Thomas Tempelmann

Reputation: 12043

How can an application tell silently if it's running in the sandbox?

I am writing an app that can run sandboxed or not.

I like to keep my code independent of whether I later codesign it for sandboxing or not, i.e. I want to avoid having a constant in my code (or in the build environment) that I have to change for my code to know whether it'll be built for a sandbox or not.

Naturally, I need to use different APIs in some cases in my code depending on whether the app is sandboxed or not.

So, I like to have code in my app that dynamically detects whether it's running in the sandbox or not. And I like to do this without getting a message in the console log. I.e., trying to access a file that's inaccessible in the sandbox is not a good solution because that'll cause a log entry which in turn would irritate users of my app, thinking there's something wrong.

Upvotes: 2

Views: 1722

Answers (4)

rob mayoff

Reputation: 385580

    import Foundation // For String/CFString bridging
    import Security

    if
        let task = SecTaskCreateFromSelf(nil),
        let value = SecTaskCopyValueForEntitlement(task, "com.apple.security.app-sandbox" as CFString, nil),
        let isSandboxed = value as? Bool
    {
        print("sandbox: \(isSandboxed)")
    }

Upvotes: 1

Briney Emmanuel

Reputation: 91

I use this:

    import Foundation

    // Determine if an application is running in sandboxed mode
    func IsSandboxed() -> Bool {
        // Without a bundle identifier there is no container path to compare against
        guard let bundleName = Bundle.main.bundleIdentifier else {
            return false
        }
        // A sandboxed app's home directory is inside ~/Library/Containers/<bundle id>
        return NSHomeDirectory().contains("Library/Containers/" + bundleName)
    }

Upvotes: 0

TheDarkKnight

Reputation: 27611

As you've mentioned, applications that are sandboxed are code signed. You can check for the presence of this with the command-line call to 'codesign'.

Therefore, if your program can call out to the command line with:

    codesign -d --entitlements :- <path to executable>

Retrieve the output from the command and search for the string:

    com.apple.security.app-sandbox

If the string exists, the running executable is sandboxed. Do this once in an initialisation function at the start of your application and store a flag that you can then test for later on.

-------EDITED ----------------

I've not tested it myself, but just came across this article which includes code to check if the app is sandboxed. The full code can be found on GitHub here.

---- EDIT 2 --------------

I've finally checked the code in the aforementioned article and can confirm that it works as expected.

Upvotes: 1
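The codesign check described in this answer, as an added example (not part of the original post or of the linked article's code): it parses the entitlements plist and reads the key's Boolean value, because a plain string search also matches an entitlement that is present but set to false. The function names and the sample plists are constructed for illustration.

```swift
import Foundation

let sandboxKey = "com.apple.security.app-sandbox"  // key named in the answers above

/// True only when the entitlements plist sets the sandbox key to Boolean true.
/// `plist` is the XML that `codesign -d --entitlements :- <path>` writes to stdout.
func entitlementsEnableSandbox(_ plist: Data) -> Bool {
    guard let object = try? PropertyListSerialization.propertyList(from: plist, options: [], format: nil),
          let entitlements = object as? [String: Any]
    else { return false }  // unsigned, no entitlements, or unparsable output
    return (entitlements[sandboxKey] as? Bool) ?? false
}

/// Runs the codesign command from the answer and returns its stdout (empty on failure).
func codesignEntitlements(of executablePath: String) -> Data {
    let process = Process()
    process.executableURL = URL(fileURLWithPath: "/usr/bin/codesign")
    process.arguments = ["-d", "--entitlements", ":-", executablePath]
    let output = Pipe()
    process.standardOutput = output
    process.standardError = FileHandle.nullDevice  // discard codesign's diagnostics
    do { try process.run() } catch { return Data() }
    let data = output.fileHandleForReading.readDataToEndOfFile()
    process.waitUntilExit()
    return process.terminationStatus == 0 ? data : Data()
}

/// Constructed sample entitlements (not taken from a real app).
func samplePlist(sandboxValue: String) -> Data {
    let xml = """
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0"><dict><key>\(sandboxKey)</key><\(sandboxValue)/></dict></plist>
    """
    return Data(xml.utf8)
}

// A substring search reports a match for both samples; the parsed value does not.
for value in ["true", "false"] {
    let data = samplePlist(sandboxValue: value)
    let substringHit = String(decoding: data, as: UTF8.self).contains(sandboxKey)
    print("<\(value)/>: substring match=\(substringHit), parsed=\(entitlementsEnableSandbox(data))")
}

// Do this once at startup and keep the flag, as the answer suggests.
if let path = Bundle.main.executablePath {
    print("this process: \(entitlementsEnableSandbox(codesignEntitlements(of: path)))")
}
```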

Thomas Tempelmann

Reputation: 12043

I found a much simpler trick now:

I get the path to the Preferences folder. If it looks something like this, I'm sandboxed:

    /Users/<user>/Library/Containers/<bundle_id>/Data/Library/Preferences

That's enough for my needs, I just want to avoid seeing console msgs. Should Apple ever change the path and my test fails, then the worst I'll see is a console msg about a denied operation. I can live with that.

Upvotes: 1
