About App Sandbox

沙盒是在受限的安全环境中运行应用程序的一种做法,这种做法是要限制授予应用程序的代码访问权限。

沙盒技术提供对资源的严格控制,沙盒通过限制对内存、系统文件和设置的访问,沙盒可以让企业可通过执行潜在恶意代码而发现其活动和意图,而不会影响主机设备。沙盒技术对进入企业网络的代码进行的这种分析意味着,即使是零日漏洞利用都可以被发现——通过分析代码的恶意意图。

About App Sandbox

App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised. Apps distributed through the Mac App Store must adopt App Sandbox. Apps signed and distributed outside of the Mac App Store with Developer ID can (and in most cases should) use App Sandbox as well.

At a Glance

Complex systems will always have vulnerabilities, and software complexity only increases over time. No matter how carefully you adopt secure coding practices and guard against bugs, attackers only need to get through your defenses once to succeed. While App Sandbox doesn’t prevent attacks against your app, it does minimize the harm a successful one can cause.

A non-sandboxed app has the full rights of the user who is running that app, and can access any resources that the user can access. If that app or any framework it is linked against contain security holes, an attacker can potentially exploit those holes to take control of that app, and in doing so, the attacker gains the ability to do anything that the user can do.

Designed to mitigate this problem, the App Sandbox strategy is twofold:

  1. App Sandbox enables you to describe how your app interacts with the system. The system then grants your app the access it needs to get its job done, and no more.
  2. App Sandbox allows the user to transparently grant your app additional access by way of Open and Save dialogs, drag and drop, and other familiar user interactions.

App Sandbox is not a silver bullet. Apps can still be compromised, and a compromised app can still do damage. But the scope of potential damage is severely limited when an app is restricted to the minimum set of privileges it needs to get its job done.

App Sandbox is Based on a Few Straightforward Principles

By limiting access to sensitive resources on a per-app basis, App Sandbox provides a last line of defense against the theft, corruption, or deletion of user data, or the hijacking of system hardware, if an attacker successfully exploits security holes in your app. For example, a sandboxed app must explicitly state its intent to use any of the following resources using entitlements:

  • Hardware (Camera, Microphone, USB, Printer)
  • Network Connections (Inbound or Outbound)
  • App Data (Calendar, Location, Contacts)
  • User Files (Downloads, Pictures, Music, Movies, User Selected Files)

Access to any resource not explicitly requested in the project definition is rejected by the system at run time. If you are writing a sketch app, for example, and you know your app will never need access to the microphone, you simply don’t ask for access, and the system knows to reject any attempt your (perhaps compromised) app makes to use it.

时间: 2024-10-20 11:14:02

About App Sandbox的相关文章

iPhone:4.7 5.5 4 3.5 对应的各个设备屏幕尺寸对应的像素及App上线信息

Shared App Information You can access these properties from the App Details page in the App Information section. This information is shared across any platform added to the app. Property Description Editable Primary Language The language you use to e

为你的MacOS App添加开机自启动(Swift)

猴子原创,欢迎转载.转载请注明: 转载自Cocos2Der-CSDN,谢谢! 原文地址: http://blog.csdn.net/cocos2der/article/details/52104828 关于Mac下如何给自己App添加开机自启动功能,你可以了解下Mac Developer Library中的说明. There are two ways to add a login item: using the Service Management framework, and using a

ios 删除系统从相册压缩的视频

iOS的沙盒机制,应用只能访问自己应用目录下的文件.iOS不像android,没有SD卡概念,不能直接访问图像.视频等内容.iOS应用产生的内容,如图像.文件.缓存内容等都必须存储在自己的沙盒内.默认情况下,每个沙盒含有3个文件夹:Documents, Library 和 tmp.Library包含Caches.Preferences目录.               上面的完整路径为:用户->资源库->Application Support->iPhone Simulator->

NSFileManager文件管理者

iOS的沙盒机制,应用只能访问自己应用目录下的文件.iOS不像android,没有SD卡概念,不能直接访问图像.视频等内容.iOS应用产生的内容,如图像.文件.缓存内容等都必须存储在自己的沙盒内.默认情况下,每个沙盒含有3个文件夹:Documents, Library 和 tmp.Library包含Caches.Preferences目录.               上面的完整路径为:用户->资源库->Application Support->iPhone Simulator->

Unity3D各平台Application.xxxPath的路径

前几天我们游戏在一个同事的Android手机上启动时无法正常进入,经查发现Application.temporaryCachePath和Application.persistentDataPath返回空字符串.便花时间认真研究了一下Unity3D的路径问题.我们常用的是以下四个路径: Application.dataPath Application.streamingAssetsPath Application.persistentDataPath Application.temporaryCa

iOS学习笔记——文件操作(NSFileManager)

iOS的沙盒机制,应用只能访问自己应用目录下的文件.iOS不像android,没有SD卡概念,不能直接访问图像.视频等内容.iOS应用产生的内容,如图像.文件.缓存内容等都必须存储在自己的沙盒内.默认情况下,每个沙盒含有3个文件夹:Documents, Library 和 tmp.Library包含Caches.Preferences目录.               上面的完整路径为:用户->资源库->Application Support->iPhone Simulator->

iOS——文件操作NSFileManager (创建、删除,复制,粘贴)

iOS——文件操作NSFileManager (创建.删除,复制,粘贴) iOS的沙盒机制,应用只能访问自己应用目录下的文件.iOS不像android,没有SD卡概念,不能直接访问图像.视频等内容.iOS应用产生的内容,如图像.文件.缓存内容等都必须存储在自己的沙盒内.默认情况下,每个沙盒含有3个文件夹:Documents, Library 和 tmp.Library包含Caches.Preferences目录.               上面的完整路径为:用户->资源库->Applicat

iOS学习笔记(十七)——文件操作(NSFileManager)

http://blog.csdn.net/xyz_lmn/article/details/8968213 iOS的沙盒机制,应用只能访问自己应用目录下的文件.ios不像Android,没有SD卡概念,不能直接访问图像.视频等内容.iOS应用产生的内容,如图像.文件.缓存内容等都必须存储在自己的沙盒内.默认情况下,每个沙盒含有3个文件夹:Documents, Library 和 tmp.Library包含Caches.Preferences目录.               上面的完整路径为:用户

什么是Entitlement

Entitlement(权限),可以想象成App里用于描述该App可以调用哪些服务的字符串.苹果的操作系统(mac os或者iOS)会通过检查这个串,决定这个应用是否可以调用相关功能.比如iCloud权限,推送服务,健康服务等. entitlement[英][?n?ta?tlm?nt][美][?n?ta?tlm?nt]n.授权; 应得权益; 命名.被定名; 复数:entitlements About Entitlements Entitlements confer specific capabi