Core found something, but it wasn't a sandboxing security hole

Core Research last week issued an advisory saying it found a security hole in the way Apple sandboxes applications. The problem is that what they reported is not actually a security hole.

I’ve done some digging over the past few days and here’s what I found. What Core uncovered was a mechanism that’s only used by Apple for its internal system daemons. This isn’t something that developers would actually use for an application, so it doesn’t affect them — or the user — at all.

In fact, Apple’s documentation doesn’t even point developers to this mechanism.

What’s more, this is a blacklist mechanism, meaning that you would have to specify, in detail, everything you didn’t want your app to do. If it’s not specified, then it would be allowed to do it.

This is completely unlike the API that developers will use to sandbox their applications. That is a whitelist API, where you have to specify exactly what you want the app to do — everything else is not allowed.
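To make the difference between the two models concrete, here is an added example, not code from this post or from Apple: a small Python policy evaluator that audits what each model leaves reachable. The operation names and the policy format are constructed for illustration and are not Apple's profile syntax or operation list.

```python
from fnmatch import fnmatchcase

# Constructed operation names for illustration; not Apple's real operation list.
OPERATIONS = [
    "file-read", "file-write", "network-outbound", "network-inbound",
    "process-exec", "ipc-send",
]

# Blacklist-style profile: everything is allowed except what is listed.
DENY_NETWORK = {"default": "allow", "rules": ["network-*"]}
# Whitelist-style policy: nothing is allowed except what is listed.
ALLOW_FILES = {"default": "deny", "rules": ["file-*"]}


def is_allowed(policy, operation):
    """Return True if the policy permits the operation.

    The rules are exceptions to the default: with default "allow" they are
    denials (blacklist), with default "deny" they are grants (whitelist).
    """
    matched = any(fnmatchcase(operation, pat) for pat in policy["rules"])
    return not matched if policy["default"] == "allow" else matched


def reachable(policy, operations):
    """Audit helper: every operation the policy leaves open."""
    return sorted(op for op in operations if is_allowed(policy, op))


def newly_exposed(policy, old_ops, new_ops):
    """Operations that become allowed only because the platform gained them."""
    return sorted(set(reachable(policy, new_ops)) - set(reachable(policy, old_ops)))


if __name__ == "__main__":
    print("blacklist leaves open:", reachable(DENY_NETWORK, OPERATIONS))
    print("whitelist leaves open:", reachable(ALLOW_FILES, OPERATIONS))
    # A hypothetical operation the policy author never anticipated.
    grown = OPERATIONS + ["scripting-send"]
    print("blacklist newly exposed:", newly_exposed(DENY_NETWORK, OPERATIONS, grown))
    print("whitelist newly exposed:", newly_exposed(ALLOW_FILES, OPERATIONS, grown))
```

Under the blacklist, anything its author did not list stays open, including operations added after the policy was written; under the whitelist the same omissions are denied.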

Core also mentioned that the pre-defined profiles don’t properly limit access, but as far as I can tell, they weren’t supposed to. Not even Apple uses the pre-defined profiles because you must specifically blacklist the things you don’t want it to do.

This has nothing to do with the way the Mac App Store will sandbox apps in 2012. Developers will specify what the app should do and it will work as expected.