How do you produce new applications in such an environment ("No peeking in other files")?
To a first approximation, you don't. You can't for iOS on an iPhone. You need the "messier" environment of a, errm, uh, real computer. For iOS, you'll need to run xcode, which means you'll need a Mac. (I understand there are ways to get around this to use Windows, but I'd be surprised if you could do it from say, an iPad).
I believe this is generally possible for Android using something like AIDE, but I do not know how practical it is. I can't see writing a lot of Java without a proper keyboard, but of course you can always plug one int.
There is a lot of confusion around this issue. I think several issues are mixed up here.
First, it's the job of the operating system to authorize or prevent access to a resource. It has nothing to do with the development environment. If that was the case it would be trivial for malware to bypass restrictions, wouldn't it? You won't assume that a malware writer or a dishonest coder will play nice!
The key issue here is the operating system security model. We have grown used to the Unix security model and others inspired on it. The thing is, it's obsolete for our current applications.
Unix is a multi user operating system. It was conceived to allow different users to share a computer and to offer some simple protection to their resources (files, processes, etc). So Bob could prevent Alice reading his files.
Now the threat model is different. Unix based computers are mostly single user workstations. And the risk is a security problem in an application program (the typical text processor security issue) giving an attacker access to your other files.
While many people discussing security focus on how hard it is to achieve superuser access to a Unix system, reality is different. It has become irrelevant if all the attacker wants is to read your files, use your computer to send spam, mine crypto currency or a myriad other uses. The miscreant wants to be able to do the same you would do as a regular user.
Can this problem be fixed? Of course. But it's a matter of operating system architecture, not of just clever tricks and patches. Unfortunately, as Pike rightly lamented, operating systems research is largely being ignored. Systems such as Plan 9 (using name spaces) or Amoeba (using capatibilities) offered some tools to tackle this problem.
We should go from a multi user operating system to a
multi application operating system in which an application doesn't get automatic access to all the resources owned by the user running it.
This is a superficial example of one possible model.
Imagine you are running Photoshop. You want to open one of your photographs. So you select File -> Open, and a directory listing appears. You select a file and press "Open", so you open it.
In the "traditional" multi user operating system this is what happens when the user wants to open a file.
- The user selects File->Open
- The application creates a file selection window
- The user selects a file and presses "Open"
- The application opens it. Note that the application can open any file it "wants" in this case.
The file selection dialog is part of the application process, running with the same privileges, hence with access with all the files. It's very convenient for many developers because they can implement their own file selection window. But of course it has a problem: this doesn't give us that isolation between applications.
Now, imagine a "multi application" OS.
- The user selects File->Open
- The application sends a message to the OS asking for a file to be opened.
- The OS opens a file selection window which is not a part of the application process.
- The user selects a file and presses the "open" button.
- The OS creates an authorization for the application to open that particular file. Let's say it´s some kind of "ticket".
- The application opens the "ticket".
Something similar would happen if the user picked up the file icon and dragged it onto the application icon. The trusted part of the OS would deliver a message to the application. "Open this file" but instead of giving a classical file descriptor as a parameter it could be an authorization ticket.
It's a bit more complicated than this of course, because the OS should have adequate controls for UI automation operations done from any application. But the core mechanism would still be something of the sort.
Actually there is some evolution towards this model. I remember when Apple was ridiculed because iOS doesn't separate processes in different user ids. The truth is, it uses other mechanisms which means that the user id is irrelevant. Also they are applying harder controls on OS X based on sandboxes.
A question remains, however: a sandbox is what I call an "a posteriori" security measure. You have a set of resources and you establish some protection measure as an afterthought. Actually I would rather prefer the "a priori" approach in which everything is protected unless access is explicitly granted.
But that means you need a complete overhaul of the security model and it would surely be painful for many application developers. There is a lot of inertia right now.