Application-level sandboxing on devices

What is claimed is: 1. A system, comprising: a processor configured to: receive, by an operating system executing on a device, a request to launch an application; determine that a stored copy of the application should be automatically executed within an application-level sandbox provided by a third party host application each time it is launched, until a triggering event takes place; execute the stored copy of the application in the application-level sandbox provided by the third party host application, wherein the third party host application provides a framework layer that provides hooking functionality for monitoring system calls made by the application; monitor behavior of the application during execution of the application in the application-level sandbox; and determine that the triggering event has taken place and take an appropriate action including by executing the stored copy of the application outside of the application-level sandbox; and a memory coupled to the processor and configured to provide the processor with instructions. 2. The system of claim 1 , wherein the processor is further configured to detect malicious behavior during the monitored execution of the application in the application-level sandbox. 3. The system of claim 2 , wherein the processor is configured to detect the malicious behavior at least in part by detecting attempted malicious network activity. 4. The system of claim 3 , wherein the processor is further configured to block at least a portion of the attempted malicious network activity. 5. The system of claim 3 , wherein the attempted malicious network activity includes an unauthorized attempt to exfiltrate data from the device. 6. The system of claim 3 , wherein the attempted malicious network activity includes an attempt to contact a known malicious domain. 7. The system of claim 1 , wherein the application-level sandbox is configured to log data during the execution of the application in the application-level sandbox. 8. The system of claim 7 , wherein the system is configured to transmit collected data to a remote server for analysis. 9. A method, comprising: receiving, by an operating system executing on a device, a request to launch an application; determining that a stored copy of the application should be automatically executed within an application-level sandbox provided by a third party host application each time it is launched, until a triggering event takes place; executing the stored copy of the application in the application-level sandbox provided by the third party host application, wherein the third party host application provides a framework layer that provides hooking functionality for monitoring system calls made by the application; monitoring behavior of the application during execution of the application in the application-level sandbox; and determining that the triggering event has taken place and take an appropriate action including by executing the stored copy of the application outside of the application-level sandbox. 10. The method of claim 9 , further comprising detecting malicious behavior during the monitored execution of the application in the application-level sandbox. 11. The method of claim 10 , wherein the detecting malicious behavior includes detecting attempted malicious network activity. 12. The method of claim 11 , further comprising blocking at least a portion of the attempted malicious network activity. 13. The method of claim 11 , wherein the attempted malicious network activity includes an unauthorized attempt to exfiltrate data from the device. 14. The method of claim 11 , wherein the attempted malicious network activity includes an attempt to contact a known malicious domain. 15. The method of claim 9 , wherein the application-level sandbox is configured to log data during the execution of the application in the application-level sandbox. 16. The method of claim 15 , further comprising transmitting collected data to a remote server for analysis. 17. A computer program product embodied in a tangible, non-transitory computer readable storage medium and comprising computer instructions for: receiving, by an operating system executing on a device, a request to launch an application; determining that a stored copy of the application should be automatically executed within an application-level sandbox provided by a third party host application each time it is launched, until a triggering event takes place; executing the stored copy of the application in the application-level sandbox provided by the third party host application, wherein the third party host application provides a framework layer that provides hooking functionality for monitoring system calls made by the application; monitoring behavior of the application during execution of the application in the application-level sandbox; and determining that the triggering event has taken place and take an appropriate action including by executing the stored copy of the application outside of the application-level sandbox. 18. The computer program product of claim 17 , further comprising computer instructions for detecting malicious behavior during the monitored execution of the application in the application-level sandbox. 19. The computer program product of claim 17 , wherein the application-level sandbox is configured to log data during the execution of the application in the application-level sandbox. 20. The computer program product of claim 19 , further comprising computer instructions for transmitting collected data to a remote server for analysis.