Apple to Require Sandboxing in Mac App Store Apps As of March 2012

November 02, 2011

Apple sent an email to registered developers today telling us that sandboxing will be required for all applications in the Mac App Store as of March next year.

Sandboxing basically requires you to engineer your application to live in isolation and only access anything outside of what you are given via entitlements. Some temporary entitlements will be granted for a limited time to aid in the transition.

For some kinds of apps this is a no-brainer. But for anything that uses Applescript to tie application together or do automation it's a killer. Utilities are likely to be unable to perform their duties as access to the file system is very limited. Anything that cleverly changes the UI for example is toast.

Of course you don't have to use the Mac App Store although it's pretty easy to use. Unless Apple is intent on forcing all application developers to Sandbox (no clue how that would work) it seems likely to simply force most developers to avoid the App Store entirely.

Of course the reason for Sandboxing is to limit the damage any one app (especially a trojan or compromised one) can do. This is the iOS model in effect translated to OSX.

What bothers me (and apparently a fairly large number of others) is that we are entirely dependent on what Apple deems an entitlement and how it is implemented. The intent is nice, to provide security, but at the expense of allowing the user by choice to control their environment. If I want an application launcher other than the (execrable) LaunchPad I may be unable to do so (I think it might still be possible for now), or maybe I want a utility to control iTunes from the outside, or automate a number of applications via a control application - with Sandboxing these types of applications may no longer be available. Of course that will drive me to third-party download sites and app stores where Sandboxing is not necessary, which of course will concentrate all the bad guys there. The App Store might wind up where you go to get Apple products and little else.

The end result might be where my OSX computer becomes more like a mainframe, where I have little control of how it works other than how Apple wants me to use it. Of course thats the iPad/iPhone world. But those are not where I live every day. I write software and I wonder if tools will be as restricted as everything else, meaning I have to go through hoops and pain to do anything but plain Xcode coding.

Count me as unsure how great an idea this is. I wonder if any of this will affect the command line for example. Even worse I wonder if Apple as the next step will lockdown everyone's applications no matter where they came from.

Next thing you know you will have to visit a TSA checkpoint before touching your computer. OK maybe not that far but this strange controlled world isn't going to be much fun.