
For small apps the changes aren't a big deal, but for big apps Apple's new mandatory sandboxing could be game over

Great American statesman Benjamin Franklin once wrote, "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

While he certainly wasn't talking about personal computers, that's exactly the dilemma PC makers find themselves in today.  After all, allowing apps full system liberties opens a world of intriguing new possibilities -- but also new dangers.

I.  Apple Backs Mandatory Sandboxing on the Personal Computer

Some are voicing support for sandboxing: the practice of preventing apps from "talking" to each other, accessing folders outside their own, executing shell commands, or using attached hardware unless they have been explicitly granted permission.  So far only one company has embraced such an approach for its personal computer -- Google Inc. (GOOG), makers of Chrome OS.  But sandboxing is about to get a big new proponent, as Apple, Inc. (AAPL), the third largest maker of PCs in the U.S., will make it mandatory for Mac App Store apps on March 1, 2012.

For apps sold at retail or distributed over the internet outside the store, developers -- for now -- won't have to comply with the sandboxing restrictions.  But sandboxing will be mandatory for all new apps in the Mac App Store.  Developers will also have to convert their existing Mac App Store apps to sandboxed form if they want to post an update.

Under Apple's new sandboxing system an app runs with no access beyond its own container unless it requests "entitlements", such as access to a web camera, to USB devices, or to specific user folders (Music, Downloads, etc.).  This is similar to how permissions are handled in Google's Android operating system, but Apple takes it a step further: as part of the application submission process Apple decides whether each requested entitlement is appropriate for the app.

The new restrictions are meant to limit what a compromised or malicious app can do, a response to the recent wave of trojans sweeping Apple's computers [1][2].  A sandbox does not stop a user from installing a trojan distributed outside the store, but it caps the damage a sandboxed app can do once it is running or once one of its bugs is exploited.

Apple told developers that enabling "the default sandbox environment is as simple as checking [the right] checkbox" in Xcode.  For simple apps that may indeed be all that is needed to comply with the new restrictions.  But for more complex apps, deep debugging, testing, and recoding may be required.
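As an added example that is not part of the article and not Apple's tooling: a small Python audit of the entitlements property list a Mac App Store app ships with.  The entitlement key names are the ones from Apple's App Sandbox entitlement reference (the Xcode checkbox Apple mentions above sets the first of them, com.apple.security.app-sandbox); on a Mac the real list can be dumped from a built app with `codesign -d --entitlements :- Some.app`.  The two plists below are constructed for illustration, and the reject/review/ok verdict rules are mine, not Apple's review criteria.

```python
"""Audit the App Sandbox entitlements an app would ship with.

Added example, not Apple's code and not from the article. On macOS the
entitlements of a built app can be dumped with
    codesign -d --entitlements :- /Applications/Some.app
This block parses constructed plists instead so it runs anywhere.
"""
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
PREFIX = "com.apple.security."
EXCEPTION_PREFIX = PREFIX + "temporary-exception."

# Entitlement keys from Apple's App Sandbox entitlement reference, with what
# each one lets a sandboxed app reach outside its own container.
KNOWN = {
    "network.client": "make outgoing network connections",
    "network.server": "accept incoming network connections",
    "device.camera": "capture from a camera",
    "device.microphone": "capture from a microphone",
    "device.usb": "talk to USB devices",
    "print": "print",
    "files.user-selected.read-write": "read/write files the user picks in an open/save panel",
    "files.downloads.read-write": "read/write the Downloads folder",
    "assets.music.read-only": "read the Music folder",
    "assets.pictures.read-only": "read the Pictures folder",
    "personal-information.addressbook": "read the user's contacts",
}

# Constructed sample: a sandboxed app asking for camera, USB, Downloads and
# outbound network, plus one temporary exception (a read-only path under the
# home directory), which Apple reviews case by case.
SANDBOXED_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.usb</key><true/>
    <key>com.apple.security.files.downloads.read-write</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.network.server</key><false/>
    <key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
    <array><string>/Library/Preferences/</string></array>
</dict>
</plist>
"""

# Constructed sample: an app that never opted in (the Xcode checkbox is off).
UNSANDBOXED_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.device.camera</key><true/>
</dict>
</plist>
"""


def audit(entitlements_plist):
    """Return what the plist asks for and whether it meets the store rule."""
    ents = plistlib.loads(entitlements_plist)
    sandboxed = ents.get(SANDBOX_KEY) is True
    # A key set to <false/> or to an empty array grants nothing, so skip it.
    requested = sorted(k for k, v in ents.items()
                       if k != SANDBOX_KEY and k.startswith(PREFIX) and v)
    exceptions = [k for k in requested if k.startswith(EXCEPTION_PREFIX)]
    unknown = [k for k in requested
               if k not in exceptions and k[len(PREFIX):] not in KNOWN]
    if not sandboxed:
        verdict = "reject: app-sandbox entitlement missing, store will not accept it"
    elif exceptions:
        verdict = "review: temporary exceptions need a written justification"
    else:
        verdict = "ok"
    return {
        "sandboxed": sandboxed,
        "requested": requested,
        "temporary_exceptions": exceptions,
        "unknown": unknown,
        "verdict": verdict,
    }


def describe(key):
    """Human-readable meaning of one entitlement key."""
    suffix = key[len(PREFIX):]
    if key.startswith(EXCEPTION_PREFIX):
        return "temporary exception: " + suffix[len("temporary-exception."):]
    return KNOWN.get(suffix, "unrecognised entitlement")


if __name__ == "__main__":
    for name, plist in (("sandboxed app", SANDBOXED_APP),
                        ("unsandboxed app", UNSANDBOXED_APP)):
        report = audit(plist)
        print(f"{name}: {report['verdict']}")
        for key in report["requested"]:
            print(f"  {key}: {describe(key)}")
```

The point of the listing is that everything a sandboxed app can touch outside its container is enumerated in one small file: an app whose feature has no corresponding entitlement (capturing other apps' windows, say) cannot express that need at all, which is why some features simply disappear under the sandbox.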

II. Developers Aren't Happy

Developers are upset because they fear that customers won't understand the changes and will simply blame them for removing features which can no longer be implemented under the sandboxing regime.

Some developers are also frustrated at the timing of Apple's decision.  They are used to dealing with changes when there's an operating system release, but aren't used to having to make big changes mid-cycle.  The latest version of OS X, OS X 10.7 "Lion", launched back in July.

Gus Mueller, founder of the Mac software company Flying Meat Software, told MacWorld: "It's being introduced in the middle of an OS cycle.  I could see Apple turning it on with the release of 10.8, but forcing the sandbox on developers with a 10.7.x update? That's crazy."

The changes have some developers considering rebellion -- abandoning the Mac App Store.  Even Mr. Mueller, a firm App Store proponent, acknowledges that the changes "force me to remove one of my applications", the screenshot app FlySketch.

That's troubling because the Mac App Store has already struggled to succeed in the face of problems like piracy.  Still, it's important not to overstate the reaction -- most developers who use the App Store would be unwilling to turn their back on this lucrative means of mass distribution unless they had to.

In the end sandboxing should beef up Mac security, although it will limit the kinds of apps that can be sold through the Mac App Store.  Developers may endure several unhappy months thanks to the decision, but they will likely adapt.  After all, iOS -- Apple's operating system for the iPad, iPhone, and iPod Touch -- already enforces strict mandatory sandboxing for all apps.

Source: MacWorld

Comments

By ltcommanderdata on 11/4/2011 12:45:41 PM , Rating: 0
"OS X has always had this goofy ASLR implementation where they randomized the libraries but not anything else, and you could still play the games and reuse code as long as there was one thing that wasn't randomized," said Charlie Miller, principal research consultant at Accuvant, who does a lot of OS X security research. "In Lion it seems like everything is randomized and no code is loaded at a predictable address. They made it much harder to exploit things. You probably need two bugs now, one for code execution and one for information disclosure."

Miller added that it's also more difficult to find information disclosure bugs because they can't be found with a fuzzer.

Among them is a sandbox design that shields the most vulnerable and vital parts of the computer from attack. Safari, for example, has now been divided into two processes that separate the browser's user interface and other functions from the part that parses JavaScript, images, and other web content.

With virtually all browser exploits targeting the way the program parses web content, Apple engineers have tightly locked down the new process, called Safari Web Content. The design is intended to limit the damage that can be done in the event an attacker is able to exploit a buffer overflow or other bug in the browser.

"Now, you end up inside this restricted process that only does the web parsing, and you can't do other things you might want to do as an attacker, such as write files or read a person's documents," Miller explained. "Even when you get code execution, you no longer have free rein to do whatever you want. You can do only what the sandbox allows you to do."

So is Charlie Miller, who everyone quotes when he criticizes OS X security, wrong when he says that Lion has a full ASLR implementation that randomizes everything and that the Safari browser is properly sandboxed? I believe Safari plugins were already sandboxed since Snow Leopard.

I don't have specific confirmation whether the mail client or iTunes are sandboxed, but it seems that Apple has sandboxed many of their first party applications such as Preview and QuickTime.

Though this was just an example, the QuickTime Player application in Lion does, in fact, delegate video decoding to an external, sandboxed, extremely low-privileged process called VTDecoderXPCService.

Another example from Lion is the Preview application, which completely isolates the PDF parsing code (another historic source of exploits) from all access to the file system.


Copyright 2016 DailyTech LLC.