This seems like yet another good example of why robust application-level access control would be a helpful thing to build into modern operating systems, in addition to the typical user-based controls. This may have been both a rookie mistake and a regrettable failure of code review processes, but in any case it simply shouldn’t be possible for an application running on a modern system to wipe out all user data without warning in such a sweeping way.

I have often made this argument in the context of sandboxing communications software like browsers and e-mail clients, where it is relatively unusual to need access to local files except for their own data. In that context, restricting access to other parts of the filesystem unless explicitly approved would be a useful defence against security vulnerabilities being exploited by data from remote sources. It’s hard to encrypt someone’s data and hold it for ransom or to upload sensitive documents if your malware-infected process gets killed the moment it starts poking around where it has no business being.

More generally, I see no reason that we shouldn’t limit applications’ access to any system by default, following the basic security principle of least privilege. We have useful access control lists based on concepts of ownership by users and groups and reserving different parts of the filesystem for different people. Why can’t we also have something analogous where different files or other system resources are only accessible to applications that have been approved for that access?

Isn't this the basic idea behind the sandbox in OS X? I think OS X (and mobile app development in general) shows both that this is great in theory and a net improvement over not having it, but that there are some common pitfalls to address.

First, there are a handful of apps where this model doesn't work so well - e.g. So you're inconveniencing quite a few legit apps which need broader access. Second, as a corollary of the first, that means you're going to have a lot of apps that legitimately need to ask users to approve broader access. And as the number of apps asking for approval goes up, the more likely users are to simply ignore the warning and approve all. This is especially problematic since we can assume the average user is a good judge of which apps need which access.

Edit: One way of reducing user acceptance fatigue might be to introduce greater granularity into the requested permissions and then tier the permissions requested - e.g. an app may legitimately need permission to write to any file in your home directory, but it's highly unlikely they'll need permission to write to more than X number of files per second. Or at least they shouldn't be able to do so without the OS throwing up lots of warnings outside of the app.
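The tiered, rate-limited permission model sketched in the reply's edit, as an added illustration that is not part of the original thread or of any OS sandbox: apps are approved for a narrow "own data" tier or a broad "write anywhere in home" tier, and the broad tier is additionally capped at a number of writes per second, so a sweeping deletion or rewrite trips a warning even when the app holds the broad grant. Tier names, app names, paths and the 20-writes-per-second threshold are all constructed for the example.

```python
from collections import defaultdict, deque

# Permission tiers (constructed): the narrow tier covers only the app's own
# data directory; the broad tier covers the whole home directory but is
# rate-limited, since legitimate apps rarely need to write many files per
# second even when they are allowed to write anywhere.
TIERS = {
    "own-data":   {"roots": ["~/.local/share/{app}"], "max_writes_per_sec": None},
    "home-write": {"roots": ["~"],                    "max_writes_per_sec": 20},
}

# Which tier each (hypothetical) app has been approved for.
GRANTS = {"notes-app": "own-data", "backup-tool": "home-write"}

class WriteMonitor:
    """Decides allow / warn / deny for each file write, keeping a sliding
    one-second window of write timestamps per app for the rate check."""

    def __init__(self, tiers=TIERS, grants=GRANTS):
        self.tiers, self.grants = tiers, grants
        self.windows = defaultdict(deque)

    def check(self, app, path, ts):
        # Apps with no approval at all fall back to the narrowest tier.
        tier = self.tiers[self.grants.get(app, "own-data")]
        roots = [r.replace("{app}", app) for r in tier["roots"]]
        if not any(path == r or path.startswith(r + "/") for r in roots):
            return "deny"                      # outside the approved scope
        limit = tier["max_writes_per_sec"]
        if limit is None:
            return "allow"
        window = self.windows[app]
        window.append(ts)
        while ts - window[0] >= 1.0:           # drop writes older than one second
            window.popleft()
        return "warn" if len(window) > limit else "allow"

def run_events(events):
    """Feed (app, path, timestamp) events through one monitor; return decisions."""
    mon = WriteMonitor()
    return [mon.check(app, path, ts) for app, path, ts in events]

# Constructed event stream: a backup tool bursting 25 writes in half a
# second, then a notes app writing inside and outside its own directory.
SAMPLE_EVENTS = (
    [("backup-tool", f"~/Documents/file{i}.bak", 0.02 * i) for i in range(25)]
    + [("notes-app", "~/.local/share/notes-app/notes.db", 1.0),
       ("notes-app", "~/Documents/secret.txt", 1.1)]
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_events(SAMPLE_EVENTS)):
        print(decision, event[0], event[1])
```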