On the desktop (OS X), developers can choose to opt in to App Sandboxes or not. More than just protecting files, applications can be cut off from accessing the network, the user's camera, and other resources. This may not sound like a good idea to the individual developer, but the end result is providing greater security to the user. If every app worked within an app sandbox, it would greatly limit the amount of damage any one malicous app could inflict upon other applications and the user's system in general.
App Sandboxing is such a good idea that Apple decided to make it the only way to create iOS applications. Although the implementation behind sandboxing applications in iOS is slighly different than OS X, the intent and the result is basically the same. Every iOS application is contained on the user's hard drive in an application bundle. The application bundle contains the code which the application needs to run, as well as static resources (images, video files, etc. that do not change) as well as data files which the application may create, or modify at runtime.
Only allowing one application to access files whithin its own sandbox has obvious drawbacks: no files can be shared between applications. Recently Apple has eased this limitation somewhat; applications which are created by the same developer (or the same team) can share resources. This exception is provided by a mechanism known as entitlements.
Entitlements are what Apple uses to define privledges an application has or does not have. There are entitlements for being able to install a test version of an application, entitlements for allowing an application to access Apple Push Notification Services, entitlements for allowing apps to access in-store purchases, entitlements for enabling iCloud, and many others. Of interest to us is the entitlement which allows applications to share data. This entitlement is what Apple calls the "com.apple.security.application-groups" entitlement.
The concept behind more than one application being part of a group which trusts each other is called an "App Group". The app group must have an identifier (a uniquely identifying string). When you create an app group, Xcode does the following with the com.apple.security.application-groups entitlement:
- adds the App Group entitlement to your entitlements file
- adds the App Group entitlement to your App ID
- adds the App Group Containers entitlement to your App ID
The Mac (OS X) App Sandbox Design Guide states
The container is in a hidden location, and so users do not interact with it directly. Specifically, the container is not for user documents. It is for files that your app uses, along with databases, caches, and other app-specific data.
In the iOS world, the user is not exposed directly to the file system, but instead applications manage files on behalf of the user. Even developers do no specify absolute file locations. Developers just ask the Operating System for the location of a folder, such as the documents directory. In the case of a shared directory between apps in an app group, the location of the shared container may be found by calling this method:
- (NSURL *)containerURLForSecurityApplicationGroupIdentifier:(NSString *)groupIdentifier
Provided that we have correctly provisioned our application with the correct App ID, App group ID, and entitlements, calling this one line of code is all we need to do to access files which are shared inside the app group.
References
Configuring App GroupsNSFileManager Class Reference
Entitlement Key Reference
App Sandbox Design Guide
I am really enjoying reading your well written articles. It’s hard to come by experienced people about this subject, but you seem like you know what you’re talking about! Thanks.
ReplyDeleteJava Training in Chennai
Java Training in Velachery
Java Training in Tambaram
Java Training in Porur
Java Training in OMR
Java Training in Annanagar