Monday, 24 May 2010

Sandboxed vs. Trust, sandboxing wins

One of the most basic principles on Windows, in order to prevent malware, is that you trust your software provider. There are many trust mechanisms, including driver signing, website signing, remembering whether a file was downloaded or was produced locally etc. The idea is, that if you can trace the origin of the file, you can make the provider liable. If you need to break the trust chain, for instance if you download an unsigned setup.exe file that you want to install, you need to confirm that you want to do that.

On the other hand, we have sandboxing techniques. JavaScript originally had a lot of access to the local browser, for instance, one web page could access info from another web page. Obviously, this had to be changed, each untrusted web page must be isolated from other web pages. Google Chrome even added a second sandboxing layer inside the code, so that if there are bugs in the JavaScript API implementation, the JavaScript could probably not break through the second layer. This has given Google Chrome a very good security record. Other IT technologies also implement sandboxing or are in effect sandboxing: virtual machines, managed code. Google NaCl can also be considered a kind of sandboxing, although it's basically native code "at least as safe as javascript".

Web apps have grown to be extremely popular, despite being expensive to develop and often with low usability. The main reason is that they are very simple to deploy: you don't need to install anything and it works everywhere, and data is saved on the server. This is not entirely true: You need to install an adequate browser, which means that it doesn't work everywhere, and even server/client software often only stores data on the server. So, why are web apps different?

Here is the key: Web apps are usually much easier to install/configure, and you can use web apps from untrusted sources.

Both iPhone and Android solved these parameters for local apps: It is almost easier to install an app than to bookmark a good web app, simply because the search for a good app is guided using the app store/market, and installation is as simple as bookmarking a web page. Using software from untrusted sources is handled using sandboxing. I have no idea if the provider of my currency exchange rate app is evil or not, but it cannot access anything except the internet connection, so it cannot be used to wiretap on me. I am completely sure that it will not know my location, for instance. Android Market still requires signatures, but it does not need to be a signature with trust - the security is in the sandbox.

In addition to being at least as easy as web apps, iPhone and Android apps provide better usability because they are designed for the user interface hardware, and they provide better functionality because they can work offline and with access to hardware, if you permit it.

Most Android and iPhone users that I know, have more apps installed on their phone than on their computer. The reason is not that the apps on the phone are smaller - but there is an inherent problem with Windows app: If you don't trust them, you won't install them on a computer that needs to be safe. Many IT departments lock down Windows computers so that you cannot install anything. Many employees in large organizations don't have the possibility to install even small simple apps, so web apps are their only choice - the browser is the only widespread sandboxing system on Windows.

The future is sandboxed.