Security Is No Excuse For iPhone Antics

This week, the Federal Communications Commission is asking Apple and AT&T to explain the rhyme-or-reason to the Apple Store approval process, and specifically why the Google Voice application was rejected. I wonder if they can afford to give an honest answer.The only officially sanctioned way to sell iPhone applications is through the Apple Store, and that means getting your software approved by Apple. Apple justifies this we-know-best approach to approval, at least in part, by saying that unauthorized apps could cause both stability and security problems, endangering not just a few users but the entire AT&T network. Yet Apple's approval process for iPhone applications also seems to be tuned for maximizing profits by eliminating any applications that could cut into Apple or AT&T revenues. Even the security and stability argument doesn't hold water that well; after all, there are plenty of inadvertent bugs and security holes already present in Apple's own iPhone software.

Two years ago, Google described an excellent vision for open wireless networks. If wireless providers opened their networks and equipment providers didn't opt for a single vendor lock-in the way Apple did, our wireless hardware and applications would work a lot better. In my ideal world, wireless phone companies should be selling bit pipes, just like residential and commercial Internet access providers. Apple would sell the iPhone and operating system but not be the gatekeeper for what applications users could buy. We're far from that ideal at the moment.

One thing that Apple did right was to require iPhone software have a digital signature, telling the system where the software came from. Apple should not be the sole arbiter of whether software can run on the iPhone, and instead just require that all iPhone apps simply be digitally signed. Then users could get their software from any software maker willing to sign their software. If there is some problem with the software later, that particular application can be blacklisted or the software maker's certificate could even be revoked. Signed applications could be easily checked against a third-party Internet registry of iPhone software. That would be useful to check for security issues and get user ratings or information about battery or bandwidth usage, for example.

Sooner or later, Apple must realize that their current approach doesn't scale. As the sole gatekeeper of iPhone applications, Apple is being swamped with mediocre entries but is it Apple's job to judge quality and value of applications? It takes entirely too long to get an application approved, and by claiming to vet the software they are taking on some responsibility for its quality -- they're selling the app, after all. Apple would be much better off delegating that responsibility to others.