Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:50 PM
Connect Directly

Apple Neuters Mac App Store Software

Some Mac OS developers say requirement that third-party Mac OS X apps will have to run in a "sandbox" for security's sake stifles innovation.

10 Top iOS 5 Apps
10 Top iOS 5 Apps
(click image for larger view and for slideshow)
In a note posted to its developer news site, Apple said Wednesday that future Mac OS X apps in the Mac App Store will have to operate in an iOS-like "sandbox," a partitioned area where computing resources that allow potentially risky operations are inaccessible.

Apple says this step is necessary for your protection. "The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way," Apple explained in its posting. "As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing. Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems."

Apple's dictum doesn't affect Mac OS developers who distribute their own Mac software. But there's ongoing concern among developers that consumer affinity for the Mac App Store user experience will marginalize independent software distribution and limit potential revenue to the point that Apple's way becomes the only commercially viable way.

Based on Apple's marketing, sandboxing Mac App Store apps hardly seems necessary. The company maintains that the Mac "isn't susceptible to the thousands of viruses plaguing Windows-based computers," thanks to the built-in defenses of OS X Lion.

[Find out more about why developers are concerned about the Mac App Store. Read Apple's Mac App Store Brings Changes, Worries.]

But in the three years since Apple removed a knowledge base article for its "inaccurate" suggestion that Mac users should run antivirus software, perhaps something has changed.

Certainly the computing industry has changed, thanks to the success of devices running Apple's iOS, which is more locked down than Mac OS X. Microsoft's Metro apps in Windows 8 will be sandboxed, and Google sandboxes Android apps.

It's a trend that Harvard Law professor Jonathan Zittrain has warned about. Zittrain argues that as computers cease to be the center of the information ecosystem, our devices will become less subject to user control and more like sealed appliances.

"Short of completely banning unfamiliar software, code might be divided into first- and second-class status, with second-class, unapproved software allowed to perform only certain minimal tasks on the machine, operating within a digital sandbox," Zittrain wrote in The Future of the Internet and How to Stop It. "This technical solution is safer than the status quo but, in a now-familiar tradeoff, noticeably limiting."

Sandboxing does have some advantages: In conjunction with Apple's oversight of apps submitted to the Mac App Store, it should make computing safer and more predictable. But if the Mac is as safe as Apple says it is, then the biggest impact will be on legitimate developers who will have to plead for permission from Apple to think outside the sandbox.

As developer Pauli Olavi Ojala observed in a blog post comment, "The whole point of having an extensible platform is to enable third parties to create things that the original developers couldn't even have thought of. Innovation can't happen in an environment where everyone is 'only doing what they're expected to do.'"

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/6/2011 | 10:00:20 PM
re: Apple Neuters Mac App Store Software
Really, really boring example of extending the "Apple is a dictator" meme, which is boring, stupid and basically untrue. Google sandboxes the Flash extension in their browser, and get praise. Are they "control freaks"? No. As someone who has worked in an office with computers infected with every piece of crap that can get on XP, I don't take this as anything but necessary changes made necessary by Apple's increasing market share. Oh, by the way, Apple doesn't claim that it's "immune" to viruses, just that it's immune to the things that infect Windows machines. The malware industry is trying to catch up, too. Sandboxing is one of the tools you can use to make users safer. Randomizing the memory pointer locations is also something that Apple has finally implemented in Lion 10.7.

The cool new things a program can do are the province of cool developers. The iPad has a number of "Wow, look at that!" apps, and it's sandboxed. I don't see how developers could be "innovative" by making users more susceptible to urls that steal your bank account, for instance. If you have a freer way to guarantee privacy, go right ahead. If you can't convince Apple, you can convince somebody, if you just make it work. Then maybe Apple could offer a certificate to those "innovative" apps.

Seems to me a number of people here must be in the state of mind that Microsoft was in when they muscled in on the Internet in the late '90s. Security? No need for that on the World Wide Web. Let's put executable code in urls that can replay in the system core, that'll be really fast! Secure sockets? Don't harsh my innovation! And XP has been a constant, chronic flood of malware.

I think this is one Apple move that everybody else will copy, if they aren't already there. (I know it's not only Apple that innovates; but they're making a bet that the future platform should be super-secure. Yes, I have no doubt that Apple will be more of a target now that it's over 2% or whatever. And I'm sure a lot of the profligate, freeform programming on other platforms is easier; but it's also been a source of much time and money loss, and sense of being treated like dirt, that has been experienced so many times by people without an IT department.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-17
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code.
PUBLISHED: 2021-06-17
An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access to element -2 of an array, aka CID-298a58e165e4.
PUBLISHED: 2021-06-17
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
PUBLISHED: 2021-06-17
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system.
PUBLISHED: 2021-06-17
A use-after-free issue exists in the DGN file-reading procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can result in a memory corruption or arbitrary code execution, allowing attackers to cause a denial-of-service c...