Apple: Mac apps must be sandboxed

[Simon]

Apple is cranking up security for its computers by making sandboxing compulsory for all apps sold in the Mac App Store.

The rule was set to come into force this month, but in a message sent to developers the company said the rule would now come into effect next March.

"The vast majority of Mac users have been free from malware and we're working on technologies to help keep it that way," the company said. "As of 1 March 2012 all apps submitted to the Mac App Store must implement sandboxing."

The company said sandboxing – where code runs in isolation to protect other applications – was a "way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems".

However, given Apple's perceived heavy-handed approach to developers in the past, app creators are concerned that the sandbox innovation could be forced upon them with little flexibility and could inhibit development.

http://www.pcpro.co.uk/news/security/370924/apple-mac-apps-must-be-sandboxed

[Rik]

Apple is sandbagging the developers?

[Glenn]

...according to Core Security, the sandboxing is flawed. Processes directly spawned by a sandboxed application are blocked but indirectly spawned processes are permitted, according to Core, which has published an advisory containing harmless proof of concept code to illustrate its concerns.

The upshot of this is that "you can use Apple Script to tell OS X to start some other arbitrary program (or a second copy of your own) which won't inherit your sandbox settings," explains Paul Ducklin of net security firm Sophos.

http://www.theregister.co.uk/2011/11/15/apple_sandbox_security_fail/

[Rik]

Chocolate teapot springs to mind.

[Technical Ben]

Would taste nice though.