Wednesday, July 25, 2007

Opening up the iPhone to (useful) apps

One of the earliest gripes on the iPhone was that it would fail because it’s closed to third-party ISVs who want to write native software applications. In research papers presented at conferences earlier this year, Mike Mace and I questioned whether this was the relevant metric: after all, CD players, DVD players and iPods have sold for years without postload software, so if the iPhone is an entertainment device, then the relevant complement would be content, not software.

However, the iPhone is getting software too. Since the iPhone day, there have been a few developments (so to speak) on developing software for the iPhone:

  • Apple has posted official information on iPhone development, which in its view is mainly about using Safari on a Mac or Windows machine to prototype web apps that run on the iPhone.
  • The other approved solution is porting Dashboard widgets originally developed for OS X — most of them freeware. Since widgets are just HTML, porting should be relatively easy, and lots of beta widgets have been released. While Apple talked about this at WWDC in June, there’s nothing yet on the developer website.
  • Apple is also not providing a hardware developer note like they have been providing for other computers over the past 20+ years. Is that because the product design is secret, or because they want developers to focus on the publicly supported web-based APIs?
  • As Doug Klein let me know, the weekend after the iPhone release there was an iPhoneDevCamp in SF hosted by Adobe. Since I don’t own an iPhone — and since SF is all of 100km away — I decided not to go, but it sounds like that was a mistake.
  • A hacker at iPhone Dev Wiki has built a “Hello, World” program for the iPhone. (NB: If you failed “C” programming, this is the canonical one-line program for any development system).

There have been some interesting experiments. Does the iPhone have extra storage? iPhoneDrive allows you to use it as a heavy, overpriced USB memory stick. Not enough storage? Brian Landau of Box.net is plugging his freemium remote storage solution, now available for the iPhone.

Apple thus gets a decidedly mixed score for openness to ISVs, but the jury is still out. Will the iPhone eventually be open to native 3rd party apps? And, in the end, will platform-specific apps really matter to adoption?

The one form of app that iPhone users don’t want is malware — viruses, worms or other security exploits. This week some security experts got free press by reporting how they exploited the iPhone’s vulnerabilities. That they were seeking publicity is pretty clear, given the line at the bottom of the web page describing the exploit: “You can contact us at media [at] securityevaluators.com. We can also be reached by phone at 443-270-2296.” They also set an Aug. 2 deadline for Apple to fix the problem before they will release all the details on how to duplicate the exploit.

On the one hand, the iPhone vulnerability could be an inherent problem due to the power of such a mobile device. Vnunet.com quoted the president of encryption firm PGP as saying:

“There are so many security issues with the iPhone, because it is not just a phone,” he said. “From an IT guy’s perspective it is a Linux computer with communications built in.”

On the other hand, the report notes that the iPhone runs all Java apps in the single, privileged administrator mode. As a column in Electronic Design pointed out, there's a known fix for this: have multiple protection levels (like two).

This is not rocket science: when I was writing VAX/VMS code back in 1980, us peon ISVs knew there were privileged (system-mode) apps because we couldn’t write them (or, perhaps more accurately, couldn’t install them). Apple’s had people working on security issues for decades, so one has to assume this was a get-it-out-the-door issue. As with any security issue, Apple (like other vendors) will be expected to issue a free field upgrade to solve this problem: it will be interesting to see what the OS update mechanism is for the iPhone.

Also, the iPhone isn’t going to get the free pass on security that OS 9 and X did. Nobody wrote viruses for the Mac because the small market share meant they probably wouldn’t propagate, and almost nobody would care. The iPhone will probably have enough market share among U.S. smartphones (and more than enough visibility) to attract a large supply of crackers.

The aforementioned “information security” experts included one snarky (but telling) comment on the iPhone’s security priorities:

Q: Does this add credence to Apple's position that 3rd party applications are not allowed on the iPhone for security reasons?

A: We don't think so. Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model, rather than protecting the user (which is, of course, an entirely understandable position). For example, a constrained environment is used to prevent users from loading new ringtones onto the phone, but the applications are not run in a constrained environment to contain damage caused by hackers who exploit them.

If Apple is closing out rival providers of user benefit — but not malicious exploits — that would not only be real proof of a closed platform, but also a sober reality check for Apple’s supposed emphasis on the user experience.
