Kyle Richter is a longtime Mac and iOS developer with four programming books under his belt—a Mac community guy if there ever was one. So he was intrigued when he discovered a popular iOS app using his app’s name as a keyword; some fellow developer wasn’t playing fair.
When he looked into the offending app, it was riddled with privacy and security flaws. The experience frustrated him—where’s the solidarity, anyway?—and our conversation about it turned to the idea of codifying good developer behavior. Could computing professionals honor an opt-in credo as in other fields?
Tell me about what happened with QuizUp and what you discovered?
QuizUp first came to my attention a couple of weeks ago as it was using one of my company’s product names as a search keyword. Having worked on several real-time multiplayer iOS apps, I became intrigued by the way it claimed to handle its networking. I began digging into the networking traffic to get a sense of how the game functioned, and while looking into the networking components I discovered a sizable amount of privacy and security issues.
I contacted Nick Arnott, a friend of mine who works as an iOS security researcher. We found dozens of issues: from storing Facebook contact information in plain text on the device, handling passwords unsafely, transferring the user’s entire address book to the company insecurely without express permission, and sending each user’s personal information to random strangers including their full name, location, date of birth, email address, and Facebook ID.
I attempted to alert Plain Vanilla Corp., the publisher of QuizUp to my findings in private. When several days passed without a response, I decided that, due to the considerable size of the user base that was at risk, I should catalog the issues on my personal blog.
After the article was up for a few hours, I was contacted by senior leadership at Plain Vanilla Corp. looking for additional details on my findings. Like most companies who find themselves in this situation, they were eager to fix the issues and move past them. A new version of QuizUp has recently been released which they claim corrects the privacy issues; however, I have not had a chance to thoroughly evaluate the update. From an initial inspection, though, it appears they are moving in the correct direction.
You’ve said that "more and more often we are seeing developers take the low road." Why does unsavory developer activity seem to be increasing now and what are some common examples?
The Mac development community was very small when I first started developing on the platform. Everyone knew each other and we all worked toward a common goal of creating the best third-party software experience for the small market share available. With the release of the iPhone there has been an incredible surge in developer interest in Apple’s platforms. The community has grown from a few thousand active developers to over a million in a very short time.
With the large influx of new developers and products it should be expected that we would see an increased amount of problems. Among those problems the platform has seen is an increasing amount of aggressive behavior in order to succeed. Issues such as spamming users for reviews to forcing users to log in with social networks so additional marketing can be sent to users friends and followers are common and now, sadly expected. The aggressive use of pay to play, "freemium" type games, used to suck money out of player’s pockets in order to allow them to continue progressing through a game, has become the standard model for the top 200 grossing apps.
Some notable and familiar companies have even changed their business models to one where they simply clone successful or novel indie games and repackage them to maximize profits while running the smaller company out of business. There has also been a huge influx in gaming the market place, including paying for app downloads and fake ratings. At least once a week I get an email about paying for reviews, downloads, or other gray market app services.
I would say the worst types of violations are those that take advantage of their users, exposing them to additional harm solely for the sake of profit. While these types of occurrences are rare, they do occur from time to time.
On the other hand, I think slightly misrepresenting the functionality of an app is on the lower totem of issues that users should be concerned about today. There are however a large number of apps that grossly misrepresent their functionality. It became such an issue that Apple began disallowing the updating of screenshots after app approval and it has made a significant dent in the number of instances of this type of cheat. If a product serves the purpose it was designed for it people will continue using it.
Are most of these ethical violations malicious, or do they arise out of lazy coding in trying to cut corners?
While it’s a matter of semantics, I think to be unethical you have to be malicious, ethics is intertwined with the consciousness of the act. I don't consider it unethical to make a mistake in code that causes private information to be leaked.
Do I think that most privacy violations are malicious, however? No, I don’t. Software development is complex and it’s easy to overlook scenarios in which privacy may be breached, doubly so for green developers. There have however been some notable cases of unethical development practices, such as Path scrapping the user’s address book without permission, and a multitude of apps that do not work as advertised. However, I think that most of the incidents come from oversight or lazy programming.
Developers, investors, and business owners are in such a rush to get apps shipped, while keeping budgets as tight as possible. With tight budgets and tight deadlines, things get overlooked and corners get cut, sometimes accidentally, sometimes to deal with the pressure. More and more, mobile developers are leveraging third-party code to quickly build and deploy apps, but many of those developers do not understand the code they are implementing or the ramifications of using them. It is getting very easy to build a mobile app, but it is harder than ever to build one well.
Who is responsible for making sure a developer adheres to ethical standards?
Surprisingly, a lot of different parties have varying degrees of responsibility. First and foremost, the developer should be self-moderating; they need to put care and thought into how their software interacts with a user’s data. The publisher, Apple and Google, for example, also have oversight and guidelines for approvals, which have several sections overlooking privacy as well as malware. Lastly, the consumer—both the end user and the tech media—provides the final check. Supporting apps and companies who play on an unbalanced board does nothing but hurt everyone.
Do you feel that the major app stores like Google Play and Apple’s App Store should have a Code of Ethics all developers must adhere to?
Apple and, to a lesser extent, Google do provide guidelines and rules for app development. These rules do cross slightly into ethical grounds. One such rule which QuizUp likely violated was 17.1: "Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used." These rules are often hard to enforce, however, most of the time requiring user complaints to spur any action. With the sheer number of new apps being submitted every day, it becomes quickly overwhelming. Neither Apple nor Google currently have the resources in place to thoroughly check for privacy concerns. When issues are found and receive enough attention, then the publishers react.
If there were a universal Developer’s Code of Ethics, what are the main points you think it should entail?
Treat your users, customers, competitors, investors, and partners, as you would like to be treated if you were in their shoes. Ethics are hard to define and I don’t believe its something that can be legislated successfully. Sadly, we live in a world where things often need to be spelled out in a bit more detail. I would love to see a group or advisory board from across the industry come together and provide some ethical guidelines for software—much as we do with standardized protocols like OpenGL or TCP/IP. It wouldn’t likely be possible for this group to have any real power to enforce anything, which would limit the effectiveness and purpose of it from the start.
And what should be the punishment for developers found breaking this Code?
The U.S. government has previously fined software companies for ethical type violations, such as Path. The usefulness of these types of deterrents remains to be seen. Banning of a specific company or developer has been very rare, the most notable case being when Apple brought down a lifetime ban to Khalid Shaikh, pulling the 1,400 apps he had previously published.
We’ve reached the point where apps are becoming an essential part in our daily lives. Do you think it’s time for the U.S. and other governments to set up legal guidelines regulating the developer community?
We have a fair amount of legislation already in regards to privacy and even specifically to software from decades of web and desktop apps. These same regulations apply equally well to mobile apps. I don’t think there is a need for any more government oversight here; it often gets out of hand quickly and doesn’t apply equally to all organizations. Our legislative representatives in the U.S. have proven time and time again that they lack the technical understanding to handle the regulation of the Internet or software.
Developers, users, and media should form a self-regulating industry. Companies should be held accountable by their users for unethical behavior. When people stop supporting businesses that are not doing the right thing, those businesses will adapt or fail. Right now, the vast majority of users don’t care about their privacy and will even occasionally attack those exposing privacy concerns. This needs to change before anything real can happen. Class action lawsuits as well as small claim cases provide users a path of recourse if necessary.
One last question: Do you feel most developers are ethical?
Yes, I believe most developers are ethical, but I also believe that most businesses are not. Humans by nature tend to generally err on the side of good, but when these same humans are grouped those actions can change drastically. Developers tend to be people who strive to solve problems and understand technology, most of whom would do the job for free if they could find a way to live. Businesses on the other hand tend to want to expand and increase revenue; the easiest way has always been and will always be to cut corners and toe the line of unethical tactics.