Apple’s getting a lot of press this week about their forthcoming 10.8 “Mountain Lion” update to Mac OS X. One of its key features will be a security feature called “Gatekeeper” that will allow users to avoid launching apps from developers who are not registered with Apple. If you are not already familiar with Gatekeeper, read Steven Frank’s writeup to get up to speed. You should also check out Wil Shipley’s post from this past November, where he argued for something very much like Gatekeeper.
I am excited about Gatekeeper not only because it will improve security on the Mac but because of how it will achieve this goal. Apple, as the authority in the OS X environment, will convey information to Mac users about who developed a particular application, empowering them to protect themselves. Compare this to the status quo of the App Store, where security is completely out of users’ hands, and Apple uses its discretion to protect users from software it judges unfit for consumption.
Who vs. What
Simply establishing the identities of software developers is a major step for increasing security, because bad actors can either be immediately shut down, or at least prevented from further propagating on the platform. If “Hawt Dawg Industries” is discovered to be a malware developer, Apple can flip a switch and any user who trusts Apple’s opinion about such things can automatically prevent their Macs from trusting software from that vendor.
If somebody knocks on your door in the middle of the night, the first thing you’re liable to ask is “Who are you?” That’s Gatekeeper. Sometimes, the “who” is all the information you need. But if there’s any doubt, the next bit of information you’ll pry for is “What do you want?” That’s the sandbox. At least, it’s what the sandbox will be, after Apple fixes it.
The Broken Sandbox
At its best sandboxing is a means for app developers to faithfully state their intentions in a manner that can be evaluated by users, and also be reliably enforced by the operating system. So if your new “Fun on Facebook” app declares its intention is to connect to the web, you might judiciously allow it. If it says it needs to write files to the root of the filesystem, you’d be wise to search for another app.
Sandboxing on the Mac works by providing developers with a standardized list of “entitlements” which are clear descriptions of things it would like to do on your Mac. Examples include: access the internet, read files from your Pictures folder, print things on your printer.
The number one broken thing about sandboxing as it stands today, is the list of entitlements is simply too limited. Many apps on the App Store, including my own, will need to have their functionality considerably diminished, or in some cases made outright useless, in order to accommodate the available list of entitlements that sandboxing offers.
To stretch the stranger-at-your-door metaphor a little further, imagine the visitor is your trusted plumber, who’s come to fix a leaking pipe. In response to “What do you want?” he’s a bit tongue-tied. There’s no “entitlement” for fixing pipes, so he’s forced to say “I’m here for a chat.” When you reluctantly let him in the door he informs you that actually, due to recent legal changes, he’s no longer allowed to fix your pipes.
The impending state of the Mac App Store is very much like this. A great number of apps provide useful services to grateful customers, but as those services don’t fit the mould of Apple’s sandboxing entitlements, they will be effectively barred from the store within a few weeks. If you want to hire somebody to “fix the leaky pipe,” you’ll have to look outside the store, where apps are not sandboxed at all, and where Apple is in no position to improve users’ knowledge about the “what” of an app.
Gatekeeper is extremely simple, yet is likely to be extremely effective. Some exasperated developers who have been frustrated by the sandbox limitations are hopeful that all this attention on Gatekeeper might indicate a change of heart on Apple’s part. Will they see the error of their ways and ditch sandboxing in favor of Gatekeeper’s elegance?
One problem with this approach is that Apple would appear as though it had stumbled in its strategy. It spent the greater part of a year selling the idea of sandboxing and all of its merits, then two weeks before its grand debut, jumps ship for a completely different approach? Smooth move, Apple.
But a more important problem is that abandoning sandboxing would mean the significant engineering investment, both by Apple and by developers who have refactored their apps to satisfy sandboxing requirements, would have been a waste. There is such great value in sandboxing technology, we just need to finish the job of mining it out.
What should Apple do about all this? Gatekeeper and the Mac App Sandbox are both technologies that stand to improve security on the Mac by labeling apps with useful information about their developers and their functionality. The extent to which security is improved is very much tied to how widely adopted these technologies are. If the vast majority of developers agree to sign their apps with Gatekeeper certificates, then the vast majority of users will leave the Gatekeeper “safe” mode enabled.
Embrace, Expand, and Empower
Apple should embrace the utility of sandboxing by shifting their focus away from sandboxing only Mac App Store titles, to a strategy that would sandbox virtually every Mac app, inside the store or out. Given the current limitations of sandboxing, a significant number of developers will not adopt the technology, so its usefulness to users and to the security of the platform will be diminished. Apple can turn that around so that sandboxing is a worthy counterpart to Gatekeeper, and a technology that any developer in his or her right mind would feel foolish not to incorporate.
To increase adoption, Apple should expand the current list of entitlements until it covers every reasonable behavior that users expect from Mac apps. A good test for this is any app that is currently available in the Mac App Store. Having been approved by Apple’s own reviewers, and purchased by Apple’s own customers, the merit of these apps should be considered implicit. If a Mac App Store app’s reasonable behavior cannot be achieved in the confines of the sandbox, it should be considered a sandboxing bug, and a new entitlement should be added.
Finally, Apple should take a cue from its own Gatekeeper approach. By incorporating sandbox information about apps into the forthcoming app security preference pane, they will empower users to understand application intentions. Along with the proposed options controlling the “who” of apps, users would be given reasonable defaults pertaining to the “what” of apps. For power users, these settings would be configurable on an entitlement-by-entitlement basis. The sheer transparency will be yet another motivation for developers to adopt sandbox, and for users to demand sandboxing from their developers.
Imagine a future where the majority of Mac apps are signed with Gatekeeper certificates, and an accurate list of entitlements. Users will be protected by smart default settings, and by the knowledge of who their apps come from, as well as what they intend to do. Developers will be protected from their own unintentionally destructive mistakes, and from impostors selling software purported to be authentic. And Apple? Apple will be remembered as the huge, clever computer company that solved the software security problem on two fronts, without pissing off developers or customers. Much.
(This piece was inspired by a lunchtime chat with my friend Paul Kafasis. Thanks, Paul!)