Shutting Down a Service with 500M Requests per Month
danielamitay.com> your app uses public APIs in a manner not prescribed by Apple
What an enraging way to phrase this. I understand Apple's desire to shut this down, but they make their contempt for app developers obvious at every possible turn.
That seems like an incredibly petty way to view it.
Apple's not out to get you. In fact, I'm glad they did this. That iHasApp looks creepy as hell, and it pisses me off that other devs were using it to basically spy on me. It reduces my trust in all apps.
Yeah, this reminds me of the recent(ish) realization that a javascript could check a link's applied style to determine if it had :visitied, letting advertisers trivially run test a very large list of links to fingerprint and profile anybody who visits a webpage.
Mozilla patched that information leak. I don't remember anyone accusing them of "contempt for web developers."
I'm no longer using iOS regularly, but the fact that Apple can and does police apps that violate a user's expectation of privacy is one of the strong points of the platform.
Mozilla didn't start white-listing web sites which it determined didn't snoop on the :visited property, and black list all other sites. Instead, it fixed the API.
Right, they did it by blocking javascript access to computed CSS styles so that it doesn't return :visited rules.
In Apple's case, the more secure options would either be "an app must include a perapproved list of which other apps are authorized to see that it is installed", or popups for permissions like "Image Editor wants to know if you have Dropbox."
Since Apple has both the authority and the manpower to approve or disapprove of apps, they chose to not take either and to stick with the version that gives the best user experience, while also allowing devs to continue checking installed apps when they need to as appropriate for cross-app interaction.
I guess it sucks from iHasApp's perspective, but I don't have any more sympathy for them than any other spyware developer. Just because Win32 apps aren't sandboxed and can read arbitrary data out of my home folder doesn't mean it's an OK thing to do.
To be fair I think there is an easy workaround on blocking the javascript from reading computed CSS styles. I wrote a potential hack around that here: http://ckluis.com/black-hat-badassery/
To be clear - I have no problem with this service getting shut down, as it's clearly intended to violate the user's privacy. But to say you must use APIs as "prescribed" by Apple is way too broad and subjective.
I'm sure the iOS developer Terms of Service forbids this at some level. If not, then update it. Then say you're shutting this down because it violates the TOS.
That's a good way to get a million page TOS.
https://developer.apple.com/app-store/review/guidelines/
> We will reject Apps for any content or behavior that we believe is over the line. What line, you ask? Well, as a Supreme Court Justice once said, "I'll know it when I see it". And we think that you will also know it when you cross it.
What would you think of "don't use our APIs in such a way that, if your users found out you had used them that way, they'd want that API removed to force you to stop"? That's essentially what's being discussed here.
Technical people are accustomed to looking at the technical limitations of a problem space and then coming up with a solution. If the person managing the game then says "rule violation: you can't do stuff I don't like" it seems unfair.
The better way is to design the API in such a way that it can't be "abused". It's Apple's fault that iHasApp was able to do what it did, and it's Apple's fault that Facebook continues to do what iHasApp did.
While I'll agree with your second point about designing the API in a more safe way, the first one I'm not as sure about. You could make that same argument in favor of malware authors against Big Bad Microsoft walling them out with new Windows Defender definitions.
If something is stealing my personal information and sending it off to advertisers, I'm entirely happy to have the OS vendor give them the boot.
Only devs seeking private information about users will be harmed by this. It's OK for Apple to have contempt for devs like that.
I'm totally for this being blocked.
My concern is that this, like everything, will be applied unevenly. For instance, Twitter's app does this, and probably won't be yanked from the app store.
Privacy.
Fuck enumerating the apps that users have installed.
That's not what the API is for, and no user in their right mind would want that to happen.
So why is this kosher? https://support.twitter.com/articles/20172069
one guess
So it's opt-in with a default of off.We will notify you about this feature being turned on for your account by showing a prompt letting you know that to help tailor your experience, Twitter uses the apps on your device. Until you see this prompt, this setting is turned off and we are not collecting a list of your apps. If you do not see Tailor Twitter based on my apps in your account settings, app graph collection is not occurring for your account.second, some partners are more equal than others...
Twitter and Facebook also have similar solutions. Have they been shut down too?
Twitter and Facebook have extensive OS level integrations put together by Apple.
"Too big to fail"
I think at least Facebook's usage would fall under the category of facilitating inter-app communication. They just communicate with almost every app out there.
Wouldn't be surprised if they pay for the privilege.
The obvious lesson is that you shouldn't build a service that skirts right on the edge of "Apple definitely won't like this."
Well at least you kept your sense of humor about it all. It will probably help your chances at employment (or investment of your own business) going forward. Nothing wrong with pushing the barriers a little bit.
I want to be outraged on your behalf over this but I can't really summon it forth. While I understand the ever-present engineer desire to "see if it can be done", no good can really come from this sort of service in my opinion. I guess chalk it up to an interesting technical exercise and that's it.
It's a shame you had to bring this down but it looks like you saw it coming and enjoyed the ride. I think the posts that characterize you as unethical are just not willing to cope with the disillusion that technology is a two sided coin. The information was there and you used it. I commend you on seizing on the opportunity and wish you best of luck in the future.
Sorry, no. Technology is a two sided coin, mostly unable to be ethical or unethical. The people using technology, however, are surely able to fall somewhere in the spectrum. The OP is using this technology for (imo obviously) unethical reasons and is capable of being judged by that decision.
Well I certainly don't disagree that he's capable of being judged. And you're right - it's simply my opinion that what he did was not unethical.
Thanks for sharing. Must be tough. But Iam sure you'll move onto bigger and better things in the future.
You are an unethical person. I'm pleasantly surprised Apple shut this down.
I don't even think you should be surprised. I don't see how anyone could condone the privacy violation this app commits.
Of course this app should be banned, should have never made it to the appstore to begin with. And the developer should be ashamed of himself. With all the discussions around the NSA & privacy these days, it's tone-deafness & insensitive for a developer not to see the obvious problems iHasApp creates.
Do you really suppose ad providers in millions of apps do anything differently? Do you think Apple's own iAd relevancy engine that allows them to charge premiums to advertisers does anything differently?
It seems odd to be outraged at a practice employed by the very knight in shining armor that just shut them down.
I share your concern that this functionality could be abused, but disagree with your attempt to treat this as black-and-white or as a matter of personal character.
There are both ethical reasons and unethical reasons why an app-developer would want to know the other apps chosen by their users. On the up side, one could use the knowledge to prioritize improvements/integrations/compatibility with other apps. On the down side, one could punitively react to the presence of competing apps.
Assessing the ethics of how the functionality is used requires greater openness and transparency by everyone. Unfortunately, in a culture as closed as Apple's (eg http://www.pcmag.com/article2/0,2817,2375476,00.asp or https://developer.pidgin.im/wiki/WhyNoiOSVersion ), you are unlikely to see that kind of openness.
I completely agree. This is tantamount to spying on users. It's basically equivalent to some random game reading your entire contacts list and sending it to the company.
I am ignorant of what iHasApp means in terms of users. Much less the ethics of it all. Why is what iHasApp did considered unethical?
From https://github.com/danielamitay/iHasApp:
> The iHasApp iOS Framework allows you to detect installed apps on a user's device. Detection results can be in the form of an array of detected appIds, or an array of appDictionaries from the iTunes Search API.
I'd also bet you a coffee that you could pretty reliably uniquely fingerprint devices this way. I don't bear OP any ill will for writing iHazApp, but I can certainly see why many would be uncomfortable with it.
Very, very skeptical of this. Apps that people have installed tend to be similar apps.
For some subset maybe. But I guarantee you that there is not one other person on Earth that has the same set of apps installed on their phone that I do. The chances of that are astronomically tiny.
Maybe we should make an app where you put in all the apps that you have on your iPhone to find your perfect match. We'll call it appxappxappxappxappxappxappxapp.
You can filter it down even more by reading carrier information which you can access without permissions:
http://iosdevelopertips.com/core-services/carrier-informatio...
I disagree. For a related piece of work, see https://panopticlick.eff.org
I'm running a browser with only two (what I believe are common) add ons installed and a fairly uninteresting system config on common hardware. This is enough (combined with other "safe" metadata) to uniquely identify me! Compare this to iPhones, which frequently have dozens of apps installed and expose comparable device metadata.
Presumably parent is offended by the privacy violation. It allows developer of app A to know I have app B installed, which can be used to target adds etc.
While unlikely, it could be used for worse. Let's say a local or niche publication has an app and can detect if any of its subscribers are also using Grindr, Tinder, or some sort of app that signifies, to them, some cardinal sin on the part of the subscriber. That could be used to blackmail/shame/harass people.
Huh, how does this service's behavior differ from what the Twitter App Graph does?
Why do people continue to use MM for "million", especially outside of the context of money?
M is often used to mean 1,000 from the Roman Numeral, so using it to mean "one million" is confusing.
It's not just finance, but in other contexts too, such as online marketing CPM = Cost Per Thousand.
MM then is used to denote a thousand thousands, or one million. In online marketing sometimes you'll see CPMM = Cost Per Million.
k is used for 1000, M for millions... damn americans.
Unless you're talking about kilobytes, in which case k = 1024.
Unless you're a strict follower of the IEC standard, in which case k = 1000, and what I was talking about was a kibibyte.
Standards are hard. It's not just the Americans' fault
blame the brits, not the americans.
Can we just blame one person instead of an entire country?
Blame Todd. Todd did this to us.
Blame the accountants. We're engineers et al. We use SI.
K, not k.
Actually, he's right; the abbreviation for kilo (thousand) is lower-case k. The abbreviation for mega (million) is upper case M. (Lower case m is milli (thousandth).)
When, whether talking about money or not, have you ever seen someone write 100M to mean "a hundred thousand"? That would be completely ridiculous. Roman numerals are not used for that.
It's used exactly like that in finance all the time.
http://www.accountingcoach.com/blog/what-does-m-and-mm-stand...
That guy's response makes no sense to me. I worked in finance and banking for five years and didn't even once see M used to represent thousand. Perhaps times have changed and that used to be common. k (thousand) and M, m or MM (millions) were used though.