Thursday, March 01, 2012

Sandboxing? No, thanks!

Mac app sandboxing was to become mandatory back in November last year. According to Apple this is a piece of technology destined to protect app users: "Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems.".


From my point of view, sandboxing in the Mac is wrong. Sandboxing is going to affect both application developers and users if Apple ever makes it mandatory for Mac App Store applications. It is already making developers simplify their software, making it less attractive and useful to users, frustrating both.

Mac App Store rules have already prevented many good apps, particularly utilities, from being sold through it. This is likely the case of apps like Hazel, Carbon Copy Cloner, AppZapper or iStat menus, and certainly the case for our own Xslimmer and Clusters, among many others. To cope with the rules, some developers have created partially crippled versions of their apps in order to comply with these rules. Some have even adapted their product to those rules, even if it meant reducing its functionality.

Sandboxing restricts apps even more. Applications cannot directly access files, networks or devices outside their own sandbox. While this might help in preventing malicious software from accessing the user's data, it also forbids many good apps from doing what they are designed to, and prevents them from interacting with each other like they currently do. For example, in Snapshot, our photo printing app, we use Karelia's iMedia framework. This library allows Snapshot users to access pictures from apps like iPhoto, Aperture or Lightroom. To do so, iMedia reads the preference files of these apps and determines the location of their photo libraries. Reading other apps preferences or accessing their content is no longer possible using a sandboxed app. Should we have the user search for the pictures through the file system instead of offering them directly like we do now?

Apple is trying to make the Mac sandboxing work. They are implementing new entitlements, APIs and even exceptions to make it a little bit more convenient for developers to adopt the technology. However, except for keeping access to the MAS, developers do not gain anything by doing so. What's more, adapting existing apps to the sandbox is far from easy, and, in many cases, it is impossible to offer their complete current functionality. In addition, it makes the application submission process more complicated, as entitlements and exceptions have to be justified. Apple explains: "If your app requires access to sandboxed system resources you will need to include justification for using those entitlements as part of the submission to the Mac App Store. Apps that are being re-engineered to be sandbox compatible may request additional temporary entitlements. These entitlements are granted on a short-term basis and will be phased out over time."

With the announcement of Mountain Lion, we have been surprised with a new technology called Gatekeeper. This is a different, newer technology to prevent downloading and installing malicious software. It allows the user to select the level of safety they want: run all apps, run MAS apps or run MAS apps and those signed with a developer ID issued by Apple. Users can even temporarily override secure settings by Control-clicking, and use any app at any time. So, the user is in control and developers do not have to make any major changes to their apps.

So far, Apple has had to delay the MAS mandatory sandboxing deadline twice, and the last time, it has even relaxed some of the rules. I hope that when June comes Apple kills the sandbox completely, and when it does, it does so in favor of Mountain Lion's Gatekeeper. For well-behaved developers, it would mean to keep working as before. For users, it would mean to keep enjoying fully functioning, well integrated apps, and yes, this time, in a more secure fashion.

--
Other articles on the same topic:

The App Culture

OS X Lion Sandboxing Is A Killjoy Destined To Ruin Our Mac Experience

Mac App Store Sandboxing Requirement Pushed to March as Uncertainty Looms

Real Security in Mac OS X Requires Apple-Signed Certificates

Sandboxing and Clipstart

Between a rock and a hard place – our decision to abandon the Mac App Store

Why the Mac App Sandbox makes me sad

Sandboxing

Think sandboxing will stop malware? Here's why you're wrong, Apple

Mac OS X 10.7 Lion: the Ars Technica review

Developers React to OS X Mountain Lion

No comments: