On 23/08/2012, at 10:45 AM, Todd Heberlein <todd_heberl...@mac.com> wrote:

>> Where life is made difficult is with more general access to the file system, 
>> which is a perfectly legitimate thing to do. A user stores various media all 
>> over the file system and there is no reason why an app shouldn't have access 
>> to it.
> 
> Except this is how cyber espionage works.
> 
> The "Pretty Girls" calendar application is a Trojan horse that, upon reaching 
> a certain date (i.e., after it is approved by Apple), starts reading your 
> Word/Pages document and exfiltrating them off the system.
Understood, but this is the problem with security in general - how to make 
something secure without inconveniencing legitimate use. It's a hard problem, 
look at how appalling airport "security" is for the 99.9999999% of legitimate 
users.

I'm not sure what the solution is, but I do feel that sandboxing as it has been 
implemented is a poor solution because it is inconveniencing legitimate use 
(and I mean use, not development, which is SERIOUSLY inconvenienced). Suddenly 
legitimate users who manage all their photos with iPhoto cannot quickly access 
those photos with our app because our app cannot access iPhoto's media. They 
are inconvenienced - they have to find some other way to get their photos into 
our app. It makes our app less useful than before.

I can't see how penalising these legitimate users to counter a hypothetical 
threat is striking the right balance.

Once "Pretty Girls" is detected for what it is, its certificate can be revoked 
and the problem gradually solves itself. If in the meantime the user had 
experienced data loss or damage then they should have known better than to 
trust the skanky app in the first place. Obviously that's not ideal but give me 
common sense over the Gulag any day. Note that because "Pretty Girls" got past 
Gatekeeper, they were probably MORE likely to trust it than if they had just 
exercised a sensible amount of caution in the first place. Gatekeeper is like 
the front door to your house, except automated to let anyone in who waves the 
right credentials at it. Then they're in your house. In real life I'd prefer to 
take a look at that person and decide for myself whether they can be trusted. I 
might get it wrong, but it was my decision. For social engineering attacks, 
like "Pretty Girls", the only solution is user education.

--Graham
