Feeds

Apple requires Mac App Store candidates to be sandboxed

Protection for your own good

The Power of One Brief: Top reasons to choose HP BladeSystem

Developers submitting applications to Apple's Mac App Store will soon be required to add an extra layer of security for their wares to be accepted.

Beginning in March, all apps submitted must implement sandboxing, a protection that tightly restricts the way applications can interact with other parts of the operating system. By isolating the app from sensitive OS resources, sandboxing minimizes the damage that can be done when vulnerabilities are exploited. It was significantly improved with this year's release of OS X Lion.

“The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way,” a blurb on Apple's developer news page stated. “As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing.”

The move comes as the quality and quantity of malware targeting Macs has steadily risen over the past year. The recently discovered DevilRobber.A trojan, for instance, commandeers a Mac's graphics card to coin the digital currency known as Bitcoin, and OSX/Revir.A can install itself even without explicit user permission, bypassing a protection that has long brought comfort to many Mac fans.

Recent changes to the Flashback trojan prevent the malware from running on virtual machines, a stealth technique adopted years ago by Windows malware developers.

The new sandboxing requirement was quickly applauded by many security researchers, but the reaction among Mac developers was decidedly more mixed. According to The Unofficial Apple Weblog, Apple's sandboxing approach has the potential to interfere with some functions, particularly those involving AppleScript and the programming interface known as Carbon.

"For 99.44% of the applications out there, sandboxing is a workable technology, whose adoption curve is relatively flat and low-friction, and whose users won't notice any functional difference," Rich Siegel, founder and CEO of the Mac development house Bare Bones Software, said in an email. "Applications whose functional scope is in that last 0.56% will require solutions that take into account the notion of 'implicit user intent,' which to date hasn't been adequately addressed by the sandboxing model as currently presented."

Siegel's percentages are figurative and not intended to be taken literally.

The contrasting reactions highlights the longstanding conflict between the security and functionality of software. More often than not, when one is increased, the other suffers.

Ultimately, the new Apple mandate is a good thing. An analysis from last year showed that some of the most popular Windows applications, including Java, Apple Quicktime, and OpenOffice.org, failed to implement security protections that had been available for years in the Microsoft OS. What's more, the report found that the Mozilla Firefox, Chrome, and Opera browsers applied the mitigations inconsistently.

Clearly, the build-it-and-they-will-come approach doesn't always work when OS developers bake important protections into their systems. Apple's mandate may be painful for some developers, but if it protects end users, it will be worth the hardship. ®

Securing Web Applications Made Simple and Scalable

More from The Register

next story
Whoah! How many Google Play apps want to read your texts?
Google's app permissions far too lax – security firm survey
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
OpenWRT gets native IPv6 slurping in major refresh
Also faster init and a new packages system
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.