Fix The Sandbox

February 17th, 2012

Apple’s getting a lot of press this week about their forthcoming 10.8 “Mountain Lion” update to Mac OS X. One of its key features will be a security feature called “Gatekeeper” that will allow users to avoid launching apps from developers who are not registered with Apple. If you are not already familiar with Gatekeeper, read Steven Frank’s writeup to get up to speed. You should also check out Wil Shipley’s post from this past November, where he argued for something very much like Gatekeeper.

I am excited about Gatekeeper not only because it will improve security on the Mac but because of how it will achieve this goal. Apple, as the authority in the OS X environment, will convey information to Mac users about who developed a particular application, empowering them to protect themselves. Compare this to the status quo of the App Store, where security is completely out of users’ hands, and Apple uses its discretion to protect users from software it judges unfit for consumption.

Who vs. What

Simply establishing the identities of software developers is a major step for increasing security, because bad actors can either be immediately shut down, or at least prevented from further propagating on the platform. If “Hawt Dawg Industries” is discovered to be a malware developer, Apple can flip a switch and any user who trusts Apple’s opinion about such things can automatically prevent their Macs from trusting software from that vendor.

If somebody knocks on your door in the middle of the night, the first thing you’re liable to ask is “Who are you?” That’s Gatekeeper. Sometimes, the “who” is all the information you need. But if there’s any doubt, the next bit of information you’ll pry for is “What do you want?” That’s the sandbox. At least, it’s what the sandbox will be, after Apple fixes it.

The Broken Sandbox

At its best sandboxing is a means for app developers to faithfully state their intentions in a manner that can be evaluated by users, and also be reliably enforced by the operating system. So if your new “Fun on Facebook” app declares its intention is to connect to the web, you might judiciously allow it. If it says it needs to write files to the root of the filesystem, you’d be wise to search for another app.

Sandboxing on the Mac works by providing developers with a standardized list of “entitlements” which are clear descriptions of things it would like to do on your Mac. Examples include: access the internet, read files from your Pictures folder, print things on your printer.

The number one broken thing about sandboxing as it stands today is that the list of entitlements is simply too limited. Many apps on the App Store, including my own, will need to have their functionality considerably diminished, or in some cases made outright useless, in order to accommodate the available list of entitlements that sandboxing offers.

To stretch the stranger-at-your-door metaphor a little further, imagine the visitor is your trusted plumber, who’s come to fix a leaking pipe. In response to “What do you want?” he’s a bit tongue-tied. There’s no “entitlement” for fixing pipes, so he’s forced to say “I’m here for a chat.” When you reluctantly let him in the door he informs you that actually, due to recent legal changes, he’s no longer allowed to fix your pipes.

The impending state of the Mac App Store is very much like this. A great number of apps provide useful services to grateful customers, but as those services don’t fit the mould of Apple’s sandboxing entitlements, they will be effectively barred from the store within a few weeks. If you want to hire somebody to “fix the leaky pipe,” you’ll have to look outside the store, where apps are not sandboxed at all, and where Apple is in no position to improve users’ knowledge about the “what” of an app.

Saving Face

Gatekeeper is extremely simple, yet is likely to be extremely effective. Some exasperated developers who have been frustrated by the sandbox limitations are hopeful that all this attention on Gatekeeper might indicate a change of heart on Apple’s part. Will they see the error of their ways and ditch sandboxing in favor of Gatekeeper’s elegance?

One problem with this approach is that Apple would appear as though it had stumbled in its strategy. It spent the greater part of a year selling the idea of sandboxing and all of its merits, then two weeks before its grand debut, jumps ship for a completely different approach? Smooth move, Apple.

But a more important problem is that abandoning sandboxing would mean the significant engineering investment, both by Apple and by developers who have refactored their apps to satisfy sandboxing requirements, would have been a waste. There is such great value in sandboxing technology, we just need to finish the job of mining it out.

What should Apple do about all this? Gatekeeper and the Mac App Sandbox are both technologies that stand to improve security on the Mac by labeling apps with useful information about their developers and their functionality. The extent to which security is improved is very much tied to how widely adopted these technologies are. If the vast majority of developers agree to sign their apps with Gatekeeper certificates, then the vast majority of users will leave the Gatekeeper “safe” mode enabled.

Embrace, Expand, and Empower

Apple should embrace the utility of sandboxing by shifting their focus away from sandboxing only Mac App Store titles, to a strategy that would sandbox virtually every Mac app, inside the store or out. Given the current limitations of sandboxing, a significant number of developers will not adopt the technology, so its usefulness to users and to the security of the platform will be diminished. Apple can turn that around so that sandboxing is a worthy counterpart to Gatekeeper, and a technology that any developer in his or her right mind would feel foolish not to incorporate.

To increase adoption, Apple should expand the current list of entitlements until it covers every reasonable behavior that users expect from Mac apps. A good test for this is any app that is currently available in the Mac App Store. Having been approved by Apple’s own reviewers, and purchased by Apple’s own customers, the merit of these apps should be considered implicit. If a Mac App Store app’s reasonable behavior cannot be achieved in the confines of the sandbox, it should be considered a sandboxing bug, and a new entitlement should be added.

Finally, Apple should take a cue from its own Gatekeeper approach. By incorporating sandbox information about apps into the forthcoming app security preference pane, they will empower users to understand application intentions. Along with the proposed options controlling the “who” of apps, users would be given reasonable defaults pertaining to the “what” of apps. For power users, these settings would be configurable on an entitlement-by-entitlement basis. The sheer transparency will be yet another motivation for developers to adopt sandbox, and for users to demand sandboxing from their developers.
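As an added illustration of the two ideas above, the entitlements list an app ships with (the "what" described under The Broken Sandbox) and a user-side, entitlement-by-entitlement policy applied to it, here is a small Python script. It is not Apple's code, not code from this post, and the preference-pane behaviour it models is the post's proposal, not a shipped feature. The entitlement keys are Apple's real sandbox identifiers; the sample entitlements file for the hypothetical "Fun on Facebook" app and the default user policy are constructed for the example. The sample deliberately includes a temporary exception granting read-write access to `/`, the "write files to the root of the filesystem" case that a user should balk at.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_PREFIX = "com.apple.security.temporary-exception."

# Constructed sample: the entitlements plist a sandboxed Mac app is signed with
# (the same format `codesign -d --entitlements :- /path/to/App.app` prints).
# The app ("Fun on Facebook") is hypothetical; the keys are Apple's real ones.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.assets.pictures.read-only</key>
    <true/>
    <key>com.apple.security.print</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/</string>
    </array>
</dict>
</plist>
"""

# Constructed sample: an app distributed outside the store, with no sandbox at all.
UNSANDBOXED_ENTITLEMENTS = b'<plist version="1.0"><dict/></plist>'

# Plain-language descriptions, in the spirit of "access the internet" or
# "read files from your Pictures folder". Unknown keys are shown verbatim.
DESCRIPTIONS = {
    "com.apple.security.network.client": "connect to the internet",
    "com.apple.security.network.server": "accept incoming network connections",
    "com.apple.security.assets.pictures.read-only": "read files in your Pictures folder",
    "com.apple.security.assets.pictures.read-write": "read and change files in your Pictures folder",
    "com.apple.security.files.user-selected.read-write": "read and write files you pick in an Open/Save dialog",
    "com.apple.security.print": "print things on your printer",
    "com.apple.security.device.camera": "use the camera",
    "com.apple.security.device.microphone": "use the microphone",
}

# Hypothetical "reasonable defaults" a user might keep enabled; anything else
# the app asks for is surfaced for the user to decide on.
DEFAULT_POLICY = {
    "com.apple.security.network.client",
    "com.apple.security.files.user-selected.read-write",
    "com.apple.security.print",
}


def parse_entitlements(data: bytes) -> dict:
    """Parse an XML entitlements plist into a dict of key -> value."""
    return plistlib.loads(data)


def is_sandboxed(ents: dict) -> bool:
    """Only an app that opts into the sandbox declares a 'what' we can evaluate."""
    return ents.get(SANDBOX_KEY) is True


def requested(ents: dict) -> list:
    """Entitlement keys the app turns on, excluding the sandbox switch itself.
    Boolean entitlements count when True; exception entitlements when non-empty."""
    return sorted(
        k for k, v in ents.items()
        if k != SANDBOX_KEY and (v is True or (isinstance(v, list) and len(v) > 0))
    )


def describe(key: str, value) -> str:
    """Turn one entitlement into the sentence a preference pane would show."""
    if key.startswith(TEMP_PREFIX):
        return "temporary exception %s: %s" % (key[len(TEMP_PREFIX):], ", ".join(value))
    return DESCRIPTIONS.get(key, key)


def evaluate(ents: dict, policy: set) -> dict:
    """Compare what the app asks for with what the user allows by default.
    Temporary exceptions are never covered by a default; they are always surfaced."""
    result = {"sandboxed": is_sandboxed(ents), "allowed": [], "denied": [], "exceptions": []}
    if not result["sandboxed"]:
        return result
    for key in requested(ents):
        if key.startswith(TEMP_PREFIX):
            result["exceptions"].append((key, ents[key]))
        elif key in policy:
            result["allowed"].append(key)
        else:
            result["denied"].append(key)
    return result


def report(ents: dict, policy: set) -> list:
    """Human-readable summary lines for the app's intentions under the policy."""
    verdict = evaluate(ents, policy)
    if not verdict["sandboxed"]:
        return ["Not sandboxed: this app states nothing about what it intends to do."]
    lines = ["Allowed by your defaults: " + describe(k, ents[k]) for k in verdict["allowed"]]
    lines += ["Needs your decision: " + describe(k, ents[k]) for k in verdict["denied"]]
    lines += ["Escapes the sandbox: " + describe(k, v) for k, v in verdict["exceptions"]]
    return lines


if __name__ == "__main__":
    for sample in (SAMPLE_ENTITLEMENTS, UNSANDBOXED_ENTITLEMENTS):
        for line in report(parse_entitlements(sample), DEFAULT_POLICY):
            print(line)
        print()
```

Run it as-is to see the two reports; to inspect a real app, feed the bytes printed by `codesign -d --entitlements :- /Applications/SomeApp.app` into `parse_entitlements` instead of the constructed sample.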

Imagine a future where the majority of Mac apps are signed with Gatekeeper certificates, and an accurate list of entitlements. Users will be protected by smart default settings, and by the knowledge of who their apps come from, as well as what they intend to do. Developers will be protected from their own unintentionally destructive mistakes, and from impostors selling software purported to be authentic. And Apple? Apple will be remembered as the huge, clever computer company that solved the software security problem on two fronts, without pissing off developers or customers. Much.

(This piece was inspired by a lunchtime chat with my friend Paul Kafasis. Thanks, Paul!)

Shush 2.0

January 17th, 2012

By now I am somewhat famous for my slowness in adopting the iOS platforms for my major apps: MarsEdit and Black Ink. The truth is I have been working on these releases for years, but it’s also true that work has been intermittent as I refocus on Mac versions of my apps and on other commitments in my life.

One of those other commitments has been raising a small family. My son, Henry, will become a big-brother in a matter of hours or days, and in honor of that I’ve decided to update my only shipping iOS app: Shush.

Shush 1.0 was a simple, dare I say embarrassingly simple, project that came out of our interest as new parents in Harvey Karp’s Happiest Baby on the Block techniques for soothing infants in the first few months of life. Among the bag of tricks is shushing the baby, creating white noise with your mouth: “Shhh.” While this trick worked for us, it became a little exhausting to make the noise for as long as it seemed helpful to Baby Henry.

For the new baby, I anticipate using Shush again, so I decided to give it a facelift. I had imagined over the years since I first released it that it would be fun to have it embrace some of the iPhone’s playfulness and provide a highly skeuomorphic television-set style design. This is Shush 2.0:

[Image: Shush 2.0 screenshot, shown on a device]

Don’t get me wrong: I know I won’t win any graphic-design awards for this, although it represents a peak of my skills in that area. Those of you who remember Shush 1.0 will probably consider this at least slightly more visually appealing. I tried to maintain the simplicity of Shush 1.0 while livening up the interface. I actually simplified a bit by removing the “Start/Stop” button. To turn Shush 2.0 off, you just slide the volume to its lowest position. To make the TV metaphor work, Shush is locked to landscape orientation. But I positioned the slider so it would be easily and intuitively navigated with the thumb while “holding the phone wrong” in an upright position.

Also new in this release is Shush’s ability to make static noise in the background while you continue to use your iPhone or iPad. I imagine this will be handy especially for parents who want to produce that sweet, soothing static, but would also like to catch up on Instapaper, Twitter, or whatever while they’re cradling the baby.

Finally, that skeuomorphic television static actually provides something of a hypnotic animated effect. Some users may find the visual display useful either for lulling themselves or for distracting and amusing a baby. From a technical standpoint I’m particularly proud of the effect. Inspired by a suggestion from Mike Ash, I implemented the static animation as an OpenGL Shader, so it runs almost entirely on the iPhone’s GPU. This means it is extremely efficient and not liable to slow down your phone or gobble up your battery. If you don’t like the TV static or just want to save even more power while Shushing, you can put the display to sleep and Shush keeps on Shushing.

I hope you enjoy Shush 2.0. Let me know if you give it a try or have feedback about my decisions in redesigning this simple application. To answer the inevitable question: yes, MarsEdit and Black Ink are still under development for iOS!

Learn To Code

January 1st, 2012

If learning to program is even a minor goal for you, Code Year (via Brent Simmons) might be just the encouragement you need. They promise to email you on a weekly basis with coding lessons to help you achieve your goal.

I’m one of those computer programmers who downplays the difficulty of the profession, because “if I can do it, anybody can do it!” On the other hand, I have faced challenges that made me question whether I’m vaguely qualified for the job. What it boils down to is that programming is both incredibly simple and impossibly hard, like so many important things in life.

There was a time when nobody knew how to write literary prose. The geniuses who invented it shared their special tool with a few friends, and they relished in their private, elite communications. Eventually monks, politicians, and academics joined the club. Now, we judge a society’s overall level of intellectual advancement by the literacy rate: the percentage of people who have learned to read and write.

Literacy isn’t about becoming a Hemingway or a Chabon. It’s about learning the basic tools to get a job done. I think programming — coding — is much the same. You don’t have to be the world’s best programmer to develop a means of expressing yourself, of solving a problem, of making something happen. If you’re lucky, you’ll be a genius, but you start out with the basics.

Long ago, it would have been ridiculous to assume a whole society could be judged by its ability to read and write prose. It feels ridiculous now, to assume that we might use computer programming as a similar benchmark. Yet it may happen.

Did you always mean to learn another language, but never did? By all means, learn Spanish, French, or Chinese. But learn to code, too.

You Sense It Or You Don’t

December 15th, 2011

I enjoyed Joshua Topolsky’s rebuttal to the high-fives exchanged between John Gruber and MG Siegler about the Galaxy Nexus allegedly being less polished than iPhones are. I didn’t pick up on some of the cringe that Joshua pointed out, in particular the implication that rich people who have “nicer” stuff will always enjoy some impossible to crack understanding of the finer things in life.

And yet John and MG are totally right. You either see it or you don’t. This is egalitarian, relating to all facets of life, in every nuanced area of preference or priority. For whatever details a given person appreciates and values, far more people will be disinterested and be unlikely to even distinguish differences. How about those Android aficionados? They’ll point to the flexibility afforded by true multitasking, freedom to install unapproved apps, etc. They shake their heads at silly iPhone lovers, hold their phones up high and take pride in these qualities. To them, these are the finer points. This is the “polish.” The rest of us just don’t see it.

For many of us who make, use, or write about software for a living, polish is all about removing from the software as many jarring behaviors as possible. Sweating the small stuff. It’s exactly the details like the persistently stuttering scrolling that MG points out that continue to make Android products appear less polished to us. It’s seriously unnerving. It’s a big freaking deal to us, while other people just don’t see it.

It doesn’t have to relate to expense, and isn’t restricted to a premium class of product. It’s also, of course, not restricted to vision. I can imagine some of my wine-loving friends holding up a $15 bottle of something precious they’d discovered, while expressing disdain for a $200 bottle of swill that somebody else just adores. Nor does it need to be something “high class.” I’m sure a number of hard-working farmworkers could explain to me in agonizing detail why I picked the absolute worst rake and shovel for my garden.

If you’ve got a taste for something, a nose for something, an eye for something, an ear for something, a feel for something, and you find a product that soothes that sense, then you have a special gift: the ability to cast judgement on inferior efforts. Other folks? They’ll either sense it too, or they won’t.