macOS third-party applications were not sandboxed before the introduction of iOS. They could freely access system files and resources. But then iOS came along in 2007 with sandboxing required for applications right from the start. After App Sandbox launched on the Mac in 2011, it became standard for any third-party app on the Mac App Store.
Not all third-party apps are sandboxed, which can pose a significant security risk for macOS users. So here’s a quick overview of what sandboxing is, why it’s crucial for security, and how to manually run apps in a sandbox on Mac.
What is Sandboxing?
The term “sandbox” is what it sounds like — keeping apps separate by giving each its own sandbox area to cavort around in. A sandbox area is a directory that an app uses to store information. It can access some data necessary to function but needs to request access to data or system resources that are not located inside the box.
This approach is based on the idea of least privilege. Sandboxing allows apps access only to the data and resources that they need to function. For example, a basic note-taking app doesn’t require access to contacts, email, or even the internet. It depends on the app and what the user wants to do with it, of course.
Developers create sandboxed apps by declaring specific permissions through App Sandbox entitlements. But that’s not really important here since this is about apps that don’t come pre-sandboxed. Luckily, macOS also lets users create a sandbox for apps through sandboxing commands — more on that in a bit.
The macOS sandbox can optionally be adopted by applications you download online, but is mandatory for any application you download from the Mac App Store. This is just one reason why the Mac App Store doesn’t have all the applications you want.
Why is Sandboxing Important for Security?
People consider sandboxing an app when they:
- Download apps that they can’t trust or whose developers aren’t verified.
- Visit websites that potentially could be malicious and contain malware, drive-by downloads, or malvertising.
Sandboxing doesn’t eliminate the potential for apps or websites to do harm, but it minimizes the damage an app can do. By cutting down on what the app can do and see, users have more control over what the app could exploit. It works not only with malicious apps but also applications with vulnerabilities that outside actors could potentially exploit.
The security benefits are obvious. Restricting access limits the amount of damage an app can do to the system as well as how much information it can steal. But keep in mind that sandboxed apps tend to be slower and have less functionality than non-sandboxed apps. This is why many developers offer a watered-down sandboxed version of their app on the Mac App Store and a full release on their websites.
Moreover, sandboxing apps doesn’t protect against every potential threat they represent. It doesn’t necessarily add to the user’s privacy, either. While sandboxing is essential for security, users still need to use other security tools as well.
Take privacy, for example. Sandboxing does nothing to make a browsing session more private. As anyone who has ever Googled “what is my IP” knows, that’s not something that you can hide by limiting app permissions. So using a VPN is still necessary. The same goes for antivirus software — sandboxing doesn’t eliminate malware; it only inhibits the damage it can do.
How to Run Mac Apps in a Sandbox
Now it’s down to the most crucial part — setting up an app in a sandbox. Keep in mind that this is a process of trial and error. There are some things that every app needs to function, and they aren’t always obvious from the start.
Now how does one actually do it? Sandboxing an app was introduced with the Leopard version of Mac OS X. You can do it in one of two ways:
- By editing the source code of an app
- By executing the “sandbox-exec” command when you don’t have access to the source code.
Most users prefer using the sandbox-exec command, so here’s a short overview of how that process works:
- Select a predetermined profile or, more likely, create a custom sandbox configuration file. There are some custom profiles under “/usr/share/sandbox” that you can use as examples.
- You can use several operations, filters, and modifiers to write different profiles, most of which are described in Apple’s Sandbox Guide (PDF).
- Choose the appropriate operations, filters, and modifiers to restrict the functions of an app.
- Execute the sandbox-exec command.
You will need to create a separate script for every app that you want to sandbox on your Mac. There are a couple of resources out there for those that wish to sandbox their apps on Mac and need some help. Paolo Fabio Zaino has a good step by step breakdown in his blog post, How to run your Applications in a Mac OS X sandbox to enhance security.
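The procedure above, as an added example that is not from the post or from the blog it links to: a script that writes a deny-by-default sandbox-exec profile for a hypothetical app bundle (ExampleApp and the data directory are assumptions), runs the app under it, and turns the denial lines the sandbox logs into candidate allow rules for the next round of trial and error.

```shell
#!/bin/sh
# Added example: deny-by-default sandbox-exec profile plus a helper for iterating on it.
# ExampleApp, the data directory and the profile path are assumptions, not from the post.
set -eu

# Print an SBPL profile: start from (deny default) and allow only what the app needs.
# $1 = app bundle path, $2 = directory the app may read and write.
write_profile() {
  app="$1"; data="$2"
  cat <<EOF
(version 1)
(deny default)                       ; anything not allowed below is denied and logged
(allow process-exec (subpath "${app}"))
(allow process-fork)
(allow file-read* (subpath "${app}"))
(allow file-read* (subpath "/System") (subpath "/usr/lib") (subpath "/usr/share")
                  (subpath "/Library/Frameworks") (subpath "/private/var/db/dyld"))
(allow file-read-metadata)           ; stat() on paths; needed by dyld and path lookups
(allow file-read* file-write* (subpath "${data}"))
(allow sysctl-read)
(deny network*)                      ; already covered by deny default; documents intent
;; GUI apps also need (allow mach-lookup (global-name "...")) entries; the denial log shows which.
EOF
}

# Convert logged denials of the form
#   Sandbox: ExampleApp(1234) deny(1) file-read-data /some/path
# (read from stdin) into candidate allow rules to review before adding them to the profile.
denials_to_rules() {
  grep 'deny(' | awk '{ op=$4; target=$5;
    if (target == "")            printf "(allow %s)\n", op;
    else if (op ~ /^mach-lookup/) printf "(allow %s (global-name \"%s\"))\n", op, target;
    else                          printf "(allow %s (literal \"%s\"))\n", op, target }' | sort -u
}

# Run the app under the profile (macOS only). Denials go to the unified log; a starting
# point for watching them is: log stream --predicate 'eventMessage CONTAINS "Sandbox:"'
run_sandboxed() {
  app="$1"; data="$2"; profile="$3"
  mkdir -p "$data"
  write_profile "$app" "$data" > "$profile"
  sandbox-exec -f "$profile" "$app/Contents/MacOS/$(basename "$app" .app)"
}
```

Each rule that denials_to_rules proposes should be judged before it is added: a denied read of a single preferences file is usually fine to allow with `literal`, while a denied `network-outbound` is exactly what the profile is there to stop.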
In a Nutshell
Sandboxing an app isn’t a simple process and will take time to master, as it’s a case by case process for each app. But it is worth the effort to ensure security on Mac devices that have third-party apps installed. The risk of malware or exploitable vulnerabilities in third-party apps is too significant to ignore.
Introduced in 2007 and required by 2012, sandboxing is a tool used by macOS to limit the damage that a hijacked app can do. Apple says, “While App Sandbox doesn’t prevent attacks against your app, it does minimize the harm a successful one can cause.” macOS app sandboxing protects users by limiting how much trouble an application can cause.
What is macOS App Sandboxing?
Each app gets its own area to play in: a “sandbox.” If the application wants to reach outside its sandbox, it needs to ask the operating system for permission. Depending on the sandbox settings, the OS will either deny or approve the application’s request while providing the least specific information possible to complete the request.
Think of a car. The driver is protected by multiple safety features like anti-lock brakes, air bags, crumple zones, and more. In 2007, the time of App Sandboxing’s introduction, no analogous computer systems existed. As the introductory presentation asked, where were the seat belts for computers? Sandboxing protects users like cars protect their drivers: meeting failures with damage-reduction systems. Whether caused by malicious activity or coding errors, damage goes down.
Because sandboxing limits what apps can do, it can restrict developer freedom. Sandboxed apps run more slowly and take longer to develop. Given the Mac’s enormous capability, sandbox limits can have a huge impact on the compatibility of various apps. As a result, power users are often driven to choose apps that run outside the sandbox, for either performance or feature reasons.
How Does App Sandboxing Work?
Sandboxing is based on the principle of least privilege. In short, systems can do what they need to do but no more. By limiting each part of a system to completing only its declared goal, you reduce the chance of your app being hijacked. For example, there’s no reason for a flashlight app to have access to your contacts list.
Apps can reach outside their sandbox but only with operating system permission. Take the “Save and Open” dialog box in macOS. The app, inside its sandbox, cannot directly access filesystem resources on your hard drive. It cannot, for example, draw an open panel at “~/Documents.” Instead, the app must go through the Powerbox API, using the NSOpenPanel and NSSavePanel classes, which present the panel on the app’s behalf.
The application cannot see what’s happening inside Powerbox directly. Only the opened or saved file will be accessible to the app. This way the apps can perform critical functions without unnecessary risk.
That functionality is enabled by an entitlement (specifically com.apple.security.files.user-selected.read-write). App developers set entitlements which declare what an app does. Based on the declared entitlements, the operating system permits the application an appropriately-limited level of functionality.
This thought process underlies the entirety of the app sandboxing model and mechanism: apps must declare intention and ask permission from an OS-level boss to accomplish anything dangerous.
Sandboxed Apps vs. Non-Sandboxed Apps
Since June 1st, 2012, all third-party applications distributed through the Mac App Store must be sandboxed. While sandboxing does permit a large range of app functionality, you’ll find that Mac App Store apps are often more limited than their non-sandboxed counterparts. Some developers even maintain two versions: a fully-featured app for direct download and a gimped version for the Mac App Store. Thanks to the greater complexity of sandbox development, adding new functionality to an application is more difficult – if that functionality is even permitted by the OS, that is.
Sandboxed apps do get the benefit of Mac App Store distribution. However, we’ve never wished an app had been in the Mac App Store. That’s more of a curse, perhaps.
Sandboxing can also be extended with security permissions. While an app cannot turn on Accessibility permissions for itself, it can ask the user to do so. Because the app is blocked off from configuring that setting, you could consider Accessibility permissions as outside the app’s sandbox.
To see which of your apps are sandboxed, open Activity Monitor. Then, right-click the column titles to add “Sandbox” to the window.
There are some apps that can simply never exist in a sandbox. In fact, a variety of valuable use cases are prevented by sandboxing. Sandboxing prevents inter-application communication, observation, or modification, significantly limiting how applications can interact. System-wide shortcuts like TextExpander are totally prohibited, since that level of functionality cannot be permitted by the sandbox.
Is Sandboxing a Good Thing?
While promising, macOS app sandboxing wasn’t executed well. It limited the unique selling points of Mac apps, like speed and enhanced functionality. Apps running outside the sandbox are almost always more capable and faster. From this power user’s perspective, my most-used apps are non-sandboxed. Apps like TextExpander, SnagIt, and TotalFinder are all crucial to my daily work. To avoid similar widespread avoidance, future security systems need flexibility and power balanced with transparency.