[Openmcl-devel] Apple To Require Sandboxing For Mac App Store Apps - Slashdot

Andrew Shalit ashalit at learningtouch.com
Mon Nov 7 13:34:47 PST 2011

On Nov 7, 2011, at 4:19 PM, Gary Byers wrote:

> My understanding is that users downloading a sandboxed app from the App Store
> get to see the app's entitlements before doing so.
> If one of the goals of sandboxing (and the App Store) is to make it easier
> and safer for non-technical users (e.g., your grandmother) to download and
> install applications, it's not clear how that fits.  (I have mental images
> of a kindly old lady thinking "well, I'm not really sure why this program
> that's supposed to help me manage my cookie recipes needs to talk to an IRC
> server in Minsk, but ..." before downloading.)

I'd be surprised if Apple presented this information to the user.  Their goal, I believe, is both to (a) make the platform more secure, and (b) give Tim's grandmother confidence that she can download and run anything from the Mac App Store without something bad happening.  Grandmothers are remarkably comfortable purchasing iPhone apps and Apple wants to duplicate that for the Mac.

In his second presentation, Ivan Krstić talks about the requirement that entitlements "make sense" to the person at Apple who is reviewing the app.  If you have an app that shows a picture of grass growing, it doesn't make sense for it to need access to the user's address book and to the Internet.  Apple would reject the app and/or ask for clarification from the developer.  They do that so that by the time the app is in the store, it only has entitlements that are intuitively unsurprising based on the name and description of the app.  That way entitlements don't need to be presented to the user.

The big exception to this is location information.  That's one where they are on track to ask the user's permission in every app.

The problem is that there are large categories of useful applications that need dangerous privileges in order to do their job.  If you want to write a backup application, it needs to be able to access every single file on disk.  There's just no way around that.

I would be surprised if Apple allowed multiple tiers of apps in the Mac App Store, some more locked down and some less locked down.  Once you open that door, users have to start thinking, and once users have to start thinking they will inevitably click the wrong button and give permission at the wrong time.  That's why all those certificate warnings in web browsers have turned out to be so useless.  People say, "oh, but this is Citibank so the fact that the certificate is invalid must just be a little mistake.  I trust Citibank so I'll click okay anyway."

I hope Apple figures out a way around this because (a) the App Store is a great channel for selling software to a large audience, but (b) it's nice to be able to get something more than another Twitter client or drawing program.
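The "do the entitlements make sense for this kind of app" review that Andrew describes, worked through as an added example (not code from the thread, from Apple, or from Ivan Krstić's talk). The entitlement key names are Apple's real App Sandbox keys; the app categories, the per-category expectations, the review logic and the constructed plists are assumptions made up for this illustration. The point it shows is the one in the post: a "grass growing" app that asks for the address book and the network is flagged, and there is no listed capability that would ever cover a backup tool's need to read every file on disk, so such an app can only come back as "ask developer".

```python
import plistlib

# Real App Sandbox entitlement key names (Apple's), with a plain-English gloss.
# The sandbox switch itself is handled separately from the capability keys.
SANDBOX_KEY = "com.apple.security.app-sandbox"
KNOWN = {
    "com.apple.security.network.client": "outbound network connections",
    "com.apple.security.network.server": "inbound network connections",
    "com.apple.security.personal-information.addressbook": "Contacts database",
    "com.apple.security.personal-information.location": "location services",
    "com.apple.security.files.user-selected.read-only": "files the user picks in an open panel",
    "com.apple.security.files.user-selected.read-write": "files the user picks in an open/save panel",
}

# Hypothetical app categories and the capabilities that would be "intuitively
# unsurprising" for each. These are assumptions for the example, not Apple's
# review criteria. Note that no category is allowed whole-disk access: there
# is no key in KNOWN that grants it.
EXPECTED = {
    "screensaver": set(),
    "recipe-manager": {"com.apple.security.files.user-selected.read-write"},
    "irc-client": {"com.apple.security.network.client"},
}


def review(entitlements_xml: bytes, category: str) -> dict:
    """Toy reviewer: parse an entitlements plist and report which requested
    capabilities are surprising for the declared app category."""
    ents = plistlib.loads(entitlements_xml)
    expected = EXPECTED[category]
    result = {
        "sandboxed": bool(ents.get(SANDBOX_KEY)),
        "surprising": [],   # known capabilities the category does not call for
        "unknown": [],      # keys this reviewer has no gloss for at all
    }
    for key, value in ents.items():
        # Only entitlements that are actually switched on matter.
        if key == SANDBOX_KEY or value is not True:
            continue
        if key not in KNOWN:
            result["unknown"].append(key)
        elif key not in expected:
            result["surprising"].append(key)
    clean = result["sandboxed"] and not result["surprising"] and not result["unknown"]
    result["verdict"] = "accept" if clean else "ask developer"
    return result


def build_entitlements(keys) -> bytes:
    """Construct an entitlements plist: sandbox on plus the given capability keys."""
    return plistlib.dumps({SANDBOX_KEY: True, **{k: True for k in keys}})


# Constructed sample: the "picture of grass growing" app from the post, asking
# for the network and the address book.
GRASS_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.personal-information.addressbook</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for category in ("screensaver", "irc-client"):
        r = review(GRASS_APP, category)
        print(category, r["verdict"], [KNOWN[k] for k in r["surprising"]])
    # A recipe manager that only wants files the user explicitly picks passes.
    recipes = build_entitlements(["com.apple.security.files.user-selected.read-write"])
    print("recipe-manager", review(recipes, "recipe-manager")["verdict"])
```

Run against the constructed grass-growing plist, the screensaver category flags both the network and the address book; declare the same plist as an IRC client and only the address book remains surprising. The verdict is produced from the entitlements file alone, which is exactly why, in Andrew's telling, the user never needs to see it.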
