Mac Sandboxing & GateKeeper: Bitter Medicine, Tasty Poison, or Does It Just Not Matter?

Apple has two features in Mountain Lion that are going to greatly affect consumers, although most of them will never be aware it’s happening.  For most people, if it’s noticed at all it’ll be seen as a great security feature.  For power users, it will be a harbinger of very strict restrictions to come.

Welcome to GateKeeper and Sandboxing.

With Mountain Lion, and starting with its predecessor, Lion, Apple has slowly been walling off the Mac garden in much the same way it did from the start with its iOS devices: each application locked off by itself, each ideally coming from “trusted” sources.  For some this means not having to worry, and letting the computer help take care of you.  For others it’s a sign of the beginning of the end of useful applications for the Mac platform.  What exactly do Sandboxing and GateKeeper do, and how directly or indirectly do they affect you?


Let’s start out with Sandboxing, as that happened first.  Sandboxing has been around a long time, and first came to Mac with Lion back in June 2012.  It is a method which prevents applications from going outside their respective boundaries.  The idea behind this is pretty straightforward.  Any program has to rely on itself to get done what it needs.  It can play within a little kingdom and do what it wants, so long as it stays within its boundaries.  And by definition of staying inside its box, it can’t affect, negatively or positively, other applications.  This is a huge advantage if you are looking for a stable system. All applications sold in the Mac App Store have to be sandboxed in order to be there.

There are also other advantages besides just keeping other programs from crashing.  Sandboxing can help keep a system clean from malware (since it won’t corrupt other programs), and can even keep “helpful” programs from changing things around in other programs. Remember all those toolbars that would get installed in your browser when you installed a simple program?  Yeah, this helps keep that other program from reaching out of its sandbox into your browsers.

The upside of this whole system is that if a program crashes, it shouldn’t be able to affect everything else you have running.  This has always been the case in iOS.  iOS apps have always been on lockdown.  On the Mac you’re in a similar situation.  If an app crashes (say iChat), it can’t affect other programs (like Mail).  The other programs will keep running.

But the pendulum swings back the other way as well, and there is a huge disadvantage to this sort of system.  Anyone trying to move a file from one app to another in iOS has run into this.  Any app that is Sandboxed by definition can’t directly interact with other programs.  One program can’t link to another to, say, write short snippets of text, or pull data from another app.  In some cases this means losing some functionality; for others this means a full-on broken app.

Take TextWrangler from Bare Bones Software, Inc.  At its heart it’s a very simple, but very powerful text program.  I’ve been using it for a very long time because frankly it’s one of the best text programs out there (not talking word processor… talking straight up text coding).  TextWrangler now has to come in 2 flavors: one full-featured version available on its website, and a watered-down version to allow for the sandboxing in the App Store. The full version can make use of things like a full command line interface.  Under Sandboxing this isn’t allowed.  Consumers have to decide between the ease of the App Store, or the full power of unrestricted apps.

Granted, that’s minor compared to other apps.  One app I also use is AudioHijack.  It’s a program that runs in the background, allowing me to record either individual audio from an app, or from the entire system.  This sort of functionality isn’t allowed at all in a sandboxed app.  The whole point of the app is to interface with other programs.  Placing it in a sandbox would turn off the entire point of the app.

Now I realize most of you don’t use higher end text programs, or audio recording software.  But what about iTunes controllers (such as Tagalicious, or CoverSutra), FTP or file browsers (Transmit or CyberDuck), system-wide utilities (TextExpander), the list goes on.  You might end up surprised how many of the programs you are currently using will have their functionality reduced, or simply not be allowed in the App Store.


GateKeeper joined the ranks of “protecting your computer” with the introduction of Mountain Lion.  It allows for 3 (well.. 3.5, more on that in a bit) settings:  Mac App Store only, Mac App Store & identified developers, and “Anywhere”.  Again, like its older brother Sandboxing, the whole point of GateKeeper is to keep unwanted or poorly programmed apps from affecting your computer.

So what do these settings actually mean?

  • Mac App Store ONLY – As expected this means that you can only install apps from the Mac App Store.  This means no downloaded programs, programs from CD, or really anything unless it’s sitting in Apple’s online Store.
  • Mac App Store & identified developers – This setting is the default when you install Mountain Lion.  This means any company that has taken the time to be part of Apple’s certified program (meaning they pay the $99 a year) can make apps that can be installed.  This includes everything in the App Store along with any app that has this certificate.  This includes your Microsoft Office, Adobe Creative Suite and pretty much most of the “normal” programs out there.
  • Anywhere – As expected this is everything… just like the old days.

Now two points of interest.  First, I mentioned it’s 3.5, not just 3 settings.  The reason behind this is that you can override these settings on an app-by-app basis.  If you double-click an app that isn’t allowed under your current setting, it pops up a warning saying it’s not allowed.  BUT, if you right-click (opt click) and choose open it will give you a warning and let you open it anyway.  Very useful if you want to keep your system under lock down, but still let a handful of “naughty” apps in.
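To see which of these settings a given app needs, you can ask GateKeeper directly with `spctl`. The script below is an added example, not part of the original post: the function name `gatekeeper_tier` and the sample outputs are constructed for illustration, modeled on what `spctl --assess --type execute -vv` prints.

```shell
#!/bin/sh
# Classify `spctl --assess --type execute -vv <app>` output by the strictest
# GateKeeper setting (as named in the article) that would still allow the app.
# gatekeeper_tier and the SAMPLE_* values are constructed for illustration.

gatekeeper_tier() {
    # $1: full spctl output (spctl writes to stderr, so capture it with 2>&1)
    verdict=$(printf '%s\n' "$1" | sed -n '1s/^.*: //p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)

    # A rejected app only opens under "Anywhere" or the per-app override.
    if [ "$verdict" != "accepted" ]; then
        echo "Anywhere"
        return 0
    fi
    case "$src" in
        "Mac App Store")  echo "Mac App Store" ;;
        *"Developer ID"*) echo "Mac App Store & identified developers" ;;
        *)                echo "unknown source: $src" ;;
    esac
}

# Constructed sample outputs (paths, names and team ID are made up).
SAMPLE_STORE='/Applications/Example Store App.app: accepted
source=Mac App Store'
SAMPLE_DEVID='/Applications/Example Editor.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Users/me/Downloads/Unsigned Tool.app: rejected
source=no usable signature'

# On a Mac, pass an app path to classify a real app:
#   sh gatekeeper_tier.sh "/Applications/Some App.app"
if command -v spctl >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    gatekeeper_tier "$(spctl --assess --type execute -vv "$1" 2>&1)"
fi
```

`spctl --status` reports whether assessments are enabled at all; with "Anywhere" selected they are disabled.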

Second is that I did not say “take care” but “help take care” when I first described GateKeeper.  This is because although Apple requires a company to register, and even follow certain rules, that doesn’t mean they do.  Apple doesn’t check every company that registers and pays the $99 to be in the Mac developer program.  They can’t run a program through all its paces in the Mac App Store to make sure everything is on the up and up.  You still need to be careful of these programs, even if they are signed or in the App Store.

That being said, it’s still a deterrent for a company to go through the trouble of paying their dues only to be pulled shortly after Apple gets all the complaints of malicious software.  You aren’t as likely to get something negative from a signed app, versus an unsigned one.

The Sky is falling?

Now that I’ve got all the Doom and Gloom over with, some upside.  As I stated before, all this loss of freedom does come with a lot of protection and security that we haven’t seen in computers for a long time.  Even if some of that security is just a white picket fence.  There are definite advantages to GateKeeper, Sandboxing the apps, and a lot of other features Apple is baking into their installation system for Apps.  They can help keep out malware, protect your other applications, and keep your computer running smoothly.

But here’s where you need to start thinking about the trade offs between security and freedom.  Yes, at the moment Apple isn’t forcing you to require all programs be bought through the app store and on lock down.  Yes, it’s simple enough to have an app that can be vetted to be installed under these restrictions.  And yes, even if Apple were to lock it down like you do under iOS, you most likely could always Jail-Break the computer.

But should we need to worry about these things?  Are computers this open platform that we’ve grown accustomed to, or should we accept they are “growing up” and becoming much more locked down?  Are things like Sandboxing, GateKeeper, and a locked-down system what the public needs to keep things running, or is it simply a sign that computers are being dumbed down for the average consumer?  Perhaps they need to be dumbed down so the average consumer can use them.  I’m not really sure anymore.

Chances are the average user won’t notice that much of anything has changed.  They’ll see that their computer is running smoother, and there are fewer programs to choose from (although those apps will be easier to use and install).  For them, the changes might just be a bitter medicine that’s required to keep them safe from themselves and others. Perhaps it’s only the geeks and nerds on the edge pushing things that are complaining or even noticing the change.
