Rant: Welcome to Apple's sandbox

Will sandbox mandates help CSOs make apps play nice?

Whether you love Apple or hate it, you may be in line to benefit as a crackdown on Mac OS X apps extends the company's iPhone and iPad application metaphor to desktop applications as well. Even if you don't use Macs within your business environment, your company's security profile may eventually benefit as Microsoft slowly positions itself to follow Apple, which recently announced that, from March 1, it will require all app developers to sandbox their applications in order for them to be distributed using the company's Mac App Store.

It's a big change: while Mac OS X has been bundling its apps in manageable, mostly self-contained packages for yonks, the mandate that they now withdraw their tendrils and live in isolation from the rest of the operating system will require significant changes to many apps that have become accustomed to happily extending themselves throughout the desktop environment.

It's the digital equivalent of telling your messy cousin Bazza that, if he wants to keep living in your house, he has to pick up his dirty towels and stop leaving greasy Chiko roll wrappers all over the lounge-room sofa. And it seems to be a godsend for security, breaches of which have often involved sneaky malware playing off operating-system security compromises to wend its way into the danger zone.

While they'll present user interfaces and application logic the same way, apps interacting with the rest of the operating system will apparently have to be managed through tightly controlled Mac OS X APIs. Without the correct credentials, the apps will simply be unable to get where they want to go. It's a process that extends Apple's notorious reputation for micromanagement — but should, presumably, go some way towards improving security.

If your business is based on Windows, don't sneer: Apple's Mac App Store, which in turn is based on Apple's successful iTunes App Store, is now being emulated by Microsoft and will become a primary distribution method once Windows 8 hits the traps.

Not too long from now, this sort of software distribution will be the de rigueur standard. Will you be thanking Microsoft and, indirectly, Apple? Perhaps. It's certainly a logical way to bring order to what has — especially in the world of Windows — previously been a disastrous mishmash that has made security something of an interminable Hail-Mary pass.

Conflicting and poorly-written applications have wantonly plundered the Windows registry for years, installing configuration settings and files that have been corrupted, destroyed and pwned by purpose-built malware with impunity. Apple's security model has been arguably more tied-down, although even it has recently proved to be susceptible to the odd security issue or two and was this week exposed when a security researcher found a way to sneak malware onto iPhones and iPads through the iTunes App Store.

Given the broader range of functionality available in Mac OS X, there will be many more potential attack vectors that will be dutifully probed, tested, and exploited by security researchers. But these will be readily identified and fixed, and may be eliminated altogether as all apps become subject to the same tight controls that already regulate interactions between desktop operating systems and operating systems running within virtual machines.

For security professionals, the move towards sandboxed apps may eventually prove to be the best thing to happen to corporate security since the invention of antivirus scanners. Realising those benefits, however, will require strong takeup by ISVs, who tend to be quite cagey about kowtowing to the mandates of any particular supplier. Instead, they often prefer to load their own interfaces, drivers and whatnot to make your desktops behave just the way they want them to; experience shows that this is often exactly the opposite to how you'd prefer to have the desktops operating.

There's no need for businesses to wait until Windows 8 to get the benefits of sandboxing, of course: Symantec, Microsoft and other vendors already offer application virtualisation solutions that use a Mac-like approach by bundling Windows applications into self-contained virtual packages that can be loaded and removed from desktops more easily than with conventional uninstallers. That makes for easier management and, in theory at least, better security since apps can be quickly slapped down if they try to put their greasy fingers where they shouldn't be.

Time will tell whether Microsoft can force ISVs of enterprise applications to get in line, or whether they simply bypass app stores for as long as possible. The easier distribution and monetisation offered by the Mac App Store may be enough to convince authors of casual applications to get in line, but monolithic Windows applications may require significant investments in time and money to change apps to play nicer.

For those ISVs, fealty to sandbox designs may only come when Microsoft and Apple change gears and make their app stores the only authorised way to install apps at all.

When this happens, desktop operating systems will have become bigger, gruntier versions of the iPhone and iPad app model: discrete, self-contained apps that abstract application logic away from data files so they can be readily updated in situ and isolated from their neighbours. You may not like the comparisons – especially if you're an Android fan – but the benefits may be indisputable.

What do you think? Will app sandboxes plug application security holes? Or will hackers always find a way?


Stories by David Braue
