2 Attachment(s)
Sandboxing - Why it doesn't Exist in BB10 - or Anywhere Else
Sandboxing. What is it really? Does any system really give us what people think of when they're told "don't worry, it's sandboxed" ?
What is it about a sandbox that provides security of those inside from what is outside, or the other way around? Nothing really.
Attachment 247722
A more apt analogy might be a playpen.
Attachment 247724
But even this does not provide an real security. A person who gains entry to the house with the intent of doing harm to the baby won't be hampered by a playpen. The baby will have toys inside the playpen. She might throw them out, knock over a lamp that burns the carpet. In the worst case scenario maybe the house burns down. That doesn't mean a playpen isn't of some use. Outside the pen a baby could innocently wander around and fall down stairs. Or enter the kitchen and get burned.
But when we apply the idea of sandboxing to software as a security tool it is immediately compromised by the fact that we want the program contained in the sandbox to still perform useful functions (even if that is to entertain us with a game). To do that input must be routed from the user interface into the sandbox. Output must be routed from the sandbox to the user interface. The program might need to write on file storage, access the network, find someone in the contacts list, dial the phone. By the time we have made our sandbox into a place where useful work may be done, there are so many punctures in the perimeter that we might as well not have bothered.
So what do we do instead? The answer is white listing. You only allow software to run that has been examined and, to some acceptable level, been demonstrated not to behave in a malicious way. All modern smartphones do that to some degree by using their application markets to create a curated ecosystem. This is a fairly gross level of control, but it can be fine tuned by giving fine grain permissions that allow or deny access to various sub-system and APIs. Some permissions may be available only to the device maker, or a few select and trusted third party developers. Some may be more widely available to developers who can justify their use. Some may be controlled by individual users. BlackBerry (and others) has used all of these methods, though arguably BlackBerry was late to the game with their application store front.
In fact, if this Register article is to be believed (and I can find no reason not to), there is very little difference between how an Android application and a BlackBerry 10 native application are treated on the device. In fact as a developer I could write a flashlight application that steals contact data as easily on one platform as on the other. I could also write an application that tried to gain elevated permissions by manipulating bugs in the kernel interface on one as the other. There are some compelling reasons why I would be more successful on an Android device than a BlackBerry 10 device however.
So when you read or hear someone talking about the sandbox and how it makes it OK to run applications, take that with a large helping of salt. If the OS is well written, then it is much less likely that the device will become "infected" with Mal-ware. That does not mean a malicious developer could not make your life very difficult. An application with access to your contacts list, could steal data for spammers and telemarketers. One with access to the telephone system could make calls to premium rate numbers, or send premium rate SMS messages. An application with access the files on the device could do what Cryptolocker has been doing to desktops. As the "internet of things", cloud storage and ubiquitous computing integrate our devices more tightly to each other these are the things we will need to guard against. The sandbox, even if it ever existed, doesn't really help us with that. Ask yourself: where did this application come form, and who has looked at it to ensure it does what it claims, and no more? And: does this application really need all these permissions?