First, I’d suggest reading Michael Tsai’s blog post on the hot key issue. I think he’s got the best post out there. I just wanted to expand a little bit on the comments I wrote relative to my post on the topic earlier this week. Part of the issue was that in a lot of the early news and commentary on the issue it really wasn’t clear what was meant by hot keys. Michael assumes it was just calls to RegisterEventHotKey, which in hindsight is probably the more sensible interpretation to have taken. So I probably screwed up interpreting it a bit more broadly. (Although others did as well – which is probably why there was so much confusion.)
Most of what makes hot keys potentially dangerous are already no-nos with the sandbox. The problem is with key loggers or the like. A key logger could simply set up regular keys as hot keys, save that they were typed, and then create an event for the front window with one of the CGEventxxx calls. (Caveat – while I’m a programmer, I’ve not done much Mac application coding. I primarily have done lower-level stuff.) My understanding, though, is that this isn’t a danger since you can’t do CGEventPost calls in Mac App Store apps.
My original post really isn’t about this sort of potential malware. I think the mere act of having to go through hoops and have a real business to sell at the app store eliminates most malware. What’s left over isn’t going to be heavily limited if it manages to get through the approval process. It’s true Apple apparently has some program that scans for what APIs are used during the approval process. However, that still only gets you so far.
While I do think the sandbox will limit malware, I honestly don’t think it’s the main justification for the shift. Rather, I think Apple just truly wants applications to be more independent. This is partially to avoid one application causing (despite the best of intentions) trouble in another application. I honestly think Apple’s basic mindset – for better or worse – was set by how Flash behaved in Safari. I think they looked at that and thought that they’d like to lock things down more.
The problem is, of course, that for most of us we want our Mac to do a whole lot more than our iPhone or iPad does. I think Apple was a bit naive in all this but has been listening to developer feedback. The problem is that Apple introduced the Mac App Store before figuring out how they’d like to limit things. Needless to say, this has led to a slew of headaches and upset developers with Apple pushing their deadlines back and back again. Not to mention seriously changing the “holes” allowed in the sandbox.
What Apple’s really after though are the following:
- Limit what a malformed document can do within an application. (Witness what happens with Acrobat on Windows)
- Limit how one application can modify another. (Most users just don’t understand a separate application suddenly changing how it looks or behaves)
- Have things behave in a predictable consistent fashion
Now I think sandboxing does help a little with regard to malformed documents. To a point. There will still be crashes and I’m sure hackers will figure out how to make use of even sandboxed applications. But it will be harder if those applications have pretty severe limits on where they can write on the file system.
The bigger issues to my mind are the second and third points. Yes, hot key trapping typically is used within an application just to affect that application and in a fairly limited way. And yes, it is pretty common. My understanding though (and here’s where my ignorance of writing Cocoa code might be coming out) is that there typically are multiple ways to get that functionality. You don’t just need to use the hot key mechanism. (Now a moot point since apparently Apple’s still going to allow it.)
Where you absolutely need the hot key mechanism is to fundamentally change how things behave. That is, it’s not just a way for a key to do something within a particular application but globally. Now typically applications using hot keys for this do a lot more. For instance, macro programs like QuicKeys or Keyboard Maestro generate new events for things like mouse actions, typing or more. Key loggers obviously could do this as well. (I don’t think they actually do work that way – although maybe I’m wrong.)
Now macro programs are already not going to be allowed at the MAS. And my thinking really wasn’t ultimately about malware either. What I was worried about was trapping keys that users expect to behave in a predictable fashion. Since hot keys are a global intercept there is the potential to really thoroughly confuse naive users.
I know that any power user will be rolling their eyes at this point. The one thing I have realized after using an iPad and watching my wife and kids use it is just how important simplicity is for many users. It’s just not for me. I want all those cool macro programs and programs that provide new system level functionality. And I don’t mind installing them. In fact I try not to buy from the MAS, both because more of the money goes to the developer and also because I want that external ecosystem to flourish. Naive users though don’t want to have to understand nuance with a program. They just want to buy it and have no surprises. It’s completely understandable to me for Apple to seek to provide that.