At the height of the hey.com / apple wars of the summer, hey exec dhh tried the argument that apple was blocking not just new functionality, but also bugfixes. The ‘security fix’ argument stuck because it’s a good argument. See also this banking example.

With a few months of hindsight it seems like hey, epic, et al were tilting at windmills; apple’s stranglehold on software distribution on their hardware isn’t a problem that can be solved well by civilian lawsuits.

But the ‘bug fixes’ argument still has legs. Security is everyone’s problem and safety is a pillar of apple’s brand. (Also I wonder if they’ll one day be found liable for failing to deploy a security fix. But part of the reason I wonder about this is that I’m not a lawyer).

With their app store, apple isn’t just monopolizing distribution on their hardware, i.e. the ability to list your app in their store and show up in searches, rank lists and recommendations. They’re monopolizing updating as well, i.e. the mechanisms by which changes to apps are deployed.

(They’re also monopolizing app review, which has privacy + safety implications that have nothing to do with this post. I’ll speak no more of it).

We should find a way to unbundle distribution from updates. A rich ecosystem of third party update providers would make life better for users and easier for developers.

Easy update problems aren’t being solved

There are a million obvious features for deploying program updates that don’t exist, or that only exist in weird polders like testflight or crashlytics. Updates aren’t rocket science but they aren’t trivial either.

What do you do when an update fails on certain hardware? How do you migrate data, how do you roll back failures? How do you collect data about crashes? How do you inform the user about what’s going on and let them decide when to take dangerous actions?

Small percentage rollout exists but is inconsistent, and other defensive deployment tactics like having prod + canary deploys installed side-by-side require substantial setup and often multiple kinds of distribution (prod in app store, beta via testflight / firebase).

Developers are forced to build this stuff themselves or, on platforms where that’s impossible, survive without it at massive cost in developer and user sweat + tears.

Imagine a world where these software update features worked well and consistently, were ‘cheap but not free’ so providers had the budget to deliver quality, were purchased on a competitive market that rewarded innovation, and didn’t require working with a bad-faith platform operator.

Users don’t love or trust updates

Automatic updates are good in that they close security holes and add functionality.

They’re bad in that they change functionality, add tracking, change settings, in extreme cases brick devices, and introduce bugs or incompatibilities. They’re also opaque – it’s not always clear what’s changing until its too late.

Serious users like corporations and governments are deeply suspicious of updates and audit them. When the department of interior bought DJI drones, they did an expensive verification that the drones weren’t phoning home, and noted that updates would have to be verified again. (They’ve since retired them).

Adding a third party in between the vendor and the end-user is an opportunity to share the cost of security audits across many users, to enforce policies around critical vs optional channels, and to add verification features to confirm that changelogs truly say what changed.

This isn’t just a mobile problem

Update ergonomics are bad on every form factor, not just on mobile where app update is tied to the stores.

Every desktop app store I’ve ever used makes my teeth ache. Not as much, though, as the crackpot ‘self updater daemons’ that come with some software to self-update. They often require rootkit-level permission, they run in the background all the time, they randomly use CPU, they scan your machine.

They seldom tell me what the update is other than ‘fixes and improvements’.

Servers are better because package managers are designed for headless updates, but even there a lot of projects have their own package repos because their release cadence is high or time sensitive.

I’m not an IOT expert but I’m guessing it’s still the wild west and most devices never get updated after shipping. Those that do will be dependent on internet connections, and lacking screens or a consistent management UX, won’t be transparent about what changed or permit rollbacks. There’s also a risk of bricking them.

Routers have been malware vectors in the past, and are headless so more brickable.

Even OS updates might benefit from a third party intermediary in cases where the end-user is security- or uptime-conscious. And also my seldom-opened gaming-only windows laptop is constantly popping update notices in the middle of important business. That msft ‘30% done’ BSOD with the newton’s cradle spinner is slowly radicalizing me, though I’m not sure to what.

Distribution is political, updates shouldn’t be

I recognize that these two things are hard to untangle, but here’s the line we should draw: if a user has my software, they intended to do business with me and should be allowed to continue. App stores can wield their power by regulating new installs, but leave existing installs alone.

The edge case here is ‘apple finds out some app is malware’. To this, I say:

  1. Illegal behavior should be blocked. Platforms can publish their evidence (like any other institution) and use ‘emergency powers’ to remove the bad actor
  2. But notifying users to remove an app gets you 80% of the way there without being as heavy-handed
  3. The OS permission model should be blocking bad behavior. If an app is exceeding its permissions, that’s not a bug in the app, that’s a bug in the OS
  4. Platforms have done a good job innovating the permission model for safety and privacy – for example, granting permissions ‘on feature use’ rather than ‘on install’. Giving users information and safe defaults for every app is better than blocking individual apps.

But my point is, don’t politicize updates. It annoys everyone and will get you into legal trouble.