What is Sandboxing?
Posted 02/24/2012 at 2:23pm
| by Michael Simon

What is this "sandbox" that the developers keep talking about lately? And how is it utilized to make apps better for the end user?
Let's say you have a beautiful garden with a well-manicured lawn, shimmering koi pond and brilliant bands of flowering plants. Now imagine some jerk shows up and starts dumping trash, ripping out flowers and pouring toxic waste into the water--it would take months to clean and would never look the same.
But if there was a way to contain the damage, say by building a small box around the perpetrator, cleanup would be a breeze and the rest of your garden would stay pristine.
Replace "jerk" with "malware" and "garden" with "Mac," and you've got the essence of sandboxing, a security measure that, in Apple's own words, "protects the system by limiting the kinds of things an application can do, such as accessing files on disk or resources over the network." So if, for example, your favorite music player suddenly decides it wants to randomly trash files on your system, the virtual sandbox will prevent it from doing that.
How? Basically, sandboxing restricts apps (even Apple's) to their designed function, so, using the example above, the player would only have access to the songs in your "Music" folder (and even then, likely only read access). As you might assume, this is a load of work for developers, particularly for Mac staples that have enjoyed unfettered access to the OS for years. Somewhat in response to the outcry, Apple has since pushed the deadline for compliance back several times (from November 2011 to March and now to June) and expanded the number of "entitlements" (the list of functions apps are allowed to carry out).
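To make the "entitlements" idea concrete, here is an added example of what the sandbox configuration for the music player above might look like. It is not from the article or from any real app; the entitlements file is a property list that a developer embeds in the app's code signature, and the three keys shown are Apple's documented App Sandbox entitlement keys. Everything the app is not granted here (network access, write access to Music, the Downloads folder, and so on) is denied by default.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Entitlements for a hypothetical sandboxed music player (illustrative, not a real app). -->
<plist version="1.0">
<dict>
    <!-- Opt the app into the App Sandbox. Without this key the process runs unconfined. -->
    <key>com.apple.security.app-sandbox</key>
    <true/>

    <!-- Read-only access to the user's Music folder: the player can open songs,
         but cannot modify, move or delete them. -->
    <key>com.apple.security.assets.music.read-only</key>
    <true/>

    <!-- A file the user explicitly chooses in an Open dialog (for example a song
         stored outside ~/Music) becomes readable for that session only. -->
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>

    <!-- Deliberately absent, so denied by the sandbox:
         com.apple.security.network.client       (outbound network connections)
         com.apple.security.assets.music.read-write (changing files in ~/Music)
         com.apple.security.files.downloads.read-write (touching ~/Downloads) -->
</dict>
</plist>
```

The security point is the direction of the rule: the file lists what the app may do, and anything not listed is refused. A compromised or misbehaving player that tries to delete files elsewhere on disk is stopped by the kernel, not by the app's own good behaviour. On a Mac you can inspect what an installed app actually asked for with `codesign -d --entitlements :- /Applications/SomeApp.app` (the path is a placeholder).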
Sandboxing only applies to apps downloaded through the Mac App Store, so that leaves a whole landscape of potential malware. To address this--and possibly limit the headaches for developers following the rules--Apple plans to implement a new system called Gatekeeper in Mountain Lion that requires apps to carry a "digital signature" to ensure a freshly downloaded app is going to do what it says (once it's already been launched, however, Gatekeeper lets its guard down). By default, Mountain Lion refuses apps not downloaded from the Mac App Store or from an "identified developer," but that can be turned off.
So what does all this mean for you? Not much. Basically, all of this runs in the background and is virtually invisible to the user (save the occasional "Are you sure you want to open…" dialog box).