I have a question regarding the Mac App Store. I am planning to release software with admin privileges to achieve its core functionality, but according to Apple -
2.27 - Apps that request escalation to root privileges or use setuid attributes will be rejected.
I must seek other ways to achieve this. I am thinking of distributing the app without the need to use root privileges, and offering users an option to download my helper app which will be distributed for free on my website. Some interprocess communication sorcery between my app and the helper seems to fit the bill. But to make things even better -
2.16: Apps that download or install additional code or resources to add functionality or change their primary purpose will be rejected
You see, I would only need to offer a link to my website which in turn suggests that users download the helper. So my question is, is my approach to this going to elude Apple's dreadful rejection?
You should have a look at Awaken, an OS X app distributed with the App Store and that also offers the possibility to download a helper (which requires the user to authorize the elevation of privileges).
That's apparently the same situation as yours, and it was accepted on the App Store.
I have some basic skills in Xcode (Obj-C and Swift) and I want to write a single application for doing some administration stuff on client Macs. (For example: setting the Software Update Server URL, switching on Remote Administration, showing network traffic etc.) What is the proper way to gain administrator privileges? I'd just like to avoid repeating password prompts. Can/should the whole application be elevated?
I prefer Swift, but cannot find a good tutorial or any up-to-date documentation. As I will be the only person to use this application, the security concerns may be different.
As many sources state on the internet, you need to have your app Sandboxed to be able to deploy it in the App Store.
Furthermore, it is impossible to use the accessibility API (AXUIElement.h) when sandboxed, according to this.
However, some apps still seem to use this api. One of these apps is Cinch. In the installation procedure of Cinch you need to give Cinch rights to use the accessibility API, so clearly they are using this API.
After checking out the binary from the app store with the following command:
codesign --display --entitlements - /Applications/Cinch.app
It seems the app is not sandboxed:
Executable=/Applications/Cinch.app/Contents/MacOS/Cinch
(only line in output).
So my question is, how is it possible to circumvent this requirement? Do you need to negotiate with Apple to achieve this? Are there special rules? Do you need to bribe a staff member? Or is my terminal command wrong?
Irradiated submitted Cinch to the App Store in 2011 before sandboxing was needed and didn't do any substantial updates since then. As soon as they add new functionality or features, they'll need to sandbox the app.
Apple wrote to the developers in February 2012:
Starting June 1 2012, if you have an existing app on the Mac App Store that is not sandboxed, you may still submit bug fix updates without sandboxing your app. In addition, if you have technical issues that prevent you from sandboxing your app by June 1, let us know.
and in May 2012:
If you have an existing app on the Mac App Store that is not sandboxed, you may still submit bug fix updates after June 1.
It is quite surprising for an app from the App Store to not be sandboxed.
If you do not develop a competing app maybe you could contact them directly. Maybe they will tell you how they've done it. You might also get your answer in a shorter amount of time as (at least in my view) not many developers would have done this.
http://www.irradiatedsoftware.com/about/
If I make an application for Mac OS X am I required to put it on the Mac app store or can I distribute it, on my website, for free?
And what about Windows?
Thanks
No, there is no such requirement; you are free to distribute your program however you want.
You may wish to use the App Store as a method of distribution, but to do that you have to conform to various Apple requirements.
I'm not sure what the equivalent would be for Windows, but again, there is no such requirement. Think of the millions of independent apps that have no affiliation to any centralized store, I would say the majority still fall in this category.
2018 Update - With increasing security concerns, and a desire to replicate the success of the iOS App Store, Apple have been making it harder and harder to run apps from outside the store. You can get digital certificates, and become a trusted developer, but it’s clear the future is the AppStore or broke if you want users to be able to easily run your app. Note that it remains, and likely always will, very possible to install and run any unauthorised app with a simple trip to settings, it’s just that’s clearly a big deterrent for many users, as it should be.
You don't have to distribute it over the Mac App Store right now, but that might change with the next OS X. Make sure to check this out: https://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
You can distribute it however you'd like. It does not need to be in the Mac App Store. Same thing for Windows.
For those distributing Mac apps outside the Mac App Store, how are you planning to support updating and sandboxing? I'm guessing most people's answers for the time being is that they're not, but I hope that eventually non-MAS apps could be sandboxed just like MAS apps.
To use Sparkle, your app would need network access, which could be granted, as well as the ability to overwrite itself in Applications. Currently you could do this with the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement, but that's not a good solution. It will likely go away, and even if it doesn't there's little point in sandboxing an app if you're going to give it full filesystem read-write access as well as network access.
Has anyone already gone down this path and found a good solution? I ask because I try to keep my MAS build and my non-MAS build as identical as possible, and I'm currently looking at having my MAS build sandboxed and my non-MAS build not.
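Added example, not part of the original posts and not Sparkle's code: a Python sketch of the entitlement check discussed in the Cinch question and in the Sparkle question above. It parses what `codesign --display --entitlements -` prints and flags either a missing sandbox or a sandbox combined with network access and the absolute-path read-write exception; apart from the Cinch line quoted on the page, the sample inputs and the `Example.app` path are constructed.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
NETWORK = "com.apple.security.network.client"
TEMP_PREFIX = "com.apple.security.temporary-exception."
ABS_RW = TEMP_PREFIX + "files.absolute-path.read-write"

def parse_entitlements(raw: bytes) -> dict:
    """Return the entitlements dict found in codesign output, or {} if none."""
    start, end = raw.find(b"<plist"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        return {}  # only the "Executable=..." line: no entitlements at all
    # Slice out the plist so leading status lines or header bytes are ignored.
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def audit(raw: bytes) -> dict:
    """Classify an app's sandbox posture from its entitlements."""
    ents = parse_entitlements(raw)
    exceptions = sorted(k for k in ents if k.startswith(TEMP_PREFIX))
    value = ents.get(ABS_RW, [])
    rw_paths = [value] if isinstance(value, str) else list(value)
    if ents.get(SANDBOX) is not True:
        verdict = "not sandboxed"
    elif rw_paths and ents.get(NETWORK) is True:
        # The combination the Sparkle question warns about.
        verdict = "sandboxed, but network + absolute-path write exception"
    elif exceptions:
        verdict = "sandboxed with temporary exceptions"
    else:
        verdict = "sandboxed"
    return {"verdict": verdict, "exceptions": exceptions, "rw_paths": rw_paths}

# Output line quoted in the Cinch question (no plist follows it).
CINCH_OUTPUT = b"Executable=/Applications/Cinch.app/Contents/MacOS/Cinch\n"
# Constructed: a sandboxed build that can reach the network and rewrite /Applications.
UPDATER_STYLE = (b"Executable=/Applications/Example.app/Contents/MacOS/Example\n"
                 + plistlib.dumps({SANDBOX: True, NETWORK: True,
                                   ABS_RW: ["/Applications/"]}))
# Constructed: a sandboxed build with no exceptions.
PLAIN = plistlib.dumps({SANDBOX: True})

if __name__ == "__main__":
    for name, raw in [("Cinch", CINCH_OUTPUT), ("updater-style", UPDATER_STYLE),
                      ("plain", PLAIN)]:
        print(name, "->", audit(raw))
```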
In a conversation started by #chockenberry on Twitter, #andy_matuschak responded favorably to creating an XPC service for Sparkle.
I have a pull request open on GitHub that actually creates the XPC service. Hopefully, this will get incorporated into Sparkle soon.
We actually have two versions of our app: one for our own web site and one for the app store.
I recommend using Sam Deane's approach which you can find in his GitHub repository. It works well for us.
Not yet.
As of 1.15 Sparkle does not support sandboxing, and the patch that is floating around has a vulnerability that allows complete bypass of sandbox security.
The license agreement for the Mac Developer Program explicitly states that I am not to implement my own copy protection process in my Mac app.
Yet, in the developer documentation, Apple also says this:
You can add receipt validation code to your application to prevent unauthorized copies of your application from running.
I am confused here. Does the Mac App Store provide any form of built-in copy protection for Mac apps? The above statement from Apple would seem to indicate that it does not.
The statement suggests that if I do not implement these receipt checks, then unauthorised copies of my Mac App CAN run on other Macs.
I'm not allowed to implement (or rather, keep an existing) copy protection, but I am expected to verify receipts manually, using various fragments of code and pseudo-code provided by Apple, simply to provide the most basic level of protection. Is this interpretation correct?
Is this a miscommunication from Apple, or is this really how things are done?
Ref: http://developer.apple.com/devcenter/mac/documents/validating.html
Thanks.
(Please note that I'm not after a debate on the philosophy of copy-protection or the merits of Apple's approach. Rather, I'm just interested in the technical requirements for getting a Mac app on to the App Store.)
Yes, you are correct. It's their way or the highway.