Personal computers started out simple. So simple that you could just type in programs and run them, save them, and even give them to your friends. But over time, things got more complicated. A lot more complicated.
To a kid growing up in the 1980s, the idea that the maker of your computer would actively stop you from using software it didn’t approve of would have seemed beyond the pale. It certainly would’ve been a deal-breaker. And yet so many of today’s computing devices are locked down–for some good reasons, but also a lot of bad ones.
What do we want the world to look like in the future? Is the destiny of the most important invention of the last half-century, the computer, to become a series of locked-down devices controlled by the giant companies that designed them? Should the iPhone be the model for all future devices?
If Apple’s locked-down approach in the App Store era is our future, it’s a bleak one indeed. But there’s good news: Apple has also built a system that provides security, flexibility, and responsibility while letting device owners run the software they want to run.
It’s called the Mac. When we consider the future of computing devices, the Mac is the model we should aspire to, not the iPhone.
Original sin
When Apple introduced the iPhone in 2007, it was completely locked down. The only apps on it were the ones that came with the operating system, and while everyone immediately assumed that someday third-party software would come to the device, in the interim, Steve Jobs extolled the virtue of the open web as a “sweet solution” for people who wanted their phones to do a bit more.
But Apple didn’t make this decision out of some sort of strategy. The iPhone came together quickly and was still being put together in the months leading up to its ship date. Apple was still struggling internally with building apps that would work and had no time to build any sort of infrastructure to allow other parties to write software for the device. (That didn’t stop people from doing it anyway.)
A year later, Apple announced the App Store. And there’s a lot to commend the App Store for: It got regular people used to buying and downloading software in a way that had never happened before. Despite Apple’s frequent claims to the contrary, there was plenty of software for sale on the internet before the App Store, but you couldn’t buy and run it with the ease of buying a single from iTunes.
(Yes, the App Store was a hastily rewritten version of the system Apple used for iTunes, a decision that sealed the fate of Apple’s software platform as a hit-driven marketplace backed by systems designed for record companies to upload music.)
The App Store was brilliant. It created an entire app economy and allowed software developers to build sustainable businesses. The problem with the App Store is that Apple decided it would be the only way anyone could distribute software for the iPhone.
There’s absolutely nothing fundamental in the App Store concept that requires it to be the only pathway for software on the iPhone. But limiting things to the App Store gave Apple complete control of its new software platform, which in those early days was very much still under construction. I understand why Apple had that impulse, why it wanted to protect what it was building, and why it didn’t want the iPhone to be defined by software in any way that Apple didn’t agree with.
But over time, the inevitable happened: Apple used the exclusivity of the App Store and its total control over the platform to extract money through rent-seeking and to bar businesses from admitting that the web existed outside their apps. Perhaps worst of all, the App Store’s exclusivity allowed Apple to essentially treat app developers as Apple employees, forcing them to follow Apple’s guidelines and please Apple’s approval apparatus before their apps would be allowed to be seen by the public. Whole classes of apps were banned entirely, some publicly, some silently.
The problem of the Mac
A few years later, Apple began planning how to bring the Mac into the App Store universe. However, macOS was designed in a much earlier era and didn’t offer the level of lockdown that Apple built into iOS. Rather than attempting to lock down the Mac and make it more like iOS, the company wisely chose a different path.
Today’s macOS is a reflection of that decision, and it’s undeniably the right one–not just for the Mac but for every computing device we own.
Here’s how Apple did it: It launched the Mac App Store, yes. It’s a curated library of apps that follow Apple’s specific security and privacy rules, the App Sandbox requirement among them. Those rules are strict enough that many apps simply can’t be in the App Store, despite Apple’s occasional loosening of the rules to lure such apps back into the store. (Those rules sometimes tighten again after loosening, driving existing App Store apps back into the wilderness.)
But this is the beauty of software on the Mac: If your app doesn’t fit in the App Store, you just… don’t put it there and sell it yourself. You lose the showcase of Apple’s curated library, but you can still make a business on the outside.
Today’s computing world is also more dangerous than the one in which macOS was originally devised, so Apple cleverly built a multi-tiered approach to running software on macOS. (Never let anyone tell you that there’s no way Apple could open up iOS to software beyond the App Store. The very smart people at Apple have already solved the problem, and they did it for the Mac.)
Here’s how it works: At the center of the circle of trust are App Store apps. These are the most blessed of Mac apps because they conform to Apple’s specific App Store standards and have been individually reviewed by App Store staff members. A Mac can be set to only run apps from the App Store, though it’s not the default.
One level out are what are called notarized apps. These apps live outside the App Store (you can just download ’em from the internet!) but they’ve gone through an automated validation process by Apple. Developers have to be enrolled in Apple’s Developer Program and sign the app with their own Developer ID certificate; they then upload it to Apple’s notary service, which scans it for malware and other irregularities and, if it passes, issues a notarization ticket tied to the app’s code signature. Developers can staple that ticket to the app so Gatekeeper can check it even when the Mac is offline.
Notarized apps are not vetted the way App Store apps are, but they come from a developer Apple has identified, they have passed Apple’s automated scans, and they can’t be tampered with after leaving the developer without detection, because any change breaks the developer’s code signature that the notarization ticket is bound to, and Gatekeeper will then refuse to open the app. macOS is happy to open notarized apps by default, without any warning beyond a dialog on first launch noting that the software was downloaded from the internet. Most Mac apps you download outside the App Store these days are notarized.
In the early days of notarization, the fear was that Apple might use the process to create another App Store approval process. You can see how that might happen: Apple could decide to reject apps because they aren’t in a category that Apple likes or because they use private Apple APIs that the company would prefer third-party developers not access. But in practice, Apple has kept to its promise to limit how it processes these apps.
Apple also keeps a “kill switch” in reserve: it can revoke a particular app’s notarization ticket, or revoke a developer’s signing certificate and thereby stop every app from that developer from launching, if they’re found to be dangerous. It’s another pathway that’s ripe with potential for abuse, but Apple has kept its promises and limited its use of these pathways to stomping out malware.
However, the danger does exist that Apple could tighten the screws at any time. I’m troubled by its initial refusal to notarize emulators on iOS in the EU, because–while Apple seems to have backed off–it’s a move that points out that notarization of apps is only benign because Apple allows it to be so.
Still, even if Apple were to tighten those screws, macOS continues to offer alternatives for software distribution. At the edge of the circle are non-notarized apps: apps that don’t need to be from registered developers and that Apple has never scanned or issued a ticket for. Some of these apps are from open-source projects that refuse to pay for an Apple developer account; others are operating in gray legal areas.
The important thing is that you can still run these apps. A few years ago, at one of the last in-person WWDC events, an Apple representative stood on stage and said that Apple will never stop users from running code they want to run on their Macs, and we all need to hold them to that.
Unfortunately, running these apps is getting harder. While I understand that Apple sees them as a vector for malware, spyware, and other nefarious things, it has also gone too far in making them hard to run. As of macOS Sequoia, the old Control-click-and-Open shortcut no longer works: launching one of these apps requires you to attempt to launch it and be refused, then visit the Privacy & Security section of System Settings, click “Open Anyway,” click through a stern warning, and enter an administrator password. There’s no setting that lets users opt out of this dance; you have to do it for every non-notarized app you install.
Still, Apple hasn’t broken that promise: If you want to run a non-notarized app, you can do it. Apple won’t stop you. It may scare you, cajole you, and hide the button that allows you to run that app in the basement in a disused lavatory behind a door with a sign on it that says “Beware of the Leopard,” but it will let you run it.
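The three tiers described above are exactly what Gatekeeper’s own assessment tool reports, and you can check which tier an app you’ve downloaded falls into before you launch it. The shell script below is an added example, not code from the article or from Apple: it sorts an app into the article’s tiers from the verdict that `spctl --assess` prints. The sample verdicts, app paths, company name and team ID embedded in it are constructed placeholders, and the `assess_app` and `verify_signature` helpers only do real work on a Mac.

```shell
#!/bin/sh
# Added example (not from the article): classify a Mac app into the article's
# three Gatekeeper tiers (App Store, notarized, non-notarized) from the verdict
# that Apple's `spctl --assess` prints.
#
# On macOS, `spctl --assess --type execute -vv <app>` writes a verdict to
# stderr of the form:
#   /Applications/Foo.app: accepted
#   source=Notarized Developer ID
#   origin=Developer ID Application: Example Corp (ABCDE12345)
# The samples below are constructed, representative copies of that output;
# the paths, company and team ID are placeholders, not real apps.

SAMPLE_APP_STORE='/Applications/Foo.app: accepted
source=Mac App Store'

SAMPLE_NOTARIZED='/Applications/Bar.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_UNNOTARIZED='/Applications/Baz.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_UNSIGNED='/Applications/Qux.app: rejected
source=no usable signature'

# Reads an spctl verdict on stdin and prints the tier: app-store, notarized
# or unnotarized. Anything Gatekeeper rejects, or accepts for a reason other
# than the App Store or a notarization ticket, lands in the outermost tier.
classify_gatekeeper_verdict() {
    verdict=$(cat)
    case "$verdict" in
        *": rejected"*)                    echo unnotarized ;;
        *"source=Mac App Store"*)          echo app-store ;;
        *"source=Notarized Developer ID"*) echo notarized ;;
        *)                                 echo unnotarized ;;
    esac
}

# Runs the real assessment. Only meaningful on macOS; elsewhere it returns 2.
assess_app() {
    app=$1
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check only runs on macOS" >&2
        return 2
    fi
    # --type execute asks for the launch policy; -vv adds the source/origin
    # lines; spctl prints the verdict on stderr, hence 2>&1.
    spctl --assess --type execute -vv "$app" 2>&1 | classify_gatekeeper_verdict
}

# Independent integrity check: codesign verifies the developer's signature,
# which is what breaks if the bundle was modified after it was notarized.
# (`xcrun stapler validate "$app"` additionally confirms a stapled ticket,
# but needs the Xcode command line tools.)
verify_signature() {
    app=$1
    command -v codesign >/dev/null 2>&1 || return 2
    codesign --verify --deep --strict "$app" 2>/dev/null
}

# Demo on the constructed samples; on a Mac, try: assess_app /Applications/Foo.app
for sample in "$SAMPLE_APP_STORE" "$SAMPLE_NOTARIZED" \
              "$SAMPLE_UNNOTARIZED" "$SAMPLE_UNSIGNED"; do
    printf '%s -> %s\n' "${sample%%:*}" \
        "$(printf '%s\n' "$sample" | classify_gatekeeper_verdict)"
done
```

Running the demo on the constructed samples prints one line per app with its tier; on a Mac, `assess_app /Applications/SomeApp.app` reports the tier Gatekeeper actually assigns, and a non-zero exit from `verify_signature` on a downloaded app means the bundle no longer matches what the developer signed.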
The Mac is the model
In the European Union, iPhone and iPad users can now use apps that bypass the App Store. Unfortunately, the options are limited and require a third-party app store, which seems to miss the point. In building these systems mandated by EU regulations, Apple has used its work on macOS as the foundation. Non-App Store apps come from recognized developers and are notarized by Apple.
This is an important moment. Apple has built two separate models for running software on our devices. In one, there’s a gradient of trustworthiness that strongly encourages users to stick to the safe, well-lit paths–but allows competitors to go their own way and users to make different decisions than Apple would prefer they make. And, yes, at the extremes, users can behave in ways that might open them up to danger, but only after many warnings. It’s a very good system. Apple built it that way because it cares about the Mac, the Mac ecosystem, and Mac users.
Of course, the other model is the one we’re familiar with from iOS: There’s only one layer and Apple entirely controls it. Even though we’re spending thousands of dollars to own devices that can run software developed by clever people from all over the world, Apple believes that only it should be able to determine what kinds of apps are allowed, that it should always be cut in on the revenue of every financial transaction inside those apps, and that if it doesn’t like anything about a developer’s app, it can demand it be changed or the app made to disappear into oblivion.
That both of these approaches come from the same company is… kind of staggering, to be honest. One path provides security, safety, curation, and a reasonable opportunity for Apple to define its platform and work with partners, but tempered with the prospect of competition. The other approach has evolved from a simple way to get software onto a new platform using a mechanism used to sell pop music singles into a way to exert total control, including deciding what apps we’re allowed to use and forcing Apple into every financial transaction on its platform.
I know which Apple-built approach should be the model for the future of software on computing devices. The good news is that Apple has already built it. The era of top-down control of our devices needs to end. The Mac is the model.