Despite a number of cogent arguments against it, and despite Mac developers speaking up about the policy, Apple is going through with the requirement that apps in the Mac App Store be sandboxed. Initially set to go into effect this month, the deadline has been moved to March 1, 2012. Does Apple really know better than independent developers here, or is it just being a bully in its own sandbox?
The basic concept isn’t bad: Apple wants to restrict applications to a “sandbox” that limits their access to system resources, as a security measure. If applications distributed through the Mac App Store are compromised, it limits the damage they can do to a user’s machine.
So this sounds good in theory, but it’s tying the hands of a lot of developers in terms of being able to distribute through the App Store. But is it actually going to work, is it necessary and will there be more restrictions down the road for apps not in the App Store?
What’s Restricted
Apple is restricting most things by default, and only giving developers “entitlements” to a limited set of system resources. This includes things like access to a user’s movies, iTunes folder, built-in microphone and/or camera, the Downloads folder, address book, calendar and so on. Essentially, the resources that Apple’s powers that be have determined to be of most interest and valid targets for developers.
Note that all of these resources are “entitlements,” which means that developers have to request access to them. It’s not up to the user; the request has to pass muster before an app ships through the Mac App Store. More on that in a moment.
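To make the entitlement model concrete, here is an added example (not from the original article or from Apple) that reads an app's entitlements property list and reports which of the resources listed above it requests. The keys are Apple's App Sandbox entitlement keys; the sample plist is constructed, and `review_entitlements` and its `expected` set are hypothetical names for a reviewer's own check.

```python
import plistlib

# Apple's App Sandbox entitlement keys for the resources named above.
RESOURCE_KEYS = {
    "com.apple.security.assets.movies.read-only": "Movies folder (read)",
    "com.apple.security.assets.movies.read-write": "Movies folder (read/write)",
    "com.apple.security.assets.music.read-only": "Music/iTunes folder (read)",
    "com.apple.security.assets.music.read-write": "Music/iTunes folder (read/write)",
    "com.apple.security.device.microphone": "built-in microphone",
    "com.apple.security.device.camera": "built-in camera",
    "com.apple.security.files.downloads.read-only": "Downloads folder (read)",
    "com.apple.security.files.downloads.read-write": "Downloads folder (read/write)",
    "com.apple.security.personal-information.addressbook": "address book",
    "com.apple.security.personal-information.calendars": "calendar",
}
SANDBOX_KEY = "com.apple.security.app-sandbox"

# Constructed sample: entitlements of a hypothetical sandboxed game.
SAMPLE_GAME = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.device.microphone</key><true/>
  <key>com.apple.security.personal-information.addressbook</key><true/>
  <key>com.apple.security.device.camera</key><false/>
</dict></plist>"""

def review_entitlements(plist_bytes, expected):
    """Return (sandboxed, requested, unexpected) for one entitlements plist.

    `expected` is the reviewer's own set of keys the app's purpose justifies
    (a hypothetical allowlist, not something Apple defines).
    """
    ents = plistlib.loads(plist_bytes)
    sandboxed = ents.get(SANDBOX_KEY) is True
    # Only keys set to true grant access; a false value grants nothing.
    requested = sorted(k for k in RESOURCE_KEYS if ents.get(k) is True)
    unexpected = [k for k in requested if k not in expected]
    return sandboxed, requested, unexpected

if __name__ == "__main__":
    ok, requested, unexpected = review_entitlements(
        SAMPLE_GAME, expected={"com.apple.security.device.microphone"})
    print("sandboxed:", ok)
    for key in requested:
        flag = "UNEXPECTED" if key in unexpected else "ok"
        print(f"  {flag:10} {key} -> {RESOURCE_KEYS[key]}")
```

On a Mac, the plist for an installed app can be dumped with `codesign -d --entitlements :- /path/to/App.app` and fed to the same function.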
Pauli Olavi Ojala works on Conduit and Radi. Today he writes about the problems with the Mac App Sandbox and the kind of applications it will limit. According to Ojala, it will prohibit all manner of applications and plugins being distributed via the app store. (Plugins because they’d need to be placed in another app’s container or directory structure, which is already a no-no.)
If an application wants access to, say, the Thunderbolt port? Nope, that’s not allowed. It also means that backup software isn’t allowed in the App Store, obviously. It will, of course, rule out apps like VMware’s Fusion or Parallels. Of course, a lot of applications are already locked out of the App Store.
Dumb and Dumber… Apps
Even the “entitlements” that Apple has carved out are not guaranteed to developers. I see this as both good and bad. Having Apple as the arbiter of whether you can access a system resource or not is sub-optimal when developers have a legitimate need to access that resource. Then again, there’s legitimate concern that some shops will ship software that goes peeking into corners that it shouldn’t. Does a game need access to my contacts? Does a productivity app really need access to my microphone or camera?
But Apple’s vision here seems to be a world of apps that don’t and can’t really talk to one another and that’s, well, not optimal. As Andy Ihnatko writes about not being able to interact with the Preview app: “why on Earth wouldn’t Apple’s own utility for viewing, modifying, and converting images and PDFs be a superstar of scriptable apps?!?” Why indeed?
I’m wondering if, for instance, applications like Evernote will have to be pushed out of the App Store – or completely hobbled to live in it. Evernote is a pretty popular app on Mac OS X. One of the best features of Evernote is the ability to grab Web pages. Evernote kind of has to “talk” to the other apps to be able to do that.
If Ojala is right, Evernote wouldn’t even be able to take screenshots. At all. There’s no entitlement for that.
Security Theater
All of these restrictions remind me a bit too much of the security rules for flying today. Only 3 ounces of liquid. No nail clippers. And so on. But you can buy a couple of bottles of high-proof alcohol (that would make for excellent weapons) in the duty free and take them on the plane.
So there are a lot of applications out there that can be exploited, and what’s the protection from those? Worse, what’s the protection from applications that are malware in the first place?
Apple’s Way or The Highway
To sum up, Apple has gotten a lot of its users used to finding software via the App Store. First via iOS, then with the Mac App Store. Then the company has steadily tightened restrictions and grabbed for more revenue for the apps distributed via the iOS App Store.
Now the company is essentially dumbing down the applications that can be distributed via the App Store. I really have to wonder whether there will be a day when Mac OS X is like iOS: The only way to install applications on a stock system will be through the App Store.
I’m trying to avoid looking at this as a black and white issue, because it’s not as simple as “restrictions bad, freedom good.” As we’ve seen with Android, developers can and do abuse app stores. Having a gatekeeper is not always a bad thing. But this tips the scales. Apple is being overly restrictive, at least as far as I’m concerned.
We no doubt have quite a few Mac users and developers in the audience: What do you think about the new rules? Is Apple getting it right, or should they back off?