Month: January 2018

Two announcements last week paint a highly contrasted view of the state of the App Store for developers. On Thursday, Apple announced record-shattering App Store revenue over the Christmas holiday week:

App Store customers around the world made apps and games a bigger part of their holiday season in 2017 than ever before, culminating in $300 million in purchases made on New Year’s Day 2018. During the week starting on Christmas Eve, a record number of customers made purchases or downloaded apps from the App Store, spending over $890 million in that seven-day period.

“We are thrilled with the reaction to the new App Store and to see so many customers discovering and enjoying new apps and games,” said Phil Schiller, Apple’s senior vice president of Worldwide Marketing. “We want to thank all of the creative app developers who have made these great apps and helped to change people’s lives. In 2017 alone, iOS developers earned $26.5 billion — more than a 30 percent increase over 2016.”

At the bottom of the press release, Apple says that developers have earned a total of over $86 billion from the App Store. What’s really remarkable is the App Store’s rate of growth: over 30% of revenue since its launch was earned by developers solely in the past year.

On Friday, though, Panic announced the imminent discontinuation of Transmit for iOS. Cabel Sasser:

Transmit iOS made about $35k in revenue in the last year, representing a minuscule fraction of our overall 2017 app revenue. That’s not enough to cover even a half-time developer working on the app. And the app needs full-time work — we’d love to be adding all of the new protocols we added in Transmit 5, as well as some dream features, but the low revenue would render that effort a guaranteed money-loser. Also, paid upgrades are still a matter of great debate and discomfort in the iOS universe, so the normally logical idea of a paid “Transmit 2 for iOS” would be unlikely to help. Finally, the new Files app in iOS 10 overlaps a lot of file-management functionality Transmit provides, and feels like a more natural place for that functionality. It all leads to one hecka murky situation.

As Sasser points out, there are lots of reasons why Transmit may not have been successful enough to pay for its development. Perhaps it was too niche, but Sasser also says that Prompt — Panic’s SSH client — is doing fine. Perhaps its niche is better served by Coda for iOS, which supports the same file transfer protocols as Transmit, but also includes a full website editor. Maybe people using iOS devices — even iPads — don’t really want to use a file transfer app in isolation.

Therefore, sad as it is, I don’t think that Panic’s announcement is necessarily an indictment of the economics of the App Store on its own; but, it is a reminder of that nagging feeling I’ve long had that the environment of the App Store is, for whatever reason, not conducive to smaller developers.

It’s not just independent developers of utility apps that are struggling in the App Store, either. Simogo, a two-person game development studio that built its business on iOS games beginning in 2010, announced last month that their next game would be for consoles after a frustrating 2017:

This year, a lot of time we had planned to spend on our current project, ended up being spent on just making sure that our games would not be gone from the app store. Because sadly, the platform holder seems to have no interest in preservation of software on their platform. We can criticize and be angry and mad about it all we want, but we don’t think that any efforts we put in can change that direction. So, instead, we’re thinking a lot about how we can find ways to preserve our games, and our own history, because it is inevitable that our mobile games will be gone sometime in a distant, or not so distant future, as iOS and the app store keeps on changing and evolving. We don’t have a definitive answer, or any final ideas how this would be possible, but we’ll keep on thinking about it, and try to come up with solutions, and we welcome any input and ideas on this from you too!

And, though these criticisms have often originated from smaller developers, there’s evidence that the App Store is also frustrating for even the most recognizable of companies. Lukas Mathis:

Well, Nintendo’s new console is doing really well, their good iOS game «disappointed» Nintendo, while their shitty manipulative gambling-based mobile games seem to be doing well enough. And now, great iOS devs are leaving the platform.

Maybe Apple makes too many changes every year, and developers simply can’t keep up with those changes and add new capabilities. Maybe some developers are supporting their apps on more platforms than they are actually capable of. Maybe users too frequently demand that developers build and rapidly update apps for all of Apple’s platforms for free. Of course, it’s probably a combination of these factors and plenty more besides.1

I don’t think it would be fair to point out these criticisms of the App Store without also pointing to areas where Apple has made attempts at improvement. Two years ago, Phil Schiller was put in charge of the App Store; a few months later, the average amount of time an app spent in review dropped from a week to just two days. In iOS 11, Apple debuted a new version of the App Store that separated games from other types of apps, and introduced a news-like Today tab that spotlights all kinds of apps.

But something is clearly still not right in the App Store economy if developers are finding it as difficult as they are — generally speaking — to make a living building apps for one of the world’s biggest platforms. Making progress on this, I think, ought to be one of Apple’s highest priorities this year. 2018 marks the tenth anniversary of the App Store and, while they may generally be averse to marking historical milestones, it would be a shame if independent developers had less hope of a successful career this year than they did in 2008. Based solely on the revenue and growth Apple announced last Thursday, there should be hope for developers. The giant pool of money is clearly there; unfortunately, smaller developers simply aren’t seeing enough of it. Whether that change must start with things Apple controls, or developers, or users, I don’t know, but it would be a shame if the App Store becomes the place for virtually all users to download Facebook Messenger, Google Maps, and a manipulative game — and that’s it.


  1. Would smaller developers make a lot more money if Apple’s cut of App Store revenue worked more like a progressive tax policy instead of a flat rate?

Twitter:

There’s been a lot of discussion about political figures and world leaders on Twitter, and we want to share our stance.

No, there has been a lot of discussion about a world leader on Twitter.

Twitter is here to serve and help advance the global, public conversation. Elected world leaders play a critical role in that conversation because of their outsized impact on our society.

Blocking a world leader from Twitter or removing their controversial Tweets, would hide important information people should be able to see and debate. It would also not silence that leader, but it would certainly hamper necessary discussion around their words and actions.

Is there a difference in context if the world leader tweets an apparent threat to start a nuclear war from their personal account instead of their work account? I’m not being facetious; I’d actually like to know.

Also, it’s worth mentioning that I — and many others — are blocked from reading Donald Trump’s tweets. Doesn’t that conflict with Twitter’s desire to make sure discussion doesn’t get “hampered”?

Update: A Twitter spokesperson refused to comment on these questions beyond what was already in their blog post.

Tony Romm, Recode:

The Washington, D.C.-based Internet Association specifically plans to join a lawsuit as an intervening party, aiding the challenge to FCC Chairman Ajit Pai’s vote in December to repeal regulations that required internet providers like AT&T and Comcast to treat all web traffic equally, its leader confirmed to Recode.

Technically, the Internet Association isn’t filing its own lawsuit. That task will fall to companies like Etsy, public advocates like Free Press and state attorneys general, all of which plan to contend they are most directly harmed by Pai’s decision, as Recode first reported this week.

As an intervener, though, the Internet Association still will play a crucial role, filing legal arguments in the coming case. And in formally participating, tech giants will have the right to appeal a judge’s decision later if Silicon Valley comes out on the losing end.

The Internet Association’s members include Amazon, Facebook, Google, Microsoft, Netflix, and Twitter. That’s a lot of weight to be thrown behind someone else’s legal action; but, with powerful companies like those as members, I don’t see any reason why the Association couldn’t file its own suit. They should.

Julia Carrie Wong, the Guardian:

Amid unceasing criticism of Facebook’s immense power and pernicious impact on society, its CEO, Mark Zuckerberg, announced Thursday that his “personal challenge” for 2018 will be “to focus on fixing these important issues”.

Zuckerberg’s new year’s resolution – a tradition for the executive who in previous years has pledged to learn Mandarin, run 365 miles, and read a book each week – is a remarkable acknowledgment of the terrible year Facebook has had.

“Facebook has a lot of work to do – whether it’s protecting our community from abuse and hate, defending against interference by nation states, or making sure that time spent on Facebook is time well spent,” Zuckerberg wrote on his Facebook page. “We won’t prevent all mistakes or abuse, but we currently make too many errors enforcing our policies and preventing misuse of our tools.”

To be fair, that’s more than Jack Dorsey has pledged to do this year at the raging dumpster fire that he’s ostensibly in charge of.

Jason Snell, Macworld:

The T2 processor isn’t doing the heavy lifting in the iMac Pro—that’s the Intel Xeon processor with between 8 and 14 processor cores. The T2 is the brain behind that brain, running the subsystems of the iMac Pro from a single piece of Apple-built silicon. The result is a simplified internal design that doesn’t require multiple components from multiple manufacturers.

On most Macs, there are discrete controllers for audio, system management and disk drives. But the T2 handles all these tasks. The T2 is responsible for controlling the iMac Pro’s stereo speakers, internal microphones, and dual cooling fans, all by itself.

This is a great look at what the T2 does in the iMac Pro. It’s notable just how different it is compared to the T1’s functionality in recent MacBook Pro models.

I also collected a few tidbits about it last month after the first press and user previews of the iMac Pro began appearing around the web, and they — combined with Snell’s piece — paint an interesting picture about the future of the Mac. It sounds like there are plenty of additional tasks that could, at some point, be enabled by Apple’s custom silicon in their desktop and notebook products. In an article last year for Bloomberg, Mark Gurman and Ian King suggested that Power Nap could be made more efficient by porting it to Apple’s custom silicon. And, of course, “Hey, Siri” is likely to be coming to the Mac with a future MacOS update.

Karl Bode, Techdirt:

As such, we engage in this endless tug of war depending on how grossly-beholden the current FCC regulators are to regional telecom duopolies. Regulators not blindly loyal to giant ISPs will usually try to raise the bar to match modern needs, as Tom Wheeler did when he bumped the standard definition of broadband to 25 Mbps down, 4 Mbps up back in 2015. Revolving door regulators in turn do everything in their power to manipulate or ignore real world data so that the industry’s problems magically disappear.

Case in point: the FCC is expected to vote in February on a new proposal that would dramatically weaken the standard definition of broadband. Under the current rules, you’re not technically getting “broadband” if your connection is slower than 25 Mbps down, 4 Mbps up. Under Pai’s new proposal, your address would be considered “served” and competitive if a wireless provider is capable of offering 10 Mbps down, 1 Mbps up to your area. While many people technically can get wireless at these speeds, rural availability and geography make true coverage highly inconsistent.

This move, like most of the others made by Ajit Pai and the rest of the Republicans running the FCC, is indefensible. Who, anywhere, thinks that a lower standard for what constitutes “broadband” is what we need at a time when higher-bandwidth consumer services are growing?

Of course, in the near future, you can bet the FCC will begin touting how rapidly and widely they expanded broadband access under this administration.

Cade Metz and Nicole Perlroth of the New York Times have what is perhaps the best high-level summary of the flaws:

The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of a computer. There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.

[…]

According to the researchers, including security experts at Google and various academic institutions, the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.

The other flaw, Spectre, affects most other processors now in use, though the researchers believe this flaw is more difficult to exploit. There is no known fix [for] it.

Though there are two names, there are three flaws in total: CVE-2017-5754 is Meltdown, while CVE-2017-5753 and CVE-2017-5715 are, collectively, known as Spectre. If you want to see the effects of these bugs, Michael Schwarz — one of the researchers who discovered Meltdown — posted a short demonstration.

A 30% performance hit for Meltdown patches sounds pretty rough, but initial reports from some of the first patches indicate that there’s little to no noticeable difference. Microsoft updated their Azure cloud hosting service and isn’t generally seeing performance degradation, and I haven’t noticed any differences after updating to MacOS 10.13.2 and subsequently 10.13.3, both of which include fixes for Meltdown.

Chris Duckett, ZDNet:

While there have been concerns that patching the flaw could hit performance by a double-digit percentage, Linus Torvalds told ZDNet it will depend on workload.

“I think 5 percent for a load with a noticeable kernel component (eg, a database) is roughly in the right ballpark,” he said. “But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation.”

In addition, modern JavaScript engines run very close to the metal — as it were — and it’s possible to trigger an attack using similar vulnerabilities with a malicious webpage. Google has promised a Chrome update within a few weeks with a patch.

There’s an official website answering many questions you may have about these bugs, with now-de rigueur logos attached to major security flaws.

Update: Brian Krebs:

Leaving aside the brilliance of the people that found this Intel bug, may I submit that perhaps coining threat names and invoking cute icons is a gratuitous and disingenuous way to get people to care about an impossibly arcane flaw that they in all likelihood can’t do much about?

I’ve flitted between whether giving bugs names and logos is helpful or harmful. The KRACK WiFi bug was disclosed on the same day last year as a potentially more harmful flaw in the RSA encryption library, but the latter didn’t have a catchy name:

I get why security researchers are dialling up the campaigns behind major vulnerabilities. CVE numbers aren’t interesting or explanatory, and the explanations that are attached are esoteric and precise, but not very helpful for less-technical readers. A catchy name gives a vulnerability — or, in this case, a set of vulnerabilities — an identity, helps educate consumers about the risks of having unpatched software, and gives researchers an opportunity to take public credit for their work. But, I think the histrionics that increasingly come with these vulnerabilities somewhat cheapens their effect, and potentially allows other very serious exploits to escape public attention.

In this case, these are very serious bugs: it’s possible to exploit them in relatively passive ways, the effects can be very damaging, and — as far as Spectre goes — there’s no way to fix it without a complete change in processor design. If these bugs had remained as CVE numbers, it’s unlikely that many people outside of the computer security world would know about them.

But does that matter? As far as I can figure out, there’s no proof that these branding efforts encourage consumers or software vendors to update their software any quicker. And, as noted above, there’s nothing consumers can do about the Spectre vulnerabilities until they buy a new computer or phone — and perhaps not for another generation or two. The branding of vulnerabilities has, absolutely, made the efforts of security researchers more notable, and there is a reasonable argument to be made for the value of that; it also makes everyone more aware that the technology they rely upon is not as secure as we want to believe it is.

Update: Contrary to some of the reporting above, Intel says that Meltdown and Spectre can be patched with software and firmware updates.

Duke University’s Center for the Study of the Public Domain:

Current US law extends copyright for 70 years after the date of the author’s death, and corporate “works-for-hire” are copyrighted for 95 years after publication. But prior to the 1976 Copyright Act (which became effective in 1978), the maximum copyright term was 56 years—an initial term of 28 years, renewable for another 28 years. Under those laws, works published in 1961 would enter the public domain on January 1, 2018, where they would be “free as the air to common use.” Under current copyright law, we’ll have to wait until 2057. And no published works will enter our public domain until 2019. The laws in other countries are different—thousands of works are entering the public domain in Canada and the EU on January 1.

The good news is that this is, theoretically, the last year since 1998 where no new works will enter the public domain in the United States. The bad news is that you can bet that Disney will — as ever — lobby hard to extend that public domain drought for several more years.

Last week, a post caught fire alleging that there was a major design flaw in Apple’s new Chicago store: a large amount of snow built up on its roof, causing the area around the store to be closed off for safety reasons. Nick Statt of the Verge transformed this observation into an assertion that “Apple’s flagship Chicago retail store wasn’t designed to handle snow”. That would be a major oversight for Apple and Foster + Partners, which designed the store, but both companies have buildings located in snowy regions.

According to an Apple spokesperson, though, the cause was a technical malfunction in the roof heating system, which was installed to prevent snow buildup.

I get that stories about Apple tend to attract a gravitas that is associated with few other companies. Despite being the most valuable publicly-traded company in the world, they are seemingly always teetering on the brink. The story about the Chicago store’s roof came in at the tail end of a river of honestly-earned negative press for Apple: a series of pretty nasty bugs, a delayed HomePod release, and poorly-communicated device throttling when a recent iPhone’s battery has degraded.

In the rush to report problems and apparent controversies, though, it’s worth taking a step back and exercising skepticism. Could there have been another reason for the buildup of snow on the Chicago store’s roof? Adam Selby recognized that the roof could be heated, for example.

Rene Ritchie of iMore wrote about the biggest problems facing Apple in 2018:

Apple gets told it’s wrong all the time. Doesn’t matter if it’s iPhone or AirPods. The minute Apple announces anything new or different, some percentage of coverage and customers race to tell the company how limited, expensive, and just plain stupid it is. Then, more often than not, a few or many months later, that product breaks records in sales and satisfaction, and goes on to lead the industry for years to come.

[…]

When you’re told you’re wrong over and over again only to be proven right over and over again, you stop paying attention. You begin to think that if you just weather the initial storm, everyone will inevitably come to see what you saw, and then you can move forward together. You can get on with making faster cars.

But even if that’s true nine out of ten times — even 99 out of 100 times — there are those few times when it’s not true. When it’s just flat out wrong. And you never see it coming.

This is Apple’s risk when experimenting with each update, but it is also a risk for users and writers when controversy is seen where none exists. If everything is a top-priority grade-A indication of Apple’s failings, then nothing is.

Martin Matishak, Politico:

Some industry leaders and lawmakers thought September’s revelation of the massive intrusion — which took place months after the credit reporting agency failed to act on a warning from the Homeland Security Department — might be the long-envisioned incident that prompted Congress to finally fix the country’s confusing and ineffectual data security laws.

Instead, the aftermath of the breach played out like a familiar script: white-hot, bipartisan outrage, followed by hearings and a flurry of proposals that went nowhere. As is often the case, Congress gradually shifted to other priorities — this time the most sweeping tax code overhaul in a generation, and another mad scramble to fund the federal government.

If you think those invested in Equifax’s trustworthiness and reputability would have punished the company, there’s bad news there, too: the stock has regained over 50% of the value it lost in the days after Equifax announced that they had been breached, and it’s basically flat compared to the same time last year.

The mountain of lawsuits directed at Equifax is, sadly, the biggest chance consumers have at getting the company to pay for their incompetence — “sad” because these lawsuits are very expensive and, had proactive legislation been in place already, completely unnecessary.

Gunes Acar, Steven Englehardt, and Arvind Narayanan of Princeton’s Center for Information Technology Policy:

The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.

The image above shows the process. First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.

Russell Brandom, the Verge:

The plugins focus largely on the usernames, but according to the researchers, there’s no technical measure to stop scripts from collecting passwords the same way. The only robust fix would be to change how password managers work, requiring more explicit approval before submitting information.

I’m not sure if I’ve come across these scripts specifically, but on a few occasions, I have been surprised to see a Face ID indicator appear while visiting a website, without explicitly tapping in a login form. I appreciate automatically-filled forms, but I do wish browsers would ask my permission first before handing over my email address and password.

Also, I think it’s worth pointing out how deliberate this is on the part of the trackers in question. Someone had to write the code to track users in this manner. Moreover, someone who manages them had to approve of this tracking mechanism. I can think of no circumstance under which someone could consider this kind of tracking ethical or morally sound.
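
The pattern the researchers describe, a script inserting an invisible login form that the login manager then fills, is something a site owner can audit their own third-party tags for. The JavaScript below is an added example, not code from the Princeton study or from this post; the record shape, form ids and `.example` domains are constructed assumptions, and in a browser the same fields could be collected with `MutationObserver`, `getComputedStyle()` and `getBoundingClientRect()`.

```javascript
// Added example: audit script-inserted forms for the invisible-login-form pattern.
// The record shape below is an assumption of this example, not a browser API.

// True when a user could not plausibly see or interact with the form.
function isInvisible(style, rect) {
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  if (Number(style.opacity) === 0) return true;
  if (rect.width <= 1 || rect.height <= 1) return true;
  // Entirely above or to the left of the viewport (off-screen positioning).
  return rect.left + rect.width <= 0 || rect.top + rect.height <= 0;
}

// A saved login is filled into an identity field paired with a password field.
function isCredentialForm(inputs) {
  const hasPassword = inputs.some((i) => i.type === 'password');
  const hasIdentity = inputs.some((i) => i.type === 'email' || i.type === 'text');
  return hasPassword && hasIdentity;
}

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (err) {
    return null; // inline script or unparsable source URL
  }
}

// Returns one finding per suspicious inserted form, 'high' severity first.
function auditInsertedForms(records, pageUrl) {
  const pageOrigin = originOf(pageUrl);
  const findings = [];
  for (const rec of records) {
    if (!isCredentialForm(rec.inputs)) continue;
    const hidden = isInvisible(rec.style, rec.rect);
    const scriptOrigin = originOf(rec.insertedBy);
    const thirdParty = scriptOrigin !== null && scriptOrigin !== pageOrigin;
    if (!hidden && !thirdParty) continue; // ordinary first-party login UI
    const reasons = [];
    if (hidden) reasons.push('invisible-credential-form');
    if (thirdParty) reasons.push('inserted-by-third-party-script');
    const severity = hidden && thirdParty ? 'high' : 'review';
    findings.push({ formId: rec.formId, scriptOrigin, reasons, severity });
  }
  const rank = (f) => (f.severity === 'high' ? 0 : 1);
  return findings.sort((a, b) => rank(a) - rank(b));
}

// Constructed sample: forms inserted by scripts on https://shop.example/account
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };
const SAMPLE_PAGE = 'https://shop.example/account';
const SAMPLE_RECORDS = [
  { formId: 'signin-modal', insertedBy: 'https://shop.example/js/app.js',
    style: VISIBLE, rect: { left: 200, top: 120, width: 320, height: 180 },
    inputs: [{ type: 'email' }, { type: 'password' }] },
  { formId: 'sso-widget', insertedBy: 'https://login.idp.example/widget.js',
    style: VISIBLE, rect: { left: 200, top: 300, width: 320, height: 200 },
    inputs: [{ type: 'text' }, { type: 'password' }] },
  { formId: 'newsletter', insertedBy: 'https://widgets.mail.example/n.js',
    style: VISIBLE, rect: { left: 40, top: 900, width: 300, height: 60 },
    inputs: [{ type: 'email' }] },
  { formId: 'f_0', insertedBy: 'https://tags.tracker.example/t.js',
    style: { display: 'none', visibility: 'visible', opacity: '1' },
    rect: { left: 0, top: 0, width: 0, height: 0 },
    inputs: [{ type: 'email' }, { type: 'password' }] },
];

console.log(JSON.stringify(auditInsertedForms(SAMPLE_RECORDS, SAMPLE_PAGE), null, 2));
```

A `review` finding, such as a visible third-party sign-in widget, needs human triage; `high` corresponds to the invisible, third-party case in the quoted passage.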