Advertisement

App-ocalypse soon: Apple extends sandboxing deadlines, but restrictions loom

Erica Sadun
Senior Writer
Updated ·6 min read

Image: Shutterstock

Apple issued a three month extension on application sandboxing today, giving devs a little more breathing room before new rules take over. June 1 2012 is now the enforcement date. We've been having many discussions about Mac development in the TUAW backchannel over the last week.

The introduction of GateKeeper and the notion of signed apps, sandboxing, and developer IDs have us talking about where Apple is taking the Mac, and will be moving Mac development in general. Overall, we think things are moving towards a win for consumers and better opportunities for devs. Read on to learn more about these technologies, and how they affect developers and App Store.

GateKeeper is Apple's new approach to making your Mac safer by giving you control over which applications may download and run on your computer. With GateKeeper, developers sign apps to authenticate them with the OS -- both apps that you purchase from the Mac App Store and, at the developer's option, also apps you purchase elsewhere.

With Mountain Lion, you choose which apps are allowed to run. You'll be able to disable GateKeeper and run apps from anywhere if you like, although this is not the default setting.

The thing is this: Apple continues moving towards a more controlled, less open, more appliance-like concept of what a Mac means. That redefinition is causing ripples, affecting app development more and more. Applications can do fewer things, access fewer system resources, and control other apps less than they did in the past.

Developers who choose to enroll in the Mac development program pay a $99/year fee just as those who enroll in the iOS development program do. Once enrolled, they can sign their apps as identified developers -- as well as gain access to early beta versions of unreleased operating systems.

When the iPhone SDK first debuted, many people including yours truly complained about what couldn't be done with the APIs: what files could be accessed, what routines could be called, and so forth. Coming from a general computing background, one learns to expect to build whatever one can imagine. If the building blocks are there, then why not build whatever tools you need? That all ties into a background of fully open computing.

Apple's policy split the dev community into the jailbreak world and the App Store world, with many people crossing over depending on what they were building. Under jailbreak, developers gain full access to the entire iOS file system and run apps in a fully privileged mode. This gives devs a much broader development vocabulary to work with. The jailbreak world became known for its innovation, with Apple mining those forward-looking ideas and free R&D and bringing them into successive iterations of their operating system.

At the same time, developers had to change. If they wanted to market through App Store, they had to relinquish product ideas that wouldn't work within the more closed-off system that App Store submission required and look instead for opportunities of development that were allowed.

No one can look at App Store today, with its countless apps, and say that Apple denied developers opportunity. It's just a somewhat different opportunity than many developers expected. It's an opportunity that restricted certain kinds of applications, most typically OS enhancements and utilities (which have flourished on other mobile platforms with less oversight of developer access). Overall, Apple has provided better tools, better marketing, and better sales avenues than had existed before. The end result has been apps that are significantly better than previous generations.

And now, Apple is doing the same thing for the Mac.

This is emotionally hard for some long-term devs like me. We want Linux-y freedom for whatever we want to build and distribute. Now, with sandboxing (a technique that restricts application access to full system files; all apps that are not sandboxed will be removed from the Mac App Store starting June 1st [Update: Older apps will still be on the store and allowed bug fixes- Ed.]) and GateKeeper (limiting apps to those that are signed and authenticated), Apple is setting a new default: software consumers will expect to be protected, and will expect that any item being delivered to them will comply with Apple policies.

We developers have two choices: either opt in to Apple's signing (developer IS) and/or distribution system (App Store), or limit ourselves to only those customers savvy enough to opt out to the "all's fair" system. It's essentially a Mac jailbreak--just without all the pain of waiting for the next untethered release. (Speaking of which, yes, it would be lovely if this idea goes exactly back to the iPhone, so we don't have to wait on those exploits and releases.)

Apple's brave new world for the Mac gets that there are "power" users and "consumers." And it also gets that the latter category vastly outnumbers the former. As it builds new and better operating systems that retain desktop functionality, it is shaping computing to match consumer needs and wants, not developers.

Not everything is roses. Some devs are complaining--with good reason--that Apple's approach to proprietary technologies will prevent them from selling off the App Store for iCloud features, for example. If you want to tie into those APIs, you won't be able to go to third party merchandising storefronts to sell your software. App Store-exclusive features will tie developers further into Mac App Store and to Apple's 30% cut. Those Apple-specific technologies will continue to grow over time.

What's more, developers must continue putting pressure on Apple to extend entitlements, allowing apps to grow the kinds of resource access they are allowed under Apple's sandbox system. The current set of entitlement restrictions seems unnaturally limited.

Just as iOS's App Store has responded to developer requests, the Mac environment will have to soften restrictive rough edges over time. A passionate and involved developer community will help those changes happen. Community-sourced advocacy such as Tim Burks' Open Radar project allow developers to cooperatively brainstorm and strategize about which access issues are the most important to them.

In the end, this is going to be an amazing end-point for consumers. You can talk about "what has existed for a generation," but that means things like Microsoft Word. There is no way anyone can argue that MS Word was an amazing end-point for general consumers.

It's a wake-up call for devs who have stuck with Apple through the dark years. Apple is changing up the game. Devs have to change it up too. And if Apple's success with iOS App Store is any indication there will be more opportunity and better chances at creating a living than ever before.

Thanks, Remy "Psy" Demerest, Kyle Kinkade, |Agent