Clean up your digital carpet with Application Sandboxing

What’s in the “Sandbox”?

  • Sandboxing gives an app a contained storage space and memory. The container holds everything the app needs to perform its intended function, so the app is caged.
  • The system must grant permissions before the app can access anything outside this container.
  • The sandbox prevents other system resources, applications, intruders and malware from interacting with the containerized app, so there is minimal chance of a security attack.
  • If the app is compromised by malicious content, this cage prevents or lessens the effect of an attack on the system.

Sandboxes we usually play in

  • Web pages and browsers: With internet browsing at its peak, browsers execute millions of lines of website code, bringing outside activity onto the device. A sandbox confines that code so an attack is less likely to succeed: web pages cannot access your files or your webcam unless explicit permission is granted.
  • Browser plug-in content: These are the frills and laces you “add on” to a web browser to support images, videos and animations, such as the Flash plug-in for video and animated content. Plug-ins also run in a sandbox, which isolates the actions of the content they render.
  • PDFs and documents: Adobe Acrobat Reader now opens every PDF in a sandbox. Any PDF is treated as potentially malicious and is prevented from tampering with the rest of your system. Microsoft Office lets its sandbox be turned on or off to disable macros.
  • Mobile applications: Apps on iOS, Android, Windows and Mac must ask permission to access anything such as the device camera or location. The sandbox also prevents apps from interfering with one another’s data.

Android or Mac or iOS or Windows, Sandbox is everywhere

Android

  • In Android devices, sandboxing is achieved by giving each app a unique user ID (UID).
  • In the Linux kernel, each app has its own UID. Each UID (and thus each app) is a separate entity and is prevented from reading or writing the data belonging to another app.
  • An advantage of the sandbox living in the kernel is that it extends to the OS applications and to native code.
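As an added illustration of the permission model described above (not code from the original post), here is a minimal AndroidManifest.xml that declares the camera and location permissions. The package name, label and activity name are placeholders. Declaring a permission is only a request: the system still has to grant it, and for “dangerous” permissions such as these the user is prompted at runtime.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical manifest: package and activity names are placeholders -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sandboxdemo">

    <!-- Permissions the app asks for; anything not listed stays denied.
         CAMERA and ACCESS_FINE_LOCATION are runtime permissions, so the
         user must approve them before the app can use the hardware. -->
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />

    <application android:label="SandboxDemo">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

To see the per-app UID the kernel assigns, `adb shell ps -A` lists each app process under a user such as `u0_a123`, and `adb shell dumpsys package com.example.sandboxdemo` reports the app’s `userId` together with which of the requested permissions have actually been granted.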

MacOS and iOS

  • App sandboxing is built into macOS at the kernel level. It lets you define how the app may interact with the system and provide it with everything necessary to perform its intended action, and nothing more.
  • You can grant additional access to the app through user interactions such as Open and Save dialogs.
  • In iOS and macOS, apps are sandboxed by means of entitlements.
  • An entitlement is essentially a permission (usually defaulting to a value that disables the capability) that is managed by Apple.
  • The app developer sets entitlements on an app, thus restricting its functionality. For example, using the entitlement key that allows read access to the user’s Pictures folder automatically restricts the app’s write access.
  • Since June 2012, sandboxing has been mandatory for all apps submitted to the Mac App Store.
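The following entitlements file is an added example, not part of the original post, showing what the Pictures-folder case above and the Open/Save-dialog rule look like in practice. The keys are Apple’s real App Sandbox entitlement keys; the file itself is a constructed example for a hypothetical app.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Constructed App.entitlements for a hypothetical sandboxed macOS app -->
<plist version="1.0">
<dict>
    <!-- Opt the app into the App Sandbox; without this key none of the
         other keys take effect. -->
    <key>com.apple.security.app-sandbox</key>
    <true/>

    <!-- Read-only access to ~/Pictures. Because the read-only key is the
         one declared, the app cannot write there. -->
    <key>com.apple.security.assets.pictures.read-only</key>
    <true/>

    <!-- Files the user explicitly picks in an Open or Save dialog become
         accessible to the app; this is the "additional access" path. -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>

    <!-- Everything not listed (camera, microphone, outbound network,
         other home-folder locations) keeps its disabled default. -->
</dict>
</plist>
```

A practical check when reviewing a signed bundle: `codesign -d --entitlements :- /path/to/App.app` prints the entitlements actually embedded in the signature, which is what the kernel enforces, rather than whatever the developer intended to ship.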

Windows

  • Windows UWP apps are sandboxed in a manner similar to Mac App Store apps. Analogous to entitlements, UWP apps are designed with capabilities. Capabilities are declared in the app package to allow access to device features such as storage and the camera, or to the Music or Pictures folders.
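As an added example (not from the original post), this is the capabilities section of a UWP Package.appxmanifest for a hypothetical app. The identity values are placeholders and the other required manifest elements are omitted; the capability names and namespaces are the standard ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed, trimmed Package.appxmanifest for a hypothetical UWP app.
     Properties, Dependencies and Applications elements are omitted here. -->
<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10">

  <Identity Name="Example.SandboxDemo"
            Publisher="CN=ExamplePublisher"
            Version="1.0.0.0" />

  <Capabilities>
    <!-- General-use capability: outbound network access. -->
    <Capability Name="internetClient" />

    <!-- Library access, declared in the uap namespace. Only the folders
         listed here become visible to the app. -->
    <uap:Capability Name="picturesLibrary" />
    <uap:Capability Name="musicLibrary" />

    <!-- Device capabilities: Windows prompts the user the first time the
         app touches the hardware. -->
    <DeviceCapability Name="webcam" />
    <DeviceCapability Name="location" />
  </Capabilities>
</Package>
```

Anything absent from `<Capabilities>` is simply unavailable to the app, which is why reviewing this section of a package is a quick way to see what a store app can reach before installing it.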

The Ah- Yeses!

  • Works against zero-day threats (unknown or entirely new threats). Once the threat’s behaviour is understood, future attacks can be prevented as well. Much like a vaccine!
  • Cloud-based and on-premise deployment: cloud-based sandboxes can track malware over a period of days. They can also block malware from a different region, which is otherwise difficult with an on-premise sandbox.
  • Works well with other security programs such as antivirus.

You must now be thinking sandboxes are like Captain America’s shield, huh? Absolutely not. It just takes a drizzle to mush it all up.

The Oh- Noes!

  • Acts as a weak point — the sandbox itself can become an attack surface through its own bugs. A weak foundation can bring the whole castle down!
  • Sandbox evasion: sandboxes actively search for malware only for a short period of time. Once that period is over, malware can sneak in.
  • A sandboxed environment is considerably slower, as it runs on limited hardware.
  • Sandboxed apps are more complex and hence take more time to develop.
  • The sandbox itself must contain all the files that the application needs to execute.
  • It restricts developer freedom.
  • It creates issues between apps that need to interact with each other.

Will the sandbox get washed away?

  • Cyber turbulence is at its peak and malware is as strong as ever.
  • The Meltdown/Spectre vulnerabilities in CPUs have proven that sandboxes can be ineffective.
  • Cisco researchers discovered a trojan called GravityRAT. It uses a temperature check of the CPU to determine whether it is running inside an anti-malware sandbox.
  • But sandboxes have evolved as well.

Hexnode MDM is an award-winning Enterprise Mobility Management vendor which helps businesses secure and manage BYOD, COPE, apps and content.