App Store changes on June 1 should have minimal impact

On June 1, Apple will begin enforcing sandboxing requirements for all applications distributed through its Mac App Store service. If you've purchased applications from the Mac App Store, you can expect updates to become available in the next week or two.

Sandboxing is a security measure that restricts applications from unintended resource access. When enabled on an application, the default sandbox gives a program no access to any resources. Developers then enable Apple-supplied entitlements for the sandbox that allow access to printing, the network, and filesystem reading and writing, and other features so their program can work properly. The program running within this sandbox will then make use of these specific resources that are now available to it.

With this setup, if a program crashes, is hacked, or has bugs, then the system can better isolate problematic behavior and keep the program from modifying or accessing data in unintended ways. While a bit of a burden to developers, sandboxing is ultimately a benefit to those who use these applications in OS X.

There is no requirement that mandates an application be sandboxed in order to run in OS X; however, for the security of its App Store customers, Apple is mandating that all applications distributed through the store have sandboxing enabled. The new review process for App Store submissions that will be enabled on June 1 will ensure all applications not only have sandboxing enabled, but also use a conservative entitlement rule set so the program can do what it was built for, and no more.

Apple initially set its sandboxing requirement for March 1, but new entitlement features and the lack of developer readiness had Apple push this date back to June 1, which is just more than 10 days away. As this date nears, the Apple developer community will be releasing updates to its applications in order to comply with the new standards, so expect them to become available in the next week or so.

Many people may have existing applications purchased through the App Store, which are not yet sandboxed, and may wonder if the June 1 requirements will affect their programs if they do not update. Since Apple does not require programs to be sandboxed in order to run in OS X and only imposes a requirement for any new ones distributed through its store, any current application that is not updated will continue to run just fine. The only problem here is you will not be able to maintain support for the non-sandboxed versions of the programs as development on them continues, unless the developer provides builds outside of the App Store.

Conversely, people might wonder what will happen if they do update to a sandboxed version of their favorite programs. For the most part the change will be behind the scenes and have no effect on the application's performance or abilities; however, this may not be true in all cases. There are some reports that Apple's sandboxing rules may restrict features like hot keys and the ways some programs communicate with others. Therefore, in some instances developers will have to implement new behaviors for their programs, or not include features they otherwise might implement.

For example, the popular text editor "TextWrangler" contains a feature called "Authenticated saves" where you can authenticate as another user such as the system root to modify documents not owned by your account (this is a great feature for system admins and troubleshooters and allows you to modify system property lists and other configuration files). Unfortunately the App Store requirements prevent this feature from being available for the program downloaded via the store, so if you want this feature you will need to download the non-sandboxed version from the developer's Web page.

In TextWrangler's case, the program has already complied with the App Store requirements before the June 1 deadline, but others that have not may be updated in the near future, and if there is the rare conflict between the program's existing features and the OS X sandboxing policies, then you might see some changes or disabled functions until the developer can implement a workaround.

These sandboxing requirements from Apple are another step it is taking to enhance OS X security, an aspect of the OS for which Apple has received recent criticism. Many of the security problems seen on computing platform with malware and other hacking attempts happen when outdated and unprotected software is allowed to run after vulnerabilities are found. Sandboxing should help prevent exploits of such vulnerabilities from affecting more than the program itself. However, we will have to see how the more widespread adoption of Sandboxing pans out.

So far only a few of Apple's programs have been sandboxed (specifically TextEdit and Preview), and we have seen several instances where these programs have not behaved properly either by causing odd crash dialogs or by improperly flagging edited files. After June 1, if you update a program and are experiencing similar odd problems with it not performing as it used to (saving files or settings, or accessing features), then it may be from the sandboxing routines. While such problems will likely not be widespread, there is the possibility they may happen.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.