Tuesday, January 8, 2013

LuckNews is a Signed and Sandboxed application. What does that mean?

This article is a little technical and provides some insight into the technology Apple is providing in order to make their platform more secure.  I'm publishing this article in order to make my customers more comfortable in running applications they download from the Apple App Store, including LuckNews.

In order to publish application on the Apple App store, Apple requires that the applications be signed and that they "run in a sandbox."  What does that mean and why are they enforcing these requirements?

If you have been using computers for a while you will be aware of the problem with computer viruses and malware.  I won't go into any detail about these pieces of software aside to mention that they are bad and you want to avoid downloading them.  The Apple platform has generally avoided most of the virus and malware problem - this has largely been a Windows issue.  However, time moves on and the developers of these corrupt pieces of software continue to advance.  Apple clearly wants to stay ahead of the game by trying to make their platform more secure, hoping to avoid the problem in the future as well as they have done in the past.

The two pieces, signing and sandboxes, are related in that they provide for a more secure environment, although the problems they address are separate.  I'll take each one in turn.

Application Signing.  Apple requires that all applications submitted to the App Store be code signed by their developers.  Signing is a process that results in your knowing that the application you are running is exactly the same application the developer submitted to the store.  Signing an application is a process where a strong cryptographic signature is calculated for all of the different pieces of the application and recorded in the application bundle.  For example, there are more than 20 files that make up the LuckNews application and each of them has a cryptographic signature stored in the application bundle.  What this mean is that once an application is signed the operating system is able to compare the application as it exists on your system with the signatures and if any single byte has been modified it will know and refuse to run the application.  This means that nobody is able to modify the application in-between the developer publishing it and your running it.  If a file is modified the application and signatures won't match and the application will refuse to run.  If someone tried to remove all the signatures the application will refuse to run.  Essentially - if the application is modified at all, the operating system won't run it.  If the application is properly signed (and all App Store apps are), and it runs, then you (and I) know it has not been modified.  The signature also identifies the developer.  Once an application is signed Apple would be able to trace the application back to the developer who signed it which means anonymous developers can't get software onto your system (unless you explicitly allow unsigned applications to run, which is not the default setting.)

This is cool.  If you only run properly signed applications then you know no third party has been able to get into the middle of the process and modify a program in some manner the developer did not intend.  I want to write the most stable and safe programs I am able, and code signing makes me feel good in that if an application has my signature on it, I know it hasn't been modified by anybody else.

Running in a Sandbox.  The second piece of the puzzle answers the question: Ok, I know you wrote the program and it hasn't been modified, but how do I know it won't wipe out my system anyway?  Applications that run in a sandbox run in a constrained environment where they have limited access to the system.  A sandbox is a special directory that has a name related to the application.  (Look in your home directory for the Library/Containers directory, this is where the sandboxes reside.)  The sandbox directory contains all the files the application is able to directly access without your explicit permission.  The sandbox is where LuckNews stores its RSS Subscription list and the Article contents.  Anything outside of the Sandbox, which includes the whole rest of the system, is not accessible by LuckNews unless you give it permission via the Open or Save File dialogs.  This means that if some malicious developer signed an application and you ran it thinking it was safe, as long as it ran in a sandbox (i.e. was downloaded from the App Store) it would not be able to alter your files or read them and send them across the network - it just doesn't work and this is enforced at the Mac OS kernel level.

The sandbox is designed to limit the damage an application is able to do, either accidentally or by intent.  LuckNews runs with two sandbox exclusions, called entitlements: it can access the network and it does so in order to update its RSS/Atom subscriptions, and secondly it is able to access files outside of the sandbox as long as you have allowed this via the Open or Save File dialogs.  For example, LuckNews is not able to access the camera, your photos, music, movies, address book, calendars, bluetooth, firewire, microphone, USB or your location (the actual list is longer, LuckNews is very constrained.)  Some applications can do those things as that makes sense for some applications, but in order to get outside the sandbox the developer needs to explicitly request the capability required and this request is reviewed by Apple to ensure that it makes sense.  The capability is encoded into the application and is therefore covered by the application signature which enforces that the capabilities not change.

LuckNews performs a very limited set of file and network operations, and I have been careful in its development.  However it essentially contains an entire web browser - when viewing news articles I am  using a large piece of software that I didn't write, which is included and supported by Apple, that you use when running Safari, but which must be multiple millions of lines long.  If something in that software decided to go berserk and try to attack your system (this is extremely unlikely, I only raise it as an example,) it wouldn't be able succeed in an attack as the sandbox limits the files it is able to access to only the files you allow via the Open and Save file dialog.  That is pretty cool.

I generally like the sandbox constraint, although it does make developing some applications difficult.  This can be seen for example in how LuckNews accesses old RSS Subscriptions that may may be present in the Mail application before an upgrade to Mountain Lion (10.8.)   In the old days, when I wrote that feature it would be an easy matter to simply test for the presence of the old RSS subscription files and if they were present offer to import them into LuckNews.  However, since these files reside outside of the LuckNews sandbox, I am not able to perform that test.  This meant that I had to find another way to solve the problem which is the rather awkward approach where you are presented with an Open File dialog and you need to navigate to the proper directory - this is how LuckNews obtains permission to read those files.  Please try to see the positive in that awkwardness (the sandbox working to ensure your safety) rather than its lameness.

In summary:
  • signing ensures that the application you run is the application I worked on and published
  • the fact that an applications run in a sandbox should give you comfort in that the application is not able to exceed the restricted set of permissions set up by the operating system, unless explicitly requested by the developer and approved by Apple.  
The first is straightforward 100% awesome, the second can be awkward but is generally good, in my opinion.

Hopefully these technologies will keep the Mac free of viruses and malware for many years to come.

No comments:

Post a Comment