
How to Run Mac Apps in a Sandbox and Why You Should Do So

Third-party macOS applications were originally not sandboxed at all: they could freely access system files and resources. iOS was built the other way around, with every third-party app sandboxed from the start. macOS gained the equivalent App Sandbox with OS X Lion in 2011, and since 2012 Apple has required it for any app sold through the Mac App Store.

Not every third-party app is sandboxed, though, which poses a real security risk for macOS users. So here is a quick overview of what sandboxing is, why it matters for security, and how to run an app in a sandbox on a Mac yourself.

What is Sandboxing?

The term “sandbox” means what it sounds like: apps are kept separate, each confined to its own sandbox to play in. Concretely, a sandboxed app gets a container directory for its own data plus a kernel-enforced policy that says which other files, network endpoints and system services it may touch. It can reach the data it needs in order to function, but it has to request access to any data or system resource that is not inside the box.

This approach is an application of the principle of least privilege: sandboxing lets an app access only the data and resources it needs in order to function. For example, a basic note-taking app has no business reading contacts or email, or even reaching the internet. What is “needed” depends on the app and on what the user wants to do with it, of course.

Developers sandbox their own apps by enabling the App Sandbox entitlement (com.apple.security.app-sandbox) and declaring the specific capabilities the app needs. That is not the focus here, since this post is about apps that don’t ship sandboxed. Luckily, macOS also lets users confine an arbitrary program with the sandbox-exec command; more on that in a bit.

Why is Sandboxing Important for Security?

People consider sandboxing an app when they:

  • Download apps that they can’t trust or whose developers aren’t verified.
  • Visit potentially malicious websites that could serve malware, drive-by downloads, or malvertising.

Sandboxing doesn’t eliminate the potential for apps or websites to do harm, but it limits the damage an app can do. By cutting down what the app can do and see, the user shrinks what an attacker could exploit through it. This works not only against outright malicious apps but also against legitimate apps with vulnerabilities that outside actors could exploit.

The security benefits are obvious: restricting access limits the damage an app can do to the system and how much information it can steal. But keep in mind that a sandboxed app may lack features that need broad file-system, device or inter-process access. This is why many developers offer a reduced, sandboxed version of their app on the Mac App Store and a full release on their own websites.

Moreover, sandboxing an app doesn’t protect against every threat it represents, and it doesn’t necessarily add to the user’s privacy. While sandboxing is essential for security, users still need other security tools as well.

Take privacy, for example. Sandboxing does nothing to make a browsing session more private: as anyone who has ever Googled “what is my IP” knows, your public address is visible to every site you visit, and limiting app permissions can’t hide it. A VPN is still necessary for that. The same goes for antivirus software: sandboxing doesn’t remove malware; it only limits the damage it can do.

How to Run Mac Apps in a Sandbox

Now for the most important part: setting up an app in a sandbox. Keep in mind that this is a process of trial and error. Every app needs certain things in order to function (shared libraries, temporary directories, system services), and they aren’t always obvious from the start.

So how does one actually do it? Sandboxing arrived in Mac OS X 10.5 Leopard, and you can apply it in one of two ways:

  • By changing the app’s source code so that it sandboxes itself
  • By launching it with the sandbox-exec command when you don’t have the source

Note that Apple’s man page marks sandbox-exec as deprecated and the profile language is not officially documented, but the tool still ships with current macOS and works.

Most users prefer using the sandbox-exec command, so here’s a short overview of how that process works:

  1. Select a predefined profile or, more likely, write a custom sandbox profile. Example profiles ship with macOS and can serve as templates: older versions keep them under “/usr/share/sandbox”, newer ones under “/System/Library/Sandbox/Profiles”.
  2. Profiles are written from operations (such as file-read* or network*), filters (such as literal, subpath or remote ip) and modifiers; most of them are described in the unofficial Apple Sandbox Guide (PDF), since Apple doesn’t document the language itself.
  3. Choose the operations, filters, and modifiers that restrict the app to exactly what it needs, starting from a deny-by-default rule.
  4. Execute sandbox-exec with the profile, e.g. sandbox-exec -f profile.sb /path/to/app.

You will need a separate profile for every app that you want to sandbox on your Mac. There are a couple of resources out there for those who wish to sandbox their apps on a Mac and need some help. Paolo Fabio Zaino has a good step-by-step breakdown in his blog post, How to run your Applications in a Mac OS X sandbox to enhance security.
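The following is an added example, not code from the original post or from the blog it links to: it puts the four steps above into one script that confines an untrusted command-line tool with sandbox-exec. The tool path (/usr/local/bin/convert-tool), the input and output directories and the exact set of allow rules are assumptions for illustration; the profile is a starting point to widen only when a denial shows up.

```shell
#!/bin/sh
# Added example (not from the original post): confine an untrusted
# command-line tool with sandbox-exec.  Tool path, directories and the
# allow rules below are assumptions; widen them only when a denial
# shows up in the log while you iterate.

# Print a Seatbelt (SBPL) profile.  Everything is denied unless allowed
# below; paths are supplied at run time with `sandbox-exec -D`, so one
# profile serves any tool/input/output combination.
#   $1 = "offline" (no network at all) or "https" (outbound port 443 only)
make_profile() {
  net=${1:-offline}
  cat <<'EOF'
(version 1)
(deny default)
;; Baseline every process needs (dyld, sysctls, basic mach ports).
(import "system.sb")
;; The tool binary and the system libraries it links against.
(allow process-exec (literal (param "TOOL")))
(allow file-read* (literal (param "TOOL"))
                  (subpath "/usr/lib")
                  (subpath "/System/Library"))
;; Inputs are read-only; only OUTDIR may be written.
(allow file-read* (subpath (param "INDIR")))
(allow file-read* file-write* (subpath (param "OUTDIR")))
EOF
  case $net in
    offline) echo '(deny network*)' ;;
    # Port-only filter: tighten to a host once you know which one the tool needs.
    https)   echo '(allow network-outbound (remote ip "*:443"))' ;;
    *)       echo "make_profile: unknown network mode '$net'" >&2; return 2 ;;
  esac
}

# Run the tool under the profile.  Usage:
#   run_sandboxed MODE TOOL INDIR OUTDIR [tool args...]
run_sandboxed() {
  mode=$1; tool=$2; indir=$3; outdir=$4; shift 4
  profile=${TMPDIR:-/tmp}/sandbox.$$.sb
  make_profile "$mode" > "$profile" || return 2
  sandbox-exec -f "$profile" \
    -D "TOOL=$tool" -D "INDIR=$indir" -D "OUTDIR=$outdir" \
    "$tool" "$@"
  status=$?
  rm -f "$profile"
  return $status
}

# While iterating, watch for denials in the unified log, e.g.:
#   log stream --style compact --predicate 'sender == "Sandbox"'
# Assumed usage: run a downloaded converter over ~/Downloads, writing
# only to ~/out, with no network.
if command -v sandbox-exec >/dev/null 2>&1; then
  run_sandboxed offline /usr/local/bin/convert-tool "$HOME/Downloads" "$HOME/out" --help
else
  make_profile offline   # not on macOS: just show the generated profile
fi
```

Two design choices worth noting: the profile starts from (deny default) and the inputs directory is granted file-read* only, so a compromised tool can read what it was given but cannot tamper with it or plant files elsewhere; and the paths go in through -D parameters rather than being pasted into the profile text, which keeps the rule set reviewable and avoids quoting mistakes. When a legitimate feature fails, look up the denied operation in the log and add the narrowest filter that satisfies it rather than broadening to a whole subtree.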

In a Nutshell

Sandboxing an app isn’t a simple process and will take time to master, since it is a case-by-case job for each app. But it is worth the effort to secure Mac devices that have third-party apps installed. The risk of malware or exploitable vulnerabilities in third-party apps is too significant to ignore.


© 2023 DoryLabs