Risk
11/3/2011
05:50 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Neuters Mac App Store Software

Some Mac OS developers say requirement that third-party Mac OS X apps will have to run in a "sandbox" for security's sake stifles innovation.

10 Top iOS 5 Apps
10 Top iOS 5 Apps
(click image for larger view and for slideshow)
In a note posted to its developer news site, Apple said Wednesday that future Mac OS X apps in the Mac App Store will have to operate in an iOS-like "sandbox," a partitioned area where computing resources that allow potentially risky operations are inaccessible.

Apple says this step is necessary for your protection. "The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way," Apple explained in its posting. "As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing. Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems."

Apple's dictum doesn't affect Mac OS developers who distribute their own Mac software. But there's ongoing concern among developers that consumer affinity for the Mac App Store user experience will marginalize independent software distribution and limit potential revenue to the point that Apple's way becomes the only commercially viable way.

Based on Apple's marketing, sandboxing Mac App Store apps hardly seems necessary. The company maintains that the Mac "isn't susceptible to the thousands of viruses plaguing Windows-based computers," thanks to the built-in defenses of OS X Lion.

[Find out more about why developers are concerned about the Mac App Store. Read Apple's Mac App Store Brings Changes, Worries.]

But in the three years since Apple removed a knowledge base article for its "inaccurate" suggestion that Mac users should run antivirus software, perhaps something has changed.

Certainly the computing industry has changed, thanks to the success of devices running Apple's iOS, which is more locked down than Mac OS X. Microsoft's Metro apps in Windows 8 will be sandboxed, and Google sandboxes Android apps.

It's a trend that Harvard Law professor Jonathan Zittrain has warned about. Zittrain argues that as computers cease to be the center of the information ecosystem, our devices will become less subject to user control and more like sealed appliances.

"Short of completely banning unfamiliar software, code might be divided into first- and second-class status, with second-class, unapproved software allowed to perform only certain minimal tasks on the machine, operating within a digital sandbox," Zittrain wrote in The Future of the Internet and How to Stop It. "This technical solution is safer than the status quo but, in a now-familiar tradeoff, noticeably limiting."

Sandboxing does have some advantages: In conjunction with Apple's oversight of apps submitted to the Mac App Store, it should make computing safer and more predictable. But if the Mac is as safe as Apple says it is, then the biggest impact will be on legitimate developers who will have to plead for permission from Apple to think outside the sandbox.

As developer Pauli Olavi Ojala observed in a blog post comment, "The whole point of having an extensible platform is to enable third parties to create things that the original developers couldn't even have thought of. Innovation can't happen in an environment where everyone is 'only doing what they're expected to do.'"

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Swift2
50%
50%
Swift2,
User Rank: Apprentice
11/6/2011 | 10:00:20 PM
re: Apple Neuters Mac App Store Software
Really, really boring example of extending the "Apple is a dictator" meme, which is boring, stupid and basically untrue. Google sandboxes the Flash extension in their browser, and get praise. Are they "control freaks"? No. As someone who has worked in an office with computers infected with every piece of crap that can get on XP, I don't take this as anything but necessary changes made necessary by Apple's increasing market share. Oh, by the way, Apple doesn't claim that it's "immune" to viruses, just that it's immune to the things that infect Windows machines. The malware industry is trying to catch up, too. Sandboxing is one of the tools you can use to make users safer. Randomizing the memory pointer locations is also something that Apple has finally implemented in Lion 10.7.

The cool new things a program can do are the province of cool developers. The iPad has a number of "Wow, look at that!" apps, and it's sandboxed. I don't see how developers could be "innovative" by making users more susceptible to urls that steal your bank account, for instance. If you have a freer way to guarantee privacy, go right ahead. If you can't convince Apple, you can convince somebody, if you just make it work. Then maybe Apple could offer a certificate to those "innovative" apps.

Seems to me a number of people here must be in the state of mind that Microsoft was in when they muscled in on the Internet in the late '90s. Security? No need for that on the World Wide Web. Let's put executable code in urls that can replay in the system core, that'll be really fast! Secure sockets? Don't harsh my innovation! And XP has been a constant, chronic flood of malware.

I think this is one Apple move that everybody else will copy, if they aren't already there. (I know it's not only Apple that innovates; but they're making a bet that the future platform should be super-secure. Yes, I have no doubt that Apple will be more of a target now that it's over 2% or whatever. And I'm sure a lot of the profligate, freeform programming on other platforms is easier; but it's also been a source of much time and money loss, and sense of being treated like dirt, that has been experienced so many times by people without an IT department.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3308
Published: 2015-09-02
Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3.14 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point.

CVE-2015-4330
Published: 2015-09-02
A local file script in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges for OS command execution via invalid parameters, aka Bug ID CSCuv10556.

CVE-2015-6274
Published: 2015-09-02
The IPv4 implementation on Cisco ASR 1000 devices with software 15.5(3)S allows remote attackers to cause a denial of service (ESP QFP CPU consumption) by triggering packet fragmentation and reassembly, aka Bug ID CSCuv71273.

CVE-2015-6277
Published: 2015-09-02
The ARP implementation in Cisco NX-OS on Nexus 1000V devices for VMware vSphere 5.2(1)SV3(1.4), Nexus 3000 devices 7.3(0)ZD(0.47), Nexus 4000 devices 4.1(2)E1, Nexus 9000 devices 7.3(0)ZD(0.61), and MDS 9000 devices 7.0(0)HSK(0.353) and SAN-OS NX-OS on MDS 9000 devices 7.0(0)HSK(0.353) allows remote...

CVE-2015-6587
Published: 2015-09-02
The vlserver in OpenAFS before 1.6.13 allows remote authenticated users to cause a denial of service (out-of-bounds read and crash) via a crafted regular expression in a VL_ListAttributesN2 RPC.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.