3 Perspectives on App Sandboxing

By Tal Zamir. August 15, 2019

Many IT organizations use app sandboxing in an attempt to safeguard sensitive information from cybercriminals. It’s a pretty straightforward concept: contain threats coming from the sandboxed application to prevent them from affecting the OS.

Kind of like making sure your kids can’t track sand from their outside sandbox into your house, where it would keep showing up in unexpected, hard-to-get-rid-of places.

By executing an application in its own sandbox using virtual machines (VMs) or other application isolation techniques, you restrict its ability to access the system resources and data of the device it’s running on.

So how effective is app sandboxing? Let’s take a look at what cyber attackers, end-users, and IT administrators think.

The ATTACKER Perspective

App sandboxing definitely frustrates attackers who target an app that employs this technique: it blocks them completely. But persistent attackers know there are many other ways to infiltrate the endpoint.

Because each app has to be sandboxed individually, sandboxing doesn’t protect against vulnerabilities in other versions of the same app, in the many applications the sandboxing solution doesn’t support, in the underlying OS or middleware, or in malicious external hardware or networks. Cybercriminals can easily trick users into downloading and running malware from email, for instance. And insider threats remain…threatening.

The USER Perspective

Anything that gives users more freedom is always a plus. With app sandboxing, users have fewer restrictions on what documents they can access. However, the cons of app sandboxing outweigh the pros here. For one thing, there’s significant performance overhead, since each instance of the application runs in a separate VM or other containerization solution. Running numerous sandboxed apps on a user’s device slows down the machine and limits what users can do with it.

But it’s the app compatibility problem that makes sandboxing impractical in real enterprise environments. Separating applications into VMs creates inherent interoperability issues among applications that are reliant upon interacting within a single OS. Because every app is customized to run in the sandbox VM OS, each new version has to be explicitly adapted for that sandbox platform–and that’s not something most IT shops can keep on top of. As a result, users are often surprised with apps that simply don’t work like they used to, or at all.

The IT ADMIN Perspective

There’s not a lot for IT administrators to like about app sandboxing. They spend a lot of time mitigating compatibility issues. And because it’s time-consuming and costly to keep sandboxed apps up to date, security patches are often delayed and security risks rise.

App sandboxing was all the rage before endpoints became the darling of sophisticated cyber attackers. It may be a good first step for small organizations, but it causes more problems than it solves for enterprises.

What do you think? What pros and cons have you run into with app sandboxing?

We are running a series featuring “3 perspectives” on multiple endpoint solutions. Check out our 3 Perspectives on EPP.

About the Author

Tal Zamir is CTO and Co-Founder of Hysolate. A passionate entrepreneur and veteran R&D leader, Tal brings 15 years of experience in the cyber and IT domains to Hysolate. Tal started his career in the Israeli Ministry of Defense, in which he pioneered multiple mission-critical cyber products. He then joined the leadership team of Wanova – a desktop virtualization startup that was later acquired by VMware. He holds multiple US patents as well as an M.Sc. degree in Computer Science from the Technion.
