On 23/08/2012, at 10:45 AM, Todd Heberlein <todd_heberl...@mac.com> wrote:
>> Where life is made difficult is with more general access to the file system, >> which is a perfectly legitimate thing to do. A user stores various media all >> over the file system and there is no reason why an app shouldn't have access >> to it. > > Except this is how cyber espionage works. > > The "Pretty Girls" calendar application is a Trojan horse that, upon reaching > a certain date (i.e., after it is approved by Apple), starts reading your > Word/Pages document and exfiltrating them off the system. Understood, but this is the problem with security in general - how to make something secure without inconveniencing legitimate use. It's a hard problem, look at how appalling airport "security" is for the 99.9999999% of legitimate users. I'm not sure what the solution is, but I do feel that sandboxing as it has been implemented is a poor solution because it is inconveniencing legitimate use (and I mean use, not development, which is SERIOUSLY inconvenienced). Suddenly legitimate users who manage all their photos with iPhoto cannot quickly access those photos with our app because our app cannot access iPhoto's media. They are inconvenienced - they have to find some other way to get their photos into our app. It makes our app less useful than before. I can't see how penalising these legitimate users to counter a hypothetical threat is striking the right balance. Once "Pretty Girls" is detected for what it is, its certificate can be revoked and the problem gradually solves itself. If in the meantime the user had experienced data loss or damage then they should have known better than to trust the skanky app in the first place. Obviously that's not ideal but give me common sense over the Gulag any day. Note that because "Pretty Girls" got past Gatekeeper, they were probably MORE likely to trust it than if they had just exercised a sensible amount of caution in the first place. Gatekeeper is like the front door to your house, except automated to let anyone in who waves the right credentials at it. Then they're in your house. In real life I'd prefer to take a look at that person and decide for myself whether they can be trusted. I might get it wrong, but it was my decision. For social engineering attacks, like "Pretty Girls", the only solution is user education. --Graham _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
