Risk
11/3/2011
05:50 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Apple Neuters Mac App Store Software

Some Mac OS developers say requirement that third-party Mac OS X apps will have to run in a "sandbox" for security's sake stifles innovation.

10 Top iOS 5 Apps
10 Top iOS 5 Apps
(click image for larger view and for slideshow)
In a note posted to its developer news site, Apple said Wednesday that future Mac OS X apps in the Mac App Store will have to operate in an iOS-like "sandbox," a partitioned area where computing resources that allow potentially risky operations are inaccessible.

Apple says this step is necessary for your protection. "The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way," Apple explained in its posting. "As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing. Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems."

Apple's dictum doesn't affect Mac OS developers who distribute their own Mac software. But there's ongoing concern among developers that consumer affinity for the Mac App Store user experience will marginalize independent software distribution and limit potential revenue to the point that Apple's way becomes the only commercially viable way.

Based on Apple's marketing, sandboxing Mac App Store apps hardly seems necessary. The company maintains that the Mac "isn't susceptible to the thousands of viruses plaguing Windows-based computers," thanks to the built-in defenses of OS X Lion.

[Find out more about why developers are concerned about the Mac App Store. Read Apple's Mac App Store Brings Changes, Worries.]

But in the three years since Apple removed a knowledge base article for its "inaccurate" suggestion that Mac users should run antivirus software, perhaps something has changed.

Certainly the computing industry has changed, thanks to the success of devices running Apple's iOS, which is more locked down than Mac OS X. Microsoft's Metro apps in Windows 8 will be sandboxed, and Google sandboxes Android apps.

It's a trend that Harvard Law professor Jonathan Zittrain has warned about. Zittrain argues that as computers cease to be the center of the information ecosystem, our devices will become less subject to user control and more like sealed appliances.

"Short of completely banning unfamiliar software, code might be divided into first- and second-class status, with second-class, unapproved software allowed to perform only certain minimal tasks on the machine, operating within a digital sandbox," Zittrain wrote in The Future of the Internet and How to Stop It. "This technical solution is safer than the status quo but, in a now-familiar tradeoff, noticeably limiting."

Sandboxing does have some advantages: In conjunction with Apple's oversight of apps submitted to the Mac App Store, it should make computing safer and more predictable. But if the Mac is as safe as Apple says it is, then the biggest impact will be on legitimate developers who will have to plead for permission from Apple to think outside the sandbox.

As developer Pauli Olavi Ojala observed in a blog post comment, "The whole point of having an extensible platform is to enable third parties to create things that the original developers couldn't even have thought of. Innovation can't happen in an environment where everyone is 'only doing what they're expected to do.'"

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Swift2
50%
50%
Swift2,
User Rank: Apprentice
11/6/2011 | 10:00:20 PM
re: Apple Neuters Mac App Store Software
Really, really boring example of extending the "Apple is a dictator" meme, which is boring, stupid and basically untrue. Google sandboxes the Flash extension in their browser, and get praise. Are they "control freaks"? No. As someone who has worked in an office with computers infected with every piece of crap that can get on XP, I don't take this as anything but necessary changes made necessary by Apple's increasing market share. Oh, by the way, Apple doesn't claim that it's "immune" to viruses, just that it's immune to the things that infect Windows machines. The malware industry is trying to catch up, too. Sandboxing is one of the tools you can use to make users safer. Randomizing the memory pointer locations is also something that Apple has finally implemented in Lion 10.7.

The cool new things a program can do are the province of cool developers. The iPad has a number of "Wow, look at that!" apps, and it's sandboxed. I don't see how developers could be "innovative" by making users more susceptible to urls that steal your bank account, for instance. If you have a freer way to guarantee privacy, go right ahead. If you can't convince Apple, you can convince somebody, if you just make it work. Then maybe Apple could offer a certificate to those "innovative" apps.

Seems to me a number of people here must be in the state of mind that Microsoft was in when they muscled in on the Internet in the late '90s. Security? No need for that on the World Wide Web. Let's put executable code in urls that can replay in the system core, that'll be really fast! Secure sockets? Don't harsh my innovation! And XP has been a constant, chronic flood of malware.

I think this is one Apple move that everybody else will copy, if they aren't already there. (I know it's not only Apple that innovates; but they're making a bet that the future platform should be super-secure. Yes, I have no doubt that Apple will be more of a target now that it's over 2% or whatever. And I'm sure a lot of the profligate, freeform programming on other platforms is easier; but it's also been a source of much time and money loss, and sense of being treated like dirt, that has been experienced so many times by people without an IT department.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.