App Store Sandboxing
User interaction and expectations of sandboxed applications.
Design in progress
Implementation in progress
- Principle: In the case of single-user systems, we're not really trying to protect the system from the user by sandboxing. We're protecting the user (and their data) from apps. This is the general framing for the desktop UX sandboxing use case.
- Principle: The concept of 'privacy' is the way users should see security. Privacy is the user-facing 'feature' that security/sandboxing provides. Obviously it provides more technical features than just that, but the user takes those other aspects for granted.
- Want: We need a clear model of what an application is, and we need to make sure that it matches what the user expects. We need to present which application is which in a consistent way, which implies a consistent way to identify an application.
- Application capabilities should be clear before the user installs, not necessarily after or during the installation process.
- Certain capabilities should be configurable after the fact. A good example is location services.
- User expects as a given: the app is completely uninstallable. When an app is uninstalled, it should not be possible for it to continue to affect the system, whether maliciously or by accident.
- App install and uninstall should be atomic.
- Clear separation, to the user, between what is the OS (in the UX sense) and what applications are. Apps should not be able to pretend, whether by design or maliciously, to be the OS.
- Open question: What to do with app data or content when uninstalled.
- Privileged file chooser: the app asks the user to open a file through the file chooser, and the app gets access only to the document the user chose.
- Concept of foreground and background apps. Background apps have fewer capabilities than foreground apps.
- Some discussion of target applications, but had a hard time pinning this down.
- W^X (memory is writable or executable, never both) was brought up as desirable.
- Privacy is the main feature that makes users want apps that use these technologies. Security is used to implement privacy.
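As an added example, not part of the original notes and not GNOME's or any real portal's code, the following Python models the "privileged file chooser" item above. A trusted broker owns the user's documents and stands in for the chooser dialog; the sandboxed app side only ever receives a file descriptor over a Unix socket (SCM_RIGHTS), never a path it could reuse or a directory it could browse. `FileChooserBroker`, `SandboxedApp`, the sample documents and the app id `org.example.Viewer` are all constructed for this illustration; it assumes a POSIX system and Python 3.9+ for `socket.send_fds`/`socket.recv_fds`.

```python
"""Model of a privileged file chooser: the trusted side picks and opens the
document, the sandboxed side only ever receives a descriptor for it.
All names here are constructed for illustration, not a real portal API."""
import os
import shutil
import socket
import tempfile


def make_sample_docs():
    """Create constructed sample documents in a fresh directory; return its path."""
    root = tempfile.mkdtemp(prefix="userdocs-")
    samples = {"report.txt": "quarterly report", "secrets.txt": "not for this app"}
    for name, text in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return root


class FileChooserBroker:
    """Trusted, non-sandboxed side. Owns the user's file view and stands in for
    the chooser dialog (hypothetical class, not a real portal implementation)."""

    def __init__(self, root):
        self.root = os.path.realpath(root)
        self.grants = []  # audit trail: (app_id, path) handed out, for review/revocation

    def open_via_chooser(self, app_id, user_choice, app_sock):
        """`user_choice` stands in for the entry the user clicked in the dialog.
        Validate it, open it read-only, and pass only the descriptor to the app."""
        path = os.path.realpath(os.path.join(self.root, user_choice))
        inside_root = os.path.commonpath([self.root, path]) == self.root
        if not inside_root or not os.path.isfile(path):
            raise PermissionError(f"refusing to grant {user_choice!r} to {app_id}")
        fd = os.open(path, os.O_RDONLY)
        try:
            # SCM_RIGHTS descriptor passing: the app gets a handle to this one
            # file, never a path it could reopen or a directory it could browse.
            socket.send_fds(app_sock, [b"document"], [fd])
        finally:
            os.close(fd)  # the broker's copy; the app's duplicate stays open
        self.grants.append((app_id, path))
        return path


class SandboxedApp:
    """App side. Its only route to user documents is descriptors it receives."""

    def __init__(self, sock):
        self.sock = sock
        self.open_docs = []

    def receive_document(self):
        """Read the document the broker granted; returns its text."""
        data, fds, _flags, _addr = socket.recv_fds(self.sock, 64, 1)
        if data != b"document" or len(fds) != 1:
            raise RuntimeError("unexpected message from broker")
        fh = os.fdopen(fds[0], "r")
        self.open_docs.append(fh)
        return fh.read()

    def close_all(self):
        for fh in self.open_docs:
            fh.close()
        self.open_docs.clear()


def demo():
    """Run one granted open and two refused ones; return what happened."""
    root = make_sample_docs()
    broker_end, app_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    broker = FileChooserBroker(root)
    app = SandboxedApp(app_end)
    result = {}
    try:
        # The user picks report.txt in the chooser; only that file reaches the app.
        broker.open_via_chooser("org.example.Viewer", "report.txt", broker_end)
        result["content"] = app.receive_document()
        # A choice that resolves outside the user's folder is refused by the broker...
        try:
            broker.open_via_chooser("org.example.Viewer", "../../etc/hostname", broker_end)
            result["traversal_denied"] = False
        except PermissionError:
            result["traversal_denied"] = True
        # ...and so is a name that does not exist as a regular file.
        try:
            broker.open_via_chooser("org.example.Viewer", "missing.txt", broker_end)
            result["missing_denied"] = False
        except PermissionError:
            result["missing_denied"] = True
        result["grants"] = list(broker.grants)
    finally:
        app.close_all()
        broker_end.close()
        app_end.close()
        shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Both sides run in one process here so the model stays self-contained; in a real deployment the app side would run in a mount namespace that does not contain the user's documents at all, so the descriptor it receives is genuinely its only access. The broker's `grants` list is the hook for the other wants on this page: it lets a capability be reviewed or withdrawn after the fact, and it tells the system what to revoke when the app is uninstalled.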