Sandboxing

Sandboxing is a software management strategy that isolates applications from critical system resources and other programs. It provides an extra layer of security that prevents malware or harmful applications from negatively affecting your system.

Without sandboxing, an application may have unrestricted access to all system resources and user data on a computer. A sandboxed app on the other hand, can only access resources in its own "sandbox." An application's sandbox is a limited area of storage space and memory that contains the only resources the program requires. If a program needs to access resources or files outside the sandbox, permission must be explicitly granted by the system.

For example, when a sandboxed app is installed in OS X, a specific directory is created for that application's sandbox. The app is given unlimited read and write access to the sandboxed directory, but it is not allowed to read or write any other files on the computer's storage device unless it is authorized by the system. This access is commonly granted using the Open or Save dialog box, both of which require direct user input.

Sandboxed App Limitations

While sandboxing provides added security for users, it can also limit the capabilities of an application. For example, a sandboxed app may not allow command line input since the commands are run at a system level. Utilities such as backup programs and keyboard shortcut managers may not be granted sufficient permissions to function correctly. For this reason, some programs cannot be sandboxed.

NOTE: OS X has supported sandboxing since OS X Lion, which was released in 2011. The Mac App Store has required apps to be sandboxed since March 2012. Windows does not natively provide app sandboxing, but some apps (such as Microsoft Office programs) can be run in a sandboxed mode. Additionally, several Windows utilities allow you to run apps in a sandbox, preventing them from affecting the system or other applications.