Wishing for more Sandboxes

I’m starting to wish that nearly all desktop apps ran in a very tight sandbox the same way they do on iOS.

Windows is trying to do this with the Windows store and Apple is trying to do it with the Mac App Store. The problem is two folder. One is they started with unsandboxed systems and so have decades of legacy software that expects to be unsandboxed. The other is they’ve conflated sandboxes and their app stores. Those 2 things should be separated.

Apps like Photoshop, Lightroom, Microsoft Word, gIMP, Blender, Maya, etc should not need system wide access.

To be clear I am **NOT** suggesting that there should be an app store or there should be an approval process for apps. Rather I’m suggesting that the OS should default to running each app in a sandbox with that app unable to get outside its sandbox without user permission. The permission system should be designed well (like I think it mostly is on iOS) so a native app should not be able to access your entire hard drive by default. It should not be able to read files from other apps by default. It should not be able to use your camera or mic or get GPS info by default. It should not be able to supply notifications by default or read your contacts. All of those things should be requested of the user at use time like iOS does (and I think Android is in the process of doing).

This might seem unrelated but it came up recently when a user on Stack Overflow asked how to make an Electron app from their HTML5 WebGL game. There are a few steps but over all it’s pretty easy. If you’re not familiar with Electron it’s basically a version of Chrome that you can bundle as an app with your own HTML/CSS/JavaScript but unlike a normal webpage your JavaScript can access native features like files, OS level menus, OS level networking, etc.

And there in is the issue. The issue is it’s common to use 3rd party scripts in your HTML5 apps. Maybe you’re including JQuery or Three.js from a CDN. Maybe like many mobile apps you’re downloading your HTML/CSS/JavaScript from your own servers like myautoupdatingapp.com. By doing that you’ve just made it possible for the people controlling the CDN or that hacks your server or the people that buy your domain to own every machine that’s running your app. This is something that’s not true with a browser doing the same thing because the browser does not allow JavaScript to access all those native things. It’s only Electron that does this.

This means I have to trust every developer using Electron to not do either of those things.

On the other hand, this is exactly what iOS was designed to handle. You don’t have to trust the app to the same level because the OS doesn’t let the app read and write files to the entire machine. The OS doesn’t let the app access the camera or the mic without first asking the user for permission.

This isn’t the first time this kind of thing has happened. I’m sure there’s plenty of other cases. One for me is XBMC/Kodi where there are plugins but no sandbox which means every plugin could be hacking your system. Many of those plugins are for websites that are arguably doing questionable things so why should I trust them not to do questionable things to my machine?

I’d even take it so far as I wish it it was easier to do this in the terminal/shell. If I’m trying out a new project there is often a build step or setup step or even the project itself. Those steps often allow code to run, code I don’t want to have to trust. Of course in those cases I could run them in a VM and maybe I should start doing that more. I’m just wishing that that was easier than it is today. Like it kind if wish it was an OS level thing. I’d type something like

mkdir test & cd test & start VM

or

mkdir test & cd test & start standbox

Then I could

git clone someproject .
./configure
make

or

git clone somejsproj .
npm install

And not have to trust the 1000+ contributors above that they weren’t doing something bad intentionally or unintentionally.

Unfortunately without a push by Apple and/or Microsoft it’s unlikely the big software companies like Adobe are going to switch to their apps to the sandboxed systems.

IMO both companies need to separate their sandboxes (good) from their stores (bad). They then need to make it harder to run un-sandboxed apps. Not impossible, some apps probably need system level access if they provide system level services. But, they need to start making it the normal that the apps themselves are sandboxed.