Non-Sandboxed App Report: Xcode 4.3.3

Originator: CharlesJS
Number: rdar://11701519
Date Originated: 6/19/2012
Status: Closed
Resolved: No
Product: Mac App Store
Product Version: 1.1.2 (92.8)
Classification: Security
Reproducible: Always
 
Summary:

The June 1 sandboxing deadline has come and gone. However, you may be shocked to hear that an application violating many of the sandboxing and general App Store rules has since slipped through the cracks. The application is called "Xcode 4.3.3", by the seller "Apple, Inc.", and the link is here:

http://itunes.apple.com/us/app/xcode/id497799835?mt=12

Among other violations, this app violates the rules in the following ways:

- It does not appear to be sandboxed, which is shocking since it appears to have been approved on June 11, over a week past the sandboxing deadline.

- It puts files in ~/Library/Developer, which to the best of my knowledge is not one of the allowed locations as per the sandboxing guidelines. It can also put a startling amount of files in this directory — at the time of this writing, my ~/Library/Developer has over 15 GB of files in it, all of them put there by this "Xcode" app. Unbelievable.

- Upon launching, this app not only requests the user to install additional packages, which I believe is forbidden in and of itself, but then has the temerity to actually install files in /Library, /usr, and even /System — some of OS X's most sacred directories — and, to my utter horror, actually asks for *admin access* to do so!!

Clearly this is an egregious breach of the Mac's most fundamental security model, the sort of thing that will surely spell the end of any kind of safety on our platform. In addition, the developer in question, "Apple, Inc.", seems to have a history of doing this sort of thing — I don't even want to go into what their other product, "OS X Lion Installer", does. This developer should probably be given a severe reprimand, along with a stern warning to follow the guidelines or to be ejected from the store. Tough measures such as these are, surely, necessary in the world of terrorism and cyber-crime that we live in today.

Steps to Reproduce:

1. Download "Xcode" from "Apple, Inc." from the App Store.

2. Launch it.

3. Notice the massive and flagrant disregard for any kind of operating system security exhibited by this application.

Expected Results:

App Store apps released after June 1 are supposed to be in the sandbox.

Actual Results:

The app "Xcode" goes far, far beyond simply not being sandboxed, and rather seems to spit in the very face of the sandboxing system.

Comments

Received the following response:

Hi Charles,

Thank you for contacting us regarding Bug ID# 11701519.

Engineering has provided the following information regarding this issue:

Thanks for the feedback.
