Staff Members,
A few days ago, Aaron wrote:
We will be moving to a manual verification process wherein all apps
and app updates will need to be submitted to us, and they will only be
allowed to become public when they have been verified by us.
I am sure, many app developers will pity this to be necessary, although
we all are aware why it is the case. There likely are many questions
arising, which need your attention, before App Central again can be a
place of many useful apps. And I know you already have taken some active
steps in that regard. Still, here are a couple of questions, which came to
mind when reading the above quoted message.
Even if you don't have answers at the moment, or have reasons for not
leaving all answers in the open community, you may just want to consider
them in your further process.
1. What will the VERIFICATION be like?
Is it only going to be a quick "security" scan, like with ten different
AntiVirus and AntiMalware programs? In the case we recently saw, I don't
know if that kind of verification would be enough. This kind of
Anti-software, mainly will check for bad programmatic behavior.
2. You likely will be running the app, on some kind of testing computer,
as part of such verification. How much work will you be able to put into
this testing, upon each app?
Ok, there are a load of apps on the Central already, which are mainly
performing one or two actions, in that their whole purpose is to only
popup certain daily messages, or fix a particular set of issues in given
pieces of software. To test and verify these apps to run as expected,
would likely not be very hard, and take little time. But there also are
a handful of apps available, which are far more general, and which may need
quite a bit of understanding, should you get to see all its many
features in action. If we just go for one of your own apps, staff
members, how about an app like the HotSpot. Had you got that from a
third-party, you would need to spend some time on learning to use the
app, then test it under a number of situations, before you could verify
that it will be doing what it supposedly was designed to, and nothing else.
3. What happens if an app behaves differently?
No, I am not referring to the case, where you see the app performs in an
unwanted way. Then you of course would refuse the app. But sometimes a
developer has made the app perform a certain way, due to numerous hours
of testing, cooperation with test personnel, maybe even had to take
certain steps in order to have it properly working also with
International users. My question is if you will have the necessary
background for determining if that is a misbehaving of the app, or if
there is a reason for things happening the way they do.
4. You don't care about the operation of the app, only scan for known
issues of the incoming app?
Well, I just meant to put that out as an easy-way-around-the-bush
approach. Of course you care, but maybe you just don't have the
necessary time and interest to test and verify all features of any app,
big or small. But what about the community's understanding of the
matter. If AISquared tells us they have verified all apps on App Central,
will that be taken in the meaning that you have actually run and
acknowledged the full functionality of the app? At least, you may want
to be quite clear with the community, as to what exactly does your
verification include.
5. Will all apps - in the future - have to be open-sourced?
Or, at least, will you require any app developer to upload the source
code fully exposed, along with any other material that affects the app
functionality - for your staff to be able to trace any suspect behavior.
Alternatively, should a developer upload an encrypted app, will you then
decrypt his code, hunting for suspicious pieces of coding. At least, you
may want to let the developers know, that such would be the case. And
how much time will it take to scroll through thousands of lines of code,
and understand why the developer did it this way and not that, simply to
check for anything that could potentially cause headache?
6. Should App Central continue to be free - both for the users, and the
developers?
If you are going to spend hours in verifying apps, I guess this cannot
continue to be done on a free basis in the long run. Still, without the
verification, and some kind of manual or half-automated interaction, how
easy will it be to prevent this kind of trouble from arising again.
One alternative to App Central - the way it stands today, would have
been not to have the apps themselves available directly on your servers.
For instance, you could have made it more of a subscribing service. I
would go to the Central, be able to read about the different apps just
like today. Finding an app I think to be of interest and which would
solve my issue, I would subscribe to it. This would result in an Email
being sent to the app author, informing that I now want his app. He then
will send me the WEPM-package, and I will have to install it. This way,
the app author will be far more in control of his package, and actually
also would know far more about the popularity of his app. If you want,
you could have implemented routines in the core of the screen reader, to
prevent any apps that were not certified for the actual serial number.
When I subscribe to an app, I will have to give my serial number as part
of the process, either manually or automatically. The app developer then
will have to leave me a package, stamped with that serial number. Yes, a
long way around that bush, ain't it. And yet, not even that would fully
ensure absolute security. Still, it could be one way, to make things
work a bit more smoothly. Just thought to throw the idea on the board,
in case it could be of any help. You even could let the developer of any
app, choose if he wants his app uploaded to App Central, or if he rather
will have App Central act as his Subscription Manager.
David
On 1/18/2015 1:15 AM, Aaron Smith wrote:
FYI -- Regarding the security settings of Window-Eyes, I posted this to gw-info
earlier.
Thanks,
Aaron