Re: Sandboxing die.die.die
- Subject: Re: Sandboxing die.die.die
- From: Graham Cox <email@hidden>
- Date: Thu, 23 Aug 2012 11:06:06 +1000
On 23/08/2012, at 10:45 AM, Todd Heberlein <email@hidden> wrote:
>> Where life is made difficult is with more general access to the file system, which is a perfectly legitimate thing to do. A user stores various media all over the file system and there is no reason why an app shouldn't have access to it.
>
> Except this is how cyber espionage works.
>
> The "Pretty Girls" calendar application is a Trojan horse that, upon reaching a certain date (i.e., after it is approved by Apple), starts reading your Word/Pages documents and exfiltrating them off the system.
Understood, but this is the problem with security in general - how to make something secure without inconveniencing legitimate use. It's a hard problem; look at how appalling airport "security" is for the 99.9999999% of legitimate users.
I'm not sure what the solution is, but I do feel that sandboxing as it has been implemented is a poor solution because it is inconveniencing legitimate use (and I mean use, not development, which is SERIOUSLY inconvenienced). Suddenly legitimate users who manage all their photos with iPhoto cannot quickly access those photos with our app because our app cannot access iPhoto's media. They are inconvenienced - they have to find some other way to get their photos into our app. It makes our app less useful than before.
I can't see how penalising these legitimate users to counter a hypothetical threat is striking the right balance.
Once "Pretty Girls" is detected for what it is, its certificate can be revoked and the problem gradually solves itself. If in the meantime the user had experienced data loss or damage then they should have known better than to trust the skanky app in the first place. Obviously that's not ideal but give me common sense over the Gulag any day. Note that because "Pretty Girls" got past Gatekeeper, they were probably MORE likely to trust it than if they had just exercised a sensible amount of caution in the first place. Gatekeeper is like the front door to your house, except automated to let anyone in who waves the right credentials at it. Then they're in your house. In real life I'd prefer to take a look at that person and decide for myself whether they can be trusted. I might get it wrong, but it was my decision. For social engineering attacks, like "Pretty Girls", the only solution is user education.
--Graham
Cocoa-dev mailing list (email@hidden)