Sandbox Transparency

Apple’s sandboxing technology provides a mechanism for developers to specify “entitlements” that an app needs in order to provide functionality that users want. For example, on the Mac, an app can specify the entitlements to “print” (`com.apple.security.print`) and to “make network requests” (`com.apple.security.network.client`). This system of granular privilege designation is a great baseline both for developers, to avoid accidentally overstepping intended bounds, and for users, to protect against apps intentionally or accidentally causing harm.

One of the biggest problems with Apple’s approach to sandboxing is that the accountability component has been left entirely to Apple itself. Developers are held accountable for the specific entitlements they request only when they distribute software through the iOS or Mac App Stores. In the review process, Apple may determine that a specific entitlement requested by an app is inappropriate for that app’s domain, and demand that the developer remove the entitlement before the app is approved. Or, in rare cases, they may approve an entitlement that other developers are not typically granted.

Yesterday, Gizmodo reported that Uber had been granted an entitlement for their iOS app that allowed them to capture an image of an iPhone’s screen at any time, even when the Uber app was not the active app on the phone. This is a big deal, because users don’t typically expect that an iPhone app that is not active might have the ability to eavesdrop on anything they are doing.

I have long felt that the sandboxing infrastructure on both iOS and Mac should be used to more accurately convey to users specifically what the apps they install are capable of doing. Currently the sandboxing system is used primarily to identify to Apple what a specific app’s privileges are. The requested entitlements are used to inform Apple’s decision to approve or reject an app, but the specific list of entitlements is not easily available to users, whose security is actually on the line.

I think the next step for sandboxing, on both iOS and the Mac, is to expose the list of entitlements that apps possess, in a way that is reasonably understandable to all users, and even more open to scrutiny by power users. Any user who is wary of an app should be able to examine its entitlements so that any unusual privileges can be evaluated. With this level of transparency, you can bet that Uber’s ability to arbitrarily record the screen would have been revealed much earlier.
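To make concrete what “examining an app’s entitlements” could look like, here is an added example of my own, not code from the original post and not anything Apple ships. On a Mac the entitlements baked into a signed app can already be dumped as an XML property list with `codesign -d --entitlements :- /Applications/Example.app`; the script below takes such a plist and sorts the granted entitlements into the ones a typical sandboxed app legitimately requests, private Apple-only ones, temporary exceptions, and anything else worth a second look. The plist embedded in the script is constructed for illustration, the key `com.apple.private.example-screen-capture` is hypothetical, and the baseline set is my own assumption rather than an Apple-published list.

```python
"""Triage the entitlements of a sandboxed Mac app.

On a real Mac the XML would come from:
    codesign -d --entitlements :- /Applications/Example.app
The plist below is constructed for this example; it is not taken
from any shipping app.
"""
import plistlib

# Entitlements a typical sandboxed Mac app legitimately requests.
# This baseline is an assumption for the example, not an Apple list.
BASELINE = {
    "com.apple.security.app-sandbox",
    "com.apple.security.print",
    "com.apple.security.network.client",
    "com.apple.security.files.user-selected.read-write",
}

# Apple's private entitlements live under this prefix; ordinary
# third-party apps are not granted them.
PRIVATE_PREFIXES = ("com.apple.private.",)

# Constructed sample. The "example-screen-capture" key is hypothetical.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.print</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.private.example-screen-capture</key><true/>
  <key>com.apple.security.temporary-exception.apple-events</key>
  <array><string>com.apple.finder</string></array>
</dict>
</plist>
"""


def parse_entitlements(xml: bytes) -> dict:
    """Parse an entitlements plist (as produced by codesign) into a dict."""
    return plistlib.loads(xml)


def classify(ents: dict, baseline=BASELINE) -> dict:
    """Group granted entitlements by how much scrutiny they deserve."""
    report = {"baseline": [], "private": [], "temporary_exception": [], "other": []}
    for key, value in sorted(ents.items()):
        # An entitlement explicitly set to false grants nothing; skip it.
        if value is False:
            continue
        if key in baseline:
            report["baseline"].append(key)
        elif key.startswith(PRIVATE_PREFIXES):
            report["private"].append(key)
        elif ".temporary-exception." in key:
            report["temporary_exception"].append(key)
        else:
            report["other"].append(key)
    return report


def unusual(ents: dict, baseline=BASELINE) -> list:
    """Everything a wary user should look at before trusting the app."""
    r = classify(ents, baseline)
    return r["private"] + r["temporary_exception"] + r["other"]


if __name__ == "__main__":
    ents = parse_entitlements(SAMPLE_ENTITLEMENTS)
    for category, keys in classify(ents).items():
        for k in keys:
            print(f"{category:20s} {k}")
```

Run against the constructed sample, the script sets aside the three baseline entitlements and surfaces the hypothetical private key, the temporary Apple Events exception, and camera access as the items a user would want explained. That is exactly the kind of list a user-facing entitlement viewer could present, with a plain-language description next to each key.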

Being more transparent with entitlements would also pave the way for overcoming an unfortunate side-effect of sandboxing: the elimination of whole classes of power-user level apps. If users were empowered to know what the privileges of an app are, through a combination of user prompting and an interface for inspecting entitlements, then it would be reasonable to grant more indulgent entitlements to developers.

Mac apps such as TextExpander essentially became ineligible for the Mac App Store with the advent of sandboxing, because they require access to system services such as monitoring the user’s keyboard input in order to provide valuable macro text substitution. If entitlements were transparent across the board, and users were consistently informed about the extent of an application’s capabilities, it would empower users to make more reasonable decisions about the software they run. It would empower them to allow apps like TextExpander that are currently disallowed by the App Store’s sandboxing policies, and to reject apps like Uber that may be unexpectedly allowed to capture footage of users’ activity even while the user is in other apps.