Apple: Mac apps must be sandboxed

Started by Simon, Nov 03, 2011, 21:19:27



Simon

Apple is cranking up security for its computers by making sandboxing compulsory for all apps sold in the Mac App Store.

The rule was set to come into force this month, but in a message sent to developers the company said the rule would now come into effect next March.

"The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way," the company said. "As of 1 March 2012 all apps submitted to the Mac App Store must implement sandboxing."

The company said sandboxing – where code runs in isolation to protect other applications – was a "way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems".

However, given Apple's perceived heavy-handed approach to developers in the past, app creators are concerned that the sandbox innovation could be forced upon them with little flexibility and could inhibit development.

http://www.pcpro.co.uk/news/security/370924/apple-mac-apps-must-be-sandboxed
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Apple is sandbagging the developers? ;D
Rik

Glenn

Quote: ...according to Core Security, the sandboxing is flawed. Processes directly spawned by a sandboxed application are blocked but indirectly spawned processes are permitted, according to Core, which has published an advisory containing harmless proof of concept code to illustrate its concerns.

The upshot of this is that "you can use Apple Script to tell OS X to start some other arbitrary program (or a second copy of your own) which won't inherit your sandbox settings," explains Paul Ducklin of net security firm Sophos.

http://www.theregister.co.uk/2011/11/15/apple_sandbox_security_fail/
Glenn

Rik

Chocolate teapot springs to mind. :(
Rik

Technical Ben

I used to have a signature, then it all changed to chip and pin.