There are currently over 1.2 million apps available in both the Google Play and Apple App stores (the respec- tive o cial marketplaces for the Android and iOS operating systems)1, 2. Our research provides two large-scale analysis tools to aid in the detection and analysis of mobile malware. Then again newer OS X releases, such as El Capitan, sandbox apps that come from the App Store. If you download from the web, the app may or may not sandbox itself. Not the same as sandboxie, but OS X and Windows are different worlds. Apple will require all Mac App Store apps to implement sandboxing restrictions by next March. The goal is increased security and a simpler interface. But these potential advantages come with costs.
The specific steps you take to adopt App Sandbox are unique to your app, but the access control mechanisms used by App Sandbox to protect user data remain consistent:
The Need for a Last Line of Defense
You secure your app against attack from malware by following the practices recommended in Secure Coding Guide. But despite your best efforts to build an invulnerable barrier—by avoiding buffer overflows and other memory corruptions, preventing exposure of user data, and eliminating other vulnerabilities—your app can be exploited by malicious code. An attacker needs only to find a single hole in your defenses, or in any of the frameworks and libraries that you link against, to gain control of your app’s interactions with the system.
App Sandbox is designed to confront this scenario head on by letting you describe your app’s intended interactions with the system. The system then grants your app only the access your app needs to get its job done. If malicious code gains control of a properly sandboxed app, it is left with access to only the files and resources in the app’s sandbox.
To successfully adopt App Sandbox, use a different mindset than you might be accustomed to, as suggested in Table 2-1.
Entitlements and System Resource Access
An app that is not sandboxed has access to all user-accessible system resources—including the built-in camera and microphone, network sockets, printing, and most of the file system. If successfully attacked by malicious code, such an app can behave as a hostile agent with wide-ranging potential to inflict harm.
When you enable App Sandbox for your app, you remove all but a minimal set of privileges and then deliberately restore them, one-by-one, using entitlements. An entitlement is a key-value pair that identifies a specific capability, such as the capability to open an outbound network socket.
One special entitlement—Enable App Sandboxing—turns on App Sandbox. When you enable sandboxing, Xcode creates a
.entitlements property list file and shows it in the project navigator.
Sandbox App Free
If your app requires a capability, request it by adding the corresponding entitlement to your Xcode project using the Summary tab of the target editor. If you don’t require a capability, take care to not include the corresponding entitlement.
You request entitlements on a target-by-target basis. If your app has a single target—the main application—you request entitlements only for that target. If you design your app to use a main application along with helpers (in the form of XPC services), you request entitlements individually, and as appropriate, for each target. You learn more about this in External Tools, XPC Services, and Privilege Separation.
You may require finer-grained control over your app’s entitlements than is available in the Xcode target editor. For example, you might request a temporary exception entitlement because App Sandbox does not support a capability your app needs, such as the ability to send an Apple event to an app that does not yet provide any scripting access groups. To work with temporary exception entitlements, use the Xcode property list editor to edit a target’s
.entitlements property list file directly.
Note: If you request a temporary exception entitlement, be sure to follow the guidance regarding entitlements provided on the iTunes Connect website. In particular, file a bug asking for the functionality that you need, and use the Review Notes field in iTunes Connect to explain why your app needs the temporary exception. Be sure to provide the bug number.
macOS App Sandbox entitlements are described in Enabling App Sandbox in Entitlement Key Reference. For a walk-through of requesting an entitlement for a target in an Xcode project, see App Sandbox Quick Start.
Container Directories and File System Access
When you adopt App Sandbox, your application has access to the following locations:
These policies are detailed further in the sections that follow.
The App Sandbox Container Directory
The app sandbox container directory has the following characteristics:
Thanks to code signing, no other sandboxed app can gain access to your container, even if it attempts to masquerade as your app by using your bundle identifier. Future versions of your app, however—provided that you use the same code signature and bundle identifier—do reuse your app’s container.
For each user, a sandboxed app’s container directory is created automatically when that user first runs the app. Because a container is within a user’s home directory, each user on a system gets their own container for your app.
The Application Group Container Directory
In addition to per-app containers, in macOS 10.7.5 and 10.8.3 and later, an app can use the
com.apple.security.application-groups entitlement to request access to one or more shared containers common to multiple apps produced by the same development team. The entitlement is an array of group identifier strings, each of which names a different group to which the app belongs. Group containers are intended for content that is not user-facing, such as shared caches or databases.
Note: Apps that are members of an application group also gain the ability to share Mach and POSIX semaphores and to use certain other IPC mechanisms in conjunction with other group members. See IPC and POSIX Semaphores and Shared Memory for more details.
An app’s sandbox is automatically enlarged to include all of the app’s group containers. The containers themselves are stored in
~/Library/Group Containers/<application-group-id> , where <application-group-id> is the name of a group, as specified in one of the entitlement’s group identifier strings. Group identifiers must begin with your development team ID, followed by a period.
Beginning in macOS 10.8.3, your app can obtain the path to a group container by calling the
containerURLForSecurityApplicationGroupIdentifier: method of NSFileManager with a valid group identifier.
Note: In macOS 10.9, calling this method creates the group container directory automatically, along with
Library/Preferences , Library/Caches , and Library/Application Support folders within that group container directory.
In previous versions, although the group container directory is part of your sandbox, the directory itself is not created automatically. Your app must create this directory as shown in Listing 2-1:
Listing 2-1 Creating an app group container directory
You should organize the contents of this directory in the same way that any other Library folder is organized, using standard folder names--Preferences , Application Support
The Sandbox Download For Pc, and so on—as needed.
For more details, see Adding an Application to an Application Group in Entitlement Key Reference.
Powerbox and File System Access Outside of Your Container
Your sandboxed app can access file system locations outside of its container in the following three ways:
Apple Sandbox
The macOS security technology that interacts with the user to expand your sandbox is called Powerbox. Powerbox has no API. Your app uses Powerbox transparently when you use the
NSOpenPanel and NSSavePanel classes. You enable Powerbox by setting an entitlement using Xcode, as described in Enabling User-Selected File Access in Entitlement Key Reference.
When you invoke an Open or Save dialog from your sandboxed app, the window that appears is presented not by AppKit but by Powerbox. Using Powerbox is automatic when you adopt App Sandbox—it requires no code change from the pre-sandbox version of your app. Accessory panels that you’ve implemented for opening or saving are faithfully rendered and used.
Note: When you adopt App Sandbox, there are some important behavioral differences for the
NSOpenPanel and NSSavePanel classes, described in Open and Save Dialog Behavior with App Sandbox.
The security benefit provided by Powerbox is that it cannot be manipulated programmatically—specifically, there is no mechanism for hostile code to use Powerbox for accessing the file system. Only a user, by interacting with Open and Save dialogs via Powerbox, can use those dialogs to reach portions of the file system outside of your previously established sandbox. For example, if a user saves a new document, Powerbox expands your sandbox to give your app read/write access to the document.
When a user of your app specifies they want to use a file or a folder, the system adds the associated path to your app’s sandbox. Say, for example, a user drags the
~/Documents folder onto your app’s Dock tile (or onto your app’s Finder icon, or into an open window of your app), thereby indicating they want to use that folder. In response, the system makes the ~/Documents folder, its contents, and its subfolders available to your app.
If a user instead opens a specific file, or saves to a new file, the system makes the specified file, and that file alone, available to your app.
In addition, the system automatically permits a sandboxed app to:
After a user has specified a file they want to use, that file is within your app’s sandbox. The file is then vulnerable to attack if your app is exploited by malicious code: App Sandbox provides no protection. To provide protection for the files within your sandbox, follow the recommendations in Secure Coding Guide.
By default, files opened or saved by the user remain within your sandbox until your app terminates, except for files that were open at the time that your app terminates. Such files reopen automatically by way of the macOS Resume feature the next time your app launches, and are automatically added back to your app’s sandbox.
To provide persistent access to resources located outside of your container, in a way that doesn’t depend on Resume, use security-scoped bookmarks as explained in Security-Scoped Bookmarks and Persistent Resource Access.
Related Items
The related items feature of App Sandbox lets your app access files that have the same name as a user-chosen file, but a different extension. This feature consists of two parts: a list of related extensions in the application’s
Info.plist file and code to tell the sandbox what you’re doing.
There are two common scenarios where this makes sense:
In both scenarios, you must make a small change to the application’s
Info.plist file. Your app should already declare a Document Types (CFBundleDocumentTypes ) array that declares the file types your app can open.
For each file type dictionary in that array, if that file type should be treated as a potentially related type for open and save purposes, add the key
NSIsRelatedItemType with a boolean value of YES .
To learn more about file presenters and file coordinators, read File System Programming Guide.
Open and Save Dialog Behavior with App Sandbox
Certain
NSOpenPanel and NSSavePanel methods behave differently when App Sandbox is enabled for your app:
In addition, the effective, runtime inheritance path for the
NSOpenPanel and NSSavePanel classes is different with App Sandbox, as illustrated in Table 2-2.
Because of this runtime difference, an
NSOpenPanel or NSSavePanel object inherits fewer methods with App Sandbox. If you attempt to send a message to an NSOpenPanel or NSSavePanel object, and that method is defined in the NSPanel , NSWindow , or NSResponder classes, the system raises an exception. The Xcode compiler does not issue a warning or error to alert you to this runtime behavior.
Security-Scoped Bookmarks and Persistent Resource Access
Your app’s access to file-system locations outside of its container—as granted to your app by way of user intent, such as through Powerbox—does not automatically persist across app launches or system restarts. When your app reopens, you have to start over. (The one exception to this is for files open at the time that your app terminates, which remain in your sandbox thanks to the macOS Resume feature).
Starting in macOS 10.7.3, you can retain access to file-system resources by employing a security mechanism, known as security-scoped bookmarks, that preserves user intent. Here are a few examples of app features that can benefit from this:
Two Distinct Types of Security-Scoped Bookmark
Security-scoped bookmarks, available starting in macOS 10.7.3, support two distinct use cases:
Using Security-Scoped Bookmarks
To use either type of security-scoped bookmark requires you to perform five steps:
The first step in the preceding list, requesting entitlements, is the prerequisite for using either type of security-scoped bookmark. Perform this step as follows:
You can request either or both of these entitlements in a target, as needed. These entitlements are available starting in macOS 10.7.3 and are described in Enabling Security-Scoped Bookmark and URL Access.
With the appropriate entitlements, you can create a security-scoped bookmark by calling the
bookmarkDataWithOptions:includingResourceValuesForKeys:relativeToURL:error: method of the NSURL class.
When you later need access to a bookmarked resource, resolve its security-scoped bookmark by calling the the
URLByResolvingBookmarkData:options:relativeToURL:bookmarkDataIsStale:error: method of the NSURL class.
In a sandboxed app, you cannot access the file-system resource that a security-scoped URL points to until you call the
startAccessingSecurityScopedResource method on the URL.
When you no longer need access to a resource that you obtained using security scope (typically, after you close the resource) you must call the
stopAccessingSecurityScopedResource method on the resource’s URL.
Calls to start and stop access are not nested. When you call the
stopAccessingSecurityScopedResource method, you immediately lose access to the resource. If you call this method on a URL whose referenced resource you do not have access to, nothing happens.
Warning: If you fail to relinquish your access to file-system resources when you no longer need them, your app leaks kernel resources. If sufficient kernel resources are leaked, your app loses its ability to add file-system locations to its sandbox, such as via Powerbox or security-scoped bookmarks, until relaunched.
![]()
For detailed descriptions of the methods, constants, and entitlements to use for implementing security-scoped bookmarks in your app, read NSURL Class Reference, and read Enabling Security-Scoped Bookmark and URL Access in Entitlement Key Reference.
Note: The Core Foundation framework also provides equivalent C functions for working with security-scoped bookmarks. https://dqtiajw.weebly.com/news-ticker-app-mac.html. For details, see the documentation for
CFURLCreateBookmarkData , CFURLCreateByResolvingBookmarkData ,CFURLStartAccessingSecurityScopedResource , and CFURLStopAccessingSecurityScopedResource in CFURL Reference.
App Sandbox and Code Signing
In order to adopt App Sandbox, you also adopt code signing. Without a code signature, many of the features of App Sandbox, such as restricting your app to its own file system container, make little sense, because the system cannot unambiguously identify your app. More fundamentally, entitlements, including the one that activates App Sandbox in the first place, are physically stored in an app’s code signature. An app that is not code signed has no way to even ask to be put into a sandbox. Put simply, unsigned code is not sandboxed, regardless of what entitlements you request in the target build settings.
Modern Xcode makes it easy to adopt code signing for your app. You provide your developer program credentials, and Xcode handles most of the rest automatically. For more about code signing, including descriptions of both how it works and how you use it, read Code Signing Guide.
macOS enforces a tie between an app’s container and the app’s code signature. This important security feature ensures that no other sandboxed app can access your container. The mechanism works as follows:
macOS’s enforcement of container integrity impacts your development and distribution cycle. This is because, in the course of creating and distributing an app, the app is code signed using various signatures. Here’s how the process works:
For testing and debugging, you may want to run both versions of your app: the version you sign and the version Apple signs. But macOS sees the Apple-signed version of your app as an intruder and won’t allow it to launch: Its code signature does not match the one expected by your app’s existing container.
If you try to run the Apple-signed version of your app, you get a crash report containing a statement similar to this:
The solution is to adjust the access control list (ACL) on your app’s container to recognize the Apple-signed version of your app. Specifically, you add the designated code requirement of the Apple-signed version of your app to the app container’s ACL.
To adjust an ACL to recognize an Apple-signed version of your app
The container’s ACL now includes the designated code requirements for both versions of your app. macOS then allows you to run either version of your app.
You can use this same technique to share a container between (1) a version of an app that you initially signed with a development identity, such as the one you used in App Sandbox Quick Start, and (2) a released version downloaded from the Mac App Store.
You can view the list of code requirements in a container’s ACL. For example, after adding the designated code requirement for the Apple-signed version of your app, you can confirm that the container’s ACL lists two permissible code requirements.
To display the list of code requirements in a container’s ACL
For more information about working with App Sandbox container access control lists and their code requirements, read the man page for the
asctl (App Sandbox control) tool.
External Tools, XPC Services, and Privilege Separation
Some app operations are more likely to be targets of malicious exploitation. Examples are the parsing of data received over a network, and the decoding of video frames. By using XPC, you can improve the effectiveness of the damage containment offered by App Sandbox by separating such potentially dangerous activities into their own address spaces.
Your app can also launch existing helper apps using Launch Services, but only if certain conditions are met.
Important: While a child process spawned by an app (using
fork , for example) simply inherits its parent’s sandbox, helper apps do not. Therefore, if you are submitting your app to the Mac App Store, verify that any embedded helper apps are also individually sandboxed.
To do this, run the following command on each embedded executable in your app bundle and confirm that each one has an App Sandbox entitlement:
where <executable-path> is the complete path to an executable binary in your app bundle.
The sections below explain these concepts in more detail.
XPC Services
XPC is an macOS interprocess communication technology that complements App Sandbox by enabling privilege separation. Privilege separation, in turn, is a development strategy in which you divide an app into pieces according to the system resource access that each piece needs. The component pieces that you create are called XPC services.
You create an XPC service as an individual target in your Xcode project. Typically, each service gets its own sandbox—specifically, it gets its own container and its own set of entitlements. In fact, if you are distributing your app in the Mac App Store, XPC services must be sandboxed. For apps distributed elsewhere, for example using Developer ID, sandboxing XPC services is optional, but strongly recommended.
Note: In rare cases, your app might have a small piece of functionality that cannot be sandboxed. Rather than abandon App Sandbox altogether, you might relegate the ineligible code to an XPC service that is not sandboxed. It is easier to secure a smaller piece of code than a larger one, and in this way, the bulk of your app enjoys the benefits of App Sandbox.
In addition, an XPC service that you include with your app is accessible only by your app. These advantages add up to making XPC the best technology for implementing privilege separation in an macOS app.
By contrast, a child process created by using the
posix_spawn function, by calling fork and exec (discouraged), or by using the NSTask class simply inherits the sandbox of the process that created it. You cannot configure a child process’s entitlements. For these reasons, child processes do not provide effective privilege separation.
To use XPC with App Sandbox:
The life cycle of an XPC service, and its integration with Grand Central Dispatch (GCD), is managed entirely by the system. To obtain this support, you need only to structure your app’s bundle correctly.
For more on XPC, see Creating XPC Services in Daemons and Services Programming Guide.
Launching Helpers with Launch Services
A sandboxed app is allowed to launch a helper using Launch Services if at least one of these conditions has been met:
If none of these conditions have been met, you'll see errors like the following:
The results are the same whether you use Launch Services directly (by calling
LSOpenCFURLRef , for example) or indirectly (by calling the launchApplicationAtURL:options:configuration:error: method in NSWorkspace , for example).
In addition, upon failure, in OS X 10.7.5 and earlier, you will also see a bogus
deny file-write-data /Applications/Main.app/Contents/Resources/Helper.app sandbox violation. This error has no functional impact and can be ignored.
IPC and POSIX Semaphores and Shared Memory
Normally, sandboxed apps cannot use Mach IPC, POSIX semaphores and shared memory, or UNIX domain sockets (usefully). However, by specifying an entitlement that requests membership in an application group, an app can use these technologies to communicate with other members of that application group.
Note: System V semaphores are not supported in sandboxed apps.
UNIX domain sockets are straightforward; they work just like any other file.
Any semaphore or Mach port that you wish to access within a sandboxed app must be named according to a special convention:
For example, if your application group’s name is
Z123456789.com.example.app-group , you might create two semaphores named Z123456789.myappgroup/rdyllwflg and Z123456789.myappgroup/bluwhtflg . You might create a Mach port named Z123456789.com.example.app-group.Port_of_Kobe .
Note: The maximum length of a POSIX semaphore name is only 31 bytes, so if you need to use POSIX semaphores, you should keep your app group names short.
Is There A Sandbox App For Mac Os
To learn more about application groups, read The Application Group Container Directory, then read Adding an Application to an Application Group in Entitlement Key Reference.
Copyright © 2016 Apple Inc. All Rights Reserved. Terms of Use | Privacy Policy | Updated: 2016-09-13
Not every Mac user knows that there is a pre-installed utility on their machine that allows them to manually restrict access to the operating system resources. It is called Sandbox.
When to Use Sandbox
Sandbox is best used when running applications that you don’t trust, such as those that you have downloaded from unverified sources and that require you to execute them even if you haven’t yet verified whether or not they are legit.
It can also be used when a certain app requires access to external websites, triggering you to download more files or content that may corrupt your browser and plugins.
Take note, though, that using Sandbox does not mean you no longer need antivirus software for your Mac. The truth is, it works in conjunction with an antivirus.
Problems with Sandbox
Unfortunately, “Sandbox-ing “apps is not as easy as running a program. It takes several trial-and-error attempts before you can master it. While some apps may crash when Sandboxed, especially when restrictions are applied, others become so corrupted that they no longer work as they should.
Apart from apps crashing and becoming corrupted, another problem that users have encountered when using Sandbox is that they can’t delete Sandbox files on Mac. When trying to delete them, they are greeted with the “Can’t delete ‘.sandbox’ files: com.apple.WebKit.WebContent.Sandbox / com.apple.WebKit.Networking.Sandbox” error message.
Password keeper mac app. The good news is that many have found success in removing Sandbox files. We’ll discuss that below.
How to Remove Sandbox Files on Mac
If you have no idea how to remove Sandbox files, the solutions below could be of great help.
1. Delete the Sandbox App.
There are two easy ways to delete the Sandbox app. You can drag-and-drop it to the Trash folder or use the Launchpad interface.
Drag-and-Drop to the Trash Folder
As with other Mac apps, you can easily drag-and-drop Sandbox to the Trash folder to delete it. Here’s how:
Using the Launchpad Interface
Apps that are preinstalled on your macOS and those that are downloaded from the App store automatically appear under Launchpad. From Launchpad’s interface, you can permanently delete apps that you don’t need or that are wreaking havoc on your system.
Here’s how to delete Sandbox:
2. Remove Traces of the Sandbox App from Your Mac.
Some Mac users believe that leaving invalid files and folders on their hard drive won’t do any harm to their system. But actually, that depends. In most cases, these files may not consume much space, hence they won’t cause problems. However, it is more practical to get rid of any traces of them, especially if you are going to perform a fresh installation of macOS or if you wish to reclaim valuable disk space.
To remove all traces of the Sandbox app from your Mac, follow these steps:
3. Install a Trusted Mac Cleaning Tool.
Oftentimes, errors arise due to cache and unnecessary files that have accumulated on your Mac over time. Thus, make it a habit to delete them regularly to prevent them from causing more damage to your system.
Of course, you can delete unnecessary files the manual way. Go through each folder on your system and delete those that you suspect are malware or viruses. But take note that this can be very time-consuming, especially if you have a multitude of folders.
Your best option is to download and install a Mac cleaning tool. With it, you can automate the entire process of deleting unwanted files and save time. You can also avoid the possibilities of deleting important system files.
4. Consult an Expert.
If all else fails, your best option is to take your Mac to the nearest Apple Repair Center. Have it checked and fixed by certified Apple technicians. You can also reach out to the online support team of Apple here.
Sandbox Mac OsSummaryBest Sandbox App
There is no such thing as a perfect app or tool for Macs. Every now and then, errors surface, which may affect your overall experience and productivity. However, these issues should not keep you from using your Macs. After all, Apple continuously releases updates in an effort to fix common Mac problems and better your experience.
So, the next time you encounter problems with Sandbox, just sit down and relax. Take a deep breath and run through the solutions we have listed above. Everything will be alright.
Have you experienced problems when using Sandbox on your Mac? How did you deal with them? Share with us below!
Is There A Sandbox App For Mac Windows 10![]()
If you’re running into errors and your system is suspiciously slow, your computer needs some maintenance work. Download Outbyte PC Repair for Windows, Outbyte Antivirus for Windows, or Outbyte MacRepair for macOS to resolve common computer performance issues. Fix computer troubles by downloading the compatible tool for your device.
See more information about Outbyte and uninstall instructions. Please review EULA and Privacy Policy. Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |