App Store Success Lessons
Could an app store work for desktop computers? It may sound crazy, but think about it. The model has proved wildly successful for the iPhone, but that doesn't necessarily translate into the desktop realm. There are compelling arguments both for and against the idea.
First, let's consider Apple's iPhone app store as a model. Sure, it's not the only app store in town, but by pretty much any measure, it's been the most successful to date. (And yes, there have been various complaints about Apple's application approval process, but that's not the focus of this column.)
The iPhone is a closed platform, at least for users who play by Apple's rules and don't "jail break" their phones . In other words, the only way to get applications for your iPhone is to purchase them via Apple's iTunes system. And all iPhone apps must pass a vetting process.
Apple publishes a list of application requirements to developers through its iPhone Development Program. These consist of a set of fairly basic rules, such as requiring application developers to use only published application programming interfaces.
Once approved, applications receive a digital signature and are placed in the app store for purchase (for fee or for free). That digital signature is at the core of the system; only signed applications can be used on a (non-jail-broken) iPhone.
Of course, signed software is no guarantee that there's nothing malicious inside, or even that the app won't do any harm on an iPhone inadvertently. What a digital signature does provide is a tamper-evident seal, along with some degree of accountability of who wrote a particular app. Those are good things, but they don't guard against all security woes. Nonetheless, there are rules and restrictions that developers have to comply with if they want their apps to be sold through the Apple app store. In fact, it's restrictive enough to make success of the app store seem unlikely. After all, other app stores had been launched in the past (mostly for similarly specialized platforms), and they all pretty much floundered, never attaining the critical mass necessary to attract enough developers. And yet, with over 2 billion downloads of its more than 100,000 applications, the Apple app store been a huge popular success.
But is that success translatable to an app store for desktop PCs? Is there a point in trying it? Well, one problem with the current open system in place for PC applications is that desktop PCs have serious security problems. So, is the iPhone more secure as a result of the app store system?
Thus far, we've seen only a smattering of malware targeted at the iPhone. (One notable recent attack only affected jail-broken phones, which clearly is not an issue to anyone legitimately using the app store.) But, while the early results do look pretty good for Apple, the truth is that we probably need more time before we can really answer the question properly.
All right, say that you do accept that Apple's app store model has done good things for the iPhone's security. Does that present a sufficiently compelling argument to produce a more general-purpose computer app store platform? Desktop PC users have very different requirements than those of mobile smart phone users, but it's still worth considering.
One argument against a centralized app store is that no single outlet can meet all the needs of all users. But that doesn't seem to have hampered the iPhone's adoption rate much. With its "there's an app for that" mantra, Apple seems to be meeting a great number of users' needs. A general app store would need to get past the initial growth period before the masses could be assured that it would have all the apps they want, but the Apple experience provides compelling evidence that this could happen. (Though a general-purpose app store would lack Apple's one big advantage: Its iPhone was a huge hit, and the app store provided the only way for users to get apps for it.)
In the end, it's version management that makes me think a general app store is worth a shot. Let's face it, most computer users, even in corporate environments, aren't particularly good at keeping their systems and application software up to date with patches and new releases. With an app store, out-of-date software (including unpatched security vulnerabilities) would be pretty much a thing of the past.
It's clear from Apple's example, however, that an app store requires massive commitment to succeed. Still, a world where every single desktop PC is patched and running nothing but the latest versions of software sure sounds appealing.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.