Mac App Store’s Sandbox Loophole

Ted Landau's User Friendly View

There's a loophole that allows apps sold in the Mac App Store to circumvent Apple's sandboxing restrictions. When developers do this, users may be misled into buying apps they would have otherwise not purchased (as I detail in a trio of comments below). So far, Apple has not done much to prevent any of this. This may change soon.

Data Rescue

To understand what's going on, let's first look at the current status of Prosoft Engineering's Data Rescue. This is a superb data recovery utility that dates all the way back to before the advent of Mac OS X. While the "golden age" of disk utilities on the Mac may be behind us (as I have argued previously), programs such as Data Rescue still have value. Unfortunately, Apple makes it all but impossible for these utilities to be included in the Mac App Store (MAS).

As Prosoft explains on their website, the major obstacle is a restriction in Apple's sandboxing policy. In particular, Apple asserts that a Mac App Store program cannot have "admin access nor ask the user for admin access on their behalf."

In order to recover data from an internal startup drive, Data Rescue requires admin access. However, prior to OS X 10.8 Mountain Lion, admin access was not needed to recover data from external drives. This provided Prosoft with a means to get a limited version of Data Rescue (called Data Rescue 3 External Drive Recovery) into the Mac App Store. The MAS version worked only with external drives. If you needed to recover data from an internal drive, you were directed to get the "full" version from Prosoft's website.

App Store page for Data Rescue

With Mountain Lion, Apple upped the ante. Now, admin privileges are required even for access to external drives. This rendered the Mac App Store version of Data Rescue essentially useless. My understanding is that Apple also requires that Mac App Store apps be compatible with the latest version of OS X, currently Mountain Lion. Data Rescue 3 External Drive Recovery loses on this count as well.

As a result, the Data Rescue 3 External Drive Recovery page in the Mac App Store now states that the "Special App Store version" is not compatible with OS X 10.8 Mountain Lion at all. You are directed to "the full version of Data Rescue 3" on the company's website for a compatible version.

Other data recovery utilities

Other disk utility companies, facing the same obstacles, have taken similar paths.

Softote Studio's Data Recovery Free is still in the Mac App Store despite clearly stating that the app is "not compatible with Mountain Lion." The utility's page in the MAS directs the user to the company's website in order to "download a new version" that supports Mountain Lion.

However, a few paragraphs later, the app's MAS page states: "The free edition only can recover external drive, not system run drive." As this app has not been updated since the release of Mountain Lion, I strongly suspect the statement is false; the unenhanced free edition probably cannot recover data from any drive.

Leawo Software's Data Recovery Pro similarly instructs users to go to its website "if you need to recover data from system hard drive." From there, you'll find that you can download "a free plug-in called Data Recovery Helper."

CleverFiles' Disk Drill Media Recovery is more circumspect (I'm tempted to say "sneaky"). Its MAS page states: "Now compatible with Mac OS X 10.8 (see instructions in the app)! Disk Drill recovers data from internal AND external disks!"

App Store page for Disk Drill

If you purchase and launch the Disk Drill app, a message informs you that "You might not find any of your disks visible in Disk Drill Media Recovery if you are running Mountain Lion." The work-around for this is to click a link that takes you to CleverFiles' website. This page walks you through the sandbox-related explanation of how changes in Mountain Lion prevent the utility from working. You are then instructed to download additional software to get the Mac App Store version to work with Mountain Lion.

The Mac App Store loophole

As I see it, there are two problems with what these data recovery companies are doing:

First, Apple prohibits "apps that link to external mechanisms for purchases or subscriptions to be used in the app." This is to prevent developers from circumventing the 30% cut of all sales that developers must pay to Apple. These drive utility companies appear to have side-stepped this "external site" restriction.

The companies do this either by offering an additional download at no charge or by directing users to a website from the app's page in the Mac App Store rather than from within the app itself. Either way, this strikes me as a gray area at best.

Second, as already noted, Apple insists that all software in the Mac App Store be compatible with Mountain Lion. Without the external additions, the data recovery software in the Mac App Store does not meet this criterion. While there may be some room for debate here, I consider these apps to be in direct violation of Apple's policy.

So far, Apple has not taken any action against these programs and they remain for sale in the Mac App Store. Sources tell me that Apple is getting ready to make a move here, but that remains to be seen.

More generally, Apple's lack of enforcement on this matter opens up a loophole that allows any Mac App Store app to completely circumvent all sandboxing restrictions. To see how, imagine this situation:

As a developer, you have an app that performs 20 actions. Nineteen of these actions clearly violate Apple's sandboxing policies. If submitted to the Mac App Store, the app will certainly be rejected. You still would like the advantage of having your app in the Mac App Store. What can you do?

You can create an app that does only one thing, that one thing that is not in violation of sandboxing. After the app is accepted to the Mac App Store, you change the text on the app's MAS page to direct users to your website to download a free addition. This addition adds the other 19 otherwise prohibited actions. Voila! Your MAS app has succeeded in bypassing Apple's sandboxing restrictions.
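The practical consequence of this scenario is that the binary a customer ends up running may not be the sandboxed one the Store reviewed. One defender-side check is to read the entitlements actually embedded in a signed binary and see whether the App Sandbox entitlement is present. The following is an added example written for this article, not code from the article or from any of the vendors named in it. It assumes you have already captured the entitlements with `codesign -d --entitlements :- /path/to/App.app` (a real `codesign` invocation; the exact output framing varies by macOS version, which the parser tolerates), and the two sample entitlement plists embedded below are constructed for illustration:

```python
"""Report whether a macOS binary's entitlements actually place it in the App Sandbox.

Added example (not from the article). Typical capture on macOS, assumed here:
    codesign -d --entitlements :- /Applications/Example.app > entitlements.plist
The question it answers is the one the article raises: is the thing I actually run
sandboxed, and what broad capabilities has it asked for?
"""
import plistlib
import sys

# Real App Sandbox entitlement key; absent or false means the process is not sandboxed.
SANDBOX_KEY = "com.apple.security.app-sandbox"

# Entitlements that widen a sandboxed app's reach; flagged so a reviewer looks at them.
BROAD_KEYS = {
    "com.apple.security.files.user-selected.read-write",
    "com.apple.security.network.client",
    "com.apple.security.network.server",
}
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."


def parse_entitlements(blob: bytes) -> dict:
    """Parse an entitlements blob into a dict.

    Some codesign builds prepend a small binary blob header before the XML plist;
    this tolerates that by starting at the first plist marker it finds. An empty
    or marker-less blob (unsigned binary, or no entitlements) yields {}.
    """
    for marker in (b"<?xml", b"<plist", b"bplist00"):
        idx = blob.find(marker)
        if idx != -1:
            return plistlib.loads(blob[idx:])
    return {}


def sandbox_report(blob: bytes) -> dict:
    """Summarise sandbox status and broad grants for one entitlements blob."""
    ents = parse_entitlements(blob)
    sandboxed = bool(ents.get(SANDBOX_KEY, False))
    broad = sorted(
        k for k in ents
        if k in BROAD_KEYS or k.startswith(TEMP_EXCEPTION_PREFIX)
    )
    if not sandboxed:
        verdict = "NOT sandboxed: App Store sandbox protection does not apply"
    elif broad:
        verdict = f"sandboxed, but {len(broad)} broad grant(s) widen its reach"
    else:
        verdict = "sandboxed with no broad grants"
    return {
        "sandboxed": sandboxed,
        "entitlement_count": len(ents),
        "broad_grants": broad,
        "verdict": verdict,
    }


# Constructed sample 1: what a reviewed Mac App Store app's entitlements typically look like.
SAMPLE_MAS_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample 2: a separately downloaded helper, with a fake blob header in front
# of its XML and no sandbox entitlement at all.
SAMPLE_HELPER = b"\xfa\xde\x71\x71\x00\x00\x00\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <string>/</string>
</dict>
</plist>
"""


def main(argv: list) -> None:
    """Report on a captured entitlements file, or on the two constructed samples."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            print(sandbox_report(fh.read()))
        return
    for name, blob in (("store app", SAMPLE_MAS_APP), ("helper", SAMPLE_HELPER)):
        print(name, "->", sandbox_report(blob)["verdict"])


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the two constructed samples scored, or pass the path of a captured entitlements file. The design point is that the check looks at what is signed into the binary rather than at what the Store page says, which is exactly the gap the scenario above exploits.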

Based on the current situation with disk utilities, Apple is not actively blocking this loophole. To be consistent with its own policies, I believe that Apple should. For starters, unless Apple wants to change its guidelines, all of these disk utility programs should be removed from the Mac App Store.

The endgame

Let's assume Apple eventually takes action here and closes the loophole. Where does this leave us? What exactly is Apple's endgame regarding disk utilities and similar software that can't make it into the Mac App Store due to sandboxing? I see three main possibilities:

• Apple's policy could be to direct users to external websites for software, such as disk utilities, that is not eligible for the Mac App Store. While Apple may do this in the short run, I doubt it will emerge as a permanent position. Apple wants to promote the Mac App Store as much as possible. I don't see the company regularly suggesting that customers venture outside the Store.

• Apple could create a special section of the Mac App Store where, after careful scrutiny, selected apps that require serious exceptions to sandboxing would be allowed. This could be a win-win compromise. Developers get their previously banned programs in the Mac App Store…customers get MAS access to a wider range of software…and Apple gets to keep its restrictions largely in place. Still, I doubt we will ever see this happen. Apple has never shown the slightest hint that it wants to provide this type of exception. It's about as likely as Apple shifting gears and condoning jailbreak apps on iOS devices. Unless Apple finds itself under intense pressure (legally or via customer protest), it will not budge here.

• Apple could stick to its guns and permanently ban all software from the Mac App Store that cannot be sandboxed. Additionally, it could stop making any outside-of-the-store recommendations. When customers ask about disk utility software, for example, Apple would direct them only to solutions that Apple provides — notably OS X Recovery. Currently, Apple continues to sell software such as Data Rescue 3 in the online Apple Store. I anticipate these third-party programs will be eventually dropped from the online Store.

Less likely but also possible, Apple could modify a future version of OS X so that all software, even software not sold in the Mac App Store, must meet sandboxing requirements before it can run on a Mac. This would effectively put an end to third-party disk utilities.

To one degree or another, this third option is the direction that I believe Apple is heading.

Comments

graxspoo

And, eventually as apps that actually do anything of use abandon the App Store, users will stop looking there for software and the whole thing will go down in flames, is my hope.

furbies

I hope that Apple does as Ted suggests, and has a special section of the MAS for those Apps that need ‘admin’ access.

Normally, when installing an App, if the App wants admin access, I go "whoa there fella. Why do you need that?" Now sometimes there’s a reason, but it has to be a damned good one. Little Snitch has a reason. Some silly chess game doesn’t.

iJack

“Apple’s lack of enforcement on this matter opens up a loophole that allows any Mac App Store app to completely circumvent all sandboxing restrictions.”

So what? Why does this bother you so much?

We’ve lived without sandboxing for more than a quarter century, so what’s the panic now? Lots of people use non-sandboxed third-party software, and always will. Are you bothered that Apple aren’t getting their cut, or are you as controlling as the Cupertino sonsabitches that came up with this ‘feature?’

I don’t care if Apple gets so big it becomes a country, but what I put on my Mac is my own goddam business. Not theirs, and certainly not yours.

Ted Landau

iJack:

I think you’ve missed the subtext of what I wrote. I don’t mind that sandboxing gets circumvented. I am actually happy about it.

My major point was that if Apple wants to have rules, they should enforce them. If the rule is stupid, they should abandon the rule, not fail to enforce it.

Even worse, inconsistently enforcing a rule causes greater problems for developers, especially the honest ones. The honest ones play by the rules while they watch those with less integrity get away with breaking them. In this regard, I object to developers who claim that their program is “compatible with Mountain Lion,” when it really is not.

James Katt

I seriously doubt that Apple will require that ALL apps be sandboxed. Period.

After all, Mac OS X is a UNIX operating system.

After all, requiring all apps to be sandboxed obviously limits user choices. For example, Microsoft Office, Parallels and Adobe Photoshop couldn’t exist, and neither could many utility programs.

I believe the current state will remain:

1. Users will decide what level of security they want. This level of security will determine what apps can run. There are three levels: sandboxed only, signed-apps only, or any app can run.

2. The Mac App store will sell only sandboxed apps.

3. Non-sandboxed apps will be sold outside the Mac App store - AS ALWAYS HAS BEEN DONE.

Developers that are circumventing Apple’s Mac App rules are simply being too greedy and lazy. They are lazy because they don’t want to do what developers historically did: Market and Advertise themselves. They are trying to hitch a free ride on Apple’s coats.

iJack

I got your subtext, Ted. I even quoted it. However, I think you failed to demonstrate how a failure to enforce the rules across the board “causes greater problems for developers,” or even that what these “sneaky” developers are doing is dishonest. When did using a loophole become dishonest?

Users get what they asked for from the App Store, and if they want more, there is a place to go, which place would exist with or without the App Store. It’s the difference between tax avoidance and tax evasion.

But my real question remains: why are you so bent out of shape by it? Isn’t that something developers can take up with Apple?

Ted Landau

James:

I don’t see how running on UNIX precludes requiring sandboxing. The iPhone runs on a UNIX system and it is completely sandboxed.

As for Adobe and Microsoft (and Apple itself for that matter), Apple can always make a few exceptions for the big guys. At least during a period of transition.

Finally, while I believe Apple is most likely headed in this general direction, I am certainly not 100% confident of how far Apple will go down this road. And, although less likely in my view, the other two possibilities remain.

iJack:

By referring to “honest” developers, I may have misspoken a bit…in the sense that I did not mean to imply that other developers were “dishonest” to a level equivalent to criminal “tax evasion.”

However, when a developer claims that a Mac App Store app is compatible with Mountain Lion when it is in fact not—or when a developer’s App Store page continues to state that the app works with external drives when it in fact does not—I do consider these to be a form of dishonesty.

My article was partly written to alert users to these practices. The article was also partly written on behalf of developers who don’t play that game. I’m not sure why you see this as a problem.

Finally, your original comment still strikes me as missing the subtext. For example, when you say “Are you bothered that Apple aren’t getting their cut, or are you as controlling as the Cupertino sonsabitches,” you seem to suggest that I have a level of support for Apple’s policies that I simply do not have and did not intend to imply. FWIW, if you look at any number of my past articles, this will be readily apparent.

Ted Landau

One more point…

When a customer buys an app at the Mac App Store, part of his thinking may be that he is glad to be getting the security protection that the Store promises. If the customer then has to go outside the Store to get a fully functional version of the product, he is losing that protection. If the customer knew this was how things were going to work before purchasing the product, he might have decided not to buy it. That’s why, once again, if a developer does not make all of this clear in advance of a purchase, it is a form of dishonesty.

CleverFiles

Ted, and everyone reading this great article, Apple IS TAKING action against this. Apple reps contacted us, and we spoke with them for 2 weeks. Unfortunately, we HAVE to obey sandboxing requirements. I hope that this will change for apps like Disk Drill in the near future. Until then, the app-store edition of our data recovery app will not work on Mountain Lion out-of-the-box.

The more important problem that you did not highlight here is _how_ Apple changed the game rules, silently (see the discussion on the dev forum), leaving thousands of our paying customers with a non-working solution IF they upgrade their OS X to 10.8. In addition, unfortunately, it seems like Apple does not care. What we did is an attempt to keep our clients happy.

Moreover, we never changed the description of the app _after_ the version was approved by Apple (unlike Prosoft). Apple’s review process was completely followed step-by-step with the actual release of Disk Drill Media Recovery and the way we are bypassing Mountain Lion’s limitations was in fact APPROVED by Apple. Only within 2-3 weeks after the updated build had appeared on MAS were we contacted by the app review team with the request to reconsider what we did.

The problem is much deeper than just sandboxing, and the actual plans of Apple are still not obvious to software developers who supported the platform for years.
