SandboxViolation appearing in device console logs

Context

During normal usage of a secured app, most often during app start and login, there may be a number of device console log messages stating SandboxViolation, such as:

Feb 16 15:00:02 iPad-Pro kernel(Sandbox)[0] <Notice>: SandboxViolation: SecuredAppName(11910) deny(1) process-fork
Feb 16 15:00:02 iPad-Pro kernel(Sandbox)[0] <Notice>: SandboxViolation: SecuredAppName(11910) deny(1) sysctl-read kern.proc.all.0
Feb 16 15:00:02 iPad-Pro kernel(Sandbox)[0] <Notice>: SandboxViolation: SecuredAppName(11910) deny(1) sysctl-read kern.proc.all.0


Issue

During the lifetime of a Blue Cedar protected app, a number of security-related steps are performed. These include resolving the proper paths for Data at Rest whitelisting/blacklisting and verifying whether the device is jailbroken. The code executed for these steps may attempt actions that Apple does not allow for a sandboxed app, and each denied attempt is logged as a SandboxViolation.

Solution

In practice, these log messages are expected. For example, when testing whether a device is jailbroken, the injectable intentionally tries to perform an action that iOS prohibits (such as the process-fork and sysctl-read attempts shown above); on a correctly sandboxed device the attempt is denied, which is the expected outcome. These log messages do not indicate any negative or impacting behavior for secured apps, and there are no known security issues or vulnerabilities exposed by triggering these sandbox violations.
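As an added example (not part of the original article or of Blue Cedar's own tooling), the following Python script parses console lines in the format quoted above and separates the violations this article describes as expected for the secured app from any other denials that still merit review. The extra sample lines (the file-read-data denial, its path and the OtherApp process) are constructed for the example, and the integer in deny(N) is assumed to be the coalesced occurrence count.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the article.
SAMPLE_LOG = """\
Feb 16 15:00:02 iPad-Pro kernel(Sandbox)[0] <Notice>: SandboxViolation: SecuredAppName(11910) deny(1) process-fork
Feb 16 15:00:02 iPad-Pro kernel(Sandbox)[0] <Notice>: SandboxViolation: SecuredAppName(11910) deny(1) sysctl-read kern.proc.all.0
Feb 16 15:00:02 iPad-Pro kernel(Sandbox)[0] <Notice>: SandboxViolation: SecuredAppName(11910) deny(1) sysctl-read kern.proc.all.0
Feb 16 15:00:05 iPad-Pro kernel(Sandbox)[0] <Notice>: SandboxViolation: SecuredAppName(11910) deny(1) file-read-data /private/var/constructed-path
Feb 16 15:00:07 iPad-Pro kernel(Sandbox)[0] <Notice>: SandboxViolation: OtherApp(12001) deny(1) process-fork
"""

# "SandboxViolation: <process>(<pid>) deny(<count>) <operation> [<argument>]"
VIOLATION_RE = re.compile(
    r"SandboxViolation: (?P<proc>[^()\s]+)\((?P<pid>\d+)\) "
    r"deny\((?P<count>\d+)\) (?P<op>\S+)(?: (?P<arg>.*))?$"
)

# Denials the article says are expected from the secured app's own checks
# (jailbreak detection). Anything else from the same app is flagged for review.
EXPECTED_OPS = {
    ("process-fork", None),
    ("sysctl-read", "kern.proc.all.0"),
}


def parse_line(line):
    """Parse one console line; return a dict or None if it is not a violation."""
    m = VIOLATION_RE.search(line.rstrip())
    if not m:
        return None
    v = m.groupdict()
    v["pid"] = int(v["pid"])
    v["count"] = int(v["count"])  # assumed: coalesced occurrence count
    return v


def triage(log_text, secured_app):
    """Split the secured app's violations into expected counts and a review list."""
    expected = Counter()
    unexpected = []
    for line in log_text.splitlines():
        v = parse_line(line)
        if v is None or v["proc"] != secured_app:
            continue  # not a violation, or another process entirely
        key = (v["op"], v["arg"])
        if key in EXPECTED_OPS:
            expected[key] += v["count"]
        else:
            unexpected.append(v)
    return expected, unexpected
```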