Monday 24 May 2010

Sandboxed vs. Trust, sandboxing wins

One of the most basic principles of malware prevention on Windows is that you trust your software provider. There are many trust mechanisms, including driver signing, website signing, and remembering whether a file was downloaded or produced locally. The idea is that if you can trace the origin of a file, you can hold the provider liable. If you need to break the trust chain, for instance by installing an unsigned setup.exe that you downloaded, you must explicitly confirm that you want to do that.

On the other hand, we have sandboxing techniques. JavaScript originally had a lot of access to the local browser: for instance, one web page could access information from another web page. Obviously this had to change, and each untrusted web page must now be isolated from other web pages. Google Chrome even added a second sandboxing layer inside the code, so that if there are bugs in the JavaScript API implementation, the JavaScript probably still cannot break through the second layer. This has given Google Chrome a very good security record. Other IT technologies also implement sandboxing or are in effect sandboxing: virtual machines, managed code. Google NaCl can also be considered a kind of sandboxing, although it is basically native code made "at least as safe as JavaScript".

Web apps have grown to be extremely popular, despite being expensive to develop and often having low usability. The main reason is that they are very simple to deploy: you don't need to install anything, they work everywhere, and data is saved on the server. This is not entirely true: you need to install an adequate browser, which means that they don't work everywhere, and client/server software often also stores data only on the server. So, why are web apps different?

Here is the key: web apps are usually much easier to install and configure, and you can use web apps from untrusted sources.

Both iPhone and Android solved both of these problems for local apps: it is almost easier to install an app than to bookmark a good web app, simply because the search for a good app is guided by the app store/market, and installation is as simple as bookmarking a web page. Using software from untrusted sources is handled by sandboxing. I have no idea if the provider of my currency exchange rate app is evil or not, but it cannot access anything except the internet connection, so it cannot be used to wiretap me. I am completely sure that it will not know my location, for instance. Android Market still requires signatures, but they do not need to be signatures that carry trust: the security is in the sandbox.

In addition to being at least as easy to use as web apps, iPhone and Android apps provide better usability because they are designed for the device's user interface hardware, and better functionality because they can work offline and access the hardware, if you permit it.

Most Android and iPhone users that I know have more apps installed on their phone than on their computer. The reason is not that the apps on the phone are smaller; there is an inherent problem with Windows apps: if you don't trust them, you won't install them on a computer that needs to be safe. Many IT departments lock down Windows computers so that you cannot install anything. Many employees in large organizations don't even have the option to install small, simple apps, so web apps are their only choice: the browser is the only widespread sandboxing system on Windows.

The future is sandboxed.


deksden said...

Generally - agree! the future is sandboxing with customized permissions for apps

LDS said...

It is not true that people have more apps on their phones than their PCs. It is more difficult to install cracked applications on iPhones than on a PC.
Company PCs are locked down to avoid more issues than "untrusted" applications, namely people playing or doing their own activities instead of doing what they are paid for.
Sandboxes protect you, but as their name implies, they also treat you like a child, forbidding a lot and impacting flexibility. Face it, the huge success of PCs is due to flexibility. Take it away, and you have a console, not a PC.

unused said...

The iPhone at least, and probably the Android too, have no concept of an untrusted app. The App Store approves each app, making it trusted.

Additionally, I have had apps cause problems in other apps on my iPod Touch. Turns out it wasn't as sandboxed as we are led to believe.

Lars D said...

Apple does add some trust through reviews and sign-up mechanisms, but that is also why it sometimes takes more than a month for a respectable company to get a bugfix published - I guess they need to improve on that. With Android, you can publish an app immediately without any approval process, so that you can serve your users much faster. However, this also means that the security is 100% in the sandbox.

It also means that if you install an app that is permitted to read your contacts and have internet connectivity, it is potential spyware. If you need to solve a task that requires both internet access and access to contacts, it can be solved by using 2 apps, one that accesses the contacts, and then you can share the contact info with the internet app using the built-in sharing mechanism. This puts the user in control of what goes from one sandbox to another, similar to copy & paste except that only one app gets access to the data.
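As an added example, not code from the post or from Android itself, here is how the two-app split described in that last comment (and the "it cannot access anything except the internet connection" point in the post) could be built on Android of that era: one app declares only READ_CONTACTS and has no network access, the other declares only INTERNET and cannot query contacts, and contact data crosses between them only through the system's ACTION_SEND share chooser, which the user has to pick explicitly. Package-free class names, the app names and the upload URL are all hypothetical placeholders.

```java
// Added example (not from the post): least-privilege split across two Android
// sandboxes. App and class names are hypothetical; the endpoint is a placeholder.

// ---- File: ContactPickerActivity.java (app 1, "ContactPicker") ----
// App 1's AndroidManifest.xml declares ONLY the contacts permission, so its
// sandbox has no way to reach the network:
//   <uses-permission android:name="android.permission.READ_CONTACTS" />

import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.os.Bundle;
import android.provider.ContactsContract;

public class ContactPickerActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Read display names from the contacts provider. This succeeds only
        // because READ_CONTACTS was granted to this app at install time.
        StringBuilder names = new StringBuilder();
        Cursor cursor = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI,
                new String[] { ContactsContract.Contacts.DISPLAY_NAME },
                null, null, null);
        if (cursor != null) {
            try {
                while (cursor.moveToNext()) {
                    names.append(cursor.getString(0)).append('\n');
                }
            } finally {
                cursor.close();
            }
        }
        // Hand the data to another app through the system share chooser.
        // Nothing leaves this sandbox unless the user selects a target app.
        Intent share = new Intent(Intent.ACTION_SEND);
        share.setType("text/plain");
        share.putExtra(Intent.EXTRA_TEXT, names.toString());
        startActivity(Intent.createChooser(share, "Share contacts with..."));
    }
}

// ---- File: UploadActivity.java (app 2, "Uploader") ----
// App 2's manifest declares ONLY the network permission, plus an intent filter
// so it appears in the chooser for shared plain text:
//   <uses-permission android:name="android.permission.INTERNET" />
//   <activity android:name=".UploadActivity">
//     <intent-filter>
//       <action android:name="android.intent.action.SEND" />
//       <category android:name="android.intent.category.DEFAULT" />
//       <data android:mimeType="text/plain" />
//     </intent-filter>
//   </activity>

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public class UploadActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        // Accept only what was explicitly shared to us. This app cannot query
        // the contacts provider itself, since it lacks READ_CONTACTS.
        if (Intent.ACTION_SEND.equals(intent.getAction())
                && "text/plain".equals(intent.getType())) {
            String shared = intent.getStringExtra(Intent.EXTRA_TEXT);
            if (shared != null) {
                upload(shared);
            }
        }
        finish();
    }

    // Send the shared text using this app's own INTERNET permission.
    private void upload(final String body) {
        new Thread(new Runnable() {
            public void run() {
                try {
                    // Placeholder endpoint, not a real service.
                    URL url = new URL("https://example.invalid/upload");
                    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                    conn.setRequestMethod("POST");
                    conn.setDoOutput(true);
                    OutputStream out = conn.getOutputStream();
                    out.write(body.getBytes("UTF-8"));
                    out.close();
                    conn.getResponseCode(); // forces the request to be sent
                    conn.disconnect();
                } catch (IOException e) {
                    // On network failure the data simply stays on the device.
                }
            }
        }).start();
    }
}
```

The point of the split is that neither manifest asks for both permissions, so a reviewer (or a user reading the install-time permission list) can see that no single sandbox can both read the address book and talk to the network; the only bridge is the chooser dialog, which the user sees every time data moves.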