Mac App Store Sandboxing

Mac OSX specific forum
J. Baker
Addict
Posts: 2178
Joined: Sun Apr 27, 2003 8:12 am
Location: USA

Post by J. Baker »

It looks like by November 1st, you'll have to read and write to ~/Library/Containers/<app id>/Data/Library/Application Support/<app name>/ in order for your app to be accepted on the Mac App Store. This of course is the equivalent of ~/Library/Application Support/<app name>. ;)
www.posemotion.com

PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef

Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT


Even the vine knows it surroundings but the man with eyes does not.
WilliamL
Addict
Posts: 1224
Joined: Mon Aug 04, 2008 10:56 pm
Location: Seattle, USA

Re: Mac App Store Sandboxing

Post by WilliamL »

[deleted]
Last edited by WilliamL on Mon May 14, 2012 5:09 pm, edited 2 times in total.
MacBook Pro-M1 (2021), Sonoma 14.4.1, PB 6.10LTS M1

Re: Mac App Store Sandboxing

Post by J. Baker »

WilliamL wrote:
~/Library/Containers/<app id>/Data/Library/Application Support/<app name>/
is this a new path structure established in Lion? Are all apps updated to this structure when upgrading to Lion?
Well, as of November 1st, this will be for Lion if you want to be accepted on the Mac App Store. It's for security reasons.
kenmo
Addict
Posts: 1967
Joined: Tue Dec 23, 2003 3:54 am

Re: Mac App Store Sandboxing

Post by kenmo »

J. Baker wrote:This of course is the equivalent of ~/Library/Application Support/<app name>. ;)
:?: What do you mean that is equivalent?

Re: Mac App Store Sandboxing

Post by J. Baker »

kenmo wrote:
J. Baker wrote:This of course is the equivalent of ~/Library/Application Support/<app name>. ;)
:?: What do you mean that is equivalent?
Maybe wrong choice of word. But that's basically how it would be done before Apple requires the sandboxing way. ;)

Re: Mac App Store Sandboxing

Post by kenmo »

Oh okay. I didn't know if one path was a symbol link for the other, or something.

So for all future purposes, use ~/Library/Containers/<app id>/Data/Library/Application Support/<app name>/, gotcha. Thanks for the info, J.

Re: Mac App Store Sandboxing

Post by J. Baker »

kenmo wrote:Oh okay. I didn't know if one path was a symbol link for the other, or something.

So for all future purposes, use ~/Library/Containers/<app id>/Data/Library/Application Support/<app name>/, gotcha. Thanks for the info, J.
;)

Re: Mac App Store Sandboxing

Post by WilliamL »

What is an example of 'app id' (as opposed to the 'app name')?

Say for 'TextEdit.app'

Re: Mac App Store Sandboxing

Post by J. Baker »

WilliamL wrote:What is an example of 'app id' (as opposed to the 'app name')?

Say for 'TextEdit.app'
com.apple.TextEdit

As for distributing a sandboxed app, make sure to read "the code signing guide", so your app doesn't get rejected by something simply overlooked.
To request that your application be placed in a sandbox, you must include the following key in your entitlements property-list file at a minimum:

com.apple.security.app-sandbox

In addition to including the preceding key, your entitlements property-list file should include the other keys that reflect which resources your application uses. An application can request access to the Open and Save panels, access to the network, access to a camera (when present), and access to the microphone. You must request the items that your application uses but should not request access to items your application does not use. If you attempt to use a feature for which you do not have an appropriate entitlement, the system denies access and logs an appropriate message to the console. You can use these console messages during debugging to help identify features your application uses.

For a complete list of entitlement keys and information on how to create an entitlements property-list file and apply it to your application, see Code Signing Guide.
Polo
Addict
Posts: 2422
Joined: Tue May 06, 2003 5:07 pm
Location: UK

Re: Mac App Store Sandboxing

Post by Polo »

I recently sent an iOS app to iTunes Connect, I had completely forgotten how painful it is to go through the certificates, Apple requirements and such...
Hope they'll come up with something simpler at some time!

Re: Mac App Store Sandboxing

Post by J. Baker »

Polo wrote:I recently sent an iOS app to iTunes Connect, I had completely forgotten how painful it is to go through the certificates, Apple requirements and such...
Hope they'll come up with something simpler at some time!
Simpler is nice, but if it weeds out the not so serious developers and helps security, I'm all for it.
jamirokwai
Enthusiast
Posts: 772
Joined: Tue May 20, 2008 2:12 am
Location: Cologne, Germany

Re: Mac App Store Sandboxing

Post by jamirokwai »

Hi,

as I have 5 PB-made Apps approved to the Mac App Store under the name 'quadWorks', I can give you this hint:
My Apps save their configuration to /Users/<User>/Library/Application Support/quadWorks/<App-Name>.

I doubt this will be enough for sandboxing my Apps: for the moment, I removed all automatic saving to locations other than /tmp and the above.
When in need of a destination folder set by the User, the path doesn't matter - at least that's what I learned from this incident: http://purebasic.fr/english/viewtopic.php?f=19&t=49720
Regards,
JamiroKwai

Re: Mac App Store Sandboxing

Post by J. Baker »

I recently had to do an update to my app as I thought Snow Leopard was sandboxing too. I must have read wrong info somewhere. So just make sure to use the old path for Snow Leopard and the sandbox path for Lion and up. The following example code is for PB v4.61.

Code: Select all

If OSVersion() = #PB_OS_MacOSX_Future
  ;GetHomeDirectory() + "Library/Containers/com.<company-name>.<App-name>/Data/Library/Application Support/<App-Name>"
Else
  ;GetHomeDirectory() + "Library/Application Support/<Company-Name>/<App-Name>" ;with or without <Company-Name>
EndIf

Re: Mac App Store Sandboxing

Post by jamirokwai »

Hi there,

it seems you have to do more for sandboxing your Apps...

1. Use J. Baker's suggestion for using the correct location of the preferences-file.

Code: Select all

If OSVersion() = #PB_OS_MacOSX_Future
  ;GetHomeDirectory() + "Library/Containers/com.<company-name>.<App-name>/Data/Library/Application Support/<App-Name>"
Else
  ;GetHomeDirectory() + "Library/Application Support/<Company-Name>/<App-Name>" ;with or without <Company-Name>
EndIf

2. Create an Entitlement

This minimal file needs to be saved in the same folder where you put your .App-Bundle. If your .App is called ABC.App, call your entitlement ABC.entitlements

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>

Update: You can see the keys here. The entitlements below are examples (some are set to true).
The problem: at the moment, neither Network-Access nor loading or saving is possible with PureBasic.
http://developer.apple.com/library/ios/ ... 95-CH4-SW1

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true />
	<key>com.apple.security.assets.movies.read-only</key>
	<false />
	<key>com.apple.security.assets.movies.read-write</key>
	<false />
	<key>com.apple.security.assets.music.read-only</key>
	<false />
	<key>com.apple.security.assets.music.read-write</key>
	<false />
	<key>com.apple.security.assets.pictures.read-only</key>
	<false />
	<key>com.apple.security.assets.pictures.read-write</key>
	<false />
	<key>com.apple.security.device.bluetooth</key>
	<false />
	<key>com.apple.security.device.camera</key>
	<false />
	<key>com.apple.security.device.firewire</key>
	<false />
	<key>com.apple.security.device.microphone</key>
	<false />
	<key>com.apple.security.device.serial</key>
	<false />
	<key>com.apple.security.device.usb</key>
	<false />
	<key>com.apple.security.files.downloads.read-write</key>
	<false />
	<key>com.apple.security.files.bookmarks.app-scope</key>
	<false />
	<key>com.apple.security.files.bookmarks.collection-scope</key>
	<false />
	<key>com.apple.security.files.user-selected.read-only</key>
	<false />
	<key>com.apple.security.files.user-selected.read-write</key>
	<true />
	<key>com.apple.security.inherit</key>
	<true />
	<key>com.apple.security.network.client</key>
	<true />
	<key>com.apple.security.network.server</key>
	<true />
	<key>com.apple.security.personal-information.addressbook</key>
	<false />
	<key>com.apple.security.personal-information.calendars</key>
	<false />
	<key>com.apple.security.personal-information.location</key>
	<false />
	<key>com.apple.security.print</key>
	<!-- the post gave no value for this key; false assumed -->
	<false />
</dict>
</plist>

3. Sign your app using this edited app.sh

Call using Terminal.app like this: ./app.sh /path/to/ABC. Do not add the .App or ABC.App

Code: Select all

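#!/bin/sh
# Usage: ./app.sh /path/to/ABC   (without the .app extension)
sudo chmod -R a+xr "$1.app"
# Sign the bundle and attach the sandbox entitlements
codesign -f -s "3rd Party Mac Developer Application: quadWorks" --entitlements "$1.entitlements" "$1.app"
# Build the signed installer package
productbuild --component "$1.app" /Applications --sign "3rd Party Mac Developer Installer: quadWorks" "$1.pkg"
# Remove the bundle (a directory, so -r is needed), then test-install the package
sudo rm -r "$1.app"
sudo installer -store -pkg "$1.pkg" -target /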

4. Add your App to iTunes Connect

5. Upload the prepared Application

6. Wait for Apple to approve

6.1. I am waiting for approval of Tablelizer: http://purebasic.fr/english/viewtopic.php?f=14&t=50328
Last edited by jamirokwai on Fri Jul 06, 2012 10:46 am, edited 3 times in total.
Regards,
JamiroKwai
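
A preflight check for the entitlements file from step 2, as an added example that is not part of the original posts: it parses the file before signing, catches a `<key>` left without a value, and lists entitlements set to true that the app does not use. The function names, the sample files and the `NEEDED` set are constructed for illustration, and it assumes every value is a boolean, as in the listings above.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

def review_entitlements(data, needed):
    """Check raw .entitlements bytes against the set of keys the app really uses."""
    report = {"errors": [], "granted": [], "unneeded": [], "missing": []}
    try:
        ents = plistlib.loads(data)
    except Exception as exc:  # bad XML, or a <key> that has no value after it
        report["errors"].append(f"unreadable plist: {exc}")
        return report
    if not isinstance(ents, dict):
        report["errors"].append("top-level element must be a <dict>")
        return report
    for key, value in ents.items():
        # Assumption: all keys are booleans, as in the listings on this page.
        if not isinstance(value, bool):
            report["errors"].append(f"{key}: expected <true/> or <false/>")
    if ents.get(SANDBOX_KEY) is not True:
        report["errors"].append(f"{SANDBOX_KEY} must be <true/>")
    granted = {k for k, v in ents.items() if v is True and k != SANDBOX_KEY}
    report["granted"] = sorted(granted)
    report["unneeded"] = sorted(granted - needed)  # requested but not used
    report["missing"] = sorted(needed - granted)   # used but not requested
    return report

def make_plist(body):
    """Wrap <key>/<value> lines in a plist <dict> (constructed sample input)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'
            "<dict>\n" + body + "</dict>\n</plist>\n").encode()

# Constructed samples, not files from the thread.
NEEDED = {"com.apple.security.files.user-selected.read-write",
          "com.apple.security.network.client"}
OVERBROAD = make_plist(
    f"<key>{SANDBOX_KEY}</key><true/>\n"
    "<key>com.apple.security.files.user-selected.read-write</key><true/>\n"
    "<key>com.apple.security.network.client</key><true/>\n"
    "<key>com.apple.security.network.server</key><true/>\n"
    "<key>com.apple.security.device.camera</key><false/>\n")
NO_VALUE = make_plist(
    f"<key>{SANDBOX_KEY}</key><true/>\n"
    "<key>com.apple.security.print</key>\n")

if __name__ == "__main__":
    print(review_entitlements(OVERBROAD, NEEDED))
    print(review_entitlements(NO_VALUE, NEEDED))
```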

Re: Mac App Store Sandboxing

Post by J. Baker »

Ok, I had to "chmod -R 755 /Path to/app.sh" for it to work but I get the following...

"cannot read entitlement data"