnitch\/index.html\">Little Snitch<\/a> is more important for protecting users than the sandbox. 
Anyway, this is <a href=\"https:\/\/twitter.com\/patrickwardle\/status\/962803166323531777\">not really<\/a> <a href=\"https:\/\/blog.timschroeder.net\/2011\/09\/16\/sandbox-of-doom\/\">news<\/a>, but it prompted some interesting comments from <a href=\"https:\/\/www.linkedin.com\/in\/peterammon\">former Apple engineer<\/a> <a href=\"https:\/\/news.ycombinator.com\/item?id=16351522\">Peter Ammon<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=16351522\">\r\n<p>We did our best but the fact is that sandboxed apps run more slowly, have fewer features, are more isolated, and take longer to develop. Sometimes this cost is prohibitive (see Coda 2.5).<\/p><p>IMO the app sandbox was a grievous strategic mistake for the Mac. Cocoa-based Mac apps are rapidly being eaten by web apps and Electron pseudo-desktop apps. For Mac apps to survive, they must capitalize on their strengths: superior performance, better system integration, better dev experience, more features, and higher general quality.<\/p><p>But the app sandbox strikes at all of those. In return it offers security inferior to a web app, as this post illustrates. The price is far too high and the benefits too little.<\/p><p>IMO Apple should drop the Mac app sandbox altogether (though continue to sandbox system services, which is totally sensible, and maybe retain something geared towards browsers.) The code signing requirements and dev cert revocation, which has been successfully used to remotely disable malware, will be sufficient security: the Mac community is good at sussing out bad actors. But force Mac devs to castrate their apps even more, and there won&rsquo;t be anything left to protect.<\/p>\r\n<\/blockquote>\r\n\r\n<p>I still think the idea of sandboxing makes sense, but the actual implementation of it&mdash;the available entitlements, the framework bugs, the lack of documentation, and the App Store policies&mdash;was botched. 
And there has been little visible progress since macOS 10.7. Is this because it&rsquo;s fundamentally not possible to do better, given that the Mac wasn&rsquo;t designed with sandboxing in mind? Or has it simply not been a priority for Apple?<\/p>\r\n\r\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=16351883\">Peter Ammon<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=16351883\"><p>It&rsquo;s a hard UI problem. The Mac sandbox overcorrects to requiring capability resources for all file accesses, while on the other extreme we have e.g. Windows UAC which trains users to roll their eyes and click through.<\/p><p>But Apple doesn&rsquo;t enjoy the luxury of solving this problem in a nuanced way, because Mac apps are not acting from a position of strength. I suspect you aren&rsquo;t downloading lots of Mac apps today, and the reason is not insufficient sandboxing, but instead the limited selection, annoying install experience, etc. These are the problems that Apple must fix first.<\/p><p>[&#8230;]<\/p><p>Instead Apple should leverage the Mac&rsquo;s unique software strengths. Aggressively evolve the Mac&rsquo;s unique &ldquo;UI vocabulary&rdquo; and application frameworks. Empower, not punish, the dedicated and passionate developer community. Ship love to the userbase (perhaps the only one in existence) that&rsquo;s willing to open their wallets for high-quality desktop software. And yes, tolerate web-tech apps too - but embarrass them!<\/p><\/blockquote>\r\n\r\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=16352284\">Peter Ammon<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=16352284\"><p>The theory of the Mac is to establish a set of UI conventions. When you launched a new app, you would already know how to use most of it, because it was a Mac app. It looks and behaves like other apps, so you feel at home already. 
And as a developer, you get the right behavior now and in the future, for free.<\/p>\r\n<p>But if every developer builds a cross-platform app with a custom framework and appearance and behavior and UI, then the OS loses its role in defining the platform conventions. In that event, what&rsquo;s the point in having more than one OS?<\/p><\/blockquote>\r\n\r\n<p><a href=\"https:\/\/daringfireball.net\/2018\/02\/non_native_apps_threat_to_mac\">John Gruber<\/a> (<a href=\"https:\/\/twitter.com\/daringfireball\/status\/963143179045400578\">tweet<\/a>):<\/p>\r\n<blockquote cite=\"https:\/\/daringfireball.net\/2018\/02\/non_native_apps_threat_to_mac\">\r\n<p>I&rsquo;m with Ammon: I think the Mac&rsquo;s (relatively) recent move to cryptographically signed applications &mdash; with certificates that can be revoked by Apple &mdash; has been a win all around for security. But I don&rsquo;t think the Mac sandbox has.<\/p>\r\n<p>[&#8230;]<\/p>\r\n<p>The whole point of the Mac is to be a great platform for native Mac apps. Sandboxing doesn&rsquo;t help Mac apps do more. If the Mac devolves into a platform where people just use web browsers and cross-platform Electron apps, it might as well not exist[&#8230;]<\/p>\r\n<p>[&#8230;]<\/p>\r\n<p>The real problems facing the Mac are the number of developers creating non-native &ldquo;Mac&rdquo; apps and the number of users who don&rsquo;t have a problem with them.<\/p>\r\n<\/blockquote>\r\n\r\n<p><a href=\"https:\/\/www.macworld.com\/article\/1162504\/app_sandboxing_risks_eroding_the_macs_identity.html\">Andy Ihnatko<\/a> (in 2011, <a href=\"https:\/\/mjtsai.com\/blog\/2011\/10\/02\/app-sandboxing-automation\/\">previously<\/a>):<\/p>\r\n<blockquote cite=\"https:\/\/www.macworld.com\/article\/1162504\/app_sandboxing_risks_eroding_the_macs_identity.html\">\r\n<p>Traditionally, the mandate of an operating system has been to enable all of a machine&rsquo;s potential. 
Higher-level software is responsible for making a computer easy to use and <em>sometimes<\/em> that means putting the power tools high enough on a shelf that the kids can&rsquo;t hurt themselves, but those resources should be there for anybody who looks for them.<\/p>\r\n<p>[&#8230;]<\/p>\r\n<p>The Mac must never, ever become a consumer product like the iPad, saddled with artificial limitations in the name of safety, reliability, and tidiness.<\/p><\/blockquote>\r\n\r\n<p>See also: <a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/962700069425303552\">Jeff Johnson<\/a>, <a href=\"https:\/\/twitter.com\/dancounsell\/status\/963137817638572037\">Dan Counsell<\/a>, <a href=\"https:\/\/twitter.com\/sayzlim\/status\/963140730603544576\">Sayz Lim<\/a>, <a href=\"https:\/\/twitter.com\/michaeldupuis\/status\/963144335058505729\">Michael Dupuis<\/a>, <a href=\"https:\/\/twitter.com\/davedelong\/status\/963116603649871872\">Dave DeLong<\/a>, <a href=\"https:\/\/twitter.com\/mzarra\/status\/963119435010646016\">Marcus Zarra<\/a>.<\/p>\r\n\r\n<p>Previously: <a href=\"https:\/\/mjtsai.com\/blog\/2018\/02\/05\/sandbox-limitation-on-number-of-files-that-can-be-opened\/\">Sandbox Limitation on Number of Files That Can Be Opened<\/a>, <a href=\"https:\/\/mjtsai.com\/blog\/2017\/12\/20\/apple-rumored-to-combine-iphone-ipad-and-mac-apps-to-create-one-user-experience\/\">Apple Rumored to Combine iPhone, iPad, and Mac Apps to Create One User Experience<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Felix Krause (tweet, Hacker News): Any Mac app, sandboxed or not sandboxed can: Take screenshots of your Mac silently without you knowing Access every pixel, even if the Mac app is in the background Use basic OCR software to read the text on the screen Access all connected monitors Jeff Johnson: Nobody tell Felix that 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-09-25T18:06:39Z","apple_news_api_id":"0cc5e884-3573-4969-a005-4966d11699c5","apple_news_api_modified_at":"2019-09-25T18:06:40Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/ADMXohDVzSWmgBUlm0RaZxQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"middle","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[69,1627,465,295,139,30,1529,622,355,53,282,96],"class_list":["post-20503","post","type-post","status-publish","format-standard","hentry","category-technology","tag-cocoa","tag-electron","tag-gatekeeper","tag-history","tag-littlesnitch","tag-mac","tag-macos-10-13","tag-ocr","tag-privacy","tag-sandboxing","tag-screenshots","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=20503"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20503\/revisions"}],"predecessor-version":[{"id":20510,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20503\/revisions\
/20510"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=20503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=20503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=20503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}