MAC App sandboxing 하기

맥앱스토어가 더이상 샌드박스를 적용하지 않는 앱의 경우에는 허용하지 않겠다는 발표아래 샌드박싱을 하는 방법을 퍼와 포스팅합니다. 

https://developer.apple.com/library/mac/#documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxQuickStart/AppSandboxQuickStart.html#//apple_ref/doc/uid/TP40011183-CH2-SW3 
에서 퍼왔으며 생각보다 간단하니 천천히 따라하시면 될 듯 합니다. 

(맥 Developer 인증서가 없이 자체 인증서 생성으로 테스팅이 가능합니다. Sandbox가 적용되어 있는 iOS앱처럼 (숨겨져있는) 라이브러리에 앱 폴더가 정상적으로 만들어지네요)

* 애플뉴스 : 맥앱에 sandbox가 켜져있어야 맥앱스토어에서 사용이 가능하다(https://developer.apple.com/news/index.php?id=11022011a)

App Sandbox Quick Start

In this Quick Start you get an OS X app up and running in a sandbox. You verify that the app is indeed sandboxed and then learn how to troubleshoot and resolve a typical App Sandbox error. The apps you use are Xcode, Keychain Access, Activity Monitor, and Console.

Create the Xcode Project

The app you create in this Quick Start uses a WebKit web view and consequently uses a network connection. Under App Sandbox, network connections don’t work unless you specifically allow them—making this a good example app for learning about sandboxing.

To create the Xcode project for this Quick Start . . .

1. In Xcode 4, create a new Xcode project for an OS X Cocoa application.

   • Name the project AppSandboxQuickStart.

   • Set a company identifier, such as com.yourcompany, if none is already set.

   • Ensure that Use Automatic Reference Counting is selected and that the other checkboxes are unselected.

2. In the project navigator, click the MainMenu nib file.

   The Interface Builder canvas appears.

3. In the Xcode dock, click the Window object.

   The app’s window is now visible on the canvas.

4. In the object library (in the utilities area), locate the WebView object.

5. Drag a web view onto the window on the canvas.

6. (Optional) To improve the display of the web view in the running app, perform the following steps:

   • Drag the sizing controls on the web view so that it completely fills the window’s main view.

   • Using the size inspector for the web view, ensure that all of the inner and outer autosizing contraints are active.

7. Create and connect an outlet for the web view in the AppDelegate class. In Xcode, use the following specification:

   Outlet connection source	The WebView object of the MainMenu nib file.
   Outlet variable location	The interface block of the AppDelegate.h header file.
   Outlet name	webView
   Storage	weak

   At this point, if you were to build the app, Xcode would report an error because the project doesn’t yet use WebKit but does have a web view in the nib file. You take care of this in the next step.

8. Add the WebKit framework to the app.

   • Import the WebKit framework by adding the following statement above the interface block in theAppDelegate.h header file:

     #import <WebKit/WebKit.h>

   • Link the WebKit framework to the Quick Start project as a required framework.

9. Add the following awakeFromNib method to the AppDelegate.m implementation file:

   - (void) awakeFromNib {

   [self.webView.mainFrame loadRequest:

   [NSURLRequest requestWithURL:

   [NSURL URLWithString: @"http://www.apple.com"]]];

   }

   On application launch, this method requests the specified URL from the computer’s network connection and then sends the result to the web view for display.

Now, build and run the app—which is not yet sandboxed and so has free access to system resources including its network sockets. Confirm that the app’s window displays the page you specified in the awakeFromNib method. When done, quit the app.

Enable App Sandbox

You enable App Sandbox by selecting a checkbox in the Xcode target editor.

In Xcode, click the project file in the project navigator and click the AppSandboxQuickStart target, if they’re not already selected. View the Summary tab of the target editor.

To enable App Sandbox for the project . . .

1. In the Summary tab of the target editor, click Enable Entitlements.

   An entitlement is a key-value pair, defined in a property list file, that confers a specific capability or security permission to a target.

   When you click Enable Entitlements, Xcode automatically checks the Code Sign Application checkbox and the Enable App Sandboxing checkbox. Together, these are the essential project settings for enabling App Sandbox.

   When you click Enable Entitlements, Xcode also creates a .entitlements property list file, visible in the project navigator. As you use the graphical entitlements interface in the target editor, Xcode updates the property list file.

2. Clear the contents of the iCloud entitlement fields.

   This Quick Start doesn’t use iCloud. Because Xcode automatically adds iCloud entitlement values when you enable entitlements, delete them as follows:

   • In the Summary tab of the target editor, select and then delete the content of the iCloud Key-Value Store field.

   • Click the top row in the iCloud Containers field and click the minus button.

At this point in the Quick Start, you have enabled App Sandbox but have not yet provided a code signing identity for the Xcode project. Consequently, if you attempt to build the project now, the build fails. You take care of this in the next two sections.

Create a Code Signing Certificate for Testing

To build a sandboxed app in Xcode, you must have a code signing certificate and its associated private key in your keychain, and then use that certificate’s code signing identity in the project. The entitlements you specify, including the entitlement that enables App Sandbox, become part of the app’s code signature when you build the project.

In this section, you create a code signing certificate. This simplified process lets you stay focused on the steps for enabling a sandbox.

Important A code signing certificate that you create as described in this Quick Start is not appropriate to use with an app you intend to distribute. Before you work on sandboxing an app you plan to distribute, read “App Sandbox and Code Signing.”

To create a code signing certificate for testing App Sandbox . . .

1. In Keychain Access (available in Applications/Utilities), choose KeyChain Access > Certificate Assistant > Create a Certificate.

   Certificate Assistant opens.

   Note: Before you invoke the “Create a Certificate” menu command, ensure that no key is selected in the Keychain Access main window. If a key is selected, the menu command is not available.

2. In Certificate Assistant, name the certificate something like My Test Certificate.

3. Complete the configuration of the certificate as follows:

   Identity type	Self Signed Root
   Certificate type	Code Signing
   Let me override defaults	unchecked

4. Click Create.

5. In the alert that appears, click Continue.

6. In the Conclusion window, click Done.

Your new code signing certificate, and its associated public and private keys, are now available in Keychain Access.

Specify the Code Signing Identity

Now, configure the Xcode project to use the code signing identity from the certificate you created in the previous task.

To specify the code signing identity for the project . . .

1. View the Build Settings tab in the project editor.

   Take care that you are using the project editor, not the target editor.

2. In the Code Signing section, locate the Code Signing Identity row.

3. Click the value area of the Code Signing Identity row.

4. In the popup menu that opens, choose Other.

5. In the text entry window that opens, enter the exact name of the newly created code signing certificate, then press <return>.

   If you’re using the suggested name from this Quick Start, the name you enter is My Test Certificate.

Now, build the app. The codesign tool may display an alert asking for permission to use the new certificate. If you do see this alert, click Always Allow.

Confirm That the App Is Sandboxed

Build and run the Quick Start app. The window opens, but if the app is successfully sandboxed, no web content appears. This is because you have not yet conferred permission to access a network connection.

Apart from blocked behavior, there are two specific signs that an OS X app is successfully sandboxed.

To confirm that the Quick Start app is successfully sandboxed . . .

1. In Finder, look at the contents of the ~/Library/Containers/ folder.

   If the Quick Start app is sandboxed, there is now a container folder named after your app. The name includes the company identifier for the project, so the complete folder name would be, for example,com.yourcompany.AppSandboxQuickStart.

   The system creates an app’s container folder, for a given user, the first time the user runs the app.

2. In Activity Monitor, check that the system recognizes the app as sandboxed.

   • Launch Activity Monitor (available in /Applications/Utilities).

   • In Activity Monitor, choose View > Columns.

     Ensure that the Sandbox menu item is checked.

   • In the Sandbox column, confirm that the value for the Quick Start app is Yes.

     To make it easier to locate the app in Activity monitor, enter the name of the Quick Start app in the Filter field.

Tip If the app crashes when you attempt to run it, specifically by receiving an EXC_BAD_INSTRUCTION signal, the most likely reason is that you previously ran a sandboxed app with the same bundle identifier but a different code signature. This crashing upon launch is an App Sandbox security feature that prevents one app from masquerading as another and thereby gaining access to the other app’s container.

You learn how to design and build your apps, in light of this security feature, in “App Sandbox and Code Signing.”