Linked by Thom Holwerda on Thu 3rd Nov 2011 22:54 UTC
Mac OS X And so the iOS-ification of Mac OS X continues. Apple has just announced that all applications submitted to the Mac App Store have to use sandboxing by March 2012. While this has obvious security advantages, the concerns are numerous - especially since Apple's current sandboxing implementation and associated rules make a whole lot of applications impossible.
RE[2]: Comment by frderi
by frderi on Sat 5th Nov 2011 19:22 UTC in reply to "RE: Comment by frderi"

It is my understanding that in such a case, you actually need at least two vulnerabilities. One to make the web browser execute arbitrary code, and one to make this code break through the OS-level isolation of the web browser. The second vulnerability lies not in the web browser itself, but in system software which it relies on, system software that does itself run as root. But I am not a computer security expert either, so I guess we're stuck there.

The net result is the same, a compromised device.

Just like having nuclear weapons around is not a big deal as long as no homicidal maniac gets his hands on one...

I don't think the App Store has the capacity to nuke the planet. ;)

Is it used frequently? I may have missed it on Mac OS, as I've mostly dealt with the iOS app store.

It's still early days for the Mac App Store. I also think it will get off the ground slower, because it's not an only way street like with iOS devices. I do think it'll gain popularity over time as new users flock in and discover it.

The other day, I bought Osmos for Fedora Linux, which happens to use standard software packages. I clicked a link on the developer's website, ended up on a Paypal page, checked everything, entered a password, received download links for my OSs by mail, downloaded and opened the right file, clicked the "install" button, and that was it.

I don't see Aunt Emma installing Osmos on her Linux box in the foreseeable future though. ;)

Let's examine each individual step and find out what can go wrong with our friend Joe Sixpack when he wants to purchase an app online:
- Finding the developer's website: He ends up on a phishing site, which looks vaguely similar to the original one. Because he isn't as bright as we are, he doesn't notice the difference.
- Using PayPal: The site states it only supports credit cards, which requires him to enter his card details, which obviously get stolen.
- Downloading a file and clicking an "install" button: The installation installs a trojan, which infects his system with a keylogger after which it phones home to a remote C&C center to take on jobs in relaying email messages for spam and scam attempts.

I know I'm being overly sarcastic here, but you wouldn't believe the amount of questions I get on a regular basis from my customers if it's "safe" to buy from a certain website. And even on trusted sites like eBay, there are still scams going on. As a techie, I know where to look, like checking the WHOIS database of a site, examining security certificates and googling for info about said site, but a lot of users don't know how to do this. At least now I can say "buy from the App Store and you'll be okay".

The type of application you mention will never make it through the App Store's reviewal process, it will simply get rejected for "not working as advertised". Thus you will never find an application like that on the App Store. Which kind of proves the point for a curated market place.
This is a very rough review process that they have though. There are tons of applications on iOS which barely work at all, exhibit terrible performance or crashes, and still pass the App Store review process.

Really? I never came across a software on the App Store which didn't work as advertised. Granted, I haven't tried all of them, I'm not that rich. ;)

Conversely, legit demos of commercial software, which allow users to try before buy, are not welcome on the App Store.

Sure they are. Gameloft, for example, publishes both free demos and paid versions of their games.

Apple had this app pulled fairly quickly though.

First, quality magazines and websites tend to focus on a small range of reviewed applications, and take a lot of care in reviewing them. While Apple employees just run new software for five minutes, check that it has no obvious flaw, and jump to the next one. They don't have the time to do more.

Second, if you discover that a website's review process is flawed (like, I don't know, they are paid by companies to write positive reviews of some software and negative reviews of others), you can just ditch that website and find another one of better quality. With Apple's system, if Apple's review process is flawed and ditches legit software (such as demos), there is no way you will ever get that software on your device through another means, except if you feel like letting suspicious jailbreak code drill through your device's software protections.

I'm not saying there isn't headroom for improvement in Apple's reviewal process. The people who do it are mortals like you and me. However, especially for smartphones, I think it's a good move to make, because of the added dangers of smartphones when compared to PCs.

I do not want one OS to rule the whole computer world, but I want OSs to broaden their hardware and software horizons a bit. To this end, computers with locked-down hardware and software should also disappear, or at least become a minority.

I don't share your view. Microsoft tried this approach (Windows Everywhere) to the smartphone and tablet market. It never became a success. It took a new way of doing things (iOS) which reinvented the basic concepts on how to deal with apps on a UI level for such a product to become usable. Other devices require other ways of doing things in order to be truly useful for the masses. If they don't succeed in this, they primarily end up being geek toys.

In France, most smaller book shops will let you order any book that they don't have in store, provided that it's in the standard publishing circuit.

The publishing circuit in itself is also already a reviewing process.
