
Sandboxing #36

Open
mipstian opened this issue Sep 13, 2014 · 7 comments

@mipstian
Owner

Currently, the feed checker service is sandboxed, but the main app isn't.

Whenever Sparkle supports sandboxing, we can adopt it in the app as well. Right now the app needs network access so Sparkle can check for updates, but they're slowly turning it into an xpc service with its own entitlements.

The app would only need an entitlement for access to the Downloads directory, which is the default save path for torrent files. Access to other directories would be granted via Powerbox. All networking is already done by the service.

Existing users that already have a custom folder in their preferences would need to re-select it. Luckily this should be self-correcting, because with sandboxing this folder would be inaccessible, and will thus cause the preferences window to pop up on launch with an error icon next to it. I think users would be able to figure out what to do at this point, especially if we add a warning to the release notes, so the transition shouldn't be too bumpy.

@mipstian mipstian self-assigned this Sep 13, 2014
@mipstian mipstian added this to the 2.0 milestone Sep 30, 2014
@yashendra2797

Why do you want the app to be sandboxed? The only advantage I can think of is submitting it to the MAS, but Apple doesn't accept any apps related to torrents.

@mipstian
Owner Author

mipstian commented Mar 3, 2016

What about security? :)

@yashendra2797

How much would sandboxing affect security for an app like Catch? Personally I don't think it's worth the effort.

@mipstian
Owner Author

mipstian commented Mar 5, 2016

Well that's the cool part, the effort is almost zero. As soon as a version of Sparkle compatible with sandboxing comes out, we just need to update to it and flip the sandboxing switch. No code changes needed in Catch.

We're already mostly covered because the feed checker service inside Catch is sandboxed - it only has outgoing network access + temporary access to the download folder that is passed from the main app. The feed checker service is the most vulnerable part of the app as it's exposed to data coming from the network and contains a parser. So if it is compromised, it can't change any files outside the download folder or start a server (among other things).

But the service does have a backchannel to the main app. So it'd be nice if the main app had no privileges at all. All it needs is access to the download folder, which is granted via Powerbox. So even if someone could manage to forge a malicious feed which would cause the main app to misbehave, it would be mostly harmless.

Long story short, we wait on Sparkle and then we get extra security for free :)
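
The privilege split described in this comment, written out as App Sandbox entitlement files. This is an added illustration, not Catch's own entitlement files; the file names are assumptions, the standard plist XML/DOCTYPE header is omitted for brevity, and the entitlement keys are Apple's public App Sandbox keys.

```xml
<!-- FeedChecker.entitlements (constructed example, not Catch's file):
     the XPC service that fetches and parses the feed. Network client
     only and no file-system entitlements, so a compromised parser can
     neither write outside the folder the main app hands it at runtime
     nor open a listening socket. -->
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <!-- deliberately absent: com.apple.security.network.server -->
</dict>
</plist>

<!-- Catch.entitlements (constructed example, not Catch's file): the
     main app once Sparkle no longer needs the app itself to talk to the
     network. Only the default save location (~/Downloads) is granted
     statically; any other folder comes from the user through the
     Powerbox open panel, and the app-scope bookmark key lets that
     choice persist across launches instead of being re-selected. -->
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.downloads.read-write</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.files.bookmarks.app-scope</key>
    <true/>
    <!-- deliberately absent: com.apple.security.network.client -->
</dict>
</plist>
```

A quick check after building is `codesign -d --entitlements :- Catch.app`, which prints the entitlements actually embedded in the signed bundle, so a stray network entitlement on the main app is visible before release.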

@yashendra2797

Whelp. The Transmission ransomware shit is now making me push for sandboxing. Sorry for questioning you, mate. Keep up the good work!

@mipstian
Owner Author

mipstian commented Mar 7, 2016

No need to apologize, it was a legitimate question :)

@mipstian mipstian removed this from the 2.0 milestone Mar 21, 2021
@mipstian mipstian modified the milestones: 2.1, 2.2 May 17, 2021
@mipstian
Owner Author

For reference, the status of Sparkle 2 (the sandboxing release) is tracked at sparkle-project/Sparkle#1523.
