Feeds

Apple requires Mac App Store candidates to be sandboxed

Protection for your own good

Secure remote control for conventional and virtual desktops

Developers submitting applications to Apple's Mac App Store will soon be required to add an extra layer of security for their wares to be accepted.

Beginning in March, all apps submitted must implement sandboxing, a protection that tightly restricts the way applications can interact with other parts of the operating system. By isolating the app from sensitive OS resources, sandboxing minimizes the damage that can be done when vulnerabilities are exploited. It was significantly improved with this year's release of OS X Lion.

“The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way,” a blurb on Apple's developer news page stated. “As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing.”

The move comes as the quality and quantity of malware targeting Macs has steadily risen over the past year. The recently discovered DevilRobber.A trojan, for instance, commandeers a Mac's graphics card to coin the digital currency known as Bitcoin, and OSX/Revir.A can install itself even without explicit user permission, bypassing a protection that has long brought comfort to many Mac fans.

Recent changes to the Flashback trojan prevent the malware from running on virtual machines, a stealth technique adopted years ago by Windows malware developers.

The new sandboxing requirement was quickly applauded by many security researchers, but the reaction among Mac developers was decidedly more mixed. According to The Unofficial Apple Weblog, Apple's sandboxing approach has the potential to interfere with some functions, particularly those involving AppleScript and the programming interface known as Carbon.

"For 99.44% of the applications out there, sandboxing is a workable technology, whose adoption curve is relatively flat and low-friction, and whose users won't notice any functional difference," Rich Siegel, founder and CEO of the Mac development house Bare Bones Software, said in an email. "Applications whose functional scope is in that last 0.56% will require solutions that take into account the notion of 'implicit user intent,' which to date hasn't been adequately addressed by the sandboxing model as currently presented."

Siegel's percentages are figurative and not intended to be taken literally.

The contrasting reactions highlights the longstanding conflict between the security and functionality of software. More often than not, when one is increased, the other suffers.

Ultimately, the new Apple mandate is a good thing. An analysis from last year showed that some of the most popular Windows applications, including Java, Apple Quicktime, and OpenOffice.org, failed to implement security protections that had been available for years in the Microsoft OS. What's more, the report found that the Mozilla Firefox, Chrome, and Opera browsers applied the mitigations inconsistently.

Clearly, the build-it-and-they-will-come approach doesn't always work when OS developers bake important protections into their systems. Apple's mandate may be painful for some developers, but if it protects end users, it will be worth the hardship. ®

The essential guide to IT transformation

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
China hopes home-grown OS will oust Microsoft
Doesn't much like Apple or Google, either
Sin COS to tan Windows? Chinese operating system to debut in autumn – report
Development alliance working on desktop, mobe software
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?