Sandboxing Apps?


SLotman(Posted 2011) [#1]
I just received this from Apple:


Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users' systems.

As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing. Enabling the default sandbox environment is as simple as checking the Enable Entitlements checkbox in Xcode target settings, allowing you to begin sandboxing your app.



Exactly how can I do this on Max?

I have no clue, but I also don't want to lose the games I have on the mac app store... and I didn't even upgrade to Lion :(


Spot-Nothing(Posted 2011) [#2]
That's something I'd be very interested to know more about in combination with BlitzMax, too. Just to be prepared for upcoming submissions.


ima747(Posted 2011) [#3]
I haven't gotten into this yet, but it's definitely on my radar. It *should* be as simple as creating an entitlements file and including it in the signing process (see http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/codesign.1.html and search for the "--entitlements" arg). Beyond that you just have to make sure that you're following the sandboxing restrictions, such as accessing your prefs file in the right location (if you're using a module to find OS default locations and it actually does *find* the locations, rather than just use an internal record of the path, or if its internal path is sandbox compliant (I think...)) then it should be OK...

My process to approach this when I have the time will be:
a) go over my source and see what paths I access and how. Dig into any modules I may be using to confirm that they're using sandbox approved methods for getting paths.
b) sort out the entitlements issue. Should be easy for me, I don't think I require any entitlements. I use the internet a little but it's easier to just cut that bit of code out since it's for app updates and the App Store does that for me so I'll put in a conditional compile for app store builds.
c) Go over the sandboxing documentation and see if there's anything specific I may have missed, such as you're no longer allowed to do ??? and even though I didn't think I was a module may be doing that in the background...
d) Check logs. If something is sandboxed and you do something it's not allowed to it's supposed to log it on the console...
e) Submit to apple and see what happens... if they reject it they should give a ballpark reason, such as my entitlements are FUBAR, etc.
f) cross fingers I didn't miss something... I would assume apple will notify violators that their apps are going to get punted prior to the sandbox becoming mandatory, but we'll see.
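A concrete version of steps (b) and (d) above, added here as an example and not taken from this thread or from any of the posters: a script that writes a minimal App Sandbox entitlements file, signs a bundle with it via codesign --entitlements, and then reads the entitlements back out of the signature to confirm the sandbox key really made it in. The bundle path and the signing identity (assumed to be a "3rd Party Mac Developer Application" certificate name) are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: sign_and_verify
# receives a built .app path and a signing identity name as arguments.
set -eu

# Write an entitlements plist that enables the sandbox and nothing else.
# Further com.apple.security.* keys are added only for capabilities the
# game actually uses.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
EOF
}

# Return 0 only if the plist (our file, or a codesign dump) enables the
# sandbox: the app-sandbox key must be immediately followed by <true/>.
# Whitespace is stripped first so formatting differences do not matter.
sandbox_enabled() {
    tr -d ' \t\n' < "$1" |
        grep -q '<key>com.apple.security.app-sandbox</key><true/>'
}

# Sign the bundle with the entitlements, then dump the entitlements that
# are embedded in the resulting signature and check them. codesign only
# exists on macOS, so the function reports that and returns 2 elsewhere.
sign_and_verify() {
    app="$1"; identity="$2"; ent="$3"
    command -v codesign >/dev/null 2>&1 || {
        echo "codesign not available on this system"; return 2; }
    codesign --force --sign "$identity" --entitlements "$ent" "$app"
    # ":-" makes codesign print the raw entitlements plist to stdout
    codesign --display --entitlements :- "$app" > "$ent.signed"
    sandbox_enabled "$ent.signed"
}
```

Typical use on a Mac is `write_entitlements Game.entitlements && sign_and_verify Game.app "3rd Party Mac Developer Application: Your Name" Game.entitlements`; a non-zero exit means the signed bundle is not sandboxed.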


SLotman(Posted 2011) [#4]
Found some more info in here: http://forums.realsoftware.com/viewtopic.php?f=7&t=39840

Better yet: http://forums.realsoftware.com/viewtopic.php?f=7&t=40861

Also, all possible keys to an Entitlements file: http://developer.apple.com/library/mac/#documentation/Miscellaneous/Reference/EntitlementKeyReference/EnablingAppSandbox/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW1

Still not very clear on how to create the entitlements file... I made one just like on the first link, but the thing is that I save data into "~/Application Support/Icon Games/<Game Name>" and I have no clue if everything will keep working with that entitlements thing :/


Edit: This might be of some use too... http://forums.realsoftware.com/viewtopic.php?p=227121#p227121
Last edited 2011


ima747(Posted 2011) [#5]
To my understanding sandboxing will limit the application to its own bundle, including dynamic data such as you may be sticking in an application's support folder. Check the official apple docs regarding sandboxing and what is allowed and changed for clarification.


*(Posted 2011) [#6]
apparently Apple are having problems with the sandboxing, something about calling launchd which can then call parts of OSX that are 'outside' the sandbox allowing access to everything. Apple's response to this is quite simple, not much but they haven't fixed it. They haven't replied favourably to it even though it's been proven so the sandboxing idea isn't 100% secure.


DrDeath(Posted 2011) [#7]
apparently Apple are having problems with the sandboxing, something about calling launchd which can then call parts of OSX that are 'outside' the sandbox allowing access to everything.

I can't find that article for the hell of it at the moment, but one savvy developer described that there seem to be still quite a few changes in Mac OS X necessary until sandboxing is really as secure as Apple wants it to be. iOS has been developed with the idea of sandboxing from the ground up. Mac OS X - not so much...

That's the reason why the original deadline for the requirement of sandboxing apps for the MAS has been pushed back from November 1, 2011 to March 1, 2012. I wouldn't be surprised if they push back that deadline even further or even drop the requirement completely until OS X 10.8 or whatever with full sandboxing support is out.


ima747(Posted 2011) [#8]
I see 2 problems. 1 Is that sandboxing currently isn't as secure as it needs to be to make sense. And the other is that we have to comply with the rules by a deadline. They can make us comply without closing the holes, and they can close the holes without making us comply... I'm not expecting to see the sandboxing requirement get shifted, though I would REALLY like it to get dropped. I think they could easily just show some sort of a warning saying "This app is not protected, are you sure you would like to purchase it?" when buying non-sandboxed apps off the store without it being too detrimental with their goal of making app purchasing smooth and easy for everyone. That way power apps could still exist there, but people would be wary of downloading them. Most people would sandbox because it would mean people would be more likely to buy, but apps that can't be sandboxed, or if the dev just doesn't have the time, could still be sold with the known risk passed to the user... The flip side I suppose is that sandboxing does far less to protect the system until every app is compliant...

In the end we have to just go for their goals and deadlines. Doesn't mean we have to like it, but if we want juicy app store sales we have to play by the rules... there's always more traditional distribution methods if you prefer...


*(Posted 2011) [#9]
have a look at:
http://arstechnica.com/apple/news/2011/11/researchers-discover-mac-os-x-has-its-own-sandbox-security-hole.ars


SLotman(Posted 2011) [#10]
Well, I don't care if it has 'security holes' or not - It will be mandatory for any app in the Mac App Store in March 2012 :/

Thing is, I just submitted an App to the Store, and it got rejected exactly due to a wrong entitlements file. Apparently it didn't like this:

com.apple.security.documents.user-selected.read-write


So later I'm going to remove this and try submitting the binary again... :(

Edit: apparently it went through... but no guarantees it will work :P~

Last edited 2011


DrDeath(Posted 2011) [#11]
That's exactly what I'm talking about.


DrDeath(Posted 2011) [#12]
I just noticed that there is an app on the MAS called RB Package Maker for handling sandboxing and code signing. It touts to be for RealBasic apps but from the description I see no reason why it should only work for those (it apparently uses the already compiled binaries).

I can't test this for myself, since I have not access to XCode 4 (which is required), but I just wanted to point that out.


ima747(Posted 2011) [#13]
Very interesting... there's no technical reason why it shouldn't work for max, or any app for that matter... if anyone bites the bullet and tries it please report back here. $13 is worth it to me if it works even though I was already working on my own :0)


Cobra Blade(Posted 2013) [#14]
You could give AppPrep a try since they even offer a free demo on their site.
It's also cheaper.
http://www.pidog.com/

Haven't tried it for sandboxing yet, but I did use an earlier version to sign my BlitzMax game Powerslam and it all went well.


Captain Wicker (crazy hillbilly)(Posted 2013) [#15]
Thanks, CB. Apple have rejected several of my exclusive Mac Apps due to them lacking sandboxing support. AppPrep should help some of my Apps see the light of day as soon as I renew my Developer membership! lol