Risk
11/3/2011
05:50 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Apple Neuters Mac App Store Software

Some Mac OS developers say requirement that third-party Mac OS X apps will have to run in a "sandbox" for security's sake stifles innovation.

10 Top iOS 5 Apps
10 Top iOS 5 Apps
(click image for larger view and for slideshow)
In a note posted to its developer news site, Apple said Wednesday that future Mac OS X apps in the Mac App Store will have to operate in an iOS-like "sandbox," a partitioned area where computing resources that allow potentially risky operations are inaccessible.

Apple says this step is necessary for your protection. "The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way," Apple explained in its posting. "As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing. Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems."

Apple's dictum doesn't affect Mac OS developers who distribute their own Mac software. But there's ongoing concern among developers that consumer affinity for the Mac App Store user experience will marginalize independent software distribution and limit potential revenue to the point that Apple's way becomes the only commercially viable way.

Based on Apple's marketing, sandboxing Mac App Store apps hardly seems necessary. The company maintains that the Mac "isn't susceptible to the thousands of viruses plaguing Windows-based computers," thanks to the built-in defenses of OS X Lion.

[Find out more about why developers are concerned about the Mac App Store. Read Apple's Mac App Store Brings Changes, Worries.]

But in the three years since Apple removed a knowledge base article for its "inaccurate" suggestion that Mac users should run antivirus software, perhaps something has changed.

Certainly the computing industry has changed, thanks to the success of devices running Apple's iOS, which is more locked down than Mac OS X. Microsoft's Metro apps in Windows 8 will be sandboxed, and Google sandboxes Android apps.

It's a trend that Harvard Law professor Jonathan Zittrain has warned about. Zittrain argues that as computers cease to be the center of the information ecosystem, our devices will become less subject to user control and more like sealed appliances.

"Short of completely banning unfamiliar software, code might be divided into first- and second-class status, with second-class, unapproved software allowed to perform only certain minimal tasks on the machine, operating within a digital sandbox," Zittrain wrote in The Future of the Internet and How to Stop It. "This technical solution is safer than the status quo but, in a now-familiar tradeoff, noticeably limiting."

Sandboxing does have some advantages: In conjunction with Apple's oversight of apps submitted to the Mac App Store, it should make computing safer and more predictable. But if the Mac is as safe as Apple says it is, then the biggest impact will be on legitimate developers who will have to plead for permission from Apple to think outside the sandbox.

As developer Pauli Olavi Ojala observed in a blog post comment, "The whole point of having an extensible platform is to enable third parties to create things that the original developers couldn't even have thought of. Innovation can't happen in an environment where everyone is 'only doing what they're expected to do.'"

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Swift2
50%
50%
Swift2,
User Rank: Apprentice
11/6/2011 | 10:00:20 PM
re: Apple Neuters Mac App Store Software
Really, really boring example of extending the "Apple is a dictator" meme, which is boring, stupid and basically untrue. Google sandboxes the Flash extension in their browser, and get praise. Are they "control freaks"? No. As someone who has worked in an office with computers infected with every piece of crap that can get on XP, I don't take this as anything but necessary changes made necessary by Apple's increasing market share. Oh, by the way, Apple doesn't claim that it's "immune" to viruses, just that it's immune to the things that infect Windows machines. The malware industry is trying to catch up, too. Sandboxing is one of the tools you can use to make users safer. Randomizing the memory pointer locations is also something that Apple has finally implemented in Lion 10.7.

The cool new things a program can do are the province of cool developers. The iPad has a number of "Wow, look at that!" apps, and it's sandboxed. I don't see how developers could be "innovative" by making users more susceptible to urls that steal your bank account, for instance. If you have a freer way to guarantee privacy, go right ahead. If you can't convince Apple, you can convince somebody, if you just make it work. Then maybe Apple could offer a certificate to those "innovative" apps.

Seems to me a number of people here must be in the state of mind that Microsoft was in when they muscled in on the Internet in the late '90s. Security? No need for that on the World Wide Web. Let's put executable code in urls that can replay in the system core, that'll be really fast! Secure sockets? Don't harsh my innovation! And XP has been a constant, chronic flood of malware.

I think this is one Apple move that everybody else will copy, if they aren't already there. (I know it's not only Apple that innovates; but they're making a bet that the future platform should be super-secure. Yes, I have no doubt that Apple will be more of a target now that it's over 2% or whatever. And I'm sure a lot of the profligate, freeform programming on other platforms is easier; but it's also been a source of much time and money loss, and sense of being treated like dirt, that has been experienced so many times by people without an IT department.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.