05:50 PM
Connect Directly

Apple Neuters Mac App Store Software

Some Mac OS developers say requirement that third-party Mac OS X apps will have to run in a "sandbox" for security's sake stifles innovation.

10 Top iOS 5 Apps
10 Top iOS 5 Apps
(click image for larger view and for slideshow)
In a note posted to its developer news site, Apple said Wednesday that future Mac OS X apps in the Mac App Store will have to operate in an iOS-like "sandbox," a partitioned area where computing resources that allow potentially risky operations are inaccessible.

Apple says this step is necessary for your protection. "The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way," Apple explained in its posting. "As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing. Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems."

Apple's dictum doesn't affect Mac OS developers who distribute their own Mac software. But there's ongoing concern among developers that consumer affinity for the Mac App Store user experience will marginalize independent software distribution and limit potential revenue to the point that Apple's way becomes the only commercially viable way.

Based on Apple's marketing, sandboxing Mac App Store apps hardly seems necessary. The company maintains that the Mac "isn't susceptible to the thousands of viruses plaguing Windows-based computers," thanks to the built-in defenses of OS X Lion.

[Find out more about why developers are concerned about the Mac App Store. Read Apple's Mac App Store Brings Changes, Worries.]

But in the three years since Apple removed a knowledge base article for its "inaccurate" suggestion that Mac users should run antivirus software, perhaps something has changed.

Certainly the computing industry has changed, thanks to the success of devices running Apple's iOS, which is more locked down than Mac OS X. Microsoft's Metro apps in Windows 8 will be sandboxed, and Google sandboxes Android apps.

It's a trend that Harvard Law professor Jonathan Zittrain has warned about. Zittrain argues that as computers cease to be the center of the information ecosystem, our devices will become less subject to user control and more like sealed appliances.

"Short of completely banning unfamiliar software, code might be divided into first- and second-class status, with second-class, unapproved software allowed to perform only certain minimal tasks on the machine, operating within a digital sandbox," Zittrain wrote in The Future of the Internet and How to Stop It. "This technical solution is safer than the status quo but, in a now-familiar tradeoff, noticeably limiting."

Sandboxing does have some advantages: In conjunction with Apple's oversight of apps submitted to the Mac App Store, it should make computing safer and more predictable. But if the Mac is as safe as Apple says it is, then the biggest impact will be on legitimate developers who will have to plead for permission from Apple to think outside the sandbox.

As developer Pauli Olavi Ojala observed in a blog post comment, "The whole point of having an extensible platform is to enable third parties to create things that the original developers couldn't even have thought of. Innovation can't happen in an environment where everyone is 'only doing what they're expected to do.'"

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/6/2011 | 10:00:20 PM
re: Apple Neuters Mac App Store Software
Really, really boring example of extending the "Apple is a dictator" meme, which is boring, stupid and basically untrue. Google sandboxes the Flash extension in their browser, and get praise. Are they "control freaks"? No. As someone who has worked in an office with computers infected with every piece of crap that can get on XP, I don't take this as anything but necessary changes made necessary by Apple's increasing market share. Oh, by the way, Apple doesn't claim that it's "immune" to viruses, just that it's immune to the things that infect Windows machines. The malware industry is trying to catch up, too. Sandboxing is one of the tools you can use to make users safer. Randomizing the memory pointer locations is also something that Apple has finally implemented in Lion 10.7.

The cool new things a program can do are the province of cool developers. The iPad has a number of "Wow, look at that!" apps, and it's sandboxed. I don't see how developers could be "innovative" by making users more susceptible to urls that steal your bank account, for instance. If you have a freer way to guarantee privacy, go right ahead. If you can't convince Apple, you can convince somebody, if you just make it work. Then maybe Apple could offer a certificate to those "innovative" apps.

Seems to me a number of people here must be in the state of mind that Microsoft was in when they muscled in on the Internet in the late '90s. Security? No need for that on the World Wide Web. Let's put executable code in urls that can replay in the system core, that'll be really fast! Secure sockets? Don't harsh my innovation! And XP has been a constant, chronic flood of malware.

I think this is one Apple move that everybody else will copy, if they aren't already there. (I know it's not only Apple that innovates; but they're making a bet that the future platform should be super-secure. Yes, I have no doubt that Apple will be more of a target now that it's over 2% or whatever. And I'm sure a lot of the profligate, freeform programming on other platforms is easier; but it's also been a source of much time and money loss, and sense of being treated like dirt, that has been experienced so many times by people without an IT department.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-01-26
The default D-Bus access control rule in Midgard2 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.

Published: 2015-01-26
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.

Published: 2015-01-26
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.

Published: 2015-01-26
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

Published: 2015-01-26
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.