Lesson 8.4 — Application sandboxing: how app store controls work and what to check for Option B
This lesson explains how application sandboxing works as the underlying mechanism behind Option B (application allow-listing and app store controls) in the Cyber Essentials Malware Protection control.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- explain what application sandboxing is and how it relates to Option B under Cyber Essentials 2026
- review trusted app sources and app store controls
- check app permission controls
- identify sideloading, rooting and jailbreaking risks
- review MDM/MAM controls
Why This Matters
The 2026 Cyber Essentials scheme recognises two malware protection options: anti-malware software (Option A, for Windows and macOS) and application allow-listing including app store controls (Option B, for all device types). Sandboxing is not a separate third option — it is the technical foundation that makes Option B effective on mobile and tablet platforms.
The most common problems are:
- assuming mobile devices are automatically safe;
- relying on sandboxing while allowing sideloading from unknown sources;
- allowing rooted or jailbroken devices;
- allowing unsupported OS versions.
The Core Rule
Cyber Essentials 2026 has two malware protection options: anti-malware software (Option A, for Windows and macOS devices) and application allow-listing including app store controls (Option B, for all device types including mobiles and tablets).
Sandboxing is not a separate third option. It is the underlying mechanism that makes Option B effective on mobile platforms — iOS and Android restrict what apps can access by design, which is sandboxing in practice.
What the CE Assessor Looks For
A strong position shows:
- devices using sandboxing are identified;
- operating systems are supported and updated;
- apps come from trusted or approved sources;
- sideloading is blocked or controlled;
- rooted or jailbroken devices are blocked from organisational access;
- app permissions are restricted or reviewed.
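The checks in this list can be run against a device inventory export before the assessment. The following is an added example, not part of the original lesson or of any MDM product: the field names, the approved-source list and the sample records are constructed assumptions, and a missing field is treated as missing evidence, so it produces a finding.

```python
# Added example. Field names and records are constructed, not a real MDM schema.
APPROVED_SOURCES = {"app_store", "google_play", "managed_catalogue"}  # assumption

# (finding text, predicate that is True only when the evidence is present and good)
CHECKS = [
    ("OS unsupported or not updated",
     lambda d: d.get("os_supported") is True and d.get("os_up_to_date") is True),
    ("app from unapproved source",
     lambda d: all(a.get("source") in APPROVED_SOURCES for a in d.get("apps", []))),
    ("sideloading not blocked or controlled",
     lambda d: d.get("sideloading_blocked") is True),
    ("rooted/jailbroken (or unverified) device has organisational access",
     lambda d: d.get("rooted_or_jailbroken") is False or d.get("org_access") is False),
    ("app permissions not restricted or reviewed",
     lambda d: d.get("permissions_reviewed") is True),
]

def review_option_b(devices):
    """Return {device name: [findings]} for devices recorded under Option B."""
    return {d["name"]: [msg for msg, ok in CHECKS if not ok(d)]
            for d in devices if d.get("malware_option") == "B"}

def unidentified(devices):
    """Devices with no malware protection option recorded (not yet identified)."""
    return [d["name"] for d in devices if d.get("malware_option") not in ("A", "B")]

SAMPLE = [  # constructed inventory export
    {"name": "iphone-01", "malware_option": "B", "os_supported": True,
     "os_up_to_date": True, "sideloading_blocked": True,
     "rooted_or_jailbroken": False, "org_access": True,
     "permissions_reviewed": True, "apps": [{"id": "mail", "source": "app_store"}]},
    {"name": "android-07", "malware_option": "B", "os_supported": True,
     "os_up_to_date": True, "sideloading_blocked": False,
     "rooted_or_jailbroken": False, "org_access": True,
     "permissions_reviewed": True, "apps": [{"id": "tool", "source": "apk_file"}]},
    {"name": "byod-tab-03", "malware_option": "B", "os_supported": False,
     "rooted_or_jailbroken": True, "org_access": True, "apps": []},
    {"name": "android-12"},  # never recorded against Option A or B
]

if __name__ == "__main__":
    for name, findings in review_option_b(SAMPLE).items():
        print(name, "PASS" if not findings else findings)
    print("no option recorded:", unidentified(SAMPLE))
```

An empty findings list means the record carries evidence for every check; it does not replace confirming the settings on the device itself.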
Common Mistakes
- assuming mobile devices are automatically safe;
- relying on sandboxing while allowing sideloading from unknown sources;
- allowing rooted or jailbroken devices;
- allowing unsupported OS versions;
- ignoring BYOD;
- ignoring app permissions.
Copy This
Keep this rule visible:
For mobile devices using Option B, prove that only approved apps can be installed and that the platform restrictions preventing unknown code from accessing organisational data, other apps, sensitive device features or the local network are intact.
Quick Checklist
Before moving on, make sure you can answer these:
- [ ] How many malware protection options does Cyber Essentials 2026 formally recognise?
- [ ] What does application sandboxing do on a mobile device?
- [ ] Name four resource types that sandboxing should restrict.
- [ ] Why is sideloading a risk?
- [ ] Why are rooted or jailbroken devices a problem?
Your Action
Do this now — it takes 10–20 minutes.
Check app store settings on all mobile devices. Confirm that only official app store installations are permitted. Record in Section MP.
Key Takeaway
For mobile devices using Option B, prove that only approved apps can be installed and that the platform restrictions preventing unknown code from accessing organisational data, other apps, sensitive device features or the local network are intact.
Your Workbook Activity
Complete: Application sandboxing and mobile app protection review record
Next Lesson
In the next lesson: Final malware protection review: coverage, evidence, exceptions and common failures