The Internet was designed to evolve in a distributed fashion. Individual machines which were connected to the Internet were given the power to decide who people should talk to for a service in which they are interested. In the entire design of the network layer, there were no gatekeepers except for very basic functionality such as allocation of Internet Protocol addresses and root servers for resolving top-level domains like .com, .org, and .net. Anyone could connect to the Internet and start providing or consuming a service.
As a result, the Internet saw rapid growth in the 1990s and 2000s. Many services such as emails, websites, and chats came up and became an important part of the Internet ecosystem. They enabled the sharing of information and e-commerce. To access a website, all we needed was a web browser. The standardisation of protocols and languages made this easy. In the beginning, Yahoo provided a directory of websites under various categories. As the number of websites exploded, a search engine, Google, came up to quickly provide a list of web pages that matched our search queries.
Ceding control
And then came mobile devices. When Apple came up with the iPhone, everyone began porting their websites so that these sites could be easily viewed on small hand-held devices. Apple also urged third-party developers to build web applications (apps) that could run on its Safari browsers. But then developers wanted the same control over the devices that Apple had. They wanted the ability to ship native apps on these hand-held devices. Apple opened the App Store for third-party native code on July 10, 2008.
Apps are software programs that can run natively on mobile phones. Running untrusted software, and natively at that, is a security nightmare. With direct access to the machine, apps can exploit local privilege escalation vulnerabilities and take control of the device. These are vulnerabilities that cannot be exploited remotely. Understanding the risk of running untrusted native code, Google’s security team came up with a wonderful sandbox called Native Client in 2009. With only a few changes, software can run safely inside it on user devices. But none of that materialised and the app stores continue to allow apps as usual.
Web standards, on the other hand, evolved into accepting JavaScript as a safe-enough language to do client-side computing. Supported by browsers, it became the standard for running untrusted software on users’ machines. It presented a decent sandbox that eliminated a lot of security threats so that people could browse untrusted websites without much danger. Over time, JavaScript matured, hardened, and presented a decent way to run untrusted code.
But businesses loved the apps. It meant they could run their native code on millions of machines, unhindered. They started pushing their users to install their apps rather than providing their services through the standardised browser. The users were told that the apps would provide a far more “immersive” experience than a website could ever give. But to get such an experience, users needed to cede control over their SMSs, photos, videos, and location. They also had to lose the controls that a web browser provided, such as blocking advertisements.
The gatekeepers, the app stores, tried to allay users' fears by saying that these apps are safe. Yet, newspapers are filled with stories of app stores containing apps that carry malware, commit financial fraud, or even steal private information. Apps were wonderful for everyone except the users, who have been at the receiving end of various unscrupulous apps. Developers can publish their apps on app stores and get users to install their apps (untrusted native code) on their phones just because the app stores say they are safe.
A decade ago, I had highlighted these security issues with the apps and why web browsers are a better alternative. But people loved apps, businesses loved apps, and now the app stores love apps because they can impose an app tax ranging from 15% to 30%. The businesses, which loved apps for the control they got over the users, are now enraged. They believe that they had only signed up to get control over the users and not to share revenue.
Anti-trust cases have been filed across the globe against organisations such as Google for abusing their dominant position. Even when Epic Games won its court cases, there was little succour as Apple kicked out Epic Games from its App Store. Google lost its Play Store case against the Competition Commission of India, which ruled that Google is abusing its dominant position and fined it ₹1,337 crore. But Google came back with a rehashed version of the app tax calling it User Choice Billing and started removing apps from the Play Store.
A raging battle
The battle between businesses and app stores is far from being settled. It seems unlikely that the app stores will easily give up the lucrative revenue coming from the app tax. Instead of rethinking whether we need to go back to web services accessible on a web browser, businesses want an app store that doesn’t have any app tax. Some have even advocated an Indian app store in national spirit.
Irrespective of how this battle between app stores, business, and courts pans out, it should be clear to the users that apps are not the way they should have chosen to access Internet services. The “immersive” experience was drowning the users earlier and is now drowning businesses. In the end there will be only two winners, the ones that control the app stores: Apple and Google.
Sushant Sinha has done his PhD in Computer Science from the University of Michigan, Ann Arbor, and currently runs the Indian Kanoon website, a search engine for Indian law.