In an email to developers today obtained by iClarified, Apple has informed them that all apps submitted to the Mac App Store must implement sandboxing by March 1st, 2012. Originally Apple had told developers that the sandboxing requirement would take effect this month. It isn’t entirely clear why Apple has delayed the introduction of this requirement, but it does give developers a few more precious months to implement the restriction and resolve any issues that it might cause for their apps.
In the email Apple notes: “Sandboxing your app is a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users’ systems”. For those who aren’t familiar with the technical ‘feature’, John Siracusa has a great (and in-depth) discussion of it in his Mac OS X 10.7 Lion review on Ars Technica. In short, sandboxing restricts the actions that an app can perform so that if the software is compromised, the amount of damage it can do is greatly minimised.
In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of “entitlements” describing exactly what resources it needs in order to do its job. Lion supports about 30 different entitlements which range from basic things like the ability to create a network connection or to listen for incoming network connections (two separate entitlements) to sophisticated tasks like capturing video or still images from a built-in camera.
In its email to developers, Apple also notes that if an app requires access to “sandboxed system resources”, the developer must also include justification for why it needs those entitlements when submitting the app to the Mac App Store. Finally, Apple notes that it is willing to offer developers additional, temporary, entitlements if the app is being re-engineered for sandboxing – but only on a short-term basis.
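As an added illustration (not code from the article, Apple, or Ars Technica), the following script audits an app's entitlements file the way a reviewer might before submission: it confirms the sandbox is enabled, lists any temporary exception entitlements, and flags entitlements that have no stated justification. The entitlement keys are Apple's documented names; the sample plist, the app path in it, and the `declared_needs` list are constructed for the example.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_PREFIX = "com.apple.security.temporary-exception."

# Constructed sample entitlements for a hypothetical app (not from the article).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.network.server</key><false/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array><string>/Library/Application Support/ExampleApp/</string></array>
</dict>
</plist>
"""


def audit_entitlements(plist_bytes, declared_needs):
    """Compare requested entitlements against the needs the developer can justify."""
    entitlements = plistlib.loads(plist_bytes)
    # An entitlement is requested when its value is true or a non-empty list.
    requested = {key for key, value in entitlements.items() if value}
    temporary = {key for key in requested if key.startswith(TEMP_PREFIX)}
    regular = requested - temporary - {SANDBOX_KEY}
    needs = set(declared_needs)
    return {
        "sandboxed": SANDBOX_KEY in requested,
        # Short-term exceptions: track these so they get removed later.
        "temporary": sorted(temporary),
        # Requested but not justified: remove, or write the justification.
        "unjustified": sorted(regular - needs),
        # Justified but not requested: the app would fail at runtime.
        "missing": sorted(needs - regular),
    }


if __name__ == "__main__":
    # Hypothetical justification list: the app only claims to need outbound network.
    report = audit_entitlements(
        SAMPLE_ENTITLEMENTS, ["com.apple.security.network.client"]
    )
    for field, value in report.items():
        print(f"{field}: {value}")
```

Here the camera entitlement is reported as unjustified, and the disabled `network.server` key is not counted as requested, which reflects that outbound and inbound networking are separate entitlements.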