Wishing for more Sandboxes

2017-06-19

I'm starting to wish that nearly all desktop apps ran in a very tight sandbox the same way they do on iOS.

Windows is trying to do this with the Windows Store and Apple is trying to do it with the Mac App Store. The problem is twofold. One, they started with unsandboxed systems and so have decades of legacy software that expects to be unsandboxed. The other, they've conflated sandboxes with their app stores. Those two things should be separated.

Apps like Photoshop, Lightroom, Microsoft Word, GIMP, Blender, Maya, etc. should not need system-wide access.

To be clear I am **NOT** suggesting that there should be an app store or that there should be an approval process for apps. Rather I'm suggesting that the OS should default to running each app in a sandbox, with that app unable to get outside its sandbox without user permission. The permission system should be designed well (like I think it mostly is on iOS) so a native app should not be able to access your entire hard drive by default. It should not be able to read files from other apps by default. It should not be able to use your camera or mic or get GPS info by default. It should not be able to post notifications or read your contacts by default. All of those things should be requested of the user at use time, like iOS does (and I think Android is in the process of doing).

This might seem unrelated but it came up recently when a user on Stack Overflow asked how to make an Electron app from their HTML5 WebGL game. There are a few steps but overall it's pretty easy. If you're not familiar with Electron, it's basically a version of Chrome that you can bundle as an app with your own HTML/CSS/JavaScript, but unlike a normal webpage your JavaScript can access native features like files, OS-level menus, OS-level networking, etc.

And therein lies the issue. It's common to use 3rd-party scripts in your HTML5 apps. Maybe you're including jQuery or Three.js from a CDN. Maybe, like many mobile apps, you're downloading your HTML/CSS/JavaScript from your own servers, like myautoupdatingapp.com. By doing that you've just made it possible for the people controlling the CDN, anyone who hacks your server, or the people who later buy your domain to own every machine that's running your app. This is not true of a browser doing the same thing, because the browser does not allow JavaScript to access all those native things. It's only Electron that does.

This means I have to trust every developer using Electron to not do either of those things.
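The Electron point above in concrete form, as an added example that is not part of the original post: the window settings that hand remote scripts native access beside the settings that keep page scripts at browser-tab privilege, with a small audit function over both. The `webPreferences` keys are real Electron options; the audit treats an unset key as off (an assumption, since Electron's defaults have changed across versions) and the preload path is a placeholder.

```javascript
// Added example, not from the original post. No Electron install needed:
// these are plain objects in the shape `new BrowserWindow({ webPreferences })`
// accepts, plus a pure audit function over them.

// The situation the post warns about: HTML/JS pulled from a CDN or an
// auto-update server, running in a renderer that has full Node access.
const weakPrefs = {
  nodeIntegration: true,    // page scripts can require('fs'), 'child_process', ...
  contextIsolation: false,  // page scripts share a JS world with the preload script
  sandbox: false,           // renderer runs outside the Chromium OS sandbox
  webSecurity: false,       // same-origin policy and CSP enforcement disabled
};

// The default-deny shape the post wishes for: the page only gets whatever
// the preload script deliberately exposes through contextBridge.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  preload: '/path/to/preload.js', // placeholder path, not a real file
};

// Returns one finding per setting that gives page scripts more than a browser
// tab would get. Unset keys are treated as "off" because Electron's defaults
// for them have changed between versions (an assumption of this audit).
function auditWebPreferences(prefs, loadsRemoteContent) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration: page scripts can call Node APIs directly');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation off: page scripts can reach preload and Electron internals');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox off: renderer process is not OS-sandboxed');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity off: same-origin policy disabled');
  }
  if (loadsRemoteContent && findings.length > 0) {
    findings.push('remote content plus the above: whoever controls the CDN, server or domain controls this machine');
  }
  return findings;
}
```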

On the other hand, this is exactly what iOS was designed to handle. You don't have to trust the app to the same level because the OS doesn't let the app read and write files to the entire machine. The OS doesn't let the app access the camera or the mic without first asking the user for permission.

This isn't the first time this kind of thing has happened. I'm sure there are plenty of other cases. One for me is XBMC/Kodi, where there are plugins but no sandbox, which means every plugin could be hacking your system. Many of those plugins are for websites that are arguably doing questionable things, so why should I trust them not to do questionable things to my machine?

I'd even take it so far as to wish it were easier to do this in the terminal/shell. If I'm trying out a new project there is often a build step or setup step, or even just the project itself. Those steps often run code, code I don't want to have to trust. Of course in those cases I could run them in a VM and maybe I should start doing that more. I'm just wishing that was easier than it is today. I kind of wish it was an OS-level thing. I'd type something like

mkdir test && cd test && start VM

or

mkdir test && cd test && start sandbox

Then I could

git clone someproject .
./configure
make

or

git clone somejsproj .
npm install

And not have to trust the 1000+ contributors to the code above not to be doing something bad, intentionally or unintentionally.

Unfortunately, without a push by Apple and/or Microsoft it's unlikely the big software companies like Adobe are going to switch their apps to the sandboxed systems.

IMO both companies need to separate their sandboxes (good) from their stores (bad). They then need to make it harder to run un-sandboxed apps. Not impossible, some apps probably need system-level access if they provide system-level services. But they need to start making it the norm that the apps themselves are sandboxed.


iPhone rant

2015-12-12

I'm still using an iPhone. I just got a 6S+ W...T...F..!! APPLE!!

(more...)

Is Free Lunch a Positive?

2013-06-04

Many companies, especially in the bay area, offer free lunch for their employees. They take it as an article of faith this is a good thing. Here's one presentation that takes that position. Me, I'm not so sure.

(more...)

Thoughts on asm.js vs PNaCl

2013-06-01

Google has been working on Native Client (NaCl) and Portable Native Client (PNaCl) for a while now. Firefox recently announced and released asm.js. Here are a few random personal thoughts with no particular conclusion.

(more...)

Why Apple needs to open up iOS

2012-05-29

I understand the positive arguments for keeping so many things about iOS closed. Examples: It provides a more consistent user experience. It lets Apple control more of the overall quality. Etc. I also understand some of the negative arguments for keeping it closed. Apple makes money on the app store and media sales, so why would they let a different bookstore, music store or app store in?

But I think there's a bigger picture argument. It goes something like this

(more...)

Why Android and iPhone Both Suck

2012-01-02

Most people get used to one and hate the other. I hate both.

(more...)

WebGL Security and Microsoft Bullshit

2011-06-21

Disclaimer:

1) I work at Google on Chrome. 2) Nothing I say here represents my employer in any way. This is my own opinion.

It's frustrating to see how bad Microsoft can really be. I'm one of Microsoft's biggest fans. I still think Windows 7 is better than OSX or Linux⭐️. I play more Xbox 360 games than any other console. I was hopeful for Win7 Phone and am hopeful for Windows 8. I was on Microsoft's side in the Java lawsuit, the Internet Explorer lawsuit and several others. I think Visual Studio's debugger is way better than anything I've used on OSX or Linux. I think C# is way more awesome than Java. I was really happy when they started IE9 development and started actually competing.

So imagine my disappointment when I start seeing the FUD from Microsoft about IE9 vs other browsers. Cherry-picking benchmarks, cherry-picking conformance tests and basically lying.

(more...)

Should Nintendo, Microsoft and Sony open their platforms?

2011-04-21

Apple has clearly shown that an effectively open market ⭐️ can be hugely successful. Games on iOS are reaching more people than they did on any other platform. On top of that they make lots of money for both Apple and game developers. You might be thinking that Rockstar gets $60 for every copy of GTA4, but more likely they get 10-15% of wholesale. For a $60 game wholesale is around $28. So they make at best $2.80 to $4.20 a unit. If they sold GTA4 on iPhone for $5, Apple would take 30%, leaving them $3.50, right in the middle of that range. EA has been successful with the Sims 3 on iOS priced at $10, showing that games will sell at $10 on iOS.

(more...)

Apple to Ban another 100+ existing games from iPhone

2010-04-12

Apple's recent announcement that iPhone apps must not be written in anything other than C, C++, Objective C or WebKit JavaScript and must not use any layer to access the OS has been widely reported as being a shot against Adobe Flash.

That may be true but it also means that applications written with Unity3D, Torque and Unreal will also be banned.

All of those systems are exactly the equivalent of Flash. They each use a C/C++ engine to let people write games in another language that runs cross-platform. For Unity3D that language is C# or any language that runs in Mono; for Torque it is TorqueScript; for Unreal it is UnrealScript.

“3.3.1 — Applications may only use Documented APIs in the manner prescribed by Apple and must not use or call any private APIs. Applications must be originally written in Objective-C, C, C++, or JavaScript as executed by the iPhone OS WebKit engine, and only code written in C, C++, and Objective-C may compile and directly link against the Documented APIs (e.g., Applications that link to Documented APIs through an intermediary translation or compatibility layer or tool are prohibited).”

Here's a list of 42+ SHIPPING games on iPhone built on Unity: http://unity3d.com/gallery/game-list/

Here's a list of 68+ SHIPPING games on iPhone using Torque: http://www.torquepowered.com/games/torque-2d-iphone

I'm sure there are countless others as well as several Unreal games in development.

Section 3.3.1 has effectively banned all of these games.

That also doesn't account for the hundreds or thousands of games not using a commercial engine but still using a language other than C/C++ as their core language. Many games use languages like Lua or GameMonkey, or custom languages.

For example, all the LucasArts adventure games use the SCUMM engine, which also effectively violates section 3.3.1 above.


Little Big Planet's Disconnect

2008-12-24

I skimmed this post on Brainy Gamer about Little Big Planet and Creativity.

That and some of JC Barnett's comments got me thinking, ....

As amazingly cool as LBP's level editing is, does anyone except game creators and game creator wannabes care?

(more...)