Mac App Store

sandboxPhoto credit: livingindryden.org

I’m very excited about the new operating system and the APIs it holds for developers.

One new feature that is going to be very popular amongst users and holds real benefits for them is the App Sandbox.

What is App Sandbox?

Entitlements

Basically, the App Sandbox needs developers to specify what kind of access to user data an application they create needs.

You basically start with no privileges (so called “entitlements”) at all and work your way up for what your app needs. 
Does it have open or save panels? You need an entitlements for that.
Does it need access to the network? More entitlements.
Does it need to access iCal or Address Book? Even more entitlements.

Apple states there are currently 15 entitlements, but the list may change in the future.

Containers

For data saved by applications, like preferences files, Core Data storage, “Shoebox” data, basically everything except Documents the user saves or are autosaved by OS X Lion, each application gets its own Container in /Users/yourname/Library/Containers/, like /Users/matthias/Library/Containers/at.EternalStorms.ScreenFloat/

An application that has no entitlements for file system access can not access anything beyond that folder without the user’s consent (a user can give their consent with selecting files in open or save panels or by drag’n’dropping items onto or out of the sandboxed application).

Deny, deny, deny!

Anything an application requests it doesn’t have the proper entitlement for gets denied by a process called sandboxd, the sandbox daemon. It manages the sandboxed applications and their access to things they are or aren’t entitled to.

This is what your Console looks like when something gets denied:

27.07.11 16:56:14,480 sandboxd: ([2460]) screencapture(2460) deny file-read-data /usr/sbin/screencapture

XPC

XPC helps take the sandbox paradigm even further, making apps even more secure. Instead of having one executable that does it all (access the web, access iCal data, access Address Book data, write stuff to disk, read stuff from disk), a developer splits these tasks up and basically creates for each of these operations a executable with just enough entitlements to do its work.

So if you have an application that can access your Address Book and the web, there’s nothing from stopping the app, had it been compromised, from sending that data to a server.

However, if you have two different executables, one with just the Address Book entitlement and another with just network access, it’s not that easy anymore for intruders to do their dirty business.

XPC lets these two executables talk to one another, inside their shared sandbox.

What is App Sandbox good for?

Something that has been said a thousand times in the WWDC sessions to make abundantly clear what App Sandbox is good for:

It’s a last line of defense against evil-doers.

If an application has been compromised, it can’t do anything beyond its entitlements. That’s a very good thing.

So what does it all mean for users and developers?

Users

For users, it’s a great thing to have in terms of security and privacy of your data and I think every user should be excited about it. I know I am. It’s a great solution to a problem that has been dragging on too long, and Apple stood up and took a shot at it, and I think they did very well. For the most part.

In terms of what app developers will be able to make for those users, well, that’s another story which I’ll explain next.

Developers

In general, for most cases, developers won’t have any trouble with the App Sandbox. Version 1.2 of ScreenFloat – which is currently in Review for the App Store – already is a client of the sandbox and I ran into no trouble with adopting the entitlements, what so ever. It does what it does, just like before, but now, it’s safer, and I’m very excited about that.

What worries me, however, and, judging from what I’ve read on Apple’s developer forums, worries quite a lot of other developers as well, are the so-called temporary entitlements.

Temporary entitlements are for certain cases where it’s not really safe to do something, but Apple hasn’t figured out a safe way to let the app do it yet, so they made an entitlement for it. A temporary one.

Let’s take, for example, iTunes. There are a lot of applications out there that can “remote control” iTunes with global hotkeys.
In the background, the application is sending out an Apple Script, or doing its work over the Scripting Bridge, or are sending Apple Events directly (Apple Scripts and Scripting Bridge work with Apple Events in the end, but it’s at a higher abstraction level API wise for developers like me, who have no idea how to create Apple Events in the first place).

For this case, Apple has created a temporary entitlement. Alright, so it works.

What bothers developers however is the term “temporary”. What _is_ temporary, exactly? Will there be a replacement once the temporary entitlements vanish?

Let’s look at a perfect example for this:

GimmeSomeTune and the App Sandbox

Some of you might have read it on Facebook, others may have on twitter, for those of you who haven’t, here’s what happened:

I’ve halted development on GimmeSomeTune because of the temporary entitlements, more so because of the questions I asked above that have yet to be answered by Apple.

But let’s take it one step at a time:

GimmeSomeTune gets notifications with userInfo payload objects from iTunes. That’s no problem yet, since iTunes is yet to be sandboxed. But once it is, it can only send notifications without userInfo payload objects, and that object contains all the necessary information, like Title of Song, Album, Artist, etc.

So GimmeSomeTune, in its current form, could work for some time, until Apple decides to sandbox iTunes. Boom! Rien ne va plus.

GimmeSomeTune downloads artwork and lyrics and sends them to iTunes through the Scripting Bridge. The Scripting Bridge is essentially sending Apple Events to the app you target, in my case, iTunes.

The sandbox allows for Apple Events to be received by an application (without entitlements), but can not send any, without the temporary entitlement. When the entitlement is no longer valid, the main functionality of GimmeSomeTune breaks. Boom! Rien ne va plus.

So what it comes down to is this:

GimmeSomeTune would work right now in its current state, with temporary entitlements and hoping that Apple will never sandbox iTunes so it will continue to send notifications with userInfo payloads (which is doubtful, since iTunes is your digital hub and all, so they’ll be sure to sandbox it at some point, I guess).

But what happens if iTunes was sandboxed?
GimmeSomeTune would break, it would not know what song is playing in iTunes and hence wouldn’t download information and send it to iTunes, rendering the application useless.

And what if the temporary entitlements go away without a proper replacement API?
Again, GimmeSomeTune would break and it couldn’t send downloaded data to iTunes anymore, again rendering the application useless.

Why not just release it and hope for the best?

Sure, I could release GimmeSomeTune with temporary entitlements and hope they stay around forever or that there’ll be a replacement API for them.

But I have to consider what happens if they don’t (which is, in my opinion, 100% certain) – angry users, having paid for software that doesn’t do its job.

I am not willing to take that chance. I will wait to see what Apple comes up with.
And if there is a replacement for temporary entitlements in the works, and when I’m certain GimmeSomeTune will work with it, without the fear of having the application break at some random point in the future due to functionality that is ripped out from under it, only then can I release GimmeSomeTune with confidence and the knowledge that its users will be able to actually use the app.

And I believe this is the right choice.

Sandbox at its finest

Would you like an example of what kind of apps are completely unsupported in the sandbox environment?

Applications that change developer-signed files inside of app bundles that are a) developer-signed and b) running in the sandbox environment.

May I present the worst case Scenario: PresentYourApps

Some of you may know this little app of mine. PresentYourApps lets you hide the menu bar and / or dock for applications you specify, making more screen real estate available. Or at least, it _let_ you.

On OS X Lion, it works some of the time, but I highly discourage you from using it on that system, and I will take down the download link in the next couple of hours.

I discourage you, because it breaks apps you use it on.

I got an e-Mail from a user who tried it on Preview.app on Lion, and after he restarted Preview.app, it crashed on launch. Luckily, PresentYourApps keeps backups of the file it edits, so the user could make Preview.app work again, but it was scary.

Well, PresentYourApps has been long overdue and begging for an update, but because of these circumstances, I decided to discontinue working on it all together and removing it from my website, since it will do more harm than good on Lion systems.

 

If you have any thoughts regarding all of this, or GimmeSomeTune especially, please be sure to leave a comment or contact me in any other way!

Thank you kindly for reading,
Take care,
Matthias

[twitter-follow screen_name=’eternalstorms’ show_count=’yes’]

[twitter-follow screen_name=’flickeryapp’ show_count=’yes’]

[twitter-follow screen_name=’screenfloatapp’ show_count=’yes’]

[twitter-follow screen_name=’gimmesometune’ show_count=’yes’]

Read more