Apple Sandboxes the Mac App Store
On Friday, June 1st, Apple officially began requiring all apps sold in the Mac App Store must be sandboxed. What does this mean, and how will it affect you and your apps?
WHAT IS SANDBOXING?
Sandboxing gets its name from kids playing in a sandbox. When a kid plays in a sandbox, the idea is that all of the play happens in the sandbox. The kids enter the sandbox to play and don’t leave the sandbox until they are done playing. No toys or sand enter or leave the sandbox. In reality the allusion has some flaws, but I think you get the idea.
Apple has required that any apps sold in its Mac App Store do a very similar thing. A developer codes their app to create a sandbox when launched. This prevents the apps from accessing unnecessary resources, such as critical system files, documents, contact info, etc. This will prevent apps from unnecessarily grabbing private info, as well as potentially breaking the Mac OS. This should mean apps in the Mac App Store have a higher level of privacy and more security because of the limited access to the system.
App makers will also be able to add entitlements if they need to access something out of the ordinary. This means apps that need to scan through system files to find something or access your webcam, have to have the entitlement written in and approved by Apple.
HOW DOES IT AFFECT YOU?
For users, this only means added security. Users will not see much difference between how their apps worked before sandboxing was required and how they will work in the future. By limiting what an app can and cannot have access to, one app crashing will limit the potential damage to other apps running. Troubleshooting may also be easier. Things like caches and preference folders will be kept in “containers” only pertaining to a specific app, making it easier to clean these out should any trouble arise.
There are some limitations to be noted however. Users may see a rise in the number of dialogue boxes asking for permission to access other apps because of sandboxing. Grant Cowie speaking to Macworld notes that many apps currently have the ability to send files directly into other apps. He uses the example of his own program “MoneyWorks” being able to send a spreadsheet to be directly opened in Microsoft Excel or iWork’s Numbers. Now, users will have to close MoneyWorks and then manually open the file in Numbers or Excel. Image editing programs will likely feel the same crunch. Some people have already reported bugs in apps like Apple’s Preview, which has already been sandboxed, that prevent it from sending a PDF straight to Mail or print. Many of these bugs will be phased out in the next couple of months.
WHAT IT MEANS FOR DEVELOPERS
Some developers have taken to selling the “full versions” of apps on their websites, or allow users to upgrade from within the app to add these features. ClamXAV, a popular, free, and open source antivirus for Mac (my review of it here), is not allowed to use the Sentry program, which scans incoming and created files as they are written to the hard drive, if downloaded from the Mac App Store. If you want that feature, you must download the full version from the ClamXAV website. We can expect to see more of this in the future.
Many developers hope to see looser restrictions and guidelines for sandboxing in the future, fearing potential lost revenue in the Mac App Store (for both them and Apple), as well as less powerful apps available.
WHAT ABOUT APPS NOT AVAILABLE IN THE MAC APP STORE?
There are still many apps not sold or available in the Mac App Store. Tools like Firefox, Google Chrome, Microsoft Office, Steam, Onyx, and more still publish their products outside of the Mac App Store for various reasons. These programs will not be directly affected by the rules of sandboxing because the rules don’t apply to them. Apps sold in the Mac App Store that use these apps may see restrictions, such as the previously mentioned MoneyWorks example, but apps sold outside of the store should still function as they have.
Sandboxing will make apps more secure and most users should not notice many differences before the sandboxing implementation and after it. Developers will have to implement some features in new ways to meet the new standards, or remove some features entirely, while power users may notice a change in their workflow. Whether Apple will ease these restrictions or not has yet to be seen. If you have any questions, comments, or suggestions about this or any other topic, leave a comment below or email me at firstname.lastname@example.org You can also check me out on Facebook, Twitter, and YouTube by hitting the buttons on the top of your screen. And check out my Google Plus. Thanks!