David Heinemeier Hansson

April 9, 2021

The App Store is broken because it wasn't designed to work

When Kosta Eleftheriou first started revealing scam upon scam in the App Store, I have to admit I didn't quite get it. How were all these multi-million dollar scams being allowed into the App Store in the first place? And why weren't they being expediently removed when scores of customers complained in their 1-star reviews?

The answer turns out to be as simple as it is depressing: Apple's App Store was never designed to work. At least not in the way the company purports that it does. Apple presents the App Store as a highly curated, secure mall of apps which have been thoroughly vetted, and that you can safely install without any due diligence. But it's not and you shouldn't.

As part of Epic's lawsuit against Apple, we've come to learn that app reviewers typically review 50-100 apps per day, sometimes spending less than a minute reviewing an individual app. We've also learned that these reviewers are hired without any technical background, let alone any particular expertise with the iOS or macOS platforms.

There's a term for a practice like this: security theater.

That's not because of individual failings amongst app reviewers, but because nobody could possibly provide real security reviews with a workload like that. Even if they were highly qualified, which, in the case of app reviewers, they're also not.

Apple's own actual security people know this all too well. Patrick McGee from the Financial Times reports:

A senior Apple engineer compared the defences of its App Store against malicious actors to “bringing a plastic butter knife to a gunfight”, according to legal documents released on Thursday.

This really should have been obvious in retrospect. Apple brags that they have millions of applications in the App Store. How could they possibly review all of them properly up front?

The App Store is far more akin to the general internet than it is to any traditional software store. It's impossible to preemptively vet all of the internet, so security on the internet is instead based on hardened browsers, isolated processes, restricted device access, and other system-level protective techniques.

This is also how Apple manages macOS. You can install whatever software you'd like on your Mac, but the operating system provides a depth of protections to ensure apps don't get access to data they shouldn't. This model works! Apple's macOS is not overrun with security exploits and malware. No, it's not foolproof, and bad software does exist, but as Kosta has extensively documented, so too does it in the iOS App Store.

The key benefit Apple derives from using overworked and under-qualified personnel to review apps is business model enforcement and competitive leverage. App reviewers don't need any technical chops to threaten apps with expulsion from the store lest they pay up, nor do they need security expertise to deny apps that are being Sherlocked.

And as with security theater elsewhere, Apple can externalize the cost of the performance. App developers are the ones suffering from the inconsistent, capricious, and infuriating decisions made by reviewers who might at most spend a few minutes reviewing the work that took months or years to complete. That is a recipe for resentment.

The vague App Store guidelines – that are interpreted differently depending on which reviewer you happen to be assigned – are not meant to provide smooth, consistent passage through a rigorous but fair security and safety review process. They're meant to give Apple the cover to do whatever they want, whenever they want, to whomever they please. It's the essence of absolutist rule.

It does not have to be like this! It's completely within reach for Apple to admit that the current approach is broken. I know admitting a mistake is not an institutional virtue at Apple, but if the company could finally come to realize that the butterfly keyboard was fundamentally bust, I have some faith that they might come to realize the same about the absolutist App Store regime.

Apple needs to admit that they can't have millions of apps and project a picture of perfect safety. They should focus on the system-level protections like they do with their browser and with their entire macOS operating system. Then drop the security theater that's seeding cynicism.

Apple must accept their unique and critical position as the dominant maker of pocket computers in the US. Treat that role with the respect of a common carrier. Embrace net neutrality principles and treat all app makers the same regardless of business model or competitive standing with Apple's own offerings.

I want to believe that Apple doesn't actually want to be this monopolist bully. Steve Jobs’ original vision for the iPhone was that developers would make apps that ran via the web. No gatekeeping, safety provided by system-level protections. Apple should re-embrace the principles behind that vision applied to our native app world.

The tragedy of Darth Apple can still end in redemption. There's good underneath that monopoly mask. Take it off, Tim.
