Comments on: Fix The Sandbox
http://www.red-sweater.com/blog/2324/fix-the-sandbox
Mac & Technology Writings by Daniel Jalkut
Feed last built: Wed, 08 Oct 2014 03:07:32 +0000

By: Shameer M.
Sun, 26 Feb 2012 09:24:56 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271111

How does this compare to MS’ sandboxing rules for Windows 8 & Metro Apps? Anyone know?

By: Ross (not Roscsco)
Thu, 23 Feb 2012 18:04:18 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271103

Gatekeeper cannot stand in for Sandboxing. The two don’t solve the same issue. The purpose of Gatekeeper is to reduce the spread of known malware, where Sandboxing is a way to mitigate potential (inevitable) bugs that allow an otherwise non-malware app to be compromised.

By: Daniel Jalkut
Thu, 23 Feb 2012 15:16:49 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271102

Hi Ross – I agree it would be nice to go into more detail about how sandboxing threatens existing apps. I will consider blogging separately about that.

I would like to point out that I never said this is about MarsEdit in particular. Don’t assume that just because I’m complaining, it’s entirely self-serving. In fact, the primary point of my complaint and criticism of sandboxing has more to do with the widespread impact it will have on a large variety of applications. MarsEdit, as it happens, is relatively easy to adapt to sandboxing compared to some other types of applications.

By: Ross Rossco
Thu, 23 Feb 2012 15:00:11 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271101

This would be a lot more convincing if you were explicit about how it will break MarsEdit, for example. I looked at the list that is currently supported and I didn’t notice any crucial missing entitlements, but I don’t know what your app does internally.

By: Haravikk
Thu, 23 Feb 2012 11:36:15 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271098

Great article! I do completely agree that Apple’s sandbox is too restrictive, and too silent. It needs to add the ability to handle “runtime entitlements” whereby if an application wishes to do something that it isn’t currently allowed to do, then the user is informed clearly, and given the option to allow, deny, or always allow that behaviour.

This can also be complemented by expanding the sandboxing entitlements, but provide the user with a dialogue the first time they run an app, unless the entitlements are all non-threatening ones, so they can see at a glance that their new app needs read access to X and Y, as well as read/write access to Z.

While I can appreciate that Apple doesn’t want to bombard users with security dialogues, trying to hide all the workings of the security systems is not good either; I’m very much of the opinion that giving users a sane amount of information about what’s going on, is enough to allow them to protect themselves.

Anyway, I want to finish by pointing out that it is possible to apply sandboxing to your apps and then enable exceptions for things that sandboxing is currently too restrictive to prevent. If you’re doing this though then do make sure to let Apple know via bugreport.apple.com so they know why! So long as the App Store review process is looking at entitlements/exceptions to make sure you’re not picking weird ones that make no sense, then I think this should be okay.

But yeah, it’s all way too simplistic at the moment, and simple isn’t always better.

By: writerscash.com
Wed, 22 Feb 2012 20:59:02 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271094

Great!

By: Travis Butler
Wed, 22 Feb 2012 19:51:35 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271092

Sorry, I have to disagree – *vehemently* – that pushing off the issue of approving app behavior onto users, via entitlements, is a good idea. In almost any respect. This is what Android does, and it’s a disaster there.

The essential problem is that you’re asking users to think and act like programmers. Which may be fine for a small percentage of power users, but doesn’t work at all for average users.

First, entitlements would have to be described in clear, simple language that is understandable to ordinary users. This is one area where Android fails, badly; I used to do native-code Toolbox programming, I still do database development, and even for me the descriptions of some of the Android entitlements are opaque, to say the least. How many hundreds of entitlements would be required to cover the full range of behavior of MacOS applications, and what are the chances of doing a clear, coherent non-programmer description of each and every one of them?

Second, it puts too great a burden on non-programmers to connect the dots – and this will only get worse as the number and granularity of entitlements increases. To use the Path situation as an example: Path would presumably list an entitlement to access the Address Book – which, hey, it’s a social networking app, that sounds reasonable. And it would list network access as an entitlement – which again, it’s a networking app, what would you expect? But then the onus is put on the user to put these two together and say ‘Wait a minute, that means it could upload my address book to some network site!’ Except of course that it doesn’t automatically mean that, because an app doesn’t *have* to connect the entitlements that way.

Certainly I agree that the number of entitlements needs to increase for the Sandbox to be viable. But unless I’m misreading what you’re saying with “Apple should take a cue from its own Gatekeeper approach”, I think it’s a very bad idea for Apple to loosen up its App Store restrictions by pawning the approval issue onto users.

By: Jason
Wed, 22 Feb 2012 16:23:01 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271091

Here’s how to fix the sandbox:

1. A fresh install of OS X should include ONLY the absolutely essential software needed for the computer to run. No Safari, no Mail, no Calendar, no Contacts. Not even Chess. Pretty much the only installed apps would be System Preferences and the stuff in the Utilities folder.

2. Those apps that formerly shipped with OS X, along with all of Apple’s other apps, should be distributed through the App Store and have to play by all of the same rules as third-party applications. The only exceptions I would make would be for things like Xcode or OS X Server.

Bottom line: if Apple had to play by all of the same rules for their apps as third-party developers, you bet all of the necessary entitlements would be there. To be fair, I would apply this same set of rules to iOS as well.

In conclusion, to keep things as simple as possible for new users, after installing OS X (or upon first boot for a new system), the user should be prompted to install those apps that he/she wants. Apple could even have a “default” selection that includes all of the apps that formerly were installed by default.

By: Maynard Handley
Wed, 22 Feb 2012 06:19:12 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271090

“Really dumb question: does Apple maintain an open bug board for developers and users alike?”

bugreport.apple.com

By: Carl
Tue, 21 Feb 2012 03:02:05 +0000
http://www.red-sweater.com/blog/2324/fix-the-sandbox/comment-page-1#comment-271084

There is an Apple bug tracker, but you can only read the bugs you submit if you don’t work for Apple.