Now, say a game or web browser that runs potentially malicious content, sure, sandbox it. But other things like code interpreters, low level Unix tools, or inter process tools like AppleScript, they're still open to (mis)use by anyone.
I'm going to guess that most malware for OS X will soon become non-compiled scripts. Sure, the interpreter would be signed, but what it runs is totally arbitrary.
I'm a user of one of Apple's "pro" applications, Logic Pro 9, a top music recording software (or DAW). I started using it long before it was put in the appstore, and was surprised when they moved it there, as it was a 5 DVD install.
Anyways ... the tool interacts with plugins written in a Logic Pro independent standard, VST. It burns CDs. It manipulates midi through wifi, usb, and firewire. It reads third party provided sound samples and loops. It manipulates analog instrument interfaces through firewire ...
Is Apple going to cripple Logic Studio? Or will they also have to take their "pro" software out of the appstore?
Unfortunately, it appears this may be a "do as I say, not as I do" situation.
The answer is simple, Apple's apps will have special access that will make them better than 3rd party apps which have to jump through all these hoops.
Actually, Logic Pro does not interact with VST plugins at all. It interacts with AU (Audio Unit) plugins. Plugins like Native Instrument's etc that come as VST plugins also come in AU versions.
Is Apple going to cripple Logic Studio?
No, Apple is not going to cripple Logic Studio. They even said so, a few months ago.
Or will they also have to take their "pro" software out of the appstore?
They can also do whatever they want with THEIR apps in the appstore, like have them there despite not implementing sanboxing, or giving them arbitrary sanboxing rights (after all, Apple TRUSTS their own apps not to be malware).
In theory, all the games and apps have to sign/encrypt/check everything they load. But I can't believe they will all implement this correctly or that Apple will find all the subtle bugs when reviewing.
The only way to parlay that into control of the system would be to break the sandbox. And then, because OS X default security is fairly sane, the only way to do real lasting damage is to use a further exploit to escalate your permissions.
Splinter Cell and MechAssault where famous for this. The bug is actually in the XBox Dashboard code itself, so the Host system was buggy.
--------------------------------
Starting in Mac OS X v10.6, the NSURL class and the CFURLRef opaque type each provide a facility for creating and using bookmark objects. A bookmark provides a persistent reference to a file-system resource. When you resolve a bookmark, you obtain a URL to the resource’s current location. A bookmark’s association with a file-system resource (typically a file or folder) usually continues to work if the user moves or renames the resource, or if the user relaunches your app or restarts the system.
In an app that adopts App Sandbox, you must use a security-scoped bookmark to gain persistent access to a file-system resource.
Security-scoped bookmarks, available starting in Mac OS X v10.7.3, support two use cases:
• An app-scoped bookmark provides a specific sandboxed app with persistent access to a user-specified file or folder.
For example, if your app employs a download or processing folder, present an NSOpenPanel dialog to obtain the user’s intent to use a specific folder. Then, by creating a security-scoped bookmark for that folder and storing it as part of the app’s configuration (perhaps in a property list file or using the NSUserDefaults class), your app acquires a means to obtain future access to the folder.
• A document-scoped bookmark provides a specific document with persistent access to a file.
For example, a code editor typically supports the notion of a project document that refers to other files and needs persistent access to those files. Other examples are an image browser or editor that maintains an image library, in which the library file needs persistent access to the images it owns; or a word processor that supports embedded images, multimedia, or font files in its document format. In these cases, you configure the document format (of the project file, library file, word processing document, and so on) to store security-scoped bookmarks to the files a document refers to. (A document-scoped bookmark can point only to a file, not a folder.)
A document-scoped bookmark can be resolved by any app that has access to the bookmark data itself and to the document that owns the bookmark. The document can be a flat file, or a document distributed as a bundle.
--------------------------------
"Click the button below, locate file xyz and 'Open' it to proceed"
I would be perfectly ok with a system "Grant permission to xyz" dialog, but the open file dialog is a terrible way of requiring access to a file or folder.
Rather than presenting it as some pointless mechanical chore in which you direct a user to a specific file in a known place, wouldn't "Choose where you would like Foo.app to save your XYZ (project/file/whatever)" make a lot more sense?
For the duration of the company's existence, one of their biggest customer segments has been the creative industry. I can't think of a single pro audio/video/graphic/etc app that doesn't make extensive use of plug-ins, another Mac App Store disqualifier.
Do the developers of these apps necessarily have a "right" to iCloud APIs, delta updates, and other benefits of playing in Apple's sandbox? Of course not.
But is Apple harming themselves and their customers by excluding the creators of these apps from the party and potentially causing them to focus their development efforts elsewhere? I think they may be.
I would have thought the Final Cut Pro X debacle (http://pogue.blogs.nytimes.com/2011/06/23/professional-video...) would have served adequate notice to those folks that Apple doesn't consider them an important market segment anymore...
I don't know if you have used/use Final Cut 6/7, but it is a phenomenally ugly, often poor performing, generally unintuitive piece of software. I can see where the motivation for a full reboot would stem from.
Now, a reboot that involves consolidating formerly modular panes into a single window when the target market typically works on two, three or more displays is just dumb. A reboot that was, as a practical matter, 0% backwards-compatible may have been necessary, but if it could have been avoided, it should have been. But buried under all the mistakes, I think there was some genuine good intent (yes, I know I'm grasping at straws).
I primarily work with music, and you don't need to be as involved as I am or attend as many shows as I do to know that for any artist/band that uses a laptop on stage, the MacBook Pro is the de facto standard. The same applies to Mac Pros in studios (although those boxes may be going the way of the Dodo as well).
None of this necessarily makes a difference to Apple; the new features in Mountain Lion which focus on Chinese web portals and social networks serve as a reminder that the emerging Chinese middle class is likely as important a segment to Apple as any, and the number of potential customers in that group already dwarfs the ranks of every DJ, producer, sound engineer, and electronic musician on earth.
Still, it would be a great disappointment to me and many others if Apple were to abandon such a loyal group of customers who helped them reach this point.
Unlike, say, Adobe, that merely piles incremental bloat upon incremental bloat, and calls it a "new version of the suite".
The complains are from people that:
1) see a black interface as some kind of iMovie-fication (iMovie is black, so they have dumded down FCP).
2) Think professional software means convoluted GUI (they made things simpler, so they have dumbed it down)
3) Expect a rewrite of a 10+ year old codebase to have feature parity with the old version from day one.
4) Expect a rewrite of a 10+ year old codebase, with the intention to support modern movie making practices, to also cater for obsolete practices that the old version covered (like tape editing).
I guess I should step back a bit and make my argument more clear. I'm not opposed to the concept of sandboxing, I recognize the benefits of these policies as Apple's user base grows and malware becomes a greater concern.
My contention is that the imposition this places on users and developers alike will most likely dissuade pro media software developers from participating in the Mac App Store to begin with, thereby depriving Apple of potential income, depriving developers access to useful features like iCloud file sharing/mirroring, and exposing users to the very risks this policy is intended to shield them from.
They're just disallowed from supporting plugins in the manner that they have been on every platform for 20 or 30 years.
Um, no. If there's one thing that's more private than my address book, it's my ssh keys. The fact that they aren't available to your application by default is a feature. If you need a key, ask me for it. If I want to give you the access, I'll do that.
There are other tools that do similar in other OS's, for example the "keychain" script in Debian. This isn't something weird IMO.
Very very popular apps like:
Chrome
Photoshop/Adobe CS
Fusion/Parallels
Microsoft Office
Text Editors
FTP Clients
Dropbox
The Mac App Store loses a bit of its allure when you get your new MacBook Air [even as a non developer] and can't find basics like Chrome or Dropbox or Microsoft Office in there.
I can testify about that. I just bought MBA recently and opened up App Store out of curiosity, however almost all of software I needed I bought at writer's store (apparently there is final draft now in app store, but I bought directly from Final Draft). Same goes for Office, Chrome, Dropbox, etc...
> Chrome
"Safari."
> Photoshop/Adobe CS
"Creatives? Did you see what we did to Final Cut? Have you noticed how little we talk about the Mac Pro anymore?"
> Fusion/Parallels
> Text Editors
> FTP Clients
"We're in the consumer products business, not the 'tools for nerds' business. Ask an XServe customer if you want more information."
> Microsoft Office
"We could care less if we sell boring-ass business software into enterprises."
> Dropbox
"iCloud."
As someone who has lived through a protracted antitrust review (Google acquiring ITA Software, a company I co-founded), I can tell you that there are dozens of hard-working people at the DOJ and FTC ready to make their careers on taking Apple down should Apple give them the tools to do so. A "some animals are more equal than others" app store policy -- whether intended or unintended -- is definitely fodder for a juicy DOJ/FTC lawsuit.
That gives a photo editor, a movie editor, spreadsheet, and word processor.
What DID they do to Final Cut? They spend tons of money and engineering time to rewrite the app from scratch with a modern codebase and added new innovative features. The got it to 64bit, they added the magnetic timeline (HUGE timesaver), the improved tons of workflow stuff, they made it take advantage of multiple cores, and they made it work with files in whatever format they are in to begin with.
In the process, as with any version 1.0 app, FPCX lost a few of the features that the old, bloated, version of FCP had. Some because you just cannot just scratch from scratch and replicate absolutely everything at once, and others because they don't make much sense moving forward. Some of those features, like multicam editing, they delivered in subsequent minor versions (of which there have been 3 already).
That is much more than what Adobe does, which is incrementally adding a few features, without ever rethinking their apps, and keeps adding bloat upon bloat (Flash based custom panels, anyone?) to the same 10 or 20 year old codebase. Apple betted on the future, Adobe plays it safe.
So, I beg to differ in respect to FCP X.
Have you noticed how little we talk about the Mac Pro anymore?"
And why should they? A quad core iMac is just as capable for the needs of 90% of creatives, and in fact, if you looked at any design studio in the past 2-3 years you were more likely to find one of those than a Mac Pro or a G5.
They also know that they sell a very small amount of those Pro machines, and it's not like Intel is making new chips for them all the time.
Besides, Thunderbird, the Apple/Intel interconnect perfectly suited for professionals and creatives that no other PC vendor took the time and effort to create, solves most of the connectivity issues that an iMac (or even a MacBook Pro laptop) had related to a Mac Pro.
2. As of iOS 5, the platform has native Audio Unit support. I haven't seen much use of it, more commonly devs have been porting their work to JUCE (as in the case of the Auria iPad DAW, which features some popular third party plug-ins as in-app purchases).
I don't understand: What prevents an app from having an "Add Plugin..." dialog that uses the sandboxed file browser to locate a plugin library in whatever sensible format?
I wonder if Apple might give some companies of just distributing the installer via the app store as well.
1: future anti-trust cases or congressional testimonies nonwithstanding
Sure, iDevice developers have no choice. But for desktop software there's this handy thing called the Internet. Why kick up revenue to apple, subject myself to submission rules and arbitrary rejection, absurd technical limitations and switcheroos like the one described in this article, and all the rest?
Right, there are no success stories.
"Why kick up revenue to apple"
People keep saying this like Apple doesn't deliver buying customers and revenue. The app store making a profit on sales is exactly how every other store in the world works. Why does Apple 'kick up revenue' to Amazon when they could just sell all their iPads online through Apple.com? The answer is because lots of people shop at Amazon and Apple will sell way more iPads with Amazon then without them.
Example: The Keychain application from Apple (used to store certificates, private keys and passwords) is using a encryption algorithm that is too weak for what it is used - namely: DES. You can break it with a reasonable amount of money.
Wouldn't it make more sense to improve these kind of things first? We would gain so much more security with a minimal effort.
"All the password data in the keychain is protected using the
Triple Digital Encryption Standard (3DES)."
"NIST considers keying option 1 to be appropriate through 2030."
Source? This is relevant to my interests. Namely, I'm trying to figure out if using something like 1password or other services would be worth it. Thanks!
I don't know what the best solution is. Possibly allowing non-sandboxed apps in the app store, which go under extra review (possibly with a premium charge to defray the cost of extra review), or requiring the user to select a 'do not sandbox this' option when installing the app.
However, Apple can't give this app what it wants while keeping the integrity of their sandbox.
The goal is to create the most secure running environment that is possible. Allowing random apps to access/modify different files on the system (without user explicitly allowing that) kinda defeats the purpose of sandboxing (from user's point of view - from developers POV, sandboxing makes his app more secure and stable).
All I see is people ranting about sandboxing's limitations, without coming up with actual plans to improve it.
Is that a bad thing? I'm not saying it will happen soon, or that those of us long in the tooth will go easily, but I honestly think it's the future.
Think about young teenagers who will soon be "in charge". They snap a pic on their phone and send it to someone else. Nobody cares where it is in the filesystem, or even what the filename is. I used to meticulously name, tag and organize my mp3 collection into folders and sub-folders. Now I don't even know where they are on my hard drive - because I just don't care.
Those are old concepts we used to rely on to find and use information stored inside the computer, but I honestly don't see the need for the in the future. We can stop focusing on the "how" of the computer, and focus on the doing.
I will add that "power" users like developers will require these kind of concepts for a lot longer than your average Joe, but I still see it becoming less and less important.
If you find it so objectionable, go build your own hardware and OS platform. This isn't a matter of human rights because no one is telling you that you can't make your own.
It's very similar to their support for "multitasking" on iOS. Handle the common cases well, most others will find some way to make it work, and the rest are out of luck.
It's also important to note that the point of black hat hackers is to get around limitations. Without putting serious teeth into the sandboxing, it's largely pointless and security theater.
I think now might be the time for a rival App Store to set up shop before Apple locks developers into only releasing through their approval process.
Maybe I'm over reacting, but an ounce of prevention is worth a pound of cure.
So basically, it's notable that some applications are having difficulty with the first iteration of these new restrictions, but it's not surprising and I'm confident the issues will be resolved in time. Meanwhile, we've all survived without the App Store for a long time. I think these applications can survive. This is not the time for outrage.
http://techcrunch.com/2012/02/16/os-x-mountain-lion/ (scroll down to Gatekeeper)
Here's hoping that 10.9 doesn't disallow such installations at all (or void your warranty instead?).
So while you can abandon the App Store without penalty, you shouldn't stop paying Apple the $99 a year you need to do so to get the app signed, even if you aren't going to sandbox it or distribute it through the MAS. They just want the option of pulling a cert for a dev found to be distributing malware, not to personally review and reject every application that runs in OS X.