search

stacks-archive / app-mining

For App Mining landing page development and App Mining operations.
https://app.co/mining
MIT License
49 stars 16 forks source link

Unsigned native apps #151

Closed Walterion01 closed 4 years ago

Walterion01 commented 4 years ago

As @larrysalibra talked about App Mining NIL proposals:

We’ve recently seen a number of native apps for both macOS and Windows. Most of these apps are unsigned by the developer and will not install in default configurations of both operating systems unless the user overrides the security settings to allow installation of software from unknown developers. This is dark pattern behavior we don’t want to encourage because it unsafe for users and unsafe for our reviewers.

Policy: Apps must be installable using the default security settings on a fresh install of the targeted operating system. Apps that require overriding default operating system security settings will be ineligible.

Please help me to understand these:

These messages are mostly not a safety issue, and they are primarily a Buy-A-License from OS provider issue. We have BlackHole, and it has Windows, and Mac clients and both of them have security messages Larry talked about. We did try to solve them before releasing apps as no one wants to give their users an ugly welcome, but some problems prevented us: Microsoft and Apple will sell you the license if you register the app completely with them. Otherwise, they show you the message even if there is no security flaw with the app. Take Norton case, they flagged BH without any security reason, and a user asked them, and they removed it quickly.

We had emails from some users that told us about this, and almost all of them knew the situation and just wanted to let us know. As we targeted professional users, that was and still not an issue for us, and the user base is growing beautifully for an app with a need to install, and more people are talking about it, eg today post. If this wants to go with the proposal, either we should leave our privacy behind and go with OS providers (who are not good famous of privacy or even safety) or leave the native apps behind as there is no control on the web apps.

My thought is that it is an OS issue, not Blockstack or NIL as it is not related to privacy, security, identity, storage or even encryption. I would be happy to know more about how we can solve this and provide a better experience or also there is a way to prevent these messages.

P.S. Please take a look at VirusTotal report for a proper safety check.

larrysalibra commented 4 years ago

Does Blockstack want to play the rule of closed app stores? For example, like Google Play that controls the app identities and how they work or give the app creator what it provides the users? An open and private world with a safe identity to let users choose what they want? Or as we call it here CantBeEvil.

What part of buying a license will help safety or how it is aligned with values of Blockchain, decentralisation or privacy?

Hi @Walterion1 - thank you so much for bringing up these points! I find them very compelling.

I agree with you that centralized certificate authorities aren't aligned with our ethos either. Software developers should not have to ask permission to develop or distribute apps.

I'm prepared to change the policy on unsigned apps until we have a way to distribute apps securely with Blockstack names. For, now we won't apply this policy this month (September).

I'd still like to hear thoughts of others.

Walterion01 commented 4 years ago

Thank you for the open thoughts, Larry. I will be glad to have such a secure way to distribute the apps, and I like to see more native apps integrated with Blockstack.

larrysalibra commented 4 years ago

@jeffdomke Our conclusion on this issue is we will NOT penalize apps for being unsigned. Thanks to @Walterion1 for providing clear reasoning as to why that decision is most clearly aligned with our vision and goals.

This issue can be closed unless anyone else wants to discuss further.