Linked by Thom Holwerda on Thu 3rd Nov 2011 22:54 UTC
Mac OS X
And so the iOS-ification of Mac OS X continues. Apple has just announced that all applications submitted to the Mac App Store have to use sandboxing by March 2012. While this has obvious security advantages, the concerns are numerous - especially since Apple's current sandboxing implementation and associated rules make a whole lot of applications impossible.
Thread beginning with comment 496020
Comment by frderi
by frderi on Sat 5th Nov 2011 13:47 UTC
frderi Member since:
2011-06-17


So if a given software runs amok, it should only run amok within the boundaries of what it's allowed to do. Am I correct ?


No. I'm not 100% acquainted on the technical details on the matter, but it's my understanding that there are several types of buffer overflows one can exploit to get root on a system, depending on the system and architecture. On Android/ARM for example, it remains entirely possible to wield a browser vulnerability to get malicious code shell access, after which it's relatively trivial to gain root and do all sorts of nasty stuff.


Fair point : there is a trade-off between general usage convenience and decentralization. A centralized system gives an unreasonable amount of power to the repository owner, but also means centralized knowledge about software availability.


My comments on Apple as a software vendor still apply. This isn't a big deal when there is no conflict of interest.



some websites which use ratings and reviews, like Amazon, have a way for users to say "this review is insightful" or "this review did not help", which in my experience works quite well. But I don't think Apple have this in their stores.


Last time I checked, they have a thumbs up-thumbs down style of rating for reviews.


Magazines still have their use though, as they can provide higher-quality reviews than other solutions for "big" software which doesn't change a lot in time such as office suites, image and video editors, CAD tools...


What I miss the most about those times were the in-depth editorials about things you wouldn't have thought of, the gems they hand picked for you. However, I still ended up dumping my magazine subscriptions after I got online because most of the information in them was so horribly out of date. Let's hope initiatives like NewsStand can bring back the great editorials of the past to a wider audience again.


A bit, sure, but a lot ?


It's not only the purchase process, but the whole setup of the thing. Before you say "But..." I'd like you to consider your joe sixpack neighbour which doesn't know a lot about computers, or your aunt Emma who just happens to have this sort of need. It's these small things that we techies take for granted that a lot of normal users find very intimidating and which hamper them from what they're set out to do.


What do you mean by that ? If I see a nice RSS reader on the Mac App Store, download it, run it, and it turns out that it's actually a basic program which displays a silly picture of a cat with subtext "you got owned !", what is the difference ?


The type of application you mention will never make it through the App Store's reviewal process, it will simply get rejected for "not working as advertized". Thus you will never find an application like that on the App Store. Which kind of proves the point for a curated market place. It's also the same kind of editorial you find in quality magazines or websites.


Current mobile OSs are an evil dictator's dream toy, is that really the future we want on every computer in the long run ?


I'm more of an optimist than you are, I don't see the future as Orwellian as you do. I'm just not a proponent of the "one OS for every device" like so many Android zealots seem to lust for. They think that for Android to win everyone else in the game needs to lose. I'm much more a proponent of a diversified platform approach. I know, developers are lazy and would prefer just to have to code for one platform, but I'm looking at it from a user perspective. And having used technology for over twenty years now I can attest that when one single platform dominates, it stifles innovation and the end user ends up being the culprit. The desktop PC space can testify for this.


For a flawed real-world analogy, I would understand that my favorite book shop does not have a book I like on its shelves, but if the owner refused taking orders of books she doesn't like, I'd find another book shop.


I don't know where you're at, but in my country I know a lot of shops that will simply refuse to take orders for rare stuff for various reasons… Shop owners decide what to carry and what they don't carry, and what they place in their front windows.


wasn't the point of these magazine apps to introduce on-device content that is updated from the web on the fly instead of going through this kind of bulky procedures ?


IMO NewsStand offers a much better approach for magazines.

Reply Score: 0

RE: Comment by frderi
by Neolander on Sat 5th Nov 2011 17:41 in reply to "Comment by frderi"
Neolander Member since:
2010-03-08

No. I'm not 100% acquainted on the technical details on the matter, but it's my understanding that there are several types of buffer overflows one can exploit to get root on a system, depending on the system and architecture. On Android/ARM for example, it remains entirely possible to wield a browser vulnerability to get malicious code shell access, after which it's relatively trivial to gain root and do all sorts of nasty stuff.

It is my understanding that in such a case, you actually need at least two vulnerabilities. One to make the web browser execute arbitrary code, and one to make this code break through the OS-level isolation of the web browser. The second vulnerability lies not in the web browser itself, but in system software which it relies on, system software that does itself run as root. But I am not a computer security expert either, so I guess we're stuck there.

"Fair point : there is a trade-off between general usage convenience and decentralization. A centralized system gives an unreasonable amount of power to the repository owner, but also means centralized knowledge about software availability."

My comments on Apple as a software vendor still apply. This isn't a big deal when there is no conflict of interest.

Just like having nuclear weapons around is not a big deal as long as no homicidal maniac gets his hands on one...

Last time I checked, they have a thumbs up-thumbs down style of rating for reviews.

Is it used frequently ? I may have missed it on Mac OS, as I've mostly dealt with the iOS app store.

What I miss the most about those times were the in-depth editorials about things you wouldn't have thought of, the gems they hand picked for you. However, I still ended up dumping my magazine subscriptions after I got online because most of the information in them was so horribly out of date. Let's hope initiatives like NewsStand can bring back the great editorials of the past to a wider audience again.

I don't think that online publishing will ever address the time it takes to write a good article. While everyday news can be reported in a day or two, good full-length articles can take weeks or even months to write. Which makes magazine-style publishing only suitable for stuff that has a slow publication rate ("big apps"), and can be well-grasped by monthly publications.

It's not only the purchase process, but the whole setup of the thing. Before you say "But..." I'd like you to consider your joe sixpack neighbour which doesn't know a lot about computers, or your aunt Emma who just happens to have this sort of need. It's these small things that we techies take for granted that a lot of normal users find very intimidating and which hamper them from what they're set out to do.

But... ;)

This is, as I said before, not about app stores but the standard packages they use.

The other day, I bought Osmos for Fedora Linux, which happens to use standard software packages. I clicked a link on the developer's website, ended up on a Paypal page, checked everything, entered a password, received download links for my OSs by mail, downloaded and opened the right file, clicked the "install" button, and that was it.

Let's examine each individual step :
-Finding the developer's website : Everyone knows how to use a search engine, some people even abuse this knowledge
-Clicking a link : Knowing this is a prerequisite of Internet usage
-Using paypal : Requires a small amount of training, but not more than using an application store
-Accessing an e-mail account : Like clicking a link, pretty much a prerequisite of modern web surfing
-Downloading a file and clicking an "install" button : Pretty much a prerequisite of internet usage.

So that leaves one "techie" task to our Joe sixpack : remembering which OS he runs. Frankly, acquiring such a limited amount of knowledge is like learning how to use an alarm clock : you bump on stuff once or twice, then you are able to do what you want.

The type of application you mention will never make it through the App Store's reviewal process, it will simply get rejected for "not working as advertized". Thus you will never find an application like that on the App Store. Which kind of proves the point for a curated market place.

This is a very rough review process that they have though. There are tons of applications on iOS which barely work at all, exhibit terrible performance or crashes, and still pass the App Store review process. Conversely, legit demos of commercial software, which allow users to try before buy, are not welcome on the App Store. And then there is this : http://www.destructoid.com/lugaru-shamelessly-resold-without-consen...

It's also the same kind of editorial you find in quality magazines or websites.

There are several important differences, though.

First, quality magazines and websites tend to focus on a small range of reviewed applications, and take a lot of care in reviewing them. While Apple employees just run new software for five minutes, check that it has no obvious flaw, and jump to the next one. They don't have the time to do more.

Second, if you discover that a website's review process is flawed (like, I don't know, they are paid by companies to write positive reviews of some software and negative reviews of others), you can just ditch that website and find another one of better quality. With Apple's system, if Apple's review process is flawed and ditches legit software (such as demos), there is no way you will ever get that software on your device through another means, except if you feel like letting suspicious jailbreak code drill through your device's software protections.

"Current mobile OSs are an evil dictator's dream toy, is that really the future we want on every computer in the long run ?"

I'm more of an optimist than you are, I don't see the future as Orwellian as you do. I'm just not a proponent of the "one OS for every device" like so many Android zealots seem to lust for. They think that for Android to win everyone else in the game needs to lose. I'm much more a proponent of a diversified platform approach. (...)

While I think I would be a proponent of a "one OS for every device" strategy, I believe that I do not put the same meaning in those words.

For me, "one OS for every device" means that manufacturers do not have to reinvent computer usability each time a new device comes out. Cell phones behave like tablets, which behave like laptops and desktops and any future gimmicks which we don't know yet. The way users interface with the device changes slightly, but the overall behavior is the same. So like on those funky WebOS demos that were around a while ago, I can receive a mail on my cellphone while I'm on my way home, then put the cellphone on a dock, take a tablet, and continue reading my mail in a more comfortable fashion. Then reply on the laptop. And everything keeps a consistent feeling.

I do not want one OS to rule the whole computer world, but I want OSs to broaden their hardware and software horizons a bit. To this end, computers with locked-down hardware and software should also disappear, or at least become a minority.

I don't know where you're at, but in my country I know a lot of shops that will simply refuse to take orders for rare stuff for various reasons… Shop owners decide what to carry and what they don't carry, and what they place in their front windows.

In France, most smaller book shops will let you order any book that they don't have in store, provided that it's in the standard publishing circuit.

Edited 2011-11-05 17:50 UTC

Reply Parent Score: 1

RE[2]: Comment by frderi
by frderi on Sat 5th Nov 2011 19:22 in reply to "RE: Comment by frderi"
frderi Member since:
2011-06-17

It is my understanding that in such a case, you actually need at least two vulnerabilities. One to make the web browser execute arbitrary code, and one to make this code break through the OS-level isolation of the web browser. The second vulnerability lies not in the web browser itself, but in system software which it relies on, system software that does itself run as root. But I am not a computer security expert either, so I guess we're stuck there.


The net result is the same, a compromised device.

Just like having nuclear weapons around is not a big deal as long as no homicidal maniac gets his hands on one...


I don't think the App Store has the capacity to nuke the planet. ;)


Is it used frequently ? I may have missed it on Mac OS, as I've mostly dealt with the iOS app store.


It's still early days for the Mac App Store. I also think it will get off the ground slower, because it's not an only way street like with iOS devices. I do think it'll gain popularity over time as new users flock in and discover it.


The other day, I bought Osmos for Fedora Linux, which happens to use standard software packages. I clicked a link on the developer's website, ended up on a Paypal page, checked everything, entered a password, received download links for my OSs by mail, downloaded and opened the right file, clicked the "install" button, and that was it.


I don't see Aunt Emma installing Osmos on her Linux box in the foreseeable future though. ;)


Let's examine each individual step and find out what can go wrong with our friend Joe Sixpack when he wants to purchase an app online :
-Finding the developer's website : He ends up on a phishing site, which looks vaguely similar to the original one. Because he isn't as bright as we are he doesn't notice the difference.
-Using paypal : The site states it only supports credit cards, which requires him to enter his card details, which obviously get stolen
-Downloading a file and clicking an "install" button : The installation installs a trojan, which infects his system with a keylogger after which it phones home to a remote C&C center to take on jobs in relaying email messages for spam and scam attempts.

I know I'm being overly sarcastic here, but you wouldn't believe the amount of questions I get on a regular basis from my customers if it's "safe" to buy from a certain website. And even on trusted sites like Ebay, there are still scams going on. As a techie, I know where to look, like checking the WHOIS database of a site, examining security certificates and googling for info about said site, but a lot of users don't know how to do this. At least now I can say "buy from the App Store and you'll be okay".


The type of application you mention will never make it through the App Store's reviewal process, it will simply get rejected for "not working as advertized". Thus you will never find an application like that on the App Store. Which kind of proves the point for a curated market place.
This is a very rough review process that they have though. There are tons of applications on iOS which barely work at all, exhibit terrible performance or crashes, and still pass the App Store review process.


Really? I never came across a software on the App Store which didn't work as advertized. Granted, I haven't tried all of them, I'm not that rich. ;)


Conversely, legit demos of commercial software, which allow users to try before buy, are not welcome on the App Store.


Sure they are. Gameloft, for example, publishes both free demos and paid versions of their games.



Apple had this app pulled fairly quickly though.


First, quality magazines and websites tend to focus on a small range of reviewed applications, and take a lot of care in reviewing them. While Apple employees just run new software for five minutes, check that it has no obvious flaw, and jump to the next one. They don't have the time to do more.

Second, if you discover that a website's review process is flawed (like, I don't know, they are paid by companies to write positive reviews of some software and negative reviews of others), you can just ditch that website and find another one of better quality. With Apple's system, if Apple's review process is flawed and ditches legit software (such as demos), there is no way you will ever get that software on your device through another means, except if you feel like letting suspicious jailbreak code drill through your device's software protections.


I'm not saying there isn't headroom for improvement in Apple's reviewal process. The people who do it are mortals like you and me. However, especially for smartphones, I think it's a good move to make, because of the added dangers of smartphones when compared to PCs.


I do not want one OS to rule the whole computer world, but I want OSs to broaden their hardware and software horizons a bit. To this end, computers with locked-down hardware and software should also disappear, or at least become a minority.


I don't share your view. Microsoft tried this approach (Windows Everywhere) to the smartphone and tablet market. It never became a success. It took a new way of doing things (iOS) which reinvented the basic concepts on how to deal with apps on a UI level for such a product to become usable. Other devices require other ways of doing things in order to be truly useful for the masses. If they don't succeed in this, they primarily end up being geek toys.


In France, most smaller book shops will let you order any book that they don't have in store, provided that it's in the standard publishing circuit.


The publishing circuit in itself is also already a reviewing process.

Reply Parent Score: 1