Tuesday 11 December 2012

Sandboxing

It's too hard to keep a computer clean when you try out new apps and eventually uninstall them, and it's also difficult to set up a computer just right to run certain programs. On phones, most apps are standalone, but they can still interact with the standard data stores found on the device, like call logs, SMS, plain old data files or online servers. On a desktop, programs are much more obviously not sandboxed away from each other, so creating such protected sandbox areas is probably going to be difficult. It would be good, though, especially for running conflicting versions of the same program side by side.

Even once you do it, however, you still have the problem of permissions, or managing the sandboxes. You can't have one per app, because some apps need to access the same data. You can't just have one big sandbox for everything either, because that's not a sandbox any more. Someone has to manage the sandboxes manually while the system keeps all the relevant walls in place, and that's a pain for users.

And even if you could get all that correct, properly sandboxed groups of apps, users will stomp it all to bits anyway. App writers will ask for more permissions than they need, because that lets them make more money in new and different ways. Users will grant those permissions, because they are blind to any question above a "Yes" button on the screen. That destroys any benefit a sandboxing regime might have had in the first place.

That problem will never go away unless the system knows which data is most important and makes granting programs access to it proportionally painful. Your entire contact database, plus permission to broadcast it over the internet at any time, should not be hidden behind a simple "Yes" prompt. The operating system needs to understand the dangers for you and protect you from them by asking permission in other, more complicated ways.
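As an added illustration (not code from the original post, and not any real operating system's permission API), here is a small model of what "proportionally painful" could look like. It takes the post's one example, contacts plus internet access, and turns it into a general rule: every permission carries a risk tier on its own, and a data store requested together with a channel that can carry data off the device is treated as an exfiltration capability and bumped up a tier, so the consent prompt gets harder than either grant alone would warrant. The permission names, tiers and prompt styles are all assumptions made for the example.

```python
"""Added example: tiered consent where permission combinations matter.

Everything here is hypothetical: the permission names, the tiers and the
prompt styles are assumptions made for illustration, not any real OS API.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1      # a one-tap "Yes" is acceptable
    MEDIUM = 2   # show what is at stake and require an explicit confirmation
    HIGH = 3     # ask per use; never bundle it into an install-time prompt


# Hypothetical catalogue. A data store is something worth stealing; an egress
# channel is a way to move it off the device.
DATA_STORES: dict[str, Tier] = {
    "files": Tier.LOW,
    "call_log": Tier.MEDIUM,
    "contacts": Tier.MEDIUM,
    "sms": Tier.HIGH,
}
EGRESS_CHANNELS: dict[str, Tier] = {
    "internet": Tier.LOW,
    "send_sms": Tier.MEDIUM,
}

# How hard the consent dialogue is at each tier (assumed wording).
PROMPTS: dict[Tier, str] = {
    Tier.LOW: "single confirmation at install time",
    Tier.MEDIUM: "install-time prompt that lists the data at stake and requires typed confirmation",
    Tier.HIGH: "runtime prompt on every use, revocable from settings",
}


@dataclass(frozen=True)
class Decision:
    tier: Tier
    prompt: str
    reasons: tuple[str, ...]


def assess(requested: set[str]) -> Decision:
    """Rate a requested permission set and choose how hard the consent should be.

    The individual tiers set a floor. A data store combined with an egress
    channel is treated as an exfiltration capability: the most sensitive
    store involved is escalated by one tier (capped at HIGH).
    """
    unknown = requested - DATA_STORES.keys() - EGRESS_CHANNELS.keys()
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")

    stores = {p for p in requested if p in DATA_STORES}
    egress = {p for p in requested if p in EGRESS_CHANNELS}

    tier = Tier.LOW
    reasons: list[str] = []
    for p in sorted(stores):
        tier = max(tier, DATA_STORES[p])
        reasons.append(f"{p}: {DATA_STORES[p].name} data store")
    for p in sorted(egress):
        tier = max(tier, EGRESS_CHANNELS[p])
        reasons.append(f"{p}: {EGRESS_CHANNELS[p].name} egress channel")

    if stores and egress:
        most_sensitive = max(DATA_STORES[p] for p in stores)
        escalated = Tier(min(int(most_sensitive) + 1, int(Tier.HIGH)))
        tier = max(tier, escalated)
        reasons.append(
            f"{'+'.join(sorted(stores))} with {'+'.join(sorted(egress))}: "
            f"data can leave the device, treated as {tier.name}"
        )

    return Decision(tier=tier, prompt=PROMPTS[tier], reasons=tuple(reasons))


if __name__ == "__main__":
    # Constructed sample requests, from harmless to "contacts plus internet".
    for request in ({"internet"}, {"contacts"}, {"files", "internet"},
                    {"contacts", "internet"}, {"sms", "internet"}):
        d = assess(request)
        print(f"{sorted(request)} -> {d.tier.name}: {d.prompt}")
        for r in d.reasons:
            print("   ", r)
```

The point of the escalation rule is that "contacts" on its own and "internet" on its own each look modest, but together they are exactly the capability the post warns about, so the model refuses to let that pair hide behind the same one-tap prompt as either half.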

Mokalus of Borg

PS - There are programs that can help you do this for your PC.
PPS - I recommend Sandboxie.
