And so the iOS-ification of Mac OS X continues. Apple has just announced that all applications submitted to the Mac App Store have to use sandboxing by March 2012. While this has obvious security advantages, the concerns are numerous – especially since Apple’s current sandboxing implementation and the associated rules make a whole lot of applications impossible.
Apple announced the deadline on its developer website. “As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing,” Apple writes, “Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users’ systems.”
The advantages are obvious: a sandboxed application cannot wreak havoc on the system, and thus the user has far less chance of damaging his or her system through a misbehaving or malicious application. The gist is that a sandboxed Mac OS X application can only access the data in its own application bundle (like on iOS), and that in order for the application to do anything beyond that, it has to receive special and explicit permission from Apple, dubbed an entitlement.
Software developer Pauli Olavi Ojala is very concerned about this. He lists all the entitlements, and it’s a short list – and for each of these, you must receive permission from Apple. You have to actually make your case to do the things listed in the entitlements, and if the App Store reviewer disagrees with you, you’re out of luck. And for anything not listed in the entitlements?
“Need to access hardware using something else than USB, for example Thunderbolt, FireWire or Bluetooth? Tough luck (just because these interfaces are on your Mac doesn’t mean Apple wants anyone to use them via 3rd party software),” Ojala writes, “Need to communicate with processes that your app didn’t directly start, or perhaps take screenshots? Not going to happen. Maybe you’d like to read and write files in a known location on a network disk? Not possible, unless you pop up the Open/Save dialog for every file.”
Another problem is plugins. Many applications, especially professional applications like Aperture, Photoshop and Final Cut Pro, use plugins. In the sandboxed world, plugins are impossible, since applications can’t even see them, let alone execute them. AppleScript is in a similar position.
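To make the entitlement model concrete, here is an added example of an App Sandbox entitlements file (not from the article or from Ojala’s post). The keys are Apple’s documented App Sandbox entitlement names; which ones a given app is granted is up to the reviewer, as the article explains.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Turns the App Sandbox on. With only this key present, the app is
         confined to its own container: no user files outside it, no
         network, no hardware devices. -->
    <key>com.apple.security.app-sandbox</key>
    <true/>

    <!-- Every further key is a capability the developer must justify to
         the reviewer. Files outside the container only via the Open/Save
         panel the user goes through for each file: -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>

    <!-- Outgoing network connections (for example to the app's own server): -->
    <key>com.apple.security.network.client</key>
    <true/>

    <!-- Talking to a USB device; there is no comparable key here for
         FireWire or Thunderbolt, which is Ojala's point above. -->
    <key>com.apple.security.device.usb</key>
    <true/>
</dict>
</plist>
```

To see what a shipped, signed app actually claims, run `codesign -d --entitlements :- /Applications/Example.app` (Example.app is a placeholder); that is the quickest way to verify an app is sandboxed and to review the capabilities it asked for.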
Pauli Olavi Ojala is not the only developer who is worried about sandboxing on Mac OS X. Back when Lion was released, sandboxing was one of the improved features under the hood, and it was Apple’s original intention to mandate sandboxing starting November 2011 (they apparently decided to postpone it). Back then, too, several developers raised red flags.
“I think that Apple would have a lot more developer enthusiasm for this feature if it wasn’t so clear to many of us that our apps will be forced to lose features in order to adopt sandboxing,” Daniel Jalkut wrote in September, “And while users may be happy about the prospects of improved security with the sandbox, I think there will be less excitement about the diminished functionality of apps whose features don’t fit nicely into the sandbox confines.”
Jason Snell is concerned as well, expressing the fear that the Mac App Store sandboxing will cause a dumbing down of the Mac application ecosystem. “Not only does this approach risk turning the Mac App Store into a wasteland of arcade games and one-trick-pony apps, it risks dumbing down the Mac app ecosystem as a whole,” he argues, “While developers can always opt out of the Mac App Store, they’re reluctant to do so. Not only are they afraid that Apple will one day make new Macs unable to run apps that don’t come from the App Store, but they realize that if their competitors are in the Mac App Store, they risk losing sales. It’s generally too expensive to develop two separate versions of an app, so the net result of tighter App Store restrictions could be that Mac apps everywhere – on and off the store – will actually become less powerful.”
And this is the core issue, of course. At this point in time, you can still easily install applications outside of the Mac App Store, but the fear (and, let’s face it, the expectation) is that Apple will one day make this harder – only to make it impossible a little later. I’m pretty sure Mac OS X will get a switch first – off by default – to only allow App Store applications. In the release after that, the switch will be on by default. One release later still, and the switch is relegated to some obscure command line command.
This is exactly one of the prime reasons why I decided against replacing my wrecked (somebody bumped a remote control on the display – long story) MacBook Air 11.6″ with another MacBook Air, instead opting for an Asus Zenbook. At least with Windows, there’s generally little penalty in sticking to an older release of Windows (Windows 8, after all, is moving in similar directions), while on the Apple side of things, both Apple and developers alike tend to drop old releases right when the new one comes around the corner.
All in all, it seems that after the first major signs of iOS-ification in Lion, Apple is going full steam ahead with the process of turning Mac OS X into the same kind of ‘My First Operating System’ iOS has been designed to be from the get-go. Call me stodgy, old-fashioned, and bah-humbug, but I find this a very detrimental development, and a clear sign that computers are becoming less powerful instead of more powerful. Windows 8 has me worried for the exact same reasons.
The total disdain and often downright animosity towards more knowledgeable computer users seems to be prevalent in both Redmond and Cupertino, and as far as I’m concerned, this will only have one outcome: more refugees towards Linux.
Goshdarnit, not all of us are satisfied with fancy Twitter applications and weather checkers alone.
As usual, sandboxing Apple’s profits from competing products, instead of protecting users from security threats.
Can you please update the article, it’s misleading and misinformed.
The sandboxing requirement is not something new.
The initial deadline was November, it was pushed to March because apparently things aren’t clear and some aren’t ready.
Furthermore, yes there are drawbacks by making sandboxing mandatory across the board, however the benefits far outweigh the costs.
You clearly didn’t read my article. Please read before accusing me of things, okay?
Graçias.
No I didn’t read the entire article; it’s a big rant with a small amount of useful content. The title and introduction are still misleading; it should be clear in one of these instances that this is not an introduction of the sandboxing requirement. This has been set in motion for a few months now and it’s just getting an extension. You mention it a good 7 paragraphs into the article. Most people will probably skip it, it’s just bad journalism.
Edited 2011-11-04 00:12 UTC
Thom, your usual overreacting to critics is severely harming your reputation. I suggest you cool down a little and try more gentle replies in the future. If you can’t respect your readers, your readers won’t respect you.
People respect Thom?
Strongly disagree! If impersonated stupidity shouts in your face, you should be able to call it just that!
Just a comment; if what you wanted to say was “thanks” in Spanish, it is spelled “Gracias”, with “c” instead of “ç”. The “c con cedilla” (“ç”) does not belong to the Spanish alphabet, though “c” represents the same phonemes as “ç” when written with “e” or “i”. In Spanish the “ç” has been substituted by “z” when used with a, o and u, and by “c” when used with e and i.
Whatever, if you tried to say “thanks” in a language other than Spanish, then forget my pedantic comment.
¡Gracias!
Thanks for the clarification – I don’t actually speak Spanish (I’m more Germanic-language oriented), so I don’t know any of this stuff. I can understand French and Italian pretty well, but Spanish has always been way more difficult, for some reason.
…with Thom for a change.
This is not good news for most things. OS X as iOS makes sense in a lot of ways, but certainly not all ways.
I like the idea of buying an app that will run on any “iDevice”, including the new TV’s when they turn up, I like the idea of one set of tools and coding once for all things.
Sandboxing is great for a lot of apps, and not having the ability to talk to standard devices on your Mac is just plain dumb, security be damned. Having restrictions like that will play into the hands of the big time guys and make computing for the guys in the garages basically impossible (unless they are writing simple apps). Apple will soon stop us downloading apps to the OS without the App Store; sadly you can see it coming. MS will do the same. I was sure this wasn’t the case, but now I believe it just might be; let’s hope we are wrong.
I think a lot of “us” might start using Linux / BSD / {insert cool non restrictive OS here} a lot more.
iOS is great for “most of them”, but not good for “most of us”. I have an iPad 2 here that I basically never use. I know a lot of people who love them, but I’m certainly not one of them, OS X on a laptop kills it (presently).
Linux is kind of going to gain traction by default, now. Microsoft and Apple, at the consumer side, are making a concerted effort to turn their backs on the professional market. Sure, Microsoft might still keep their server offering vaguely professional, but who the hell is going to know how to use it, once Metro has vomited all over Windows’ desktop versions? Pretty much the only reason Windows is considered “easy” to use is its ubiquity, and I’m sure that’s all that keeps it in the server room, and in cubicles, too.
Professionals who want a UI that hasn’t been butchered, and who want to run more than just what Apple and Microsoft let them, will turn to some form of Linux. This won’t happen overnight, it may not even happen during Windows 8’s shelf life, but I think the bile the two major players are forcing on us will turn more people to Linux.
I’m not quite sure Linux will be a good refuge.
The designers at the biggest desktop Linux proponents (Gnome and Canonical) love copying all things Apple and Windows, so I wouldn’t be surprised to see this sort of evolution there too.
(Yes, I’ve tried KDE, Xfce, LMDE and whatnot. I won’t enter a discussion about this, I’m just not going to use those. Neither will Joe Sixpack.)
I do not share your certainty that the App Store model will become the only method of installing software on Macs. I actually think it’s more likely that the iOS ecosystem will end up with an unsupported jailbreak mode first (not that I think that’s likely). The truth is, there’s a reason why the PC spawned the computing revolution. The computing industry started out totally cowboy, where everyone had to write all their own software (1950s-70s). When PCs from various makers first started to come out, there was a flirtation with locking things down for the sake of making computing more accessible, such as PCs that used ROMs or cartridges for apps, and purpose-specific word processors that only supported one task (1980s). Ultimately, people started getting more sophisticated and demanded more flexibility, and the marketplace met them halfway: even Apple embraced more freedom with what you could do with your computer (3rd and 4th generation Macs were much more open than 1st generation ones). I think there’s a decent chance the same cycle is repeating itself on the mobile front.
Apple may miss the party out of hubris and greed, and Microsoft may backslide because they never met a bad idea they didn’t like, but I think that the freedom of a general-purpose PC, handheld or not, is too powerful to hold back. Personally, I think Apple will come around. A sandboxed App Store is a beautiful thing for people’s grandmas and cubicle drones who would gladly install malware because it lets them make their cursor into a penis shape, and it has its value.
Looking at newest shell developments (KDE aside) they are already ahead of competition.
Of course you can always fire up xterm and feel right at home, but you can do it on OSX as well.
But… but… but… I’ve been told Apple started the computer revolution?!? 😉
RT.
I LOL’d at your response. But to give Apple’s PR machine credit, I was using the term PC generically to mean Personal Computer, and the Apple ][ was right in there with the rest of them. Apple has always straddled the line between user freedom and a “just works” ethos that’s sometimes anathema to user freedom. The Apple ][ was freer, then the Mac backslid, then later Macs were freer, then iOS was a backslide.
And that, dear sir, is 99.99% of computer users. We tend to forget that.
Try looking for or encouraging alternatives for applications, Google needs to learn that same lesson.
That’s okay (just kidding about that) cause I’m gonna use the mac app store on the 12th of never anyway. How do any of you find lion? Is it much better? I didn’t update because it doesn’t really seem to be much improvement to me.
Downgraded to Snow Leopard on both my Macs after a week or so. Some things are firmly in the WTF camp but you can just ignore them (I’m looking at you, Launchpad); others are a bit more worrisome, like tons of warnings in /var/log/system.log about deprecated functions — from Apple’s applications, no less!
But the real deal breaker for me is that Screen Sharing is completely broken unless you happen to use only Macs.
If the Mac has been freshly rebooted you can connect from any other OS with your VNC client of choice, but good luck after that. You just get the login screen, possibly with no user list or input field to type your password and, even when you do, the screen freezes before you can finish typing.
Of course you can close the connection and try again. And again. And again. If Screen Sharing doesn’t lock altogether you might even get in. Eventually. And no, the problem is not the VNC clients, since they are working fine with Snow Leopard.
That said, I realize that this probably is not a big deal for people that are not working in a heterogeneous environment — or that not everybody gets irritated by Lion “features” as easily as I do. In other words, the usual “your mileage may vary” disclaimer applies.
RT.
I agree that this will send a lot of users in search of greener pastures in Linux… only to run screaming back to Windows. If it’s true that Apple doesn’t respect power users and developers, it’s even more true that OSS doesn’t respect normal users. The instability and the plethora of arcane, hacky “fixes” for issues that never should have appeared in the final release of many Linux distros are every bit as annoying as the dumbing down of the Microsoft and Apple products. And that’s assuming users can even manage to install Linux on top of their “Secure Boot” BIOS.
(By the way I am an 8 year user of Linux on the desktop almost exclusively. But frankly I’m not satisfied with the state of GNU/Linux or Microsoft or Apple at the moment.)
“this will only have one outcome: more refugees towards Linux.”
Unfortunately, Linux appears to be heading in the same direction with GNOME Shell but slower and less obvious.
What’s wrong with developers lately?
how is gnome-shell in any way related to an app store?
gnome-shell eats kittens. like the app store.
Then I eat kitties with sauce:
http://imagebin.org/182455
My first reaction was laughing at apple’s childish decision of making everything the produce a toddler-proof toy. But then I realized that I am using a mac to browse the article. Oh my!
Luckily apple hasn’t disabled third party installers yet. So I can still install most of the software I use. Unfortunately I have this bad feeling that the perverts at apple will eventually take this precious ability away from us.
apple can see how far they get with their stranglehold. good for them. in the mean time, my favorite app stores remain cdrom.com and download.com and sourceforge.net
Going back to the IIe’s, IIGS’s, Mac SE’s and Classics I can soundly say FUCK YOU APPLE!!!
I’m sticking with Linux and Haiku, just waiting on Mate Desktop PPA https://launchpad.net/~amanas/+archive/mate-desktop to be finished for Ubuntu Studio since XFCE is no substitute for Gnome2.
Most software does not need to go outside of a well-designed sandbox. Even complex stuff such as web browsers and IDEs can work fine within the boundaries of a sandbox.
The real problem here is that Apple, not the user, is in control of what gets allowed in the end. Which is ironic, given that mandatory software sandboxing puts the user back in control of what untrusted software does, and as such pretty much negates the need for such application stores.
Which kind of reveals true motives behind the decision.
With this decision they could as well subscribe to Google’s vision of combining HTML5, WebGL and NaCl to convert the majority of apps to the web.
In sandboxed form they will not have much more abilities.
I for one welcome the change. Apple is one of the only companies which can actually pull off having the majority of its desktop apps use sandboxing by default, making it a technology which actually benefits the user because it’s being used instead of being an interesting concept ignored by almost everyone.
The PC world we have now is a very different place than what it was 20, 30 years ago. We used to have these puny standalone machines in front of us which could barely run one app at a time, with little room on them to store any of our data. Back in those days, the personal computer was basically a glorified crossbreed between a typewriter and a calculator. These days we have boxes filled with more system resources than most will ever use, and they’re storing a ton of personal information, and are mostly available on a global network, the internet.
Yet the basic concept that applications use to run really hasn’t changed all that much from the first computers. In all that time, the bottom line remained: when an app has certain privileges to execute, there’s no telling what it’s doing on your machine.
As stated earlier, there’s already been a tech around to fix it for quite some time now. It’s just that in the world of an uncurated platform, developers tend to be lazy and take the easiest route to get things done. This is no longer possible with the Mac App Store, since it combines technical requirements with the ability to bring your applications to market in a digital way.
I’m not saying the rules for sandboxing applications in the Mac App Store are perfect. There most probably are things that need further adjustments. We saw the same thing with the App Store for iOS devices. Some people cried foul when it launched, calling the approval process and the rules it tried to impose draconian. But really it turned out to be such a huge success that others are copying this model. It made finding and installing software on your devices a breeze, and it strongly discourages piracy, which together with the low unit price of apps makes people much more inclined to buy software instead of copying it.
Apple was the first one to actually try and pull this off on such a big scale. On the App Store, they did well enough that both users and developers benefitted. I seriously doubt apps on the iOS platform would have been such a huge deal if it weren’t for the App Store. I’d say give them some credit for actually trying to make this change for the better happen. Nothing is ever perfect from the first round to go; that’s why we humans developed reason, to be able to communicate any concerns one may have with another, and when it makes sense, I’m sure the policies will change. The App Store policies changed as well to facilitate things it didn’t anticipate, so I’m certain the same is the case with the Mac App Store.
Edited 2011-11-04 08:05 UTC
Deep down inside I would like to retort with something along the lines of “if you’re too stupid to use a computer you probably shouldn’t be allowed to use one”, but that wouldn’t get me very far, so I’ll try with some good old fashioned reasoning instead. 😉
Looking at the list of “entitlements” in Pauli’s article it should be obvious that there are plenty of perfectly legit, non trivial applications that need way more than that, so what’s a developer to do? And no, the “sell your application on your own as you did before” argument doesn’t cut it: either the App Store is really important and you’d be a fool not to be there, or it isn’t — but then all the people waxing lyrical about the importance of the App Store should eat their own words and go hide under a rock.
But wait, there’s more: these “entitlements” are not automatic. That is, that list is not just a list of what an application can do, a developer must still “convince” Apple that his application really needs to, say, interact with a USB device or connect to remote server. Simply put: even more power to the reviewers and plenty of uncertainty for the developer — and let’s not forget that when it comes to the App Store(s) neither transparency nor consistency have a stellar record.
In other words, it could be said that this is the same old excuse that we’re being offered each time we’re presented with a large, bitter pill to swallow: it’s for the children! it’s for your own protection! it’s for the common good! and so on. This is supposed to look reasonable and even “good” on the surface, but when you start thinking about the implications, or about that bit of freedom (no matter how tiny) that you are going to give up for a bit more “safety” in return, you better ask yourself: is it really worth it?
For my part, I will continue to avoid the App Store as much as I can and if a day will come when the only applications that can be installed are those sanctioned by Apple, I’ll just sell my Macs and move somewhere else.
RT.
Edited 2011-11-04 11:36 UTC
I think the Mac App Store is especially a big deal for the consumer market. For corporations deploying apps there are better tools available. They typically use prepared system images, app server services, ASR or some other deployment tools to roll out applications.
Having both instead of either/or does not need to be problematic : The ISO you use from a corporate vendor probably won’t be the issue when you’re installing your legitimate pro apps. The biggest danger in getting uninvited guests on your system is mostly in small, unknown tools which you happen to need “on the fly” and you download off the internet. To this the Mac App Store offers a safe alternative to uncurated sites. So both can complement each other.
I generally prefer “For the advancement and greater good for humanity”. Get over it and enjoy the new world.
I think there’s enough empirical evidence to say there is, seeing as to how popular non curated systems get infected by filth like keyloggers, spyware, and botnets so easily.
One has to think about which freedom one prefers. The freedom to be able to tinker with your device until infinity, or the freedom to have a device which works predictably so it does the job you’re set up to do. Apple has always been about the latter.
Edited 2011-11-04 18:57 UTC
iOS AppStore was a new thing. there was no “big scale” or “change” anything. This is a major change to an existing software delivery process.
They may be able to fine tune it to have it work as well as iOS, but this will have a lot more veteran MacOS developers up in arms.
Sure there was. Other mobile platforms before it didn’t have App Stores and allowed you to install your apps freely. There never were as many apps written for them, though.
It wouldn’t be the first time Apple uprooted its platform to make a change for the better. In the last 20 years, they changed processor architectures twice (first from m68k to PowerPC, then from PowerPC to Intel), moved to a whole other OS (Classic to OSX), deprecated an entire developer API (with Carbon not going 64 bit), and axed countless other developer technologies (GameSprockets, OpenDoc, …)
Each and every one of these changes required developers for the platform to retool their apps in a significant way. Each announced change was met with mixed reactions. So this moaning isn’t new at all and will happen every time Apple decides to change something. And each time some developers throw in the towel and call it quits.
The impact of each and every one of these changes on the viability of the platform has been negligible. Stuff gets rewritten conforming to the new way of doing things, and gaping holes leave a space for newer, more modern apps to spring up, apps that wouldn’t have seen the light of day if the legacy app using obsolete code was still around.
Also, it’s not like developers weren’t aware of these rules. It was announced that this would be a requirement the first day the Mac App Store was launched. The only reason why it wasn’t imposed from day one is to offer developers a grace period to adjust their apps on the store.
Really? My Sharp Zaurus PDAs beg to differ. The Sidekick from Danger begs to differ.
Revisionist history much?
Most other mobile platforms
Happy now?
There was a commonly used iOS app store before that AppStore arrived on the iOS scene? Now that is big news to me…
And that would be the case if these restrictions would add something beneficial, like the move from Carbon to Cocoa. However, this move is ill thought-out and brings only new restrictions, not functionality (as it stands today).
You raise some interesting points.
First, I agree with you that it’s difficult for a legacy operating system to make application sandboxing mandatory. Some compatibility will be broken, sooner or later. However, OS vendor control on applications is not the only way to do that. You can also do it the Microsoft way, by pushing an OS release that breaks compatibility, but is advantageous in other ways, like Windows x64 breaks DOS compatibility. At some point, everyone will use the new release, although it can take some time.
True, but name me one digital protection scheme which hasn’t been compromised. Whenever there’s software, there’s bugs, and whenever there’s bugs, there’s exploits. DVD copy protection, Blu-Ray, SSL certificates are all living proof of this.
To what benefit? Android leads the pack by far in terms of mobile OS exploits.
It makes it far easier for the bulk of the non-tech users to find their software, since the Mac App Store is installed and available by default on the system.
For a couple of apps, yes. for many others, no. If you’re a heavy user of a certain productivity suite to do the grunt of your work, the chance is big you already know the app you’re going to install. But there generally won’t be many of these apps sitting on your system. For most of the smaller utilities, where you are looking for a solution for a functionality you are missing, a centralized system which lists the available software is more beneficial. And often times, one gets to know newer, better alternatives when searching apps on a big app aggregator, you wouldn’t have had the same convenient list of available applications with just a few keystrokes while using search engines like Google.
I think uncurated payment over the internet is currently not without its quirks, they’re a mixed bag in terms of user experience at best. There might be delays between the purchase and the availability of the application to the end user because of limited resources in purchase processing at the application vendor, vendor-provided payment systems might not be up to par to security precautions and are more prone to be compromised and their information harvested, or worst of all, the vendor might not deliver on the goods at all, because of scam schemes or because they just went out of business. The Mac App Store eliminates all these. It offers a streamlined and predictable purchase and install process that is not available at this level on other software aggregators on the internet.
Edited 2011-11-04 19:35 UTC
I’d argue that DVD and Blu-Ray encryptions are broken by design, like many other forms of DRM, because they rely on distributing a “secret” copy of the decryption key with every single device and software that can play them back. In such circumstances, it is obvious that the decryption key will be leaked by someone at some point.
SSL certificates have a bit of this “secret known by a large crowd” problem too: in an organization that is large enough to validate hundreds of websites a day, can people really guarantee that no employee will ever go rogue and use his certification authority for nefarious purposes? Come on…
To the best of my knowledge, there is no such known flaw with the design of sandboxing in itself. What requires extreme care is the default permission set which every software gets, because it cannot be easily changed after a release. But pretty much every other kind of flaw can be fixed with OS updates without any loss of compatibility among API-compliant software.
This is why I’m talking about the quality of the implementation. On Android, the default sandbox settings are very restrictive, so that pretty much every application requires special security permissions and needs to get out of the sandbox. As a consequence of that, the dialog used to confirm those permissions is very subtle and frequent, and as such few users bother checking it.
Then there are exploits which avoid the sandbox altogether. Those rely on the fact that system components, which are most likely to be exploited, are not sandboxed properly themselves. I don’t know Android well enough to tell what kind of vulnerability it has, but on iOS there was a vulnerability that allowed root access to iDevices by opening a specially crafted PDF file. My question is: why is the PDF reader able to get root access to the device at all? With proper sandboxing, an exploit in the PDF reader would only allow a cracker to have a look at the PDF reader’s private data, which is a much, much less interesting trick.
Fair point, but doesn’t this argument also hold for other repository systems where you can freely add other software sources to your OS beyond the vendor-provided one?
It will also put you in front of heaps of thousands of different software to do the same thing, with no quick way of deciding what works best for your purposes except for relatively flawed indicators such as “featured” or “frequently downloaded” (also known as “popular” in some circles).
So since exploring everything and making informed choices is not envisionable for most people in such centralized systems, you end up relying on others (magazines, websites, relatives…) to do the work for you. Which is why I say that word of mouth remains the #1 way of finding software even in big centralized software libraries.
This is the positive side of things. The negative side of things is that if there’s a lot of choice you’ll end up going through a lot of uninteresting garbage (for you!) before finding what you’re looking for.
As an aside, I rarely use Google or iterative repository exploration to choose software myself. I only do that for stuff which I’m not deeply interested in. For stuff which I care more about, I try to find a good website/magazine/book/specialist on that matter and to follow its advice. But you may argue that I’m not part of “non-tech users”, and as such may work differently.
Fair point. Centralization does allow for some performance optimization.
Which is why I’m a PayPal advocate : the transaction is managed by a large third party which is specialized in managing online transactions and as such can take the right decisions as far as security is concerned.
Now, you may argue that it is the same thing with Apple. Yet there is a difference. Apple are the developers of Mac OS and own many large software on the Mac platform, they are not a neutral third-party when it comes to taking decisions about what software gets allowed on their platform. PayPal are only a banker, and as such don’t give a damn about what transactions they process as long as it financially benefits their business (which is largely unrelated to desktop/mobile software). Also, Paypal don’t want the bad PR of banning important customers unless they really can’t avoid doing otherwise, while Apple are crazy enough to do it anyway (“Zomg ! Images of prehistoric women WITH BREASTS ??? BURN !!!”).
Vendors only go out of business once, and it takes a finite and short time to do that, so I believe this is a relatively minor concern. About scams, when you buy something on Apple’s App Stores, you have to make a purchase decision based on a description that has been written by the software’s vendor. If it’s incorrect, I don’t know if you can get a refund from Apple, but PayPal do have a refund policy when the vendor doesn’t provide the expected goods.
Edited 2011-11-04 21:15 UTC
The biggest problem when it comes to security is software bugs. The bulk of exploits are based on the fact that there’s a bug in the software that facilitates buffer overruns which allows one to execute code. The only way of making sure your system isn’t compromised is to unplug it from the network and write the software it runs yourself. However, this doesn’t tend to be a desirable use case these days. 🙂 Bottom line: everything which is software is breakable. The point of running sensible security measures is that you need to minimize the risks as much as possible.
As with any software implementation, it’s bound to have bugs and thus it’s exploitable. If the zero-day bug gets discovered by someone looking for them who has ill intentions, most of the time this information just gets sold in black markets online and it ends up in the hands of malware writers who exploit them in their code.
Point is it doesn’t have to be exploitable, a bug which allows for improper code execution is enough.
Not necessarily. If memory is written outside the application’s heap, it’s more than likely to have full access to the system, allowing the malicious code (not the app itself) to do anything it wants to do.
Sure it does, and in the desktop space, there’s been quite a few of them: tucows, download.com, versiontracker and macupdate are just a few. But these are merely aggregators, not App Stores. They offer no guarantee of the purchase process and in most cases not even of the availability of the listed application.
Not if you know what functionality you’re looking for. You might search for an unrar app, a VNC client, an RSS Reader, … Doing those searches conveniently pops up a list of all available apps allowing you to pick the one with the functionality and price point you find appropriate for your needs.
You’re more likely being served in a better way if you just consult the app ratings and read the user reviews in the App Store. Why wait 2 months for a published magazine to pick up a newly released app? This used to be my methodology of working in the past, but now we’re talking about the nineties, when broadband wasn’t among us yet and magazines with CD-ROMs were still a huge deal.
You browse through the list, you look at the user ratings, reading the reviews and description, and look at the screenshots. I don’t see much difference in the selecting process. When you like something it’s a quick trip to the buy button and you have it working. Instant gratification. The barrier can’t get much lower than this.
As far as I know, buffer overruns are not a fatality, and protections exist against them: read-only code and canaries at the CPU level, fixed-length buffers at the API level… But I agree with your general point that every software implementation is breakable, which is why careful testing of critical code and regular updates are so important.
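The two defences named in the comment above (a bounded copy into a fixed-length buffer, and a canary that detects an overrun before the function returns) as an added C example. This is not code from the thread or from Apple; the names copy_name_safe, frame_copy_and_check, overrun_detected and the CANARY constant are hypothetical, and the canary is a byte-array model of what gcc/clang emit with -fstack-protector, not the compiler’s own mechanism.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the thread. All names are hypothetical. */

#define NAME_LEN 16           /* size of the fixed-length buffer being defended */
#define CANARY   0xDEADBEEFu  /* a real canary is a per-process secret, not a constant */

/* Length of src, never scanning more than cap bytes (portable strnlen). */
static size_t bounded_len(const char *src, size_t cap) {
    size_t n = 0;
    while (n < cap && src[n] != '\0')
        n++;
    return n;
}

/* "Fixed-length buffer at the API level": copy src into a NAME_LEN buffer
 * only if it fits with its terminating NUL. Returns 0 on success, -1 if
 * rejected. Rejecting beats silent truncation, which creates its own bugs. */
int copy_name_safe(char dst[NAME_LEN], const char *src) {
    size_t n = bounded_len(src, NAME_LEN);
    if (n >= NAME_LEN)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Convenience wrapper so the result can be checked from a literal. */
int try_copy(const char *src) {
    char dst[NAME_LEN];
    return copy_name_safe(dst, src);
}

/* Model of a protected stack frame, laid out as the compiler does it:
 *   [ buf: NAME_LEN bytes ][ canary: 4 bytes ][ saved return address ]
 * It is one plain byte array so that an overrun past buf stays within
 * the object and the demonstration remains well-defined C. */
struct frame_model {
    unsigned char bytes[NAME_LEN + sizeof(uint32_t) + sizeof(uintptr_t)];
};

static uint32_t read_canary(const struct frame_model *f) {
    uint32_t c;
    memcpy(&c, f->bytes + NAME_LEN, sizeof c);
    return c;
}

/* Simulates an unbounded copy of len bytes into the NAME_LEN buffer (what
 * strcpy/gets would do with attacker-controlled input), then performs the
 * check the compiler emits in the epilogue. Returns 1 if the canary is
 * intact, 0 if it was clobbered; a real program aborts in the latter case
 * instead of returning into whatever overwrote the saved address. */
int frame_copy_and_check(const unsigned char *src, size_t len) {
    struct frame_model f;
    uint32_t c = CANARY;
    memset(f.bytes, 0, sizeof f.bytes);
    memcpy(f.bytes + NAME_LEN, &c, sizeof c);

    /* The cap exists only to keep the model inside its own object;
     * the bug being modelled has no such cap. */
    if (len > sizeof f.bytes)
        len = sizeof f.bytes;
    memcpy(f.bytes, src, len);

    return read_canary(&f) == CANARY;
}

/* Feed len bytes of 'A' into the model; returns 1 if the overrun was caught. */
int overrun_detected(size_t len) {
    unsigned char payload[64];
    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', len);
    return !frame_copy_and_check(payload, len);
}

int main(void) {
    printf("15-char name accepted: %d\n", try_copy("123456789012345") == 0);
    printf("16-char name rejected: %d\n", try_copy("1234567890123456") == -1);
    printf("8-byte copy trips canary: %d\n", overrun_detected(8));
    printf("24-byte copy trips canary: %d\n", overrun_detected(24));
    return 0;
}
```

The bounded copy is what an API-level defence looks like; the canary model shows why the second defence only detects an overrun rather than preventing it, and why it says nothing about a write that lands past the canary with the canary itself left intact (a precise heap or pointer overwrite), which is the case the later comments about chained exploits are really about.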
Wait a minute…
On x86 CPUs, and I’m pretty sure it’s the case on ARM too, there’s a MMU and memory protection. When this feature is used to implement processes, the net result is that every software lives in a “private” chunk of RAM, and only communicates with other software through controlled communication channels.
So if a given software runs amok, it should only run amok within the boundaries of what it’s allowed to do. Am I correct?
Fair point: there is a trade-off between general usage convenience and decentralization. A centralized system gives an unreasonable amount of power to the repository owner, but also means centralized knowledge about software availability.
Ratings and reviews are a mixed bag, in my experience. Sometimes they work, sometimes they don’t.
Let’s talk about ratings, first. While it is very easy to give binary ratings to stuff which you feel is excellent or extremely bad, it is much harder to express mixed feelings in a rating, and if a large number of people do it the information is likely to be averaged away. Typically, I take a rating that is less than “perfect” as a warning, but it doesn’t give me much more information without an attached written review.
As for reviews themselves, when you’re dealing with a small and informed user base, such as on some computer hardware websites, they can be very helpful. But when the user base grows, there is a growing number of parasites who post poor-quality reviews, or stuff which does not even qualify as a review (the “I have a big dick” or “First” variety of comments). On frequently reviewed software, the noise often ends up erasing the insightful information, unless you’re ready to read through 4 pages of comments to get an idea about each piece of software.
To fight this tendency, some websites which use ratings and reviews, like Amazon, have a way for users to say “this review is insightful” or “this review did not help”, which in my experience works quite well. But I don’t think Apple have this in their stores.
This is why I also mentioned websites and relatives, which in the Internet age are surely much faster than magazines. Magazines still have their use though, as they can provide higher-quality reviews than other solutions for “big” software which doesn’t change a lot over time, such as office suites, image and video editors, CAD tools…
Again, you’re right that centralization does have its good sides, including convenience for everyday use.
Paypal is also a lot more complex and it doesn’t offer you the guarantee that the vendor is genuine. The Mac App Store is all about one-click purchasing to make the purchase experience as simple as possible.
If you know a bit about Apple as a company, you know that Apple makes money off its hardware. They’re a product company, selling solutions to customers, but when it comes to making money, it’s the devices, the hardware, that makes the money, not the software. The software is a unique selling point for their hardware. Which is the main reason they do low-cost software, bundle entry level apps for free and ship low cost upgrades, unlike companies which view themselves as software companies and try to maximize profits on their software products.
Granted, they did several pro apps as well, but if you know what happened behind the scenes of these products and how Apple ended up with them, it’s more that Apple rolled into them than anything else. Apple never planned to do Final Cut Pro. It was a project at Macromedia from the creator of Premiere before Macromedia refocused on serving the internet application space and ended up merging with Adobe. Apple took it off Macromedia’s hands because they knew it was a good product, they wanted it on their platform badly in order to ensure hardware sales, but nobody was interested in bringing Final Cut to market for their platform. They tried selling it for two years after they bought it, but still nobody was interested. They eventually just kept it and sold it themselves at a reduced price because of the positive effects it would have on their hardware sales.
Apple aren’t all that interested in competing with their app providers just for the sake of getting more software sales. There’s no money (and gain) for Apple in doing all the software for their platform. It’s not what they’re about. Apple chooses to do a few products as well as they can and ignore the rest, so total software domination does not fit in this vision. They tend to do entry level consumer apps to provide entry level solutions to their customers, and are happy to leave the pro stuff to others. A suite like iWork is basically AppleWorks for the 21st century, an entry level app. As a testament to this, Apple never did a fully fledged productivity suite for their platform, unlike some of their competitors like Sun or Microsoft did.
You can always consult the CD-ROMs of magazines for apps which display prehistoric women with breasts… Oh wait. 🙂
I was only giving some examples, big and small, to illustrate my argument that everything else is a mixed bag and what makes a centralised purchase store better.
A bit, sure, but a lot?
Billing with a typical app store: click buy, enter password, payment done.
Billing with PayPal: click buy, check that you are actually on PayPal and that the bill is correct, enter password, payment done.
The extra visual scan is pretty quick.
What I agree is more uncertain is what happens after payment, the part which does not depend on PayPal themselves. Some vendors redirect you to a download link, some vendors send you an e-mail, some vendors manually check incoming orders… This would benefit from a bit of standardization. But nothing there which user experience guidelines and vendor-provided software distribution tools couldn’t fix.
What do you mean by that? If I see a nice RSS reader on the Mac App Store, download it, run it, and it turns out that it’s actually a basic program which displays a silly picture of a cat with the subtext “you got owned!”, what is the difference?
It is a given that purchases are simpler, what I’m wondering about is if it’s worth the cost of putting a single entity in control of anything a computer may run.
When I see Apple banning the Wikileaks app from un-jailbroken iOS, Google forcefully removing apps from users’ devices from a distance, or Apple remotely bricking iPhone prototypes… I believe that the amount of control which we let others have on cellphones is scary. Current mobile OSs are an evil dictator’s dream toy, is that really the future we want on every computer in the long run?
I think that Apple may be biased about which software they choose to allow on their platform even if they do not write competing software.
As an example, non-tech users’ vision of hardware is affected by the software that runs on it. So if some iPhones or Mac are known to run questionable software, it may affect people’s decision to buy or not buy this hardware. Therefore, Apple may be tempted to allow or disallow the existence of some software on their platform, depending on what they believe will maximize sales. And I guess this is what they do when they play morality guardians and ban stuff that contains nudity or illegal material on their own free will.
I don’t think this is a sane behavior. It is fine for an OS vendor to advise for and against specific software, but not to ban stuff altogether from people’s sight, as happens on iOS and may happen on Mac OS at some point. For a flawed real-world analogy, I would understand that my favorite book shop does not have a book I like on its shelves, but if the owner refused to take orders for books she doesn’t like, I’d find another book shop.
Maybe others would disagree with that though.
Well, wasn’t the point of these magazine apps to introduce on-device content that is updated from the web on the fly instead of going through this kind of bulky procedure?
Since on Android most exploits are actually social engineering exploits*, not technical ones, iPhone leads in phishing exploits by a wide margin.
On the technical exploits side iOS and Android are on equal footing.
* – the ones that you are counting.
I don’t know under which rock you have been hiding, you might want to read up on this to review your opinion.
http://reviews.cnet.com/8301-19512_7-20096832-233/android-malware-u…
http://www.phonearena.com/news/Android-security-issues-soaring-warn…
http://www.computerweekly.com/Articles/2011/10/28/248306/Android-no…
Are you having issues understanding the word “technical”? Or are you the type of person that thinks that all malware is based on technical exploits?
PS: You might have had issues with that rock over your head also http://downloadsquad.switched.com/2011/01/07/iphone-users-most-vuln…
PPS: Not a single link that you provide lists a single bug. While I can list at least 2 vulnerabilities (1 remote and 1 local) in Android and 2 remote code execution vulnerabilities in iOS.
Edited 2011-11-05 16:09 UTC
Second, although the implementation is more than perfectible, Android showcases that sandboxing can be introduced on a new OS without draconian OS vendor control.
Third, you state that vendor-controlled application stores make it easier to find and install software. I believe this is quite a suspicious statement. Finding good software in huge repositories is actually quite long and difficult, and word of mouth remains the main way of discovering new software with or without app stores. As for installation itself, it is made easy not by the use of app stores themselves, but by the standard application packages they use. You are right that application stores are better for paid applications, though, but I don’t know up to which point (PayPal is a universal means of buying software on the internet, and software can use the same kind of DRM as app stores to reduce piracy).
Finally, as for iOS owing its success to its App Store, I’m again quite skeptical. The first iPhone sold extremely well without having it, and Unix repositories, which are extremely close ancestors, have never allowed the Linux desktop to get a strong foothold outside of the corporate world, so I’m not sure there is a clear-cut relationship between both.
non-biased article here: http://arstechnica.com/apple/news/2011/11/apple-pushes-back-sandbox…
I appreciated this link.
Again, my only advice to Thom on this article would be to include other opinions, if there are any. The link above indicates that great Mac developers like Agile (makers of the uber cool 1Password) are cool with sandboxing, even if it does mean some trade offs.
I would have appreciated more context on what sandboxing is, how many other operating systems use it, etc..
It seems to me that Apple won’t disapprove of an ftp application, because accessing a remote server is within its basic functionality.
On the other hand, if I submit a JPG to PNG converter utility and it needs to access a remote server every time it starts up, probably a poorly designed program and a security risk. Is that the idea behind sandboxing? Or is it more about keeping apps within their own boundaries to minimize bugs and other issues?
http://en.wikipedia.org/wiki/Sandbox_(computer_security)
Meh, displaying bias to ramp up outrage generates more page views.
Apple bashing is a sport around here.
It’s covertly biased against the changes. Don’t even think it’s not biased.
I can understand Apple taking this route. As users download stuff from the Apple owned app store Apple doesn’t want them to download any malware and have it become their problem too.
Most apps probably will have no problem living in a sandbox and it’s more secure for the user’s system.
But I would mind if the app store became the only way to install software.
Apple has proven that it’s going to do whatever the heck it wants to, complaints by techies be damned, and keep on raking in the cash.
This latest move makes sense from a security standpoint. Ideally, all apps should be sandboxed. You kind of get that with Java and .NET apps (or any other VM, managed code runtime/language).
However, it’s a bit of a double-edged sword because sandboxing can cause huge limitations on what apps can do. Ultimately, this has the potential of reducing the value of the Mac platform. If all apps on a Mac can do is simple games or twitter type apps, then real useful stuff like Photoshop will be, well, less useful. This won’t affect the average user who just browses the web or plays games. But it will push away the professional market, or just general productivity workers.
In short, it could reduce the Mac platform to just games and web browsing. Well, iOS is essentially there already.
I could, and almost did, ramble on about this subject including the still poor security in Windows and the “not for prime time” Linux distros.
Security is a need. Computers do not live in Mayberry (TV show from a long time ago) where the biggest crime is a parking ticket. Computers live in the worst neighborhood on the planet.
Microsoft says that viruses are the fault of users. That arrogant and ******* mentality needs to be cut from Microsoft.
Viruses are not like burglars that are visible. Viruses are like invisible creatures that don’t need the doors and maybe windows we use to get into our houses or where we work. Viruses are more like Radon that seeps into your house and kills you or at least can make you very sick.
Choosing Linux, at least for most people, is like moving to a remote part of Alaska where you have to do pretty much everything for yourself. Linux is getting closer but it is not there yet and most people want to live in cities and not in remote Alaska.
That is only one of the reasons they turn to Windows. The other is that you can’t go into Best Buy, pick a computer and say, “I want Linux on this” and right then and there take it out of the store and turn it on and it “just works”. Linux isn’t available like that and it doesn’t “just work” for most people.
So people are stuck with Windows or maybe Macs. As Macs become more popular the virus writers are taking it more seriously and Apple has to take viruses more seriously also.
Since Apple doesn’t currently review all programs on Macs in the Mac App Store like it does for iOS devices, the only way to protect users more is sandboxing. It’s only logical.
No. I’m not 100% acquainted with the technical details on the matter, but it’s my understanding that there are several types of buffer overflows one can exploit to get root on a system, depending on the system and architecture. On Android/ARM for example, it remains entirely possible to wield a browser vulnerability to get malicious code shell access, after which it’s relatively trivial to gain root and do all sorts of nasty stuff.
My comments on Apple as a software vendor still apply. This isn’t a big deal when there is no conflict of interest.
Last time I checked, they have a thumbs up-thumbs down style of rating for reviews.
What I miss the most about those times were the in-depth editorials about things you wouldn’t have thought of, the gems they hand picked for you. However, I still ended up dumping my magazine subscriptions after I got online because most of the information in them was so horribly out of date. Let’s hope initiatives like NewsStand can bring back the great editorials of the past to a wider audience again.
It’s not only the purchase process, but the whole setup of the thing. Before you say “But…” I’d like you to consider your Joe Sixpack neighbour who doesn’t know a lot about computers, or your aunt Emma who just happens to have this sort of need. It’s these small things that we techies take for granted that a lot of normal users find very intimidating and which hamper them from what they set out to do.
The type of application you mention will never make it through the App Store’s review process, it will simply get rejected for “not working as advertised”. Thus you will never find an application like that on the App Store. Which kind of proves the point for a curated market place. It’s also the same kind of editorial you find in quality magazines or websites.
I’m more of an optimist than you are, I don’t see the future as Orwellian as you do. I’m just not a proponent of the “one OS for every device” like so many Android zealots seem to lust for. They think that for Android to win everyone else in the game needs to lose. I’m much more a proponent of a diversified platform approach. I know, developers are lazy and would prefer just to have to code for one platform, but I’m looking at it from a user perspective. And having used technology for over twenty years now I can attest that when one single platform dominates, it stifles innovation and the end user ends up being the culprit. The desktop PC space can testify to this.
I don’t know where you’re at, but in my country I know a lot of shops that will simply refuse to take orders for rare stuff for various reasons… Shop owners decide what to carry and what they don’t carry, and what they place in their front windows.
IMO NewsStand offers a much better approach for magazines.
It is my understanding that in such a case, you actually need at least two vulnerabilities. One to make the web browser execute arbitrary code, and one to make this code break through the OS-level isolation of the web browser. The second vulnerability lies not in the web browser itself, but in system software which it relies on, system software that does itself run as root. But I am not a computer security expert either, so I guess we’re stuck there.
Just like having nuclear weapons around is not a big deal as long as no homicidal maniac get his hands on one…
Is it used frequently? I may have missed it on Mac OS, as I’ve mostly dealt with the iOS app store.
I don’t think that online publishing will ever address the time it takes to write a good article. While everyday news can be reported in a day or two, good full-length articles can take weeks or even months to write. Which makes magazine-style publishing only suitable for stuff that has a slow publication rate (“big apps”), and can be well-grasped by monthly publications.
But…
This is, as I said before, not about app stores but the standard packages they use.
The other day, I bought Osmos for Fedora Linux, which happens to use standard software packages. I clicked a link on the developer’s website, ended up on a Paypal page, checked everything, entered a password, received download links for my OSs by mail, downloaded and opened the right file, clicked the “install” button, and that was it.
Let’s examine each individual step:
-Finding the developer’s website: Everyone knows how to use a search engine, some people even abuse this knowledge
-Clicking a link: Knowing this is a prerequisite of Internet usage
-Using PayPal: Requires a small amount of training, but not more than using an application store
-Accessing an e-mail account: Like clicking a link, pretty much a prerequisite of modern web surfing
-Downloading a file and clicking an “install” button: Pretty much a prerequisite of internet usage.
So that leaves one “techie” task to our Joe Sixpack: remembering which OS he runs. Frankly, acquiring such a limited amount of knowledge is like learning how to use an alarm clock: you bump on stuff once or twice, then you are able to do what you want.
This is a very rough review process that they have though. There are tons of applications on iOS which barely work at all, exhibit terrible performance or crashes, and still pass the App Store review process. Conversely, legit demos of commercial software, which allow users to try before buy, are not welcome on the App Store. And then there is this : http://www.destructoid.com/lugaru-shamelessly-resold-without-consen…
There are several important differences, though.
First, quality magazines and websites tend to focus on a small range of reviewed applications, and take a lot of care in reviewing them. While Apple employees just run new software for five minutes, check that it has no obvious flaw, and jump to the next one. They don’t have the time to do more.
Second, if you discover that a website’s review process is flawed (like, I don’t know, they are paid by companies to write positive reviews of some software and negative reviews of others), you can just ditch that website and find another one of better quality. With Apple’s system, if Apple’s review process is flawed and ditches legit software (such as demos), there is no way you will ever get that software on your device through another mean, except if you feel like letting suspicious jailbreak code drill through your device’s software protections.
While I think I would be a proponent of a “one OS for every device” strategy, I believe that I do not put the same meaning in those words.
For me, “one OS for every device” means that manufacturers do not have to reinvent computer usability each time a new device comes out. Cell phones behave like tablets, which behave like laptops and desktops and any future gimmicks which we don’t know yet. The way users interface with the device changes slightly, but the overall behavior is the same. So like on those funky WebOS demos that were around a while ago, I can receive a mail on my cellphone while I’m on my way home, then put the cellphone on a dock, take a tablet, and continue reading my mail in a more comfortable fashion. Then reply on the laptop. And everything keeps a consistent feeling.
I do not want one OS to rule the whole computer world, but I want OSs to broaden their hardware and software horizons a bit. To this end, computers with locked-down hardware and software should also disappear, or at least become a minority.
In France, most smaller book shops will let you order any book that they don’t have in store, provided that it’s in the standard publishing circuit.
Edited 2011-11-05 17:50 UTC
The net result is the same, a compromised device.
I don’t think the App Store has the capacity to nuke the planet.
It’s still early days for the Mac App Store. I also think it will get off the ground slower, because it’s not a one-way street like with iOS devices. I do think it’ll gain popularity over time as new users flock in and discover it.
I don’t see Aunt Emma installing Osmos on her Linux box in the foreseeable future though.
Let’s examine each individual step and find out what can go wrong with our friend Joe Sixpack when he wants to purchase an app online:
-Finding the developer’s website: He ends up on a phishing site, which looks vaguely similar to the original one. Because he isn’t as bright as we are he doesn’t notice the difference.
-Using PayPal: The site states it only supports credit cards, which requires him to enter his card details, which obviously get stolen
-Downloading a file and clicking an “install” button: The installation installs a trojan, which infects his system with a keylogger, after which it phones home to a remote C&C center to take on jobs relaying email messages for spam and scam attempts.
I know I’m being overly sarcastic here, but you wouldn’t believe the amount of questions I get on a regular basis from my customers about whether it’s “safe” to buy from a certain website. And even on trusted sites like eBay, there are still scams going on. As a techie, I know where to look, like checking the WHOIS database of a site, examining security certificates and googling for info about said site, but a lot of users don’t know how to do this. At least now I can say “buy from the App Store and you’ll be okay”.
Really? I never came across software on the App Store which didn’t work as advertised. Granted, I haven’t tried all of them, I’m not that rich.
Sure they are. Gameloft, for example, publishes both free demos and paid versions of their games.
Apple had this app pulled fairly quickly though.
I’m not saying there isn’t headroom for improvement in Apple’s reviewal process. The people who do it are mortals like you and me. However, especially for smartphones, I think its a good move to make, because of the added dangers of smartphones when compared to PCs.
I don’t share your view. Microsoft tried this approach (Windows Everywhere) to the smartphone and tablet market. It never became a success. It took a new way of doing things (iOS) which reinvented the basic concepts on how to deal with apps on a UI level for such a product to become usable. Other devices require other ways of doing things in order to be truly useful for the masses. If they don’t succeed in this, they primarily end up being geek toys.
The publishing circuit in itself is also already a reviewing process.
But the probability is much, much weaker. And if instead of crafting gigantic system components running as root you design the OS as a set of small components with limited responsibility and security permissions, the amount of chained exploits that one must use in order to, say, use a web browser to install a rootkit, becomes quite large.
I don’t know if it would be enough to reduce the likelihood of being hacked to a “good enough” level, but I think it’s worth trying. Even more since such modularization would also benefit code cleanness, stability, and maintainability.
Isn’t there an app for that yet?
This is debatable, but I don’t want to go into this right now. I just needed an OS which I use regularly, and where there are standard packages for software installation. OSX also qualifies with its DMG packages, but that’s not the best example of an easy-to-use installation package around (Mounting a disk image and dragging and dropping stuff around? Why can’t I just double-click that downloaded file to get stuff installed?)
I disagree with this one to some extent. If you know what you’re looking for, ending up on a phishing site is quite hard. If I take Google, Yahoo, or Bing and type “Osmos (game)”, “Trine”, or “SpaceChem”, the first link will be the developer’s website.
I give you that search engines do get hacked from time to time, though. It would be great if we didn’t rely on them so much. But the internet has just grown that big…
I can tell you I had a credit card for exactly 3 months before it was stolen, without doing anything obviously stupid with it. Credit cards on the internet are a means of payment that is broken and insecure at a fundamental level, it shouldn’t be used anymore. I wish kids would get told that, perhaps it would motivate bankers to come up with a means of payment that actually works in the Internet age…
This actually cannot exist on a well-implemented sandboxed OS. If Joe Sixpack downloads a keylogger installer, he will have at some point to confirm that he gives this piece of software the right to sniff other software’s input. Unlike with UAC/Android bullshit where privilege elevation warnings are an everyday annoyance, this is the first time that Joe sees this message when installing a game, so chances are high that he will feel that this is suspicious and cancel the installation.
And I think that this is lipstick on a pig. By doing this, you basically say to your users “you don’t know what is good and you can’t learn, so let Apple do that stuff for you”. But at some point, everyone who spends time on the Internet needs to learn how to discriminate the legit from the scam, be it to a basic extent. Buying train tickets, books, doing online banking… Should all that also be done through the App Store?
I have, on iOS. Maybe there is a strong distinction between the iOS and Mac implementations of the App Store concept and I should take more care in specifying which one I’m talking about…
Then either this set of rules is wrong/not respected, or there is a strong difference between the iOS and Mac app stores and we should both specify what we’re talking about : http://en.wikipedia.org/wiki/Mac_app_store
Are you talking about the extra amount of personal information that phones usually store? But then, software really should not have access to that information under normal circumstances, and good sandboxing would do the trick.
Windows was not designed to run on anything but a desktop to begin with. As soon as you specify control position and size in pixels by hand, assume the existence of a “hover” functionality, or fill toolbars without taking care of what happens when window sizes are reduced, your software is already dead as far as cross-device portability is concerned.
And then there is also a serious bloat problem with desktop Windows, which is why phone-oriented releases tend to be based on the inferior and incompatible Windows CE version.
Reinvented on a UI level, really? Icons, pointers, menus, toolbars, tabs… Current mobile OSs, iOS included, look more like a set of tweaks to the desktop UI paradigms than a reinvention of GUI design to me.
Because it hasn’t been tried doesn’t mean that it is impossible. If you consider interactions with software at a more abstract level than we currently do, there is no theoretical reason why cross-device portability could not be significantly improved…
But then, I suppose that I should shut up and go back to coding my OS, which aims at experimentally proving this point once I reach the “GUI” part, given that computers still allow running alternative OSs at that time.
Fair enough.
If you’re already blown off your socks and find this improbable, you should really have a look at how the Stuxnet worm works. THAT is scary stuff. If you haven’t, it basically targeted specific Siemens controllers of nuclear purification machinery in a certain country. The worm needed to bridge a great distance over the internet, overcome the fact that these machines were not connected to a LAN (so it spread over USB as well), and needed to insert itself into the controller to cause havoc. And it needed to do it all on autopilot, remain undetected and not cause too much collateral damage in the process. Talk about digital warfare. If you read about how it achieved this, the kinds of exploits I mentioned earlier are kindergarten material.
There was iNuke by ThePlanet, Inc. on the App Store for a short period, but Apple pulled the kill switch on it. Only minor countries got nuked.
Downloading in Safari will automount the dmg and take out the application for you. For installing system components, you can create .pkg and .mpkg packages. And of course, the App Store already puts the app in the right place for you. Come to think of it, I think not having installers on Mac is better, since contrary to Windows, Mac apps don’t need all the .dll stuff in the right places to run properly. It also makes clear to the user that running an app won’t leave any potential nasty stuff spread around your system.
I wouldn’t mind seeing dedicated software put out by these services to make the process more streamlined. Some of the more important services, like banking transactions for companies, use this approach.
I was referring to the iOS App Store. I don’t know the reasoning behind disallowing demos on the Mac App Store, but I don’t think it’s a good idea to disallow them.
The access to personal information is just a minor one. Then again, not an unimportant one. Bigger dangers I think are the fact that smartphones have location-based functionality. This can be exploited for all sorts of nasty things. Another thing is that smartphones are basically tiny computers which are mostly always-on, always-connected devices. There will also be a great many more of them than desktop PCs. The fact that they’re mobile also makes them harder to crack down on. Can you imagine a botnet on millions of smartphones? Last but not least, smartphones are able to generate additional cost. And whenever there’s cost, there’s a potential for malicious profit. That’s why I think you need tighter control on smartphone OSes than you need on desktop PCs. So I think it’s really crucial that you run up-to-date software on a modern smartphone and have the mechanisms in place to facilitate that, since the risk of disaster is many times bigger than for desktop computers.
Spot on. That’s why other devices need other approaches when it comes to UI. But it doesn’t stop at just the primary controls. Building a good tablet or smartphone UI is completely different than building a good desktop app. You can’t just “slap on” fixes for these basic controls and call it a day. You need to reimagine the app entirely.
The primary reason for this is that Windows isn’t modular enough and it being a jack of all trades. When you try to do too much, you tend to suck at everything.
Sure, reinvented. The basic building blocks are the same. But they took it down to the building block level and rearranged them in a way which would work well on mobile devices. A lot of the UI conventions and methodology that make sense on a desktop computer don’t make sense at all on a mobile app. Mobile apps don’t have windows, they work fullscreen. They use other input methods; like you said, they don’t use a mouse, so everything tailored towards having a mouse becomes obsolete. This doesn’t just include the obvious things like mouseover. It trickles down through the entire concept of the UI, since the graphical UIs from personal computers were built towards serving the mouse as a pointing device. If you break down your house and rebuild it from the ground up with the same bricks, that’s rebuilding to me. It’s not “tweaking your current house” by a wide margin. A good tablet app makes a bad desktop app, and a good desktop app makes a bad tablet app, so it’s crucial to reimagine it.
Interesting idea, I’d like to see that in action sometime.
I agree that software protections which are good enough against everyday desktop and mobile threats will be insufficient against targeted attacks with colossal financial and human means like Stuxnet. When you’re facing this sort of attack, you need NASA-like permanent code auditing and warfare-like financial and human means to achieve good security.
However, I also believe that that the average desktop/mobile user is not likely to have to worry about this anytime soon.
Hmmm… Which version of OS X are we talking about here? I think that on the (admittedly a little old) 10.5 machines which I’m used to, Safari automatically mounts and opens dmgs but does not do anything else.
I really, really do not like Windows-like installers, but I see the value in standard packages whose installation goes a bit beyond copying a folder at a standard location. File associations, applications which start on system boot, security permissions… All that benefits from being managed at once during “installation” time.
I see a value in having sensitive stuff such as banking managed by web services myself. When a vulnerability is discovered in a piece of code which handles financial transactions, you really want that vulnerability to be fixed immediately, and nothing beats web-based services for ease of updating.
But I guess that the risk is small for extremely simple applications which are just an I/O peripheral for a big cloud service.
Alright, I give you this one. In this light, smartphones are indeed a quite “dangerous” piece of tech that must be handled with care.
You are right that cross-device portability, if possible, would be about much more than basic UI fixes. I’ve not started full work on that yet, but an interesting path to study, in my opinion, would be to start with a relatively abstract theory of human-computer interactions, then gradually specialize it towards the kind of devices and users which the OS or application wants to target.
Like, if we went extremely far on the “abstract” end of the spectrum, a basic clock application’s UI would transmit a periodically updated text information to the user. And an SMS inbox would ask the user to pick an object from a list of items that are defined by a set of characteristics (Sender, short description, reception date, read/not read), where items which are not read are highlighted by the UI.
This is to be contrasted with the current approach to UI design, which at the other extreme aims at describing every single detail of the user-software interaction, and as such is extremely vulnerable to a change of hardware, be it only a move to a different screen size.
Of course, there are less extreme approaches in the middle, with both some control and some flexibility. And then there is the multiscalar approach, where developers start by designing their UI at a very general level, then define the specifics of some forms of interaction which they specifically focus on (keyboard, finger, mouse and voice input, screen and voice output…)
And when you do too little, people just say “meh” and move along. I guess that defining reasonable goals for a product must be one of the hardest tasks of engineering!
Well, they do have windows, in the sense of a private display which the application may put its UI into without other software interfering. It just happens that these windows are not resizable, full screen, and as a consequence are hard to close and can only be switched using the operating system’s task switcher. Which makes multi-window interfaces impractical. But those ought to disappear anyway.
And although they do not have a mouse, they still have pointer-based UIs. Only this time, the pointer is a huge greasy finger instead of being a pixel-precise mouse, so hovering actions must not be a vital part of the UI, and controls must be made bigger to be usable. Since controls are bigger and screens are smaller, fewer controls can be displayed at once, and some controls must either go or be only accessible through scrolling. But this does not have to be fully done by hand, UI toolkits could do a part of the job if the widget set was designed with cross-device portability in mind…
Edited 2011-11-06 16:38 UTC
I’m not sure if you are aware of how the black hat industry works. Make no mistake, this is a multi-million dollar industry. There are people out there that make a living out of it. There are people who do nothing all day but find these zero-day bugs. And when they find them, they sell them on the black market, for hundreds or thousands of dollars. These aren’t the kinds of bugs that come to light by patches. The black hat industry has moved beyond that. These are bugs that aren’t known by their respective vendors and aren’t patched in any of their products. This information is then bought by malware writers, who exploit them in their malicious code for keylogging, botnets, whatever. There’s not a hair on my head that thinks black hats are not capable of writing Stuxnet-like functionality. Don’t underestimate these guys, they’re way smarter than you think.
Opening safe files is an option you can turn off and on in the options; it also works with zip files.
True. On a Mac, .pkg/.mpkg packages do that. They actually are little more than a bundle of archive files and some XML data to describe its contents. It supports scripting, resources, …
It’s an interesting train of thought, but I still think there would be a lot of human design-based decisions to be made for the different devices, and I don’t know if the net gain of letting the computer do this would be greater than just redesigning the UI yourself, especially on iOS devices, where it’s trivial to set up a UI.
It has to have the functionality to support the use cases for the device. Everything else is just clutter. After defining the goals of your app, you need to design the practical implementation of the functionality. As a user, I really appreciate it when a lot of thought has gone into this process. Some UIs are basically displays of underlying functionality. These tend to be very tedious and time consuming to work with. There are others which actually take the effort to make the translation between a simple user interaction and the underlying technology. A lot of thought can go into the process of trying to come to grips with how these interactions should present themselves to the user, and in some cases, it takes an order of magnitude more effort than it takes to actually write the code behind it.
You’re looking at it from a developer perspective, I’m looking at it from a user perspective. As a user I don’t care if there’s a windowing technology behind it or not. I don’t see it, I don’t use it, so it doesn’t exist. Desktop computers have windowing functionality (the classic Mac OS even had way too much of it). There are more differences than that. Some popups, like authorizations, are modal, some others, like notifications, are non-modal. The way they display these things is different as well. But these are just individual elements, and in the grand scheme of things, trivialities.
Try to think a little bit further than the practicalities of the UI elements and think about the overall user experience instead of the engineering challenges. Good tablet apps are laid out differently than good desktop apps. This is not a coincidence. Some of those differences are based on the different platform characteristics, as you mentioned. But other reasons have to do with the fact that the use cases for these apps differ greatly. I’m convinced that when you are designing UIs, you have to start from the user experience and define these use cases properly to be able to come to an application design that’s truly empowering your users.
I don’t think that black hat guys are stupid or not capable of pulling off top-quality exploits. For all I know, Stuxnet may just have been the American government hiring some black hats. But it is a fact that the more information about an exploit spreads, the more likely it is to reach the ears of developers, who will then be able to patch it.
So if a black hat has a high-profile, Stuxnet-like exploit at hand, won’t he rather sell it for a hefty sum of money to high-profile malware editors which will then use it to attack high-profile targets, than sell it for the regular price to a random script kiddie who will use it to write yet another fake antivirus that displays ads and attempts to steal credit card information?
Indeed, these are relatively close to what can be found on Linux. Now, personally, what I’d like to see is something between DMGs and this variety of packages. A standard package format which does not require root access for standard installation procedures and has an extremely streamlined installation procedure for mundane and harmless software, but still has all the bells and whistles of a full installation procedure when it is needed.
Oh, sure, I’m not talking about making UI design disappear, just changing a bit the balance of what’s easy and what’s difficult in it in favor of making software work for a wider range of hardware and users.
Adopting a consistent terminology, designing good icons, making good error messages, avoiding modals like pest, many ingredients of good UI design as it exists today would remain. But making desktop software scale well when the main window is resized or designing for blind people would be easier, whereas a price for this would be paid in terms of how easy it is to mentally perceive what you are working on during design work, making good IDEs even more important.
This is not as trivial as you make it sound, though. Sometimes, the same use cases can be supported with more or less functionality, and there is a trade-off between comfort and usability.
Take, as an example, dynamically resizable arrays in the world of software development. Technically, all a good C developer needs in order to do that is malloc(), free() and memcpy(). But this is a tedious and error-prone process, so if resizing arrays is to be done frequently (as with strings), stuff which abstracts the resizing process away such as realloc() becomes desirable.
But that was just a parenthesis.
Well, we totally agree that UI design really is tedious and important stuff, and will remain so for any foreseeable future.
By this logic, a huge lot of computer technology does not exist, until the day it starts crashing or being exploited, out of being treated as low-priority because users don’t touch it directly.
More seriously, I see your point. Mine was just that if you took a current desktop operating system, set the taskbar to auto-hide, and used a window manager which runs every app in full screen and doesn’t draw window decorations, you’d get something that’s extremely close in behaviour to a mobile device, and all software which doesn’t use multiple windows wouldn’t need to be changed a tiny bit. So full screen windows are not so much of a big deal as far as UI design is concerned, in my opinion.
And mobile OSs have modal dialogs and notifications too. No, seriously, I don’t see what’s the deal with windows on mobile devices. AFAIK, the big differences, as far as UI design is concerned, is that there is a very small amount of screen estate and that touchscreens require very big controls to be operated. But you talk about this later, so…
And this is precisely an area where I wanted to go. Is there such a difference in use cases between desktops and tablets? I can use a desktop as well as a tablet to browse the web, fetch mail, or play coffee-break games. And given some modifications to tablet hardware, such as the addition of an optional stylus, and the addition of more capable OSs, tablets could be used for a very wide range of desktop use cases.
Now, there is some stuff which will always be more convenient on a desktop than on a tablet, and vice versa, because of the fundamental differences in hardware design criteria. But in the end, a personal computer remains a very versatile machine, and those we have nowadays are particularly similar to each other. Except for manufacturers who want to sell lots of hardware, there is little point in artificially segregating “tablet-specific” use cases and “desktop-specific” use cases. That would be like turning laptop owners who play games in derision because they don’t have “true” gaming hardware, which I hope you agree would be just wrong. Everyone should use whatever works best for them.
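The dynamic-array “parenthesis” a few comments up contrasts the manual malloc()/memcpy()/free() dance with realloc(). The following is an added example, not code posted by anyone in this thread: a small growable int vector written both ways, with the two defects that usually turn such code into a memory-safety bug guarded against, namely integer overflow in the size computation before allocating, and overwriting the only pointer to the old block when realloc() fails. All names (intvec, next_cap, intvec_demo) are this example’s own.

```c
/* Added example: a growable array in C, once "by hand" (malloc + memcpy +
 * free) and once with realloc(). Both paths share one capacity function
 * that refuses to grow when the byte count would wrap around. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int *data;
    size_t len;   /* elements in use */
    size_t cap;   /* elements allocated */
} intvec;

static void intvec_init(intvec *v) { v->data = NULL; v->len = 0; v->cap = 0; }
static void intvec_free(intvec *v) { free(v->data); intvec_init(v); }

/* Next capacity (8, then doubling). Returns 0 if either the element count
 * or the resulting byte size would overflow size_t: a wrapped size gives a
 * tiny allocation that the later copy then writes past. */
static size_t next_cap(size_t cap) {
    size_t want = cap ? cap * 2 : 8;
    if (want < cap) return 0;                     /* cap * 2 wrapped */
    if (want > SIZE_MAX / sizeof(int)) return 0;  /* bytes would wrap */
    return want;
}

/* Manual resize: allocate a new block, copy the live part, free the old.
 * Tedious, as the post says, but correct once the arithmetic is checked. */
static int grow_manual(intvec *v) {
    size_t ncap = next_cap(v->cap);
    if (ncap == 0) return -1;
    int *nd = malloc(ncap * sizeof(int));
    if (!nd) return -1;
    if (v->len) memcpy(nd, v->data, v->len * sizeof(int));
    free(v->data);
    v->data = nd;
    v->cap = ncap;
    return 0;
}

/* realloc() resize: the library moves the data. Keep the result in a
 * temporary; writing `v->data = realloc(v->data, ...)` leaks the old block
 * and leaves len/cap describing memory you no longer own when it fails. */
static int grow_realloc(intvec *v) {
    size_t ncap = next_cap(v->cap);
    if (ncap == 0) return -1;
    int *nd = realloc(v->data, ncap * sizeof(int));
    if (!nd) return -1;
    v->data = nd;
    v->cap = ncap;
    return 0;
}

static int intvec_push(intvec *v, int x, int use_realloc) {
    if (v->len == v->cap) {
        int rc = use_realloc ? grow_realloc(v) : grow_manual(v);
        if (rc != 0) return -1;
    }
    v->data[v->len++] = x;
    return 0;
}

/* Push 0..n-1 with either strategy and return the sum of what was stored,
 * so the behaviour can be checked without exposing the buffer. -1 on error. */
long intvec_demo(size_t n, int use_realloc) {
    intvec v;
    intvec_init(&v);
    for (size_t i = 0; i < n; i++) {
        if (intvec_push(&v, (int)i, use_realloc) != 0) { intvec_free(&v); return -1; }
    }
    long sum = 0;
    for (size_t i = 0; i < v.len; i++) sum += v.data[i];
    intvec_free(&v);
    return sum;
}

/* Expose the overflow guard so it can be exercised on its own. */
size_t intvec_next_cap(size_t cap) { return next_cap(cap); }
```

The realloc() path is shorter, but note that it is not safer by itself: it still needs the overflow check before computing the byte count, and the temporary-pointer idiom on failure, which is where most real-world bugs in “resize” code live.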
I don’t think Android exploits are really that “high profile” and if there’s money to be made, I don’t think blackhats really care about what profile it has. It’s all about return on investment. The more of the same systems there are in the market, the more interesting an exploit becomes, since your attack surface increases by a great margin.
To give you an example: Suppose I’m a malware writer, and I write a worm that at a certain night every month at 2 am, silently calls an overseas toll number, allowing me to collect $1 from the call. I wrote the app, but I need some clever exploits to insert it into the system. Suppose it’s not one hack but a collection of pretty neat hacks, and after shopping around, it sets me back $25K to have them. Then I write the worm and release it, and it’s able to infect a little 100,000 smartphones. Since the call is sporadic and it only costs a couple of dollars, it’s improbable that people will discover it right away. Hardly anyone checks every call every month. So over the course of a year, I collect a cool 5.8 million dollars. Say people check their bill once every few months and 1% discovers it every month, that’s still $3.8M. Say 4% check it every month, that’s still $1.3M. Still quite a nice investment. Say the exploit costs me 5 times as much, or even 25 times as much, it’s still a nice investment. I don’t know if the numbers are realistic because I’m not a black hat, I just wanted to show what kind of potential a dominating smartphone platform has.
I’m not quite sure what you mean with “between” the two. A .dmg is a virtual disk file describing the content of a disk volume, a .pkg is an installation description for a bill of materials that is read by an application and executed. Both can be combined with each other. .pkg files are scriptable, extensible with programming, and combinable into metapackages. You can make them as simple or as complicated as you like. You can specify in your .pkg if the application requires authentication or not. If you’re just installing in a user’s home folder, you can do so without authentication.
The best user interaction designs are often the ones that have a novel way of doing things and an ingenious simplicity. Take the iPod, for example. The click wheel is an inherently simple design, much simpler than having buttons. It’s still a lot faster to navigate around your device than it is with buttons, although buttons are more complicated.
I think they are. UIs aren’t flat surfaces. Every good UI has depth. The important things are on the surface of the UI, the less important stuff is tucked away deeper. A good UI balances what needs to be where on the frequency of the use case. If manipulations are many, you better make it obvious on the surface of the UI. If it’s infrequent, it’s better to tuck them away deeper, so it’s not in the way to clutter with the important stuff. Although our post-PC devices do similar things, I think their use cases can differ greatly, because of circumstantial characteristics. So I think to tune them well towards their intended use, their UIs need to be different as well. I’ll give you some examples:
Consider mail. When I’m using mail on my desktop, I want to have all the tools at my fingertips to be able to be most productive in my mail client. All the “power tools”, like sorting, moving and labeling my email, advanced editing functionality,… need to be right where I want them. A smartphone does mail too, but that’s just about where the similarities end. Email on a smartphone is more a way to keep you up-to-date on your inbox, and shoot the occasional short reply if things can’t wait. No sane person is going to do lengthy emails on their smartphones or do mailbox maintenance, that stuff’s just way too tedious on a tiny screen. Now tablets are somewhat in the middle between smartphones and desktop computers, but I still don’t think people will want to do a lot of mailbox management on a tablet, because it’s still too tedious. A tablet is more something to take with you when you’re on the move or in the couch and when you need more comfort while doing email and you tend to do more than just skimming your inbox and typing a short reply. So the use case for mail on a tablet will be somewhere between those of smartphones and PCs. You’ll want a couple of features more than on a smartphone, but less than on a desktop.
Another example is the Garageband application. Garageband is a sequencer which has shipped with Macs for a while now, and has a version for iPad and now iPhone. The mobile versions are essentially a visual multitrack recorder with extras thrown in. The desktop version is more of an editing, polishing and export tool. So you can record your jams on your iPhone or iPad, transfer your recordings to your desktop computer, clean it up and export it. This “software on a standardized platform replacing dedicated appliances” approach works really well to turn the post-PC devices into truly versatile tools. Controlling virtual appliances with a mouse has always been awkward but they make a lot more sense on a post-PC device. The biggest mistake one could make in terms of the tablet form factor is to look at it as a PC in a frame. We both know that technically, that’s what it is. But it’s this technical myopia that has caused tablets to be a dud in the marketplace and not to come forward with a compelling solution until the iPad came along.
Hence there should be more phone OSs which are better designed to make the task harder and reduce the return on investment!
Hah, if only ARM stuff was based on a standard and open platform like x86/PC… People have no problem with trying new OSs on phones or tablets yet, so that would be a great chance for alternative OSs…
Well, on the Mac platform, DMGs are typically used for simple software which can be installed through a mere drag and drop in the Applications folder, whereas PKGs are here for the more sophisticated installation stuff (plugins, system components, file associations…)
I wish there was something that was as straightforward as or simpler than DMGs for everyday software, but still flexible enough to adapt itself to more sophisticated use cases.
Really? Guess not many developers are aware of this possibility, because I don’t think I’ve ever met a PKG which didn’t require typing in a root password, in the default OSX user account setup where users can freely move stuff inside of the “Applications” folder…
Heh. There you are talking about the dying breed of specialized devices which are carefully tailored towards a specific goal. I agree that very nice stuff can be made this way, as every coffee machine out there can attest, but as time passes these devices tend to be “swallowed” by more general-purpose devices which achieve more functionality at the same financial cost, even though usability is sacrificed a bit…
What if UI designers took some time to explain this balance to the machine, for example by numerically quantifying the “usefulness” of each control, so that they can be tucked deeper automagically as screen size is reduced and they begin to take too much screen estate with respect to the benefit they bring? This early build of the Office Ribbon shows how it could work in practice: http://www.sunflowerhead.com/msimages/RibbonScaling.wmv
A similar strategy could also be applied at a second level, to remove functionality from the UI altogether when even hiding it in the depth of nested menus makes the whole UI too complex…
Well, on a desktop, I use Thunderbird for e-mail, because I like its streamlined interface: http://imageshack.us/photo/my-images/827/67647447.png/
If I wanted to make this work on a tablet, here’s a list of stuff which I would start with:
-> Remove window decorations
-> Replace the menu bar with a toolbar-activated menu that fills the whole screen.
-> Depending on screen estate, replace the flat 3-part folder selection/mail selection/mail display layout with a 2-part layout with folder selection -> mail selection drill down on the left and mail display on the right, or a full screen folder selection -> mail selection -> mail display drill down.
-> Hide stuff which is not frequently used in the folder selection behind a “more…” option, and increase control size for touchscreen friendliness
-> Reduce the amount of sorting criteria in mail selection, and remove sorting altogether if the display is too small
-> Displace the toolbar to the bottom of the screen for better finger accessibility.
-> Hide status bar when nothing is happening, hide tab bar when multiple tabs are not shown.
At this level, I think we’d already get a pretty nice tablet app, and I don’t think anything I’ve mentioned so far couldn’t be done by a machine with a bit of help from the UI designer, as far as deciding which optimization should be applied first and when each optimization should be applied is concerned.
But then how about seamlessly using tablets as extra displays for virtual appliances when editing a mix on the desktop box? Or doing some quick editing on the go before perfecting the mix at home? This way, you’d get the comfort of a tablet for virtual appliance control and portability, and the number-crunching power and heavy peripherals of a home studio desktop for the heavy-duty work.
Well, sorry for being stubborn, but again I wonder if people have tried hard enough. A tablet will never run software designed for mouse input well, even with a stylus, but software which was designed to be cross-platform to begin with… Why not ?
ARM as a platform is more open than x86; since you can license the CPU design from ARM Holdings and go bake your own processor if you want to. Someone ported Android to the iPhone a while ago, but as far as I remember there was still a lot of breakage so it wasn’t really usable.
You can always build a self-installer in your application to install the necessary components when you launch the application for the first time. Office for Mac takes this approach.
I’ve built installers in the past without this. It’s just a matter of editing the XML file. You can even build installers with bash scripting by replicating the appropriate structures and using the command line archiving tool to make the bill of materials. I’ve made auto package scripts like this in the past. The structure of packages is quite open (they’re basically just bundles) and the required files are human readable XML so it’s quite trivial to do.
Applications can equally be “carefully tailored towards a specific goal”. Applications can act like virtual devices just like the specific device; with touch, this works really well. With a mouse they’re awkward to use.
You’re the wrong guy to talk to about the Ribbon as I’m not a big fan of it, I think it’s a clunky way of doing things.
If I remember correctly there’s already an app for extending your display. 🙂 You can run an app on the tablet and use it as an extra display to extend your desktop. Now if one had dedicated software which would allow for touch based plugins on the tablet to work seamlessly with the main app on the desktop, that would give way to some really interesting applications.
You can already edit in Garageband on iOS of course. Handy for throwing away a track which you know to be shitty. I just don’t see a lot of people doing their mastering on a tablet though.
You’d still trade off a certain level of potential which makes the tablet a better way of doing things than the mouse-driven desktop. It might be beneficial for a tablet version of a business app.