Clean up your digital carpet with application sandboxing

Jayden Traoré

Jan 6, 2020

8 min read

Beaches are my favourite. But it’s been some time now since I visited one. My last visit to Myrtle Beach is a wonderful memory, and I can still find some sand in my pockets even today. As much fun as it was to play around in the sand, dragging it around is indeed a nuisance. No wonder people “box” it for their kids to play in.
In the digital world, you wouldn’t want to drag in any malware and soil your system, right?
Enter Application Sandboxing.

What’s in the “Sandbox”?

Application sandboxing is all about giving an app the least number of permissions in a system: just enough for it to execute its core functions and nothing more. Consider a voice recording app seeking access to the device camera. Hmm… something fishy, right? If the app is sandboxed, it cannot access the camera unless that permission is explicitly granted.

  • By sandboxing an app, it is given a contained storage space and memory. The container has everything the app needs to execute its intended function. Thus, the app is caged.
  • Permissions must be granted by the system for the app to access anything outside of this container.
  • The sandbox keeps other system resources, applications, intruders and malware from interacting with the containerized app, so there is minimal chance of a security attack.
  • If the app is compromised by any malicious content, this cage prevents or lessens the effect of a possible attack on the rest of the system.

Sandboxes we usually play in

We have been living and playing in sandboxes for a long time now. Never knew it, eh? So far, they have kept you safe and sound.
Some of the sandboxed content we commonly use:

  • Web pages and browsers: With internet browsing at its peak, browsers execute millions of lines of website code, bringing outside activity into our devices. By running that code in a sandbox, an attack is made less likely to succeed. Web pages cannot access your files or your webcam unless explicit permissions are granted.
  • Browser plug-in content: These are the frills and laces you “add on” to a web browser to support images, videos and animations, like the Flash plug-in that lets us view video and animated content. The plug-ins also run in a sandbox, which isolates the actions of the content they display.
  • PDFs and documents: Adobe Acrobat Reader now runs all PDFs in a sandbox. Every PDF is treated as potentially malicious and is prevented from tampering with the rest of your system. Microsoft Office allows its sandbox to be turned on or off to disable macros.
  • Mobile applications: Applications on iOS, Android, Windows and Mac must seek permission to access anything like the device camera, location, etc. The sandbox also prevents apps from interfering with each other’s private data.

 App Sandbox

Android or Mac or iOS or Windows, Sandbox is everywhere

Android

  • On Android devices, sandboxing is achieved by leveraging a unique user ID (UID).
  • At the Linux kernel level, each app is assigned its own UID. Each UID (and thus each app) is a separate entity and is prevented from accessing (reading or writing) the data belonging to another app.
  • An advantage of the sandbox living in the kernel is that it extends to OS applications and native code as well.

MacOS and iOS

  • App sandboxes are built right into macOS at the kernel level. This allows you to define how you want the app to interact with the system and provide it with all that is necessary to perform its intended action and nothing more.
  • You can grant additional access to the app through user interactions like Open and Save dialogs.
  • On iOS and macOS, apps are sandboxed by making use of entitlements.
  • An entitlement is basically a permission (usually with a default value that disables the capability) that is managed by Apple.
  • The app developer sets entitlements on an app, thus restricting its functionality. For example, using an entitlement key to allow read access to the user’s Pictures folder automatically restricts the app’s write access.
  • Since June 2012, sandboxing has been mandatory for all apps submitted to the Mac App Store.

Windows

  • Windows UWP apps are sandboxed in a manner similar to Mac App Store apps. Analogous to entitlements, UWP apps are designed with capabilities. Capabilities are declared in the app package to allow access to device features like storage and the camera, or to the Music or Pictures folders.
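The entitlements and capabilities just described are declared in files that a defender can read before an app is deployed. The following is an added example, not code from the original post or from Apple or Microsoft: a small Python audit that reads a macOS entitlements plist and a Windows UWP `Package.appxmanifest`, both constructed samples for a hypothetical voice-recorder app, and reports what the app requests beyond what its stated purpose justifies (the camera, in the scenario from the opening section). The entitlement keys and capability names are the real ones; the allow-lists for a voice recorder are my assumption, and the function names are mine.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample: a macOS entitlements plist for a hypothetical voice
# recorder. Note the camera entitlement, which a recorder has no business asking for.
ENTITLEMENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.files.user-selected.read-write</key><true/>
    <key>com.apple.security.network.client</key><false/>
</dict>
</plist>
"""

# Constructed sample: the <Capabilities> section of a UWP Package.appxmanifest
# for the same hypothetical app. Capabilities live in two XML namespaces.
APPX_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10">
  <Capabilities>
    <Capability Name="internetClient" />
    <uap:Capability Name="picturesLibrary" />
    <DeviceCapability Name="microphone" />
    <DeviceCapability Name="webcam" />
  </Capabilities>
</Package>
"""


def entitlements_granted(plist_bytes):
    """Return the set of boolean entitlement keys whose value is true.

    Entitlements set to false (the usual default) are not granted and are
    ignored; non-boolean entitlements (arrays of app groups etc.) are skipped.
    """
    data = plistlib.loads(plist_bytes)
    return {key for key, value in data.items() if value is True}


def capabilities_declared(manifest_bytes):
    """Return the set of capability names declared in a UWP appxmanifest."""
    root = ET.fromstring(manifest_bytes)
    names = set()
    for elem in root.iter():
        # Tags arrive namespaced, e.g. '{uri}DeviceCapability'; keep the local part.
        local = elem.tag.rsplit("}", 1)[-1]
        if local in ("Capability", "DeviceCapability", "CustomCapability") and "Name" in elem.attrib:
            names.add(elem.attrib["Name"])
    return names


def audit(requested, allowed):
    """Compare what an app asks for with what its purpose justifies.

    Returns (unexpected, missing): requested permissions that are not on the
    allow-list, and allow-listed permissions the app never declared.
    """
    return sorted(requested - allowed), sorted(allowed - requested)


# Assumed allow-lists for a voice recorder: microphone plus user-chosen files, nothing else.
VOICE_RECORDER_MAC = {
    "com.apple.security.app-sandbox",
    "com.apple.security.device.audio-input",
    "com.apple.security.files.user-selected.read-write",
}
VOICE_RECORDER_UWP = {"microphone"}


def demo():
    """Audit both constructed samples; returns {platform: (unexpected, missing)}."""
    return {
        "mac": audit(entitlements_granted(ENTITLEMENTS_PLIST), VOICE_RECORDER_MAC),
        "uwp": audit(capabilities_declared(APPX_MANIFEST), VOICE_RECORDER_UWP),
    }


if __name__ == "__main__":
    for platform, (unexpected, missing) in demo().items():
        print(f"{platform}: requests beyond purpose={unexpected} missing={missing}")
```

The same comparison works as a gate in a release or MDM pipeline: extract the entitlements or manifest from the package, diff against the allow-list agreed for that app, and block anything that asks for more than its job needs.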

The Ah-Yeses!

  • Works against zero-day threats (an unknown or totally new threat). Once the threat behaviour is understood, future attacks can be prevented as well. Much like a vaccine!
  • Cloud-based and on-premise deployment: Cloud-based sandboxes can track malware even over a period of days. They can also catch malware originating from a different region, which is otherwise difficult with an on-premise sandbox.
  • Works well with other security programs like antivirus.

You must now be thinking of sandboxes as Captain America’s shield, huh? Absolutely not. It just takes a drizzle to mush it all up.

The Oh-Noes!

  • Acts as a weak point – the sandbox itself can be an attack surface through its own bugs. A weak foundation can bring the whole castle down!
  • Sandbox evasion: Sandboxes actively watch for malicious behaviour only for a short period of time. Once that period is over, malware can sneak in.
  • A sandboxed environment is considerably slower, as it runs on limited hardware.
  • Sandboxed apps are more complex and hence take more time to develop.
  • The sandbox itself must contain all the files that the application needs to execute.
  • It restricts developer freedom.
  • It creates issues between apps that need to interact with each other.

Will the sandbox get washed away?

  • Cyber turbulence is at its peak and malware is as strong as ever.
  • The Meltdown/Spectre vulnerabilities in CPUs have proven that sandboxes can be ineffective. Cisco researchers discovered a trojan called GravityRAT, which uses a CPU temperature check to detect the presence of anti-malware sandboxes.
  • But sandboxes have evolved as well.

“Smart” sandboxes and AI sandboxes can match real system configurations, drivers and applications more accurately, and so can understand malware behaviour better. Software containers have developed over the years and are the successors to sandboxes. Since a sandbox is used for testing how a file will behave when released to the system, evasion techniques have proven quite successful against it. Containers, on the other hand, do no such weighing: they treat all files as potential threats and cage them. Chroot jails in Linux are similar and can limit directory access.
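The "contained storage space" from the first section and the chroot jail mentioned above come down to one rule: every path an app names must resolve inside its root. The following Python is an added example, not code from the original post or from any sandbox product; `confine()` and `SandboxEscape` are names I made up, and the directory layout (a sandbox root, a host-only file outside it, and a symlink inside the sandbox pointing at that file) is constructed in a temporary directory so the block runs offline. It shows both the obvious `..` escape and the less obvious symlink escape being refused, while ordinary in-sandbox paths are allowed.

```python
import os
import tempfile


class SandboxEscape(Exception):
    """Raised when a requested path resolves outside the sandbox root."""


def confine(root, requested):
    """Return the real, absolute path for `requested` if it lies inside `root`.

    `requested` is interpreted relative to `root` (a leading '/' is stripped, so
    the app cannot name absolute host paths). Both sides are passed through
    realpath, so '..' components and symlinks are resolved before the
    containment check: a link pointing out of the sandbox is rejected exactly
    like '../../etc/passwd' would be.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise SandboxEscape(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def demo():
    """Exercise confine() against constructed inputs; returns {path: verdict}."""
    results = {}
    with tempfile.TemporaryDirectory() as host:
        root = os.path.join(host, "sandbox")
        os.makedirs(os.path.join(root, "data"))

        # Constructed host-only file that the sandboxed app must never reach.
        secret = os.path.join(host, "secret.txt")
        with open(secret, "w") as f:
            f.write("host-only data\n")

        # Constructed symlink *inside* the sandbox pointing at the outside file.
        os.symlink(secret, os.path.join(root, "data", "link"))

        for name in (
            "data/notes.txt",          # ordinary in-sandbox path
            "/data/notes.txt",         # absolute form is re-rooted, not trusted
            "../secret.txt",           # classic parent-directory escape
            "data/link",               # symlink escape, only caught via realpath
            "data/../../secret.txt",   # escape hidden behind a valid prefix
        ):
            try:
                confine(root, name)
                results[name] = "allowed"
            except SandboxEscape:
                results[name] = "blocked"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

A real chroot or container runtime enforces this in the kernel rather than in application code, but the check above is the same test an app-level file-access shim or a download manager's "save into sandbox" path handler should apply, and the symlink case is the one most often forgotten.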

Keep your androids safe in a sandbox

Mobile device management vendors now focus on app sandboxing and containerization by allowing enterprises to configure a Profile Owner mode in Android Enterprise, which keeps personal and work apps separate. This OS-level container is supported on Android 5.0 and above. Work apps carry a briefcase icon. Users can use their personal and work apps side by side without any clash, and can even turn off the work profile temporarily. The applications in the work profile are fully managed, while personal apps and data are left untouched. This draws a clear-cut line between what is managed and what is not, by isolating the work apps in an encrypted, sandboxed environment. Application management on devices helps to blacklist, whitelist and configure an app to pre-define its behaviour. Hexnode offers you powerful app management features to sandbox your applications, leaving the rest of the device untouched.

Apples prosper in sandboxes

Don’t want your employees mixing up their work and personal life? Don’t want apps mixing up data? This can be achieved by implementing Managed Open-In for Apple devices. This feature is powered by Apple’s VPP for application distribution. It uses a set of policies that restrict data (attachments or documents) from managed sources from being opened in unmanaged destinations, and vice versa. They prevent managed applications from accessing unmanaged contact accounts and unmanaged applications from reading managed contact accounts. Managed Open-In can also be used as a data loss prevention technique for iOS devices.

Sandboxing alone can never assure you 100% protection. But it sure can act as an additional layer of security when deployed along with protections like anti-virus. In this era of “cyber-insecurity” you had better use anything and everything you can possibly lay your hands on to protect your device and data. Like they say, “A single twig breaks, but a bundle of twigs is strong.”

Jayden Traoré

Product Evangelist @ Hexnode. Sometimes, I have the feeling I live in a story: a magnificent story written by a mediocre writer living off coffee and technology.
