WEBVTT

00:00.000 --> 00:14.000
Thank you for coming and I really apologize for the technical glitches, but we will jump right

00:14.000 --> 00:15.000
in.

00:15.000 --> 00:22.000
This is going to be a talk about app stores free app stores on the iOS and Android platforms.

00:22.000 --> 00:25.000
So quick note about me, I'm a software developer.

00:25.000 --> 00:27.000
I've been developing software for 40 years.

00:27.000 --> 00:31.000
As you've missed on my technical difficulties, I just had right now.

00:31.000 --> 00:36.000
But yeah, I've been developing software since there's a little kid and I've been developing

00:36.000 --> 00:43.000
apps for the iPhone and for Android since 2008 basically since the beginning of when you could do that.

00:43.000 --> 00:51.000
And I developed a very first ebook reader for the iPhone that was known as Stanza.

00:51.000 --> 00:53.000
That was went on for a while.

00:53.000 --> 00:57.000
And then since then I've done dozens of other apps.

00:57.000 --> 01:07.000
More recently, I created an open source tool called Skip.dev that helps you develop apps for both iPhone and Android from a single code base.

01:07.000 --> 01:15.000
I'm also the founder of the non-profit app fair project, which helps promote and distribute apps to universally for both platforms.

01:15.000 --> 01:21.000
And I'm also a board member of the Android project as of last year.

01:21.000 --> 01:27.000
So nearly everyone in the world has a little computer in their pocket.

01:27.000 --> 01:31.000
There's over 6 billion smartphones around the world.

01:31.000 --> 01:34.000
The vast majority of human beings have one.

01:34.000 --> 01:38.000
And these devices, they know just about everything about us.

01:38.000 --> 01:42.000
They know where we are, they know who we are, they know where we're going.

01:42.000 --> 01:47.000
They know what we're interested in, what we like, our media or movies and so on.

01:47.000 --> 01:51.000
And the question is, who really owns this device?

01:51.000 --> 01:53.000
Is this yours?

01:53.000 --> 01:55.000
You bought it, it's your property.

01:55.000 --> 02:01.000
But you actually own it in the sense that you have complete control over it, that you have agency.

02:01.000 --> 02:06.000
So how does software get on to a computer?

02:06.000 --> 02:12.000
When I first developed software back in 1982, a little radio-shack TRS AD,

02:12.000 --> 02:16.000
that had no persistence storage.

02:16.000 --> 02:21.000
So I subscribe to a magazine called the Rainbow Magazine and they send you an issue every month.

02:21.000 --> 02:25.000
And in it, they would have printed pages of source code.

02:25.000 --> 02:30.000
And so I would sit there and I'd easily transcribe that source code from my computer.

02:30.000 --> 02:33.000
From the pages of the magazine onto the computer.

02:33.000 --> 02:38.000
And then hope that you didn't make any typos because debugging was quite a primitive operation back then.

02:38.000 --> 02:40.000
And then you would run it.

02:40.000 --> 02:44.000
And there would be little games or graphics demos or things like that.

02:44.000 --> 02:48.000
So that was how we really got started in software development.

02:48.000 --> 02:56.000
Since then, from that point on, I got a cassette tape peripheral that would let you save and load your programs.

02:56.000 --> 03:00.000
So it wouldn't disappear when your system plugs are computer.

03:00.000 --> 03:10.000
And from then on, you moved on to floppy disks and heart disks and CD ROMs and so on.

03:10.000 --> 03:12.000
As we all know, that's all gone.

03:12.000 --> 03:14.000
You don't have really physical media ever.

03:14.000 --> 03:22.000
Everyone's in a wireless CD, but it's pretty much gone the way of pretty much everything else from the last millennium.

03:22.000 --> 03:26.000
And the result is that we just should be software over the internet now.

03:26.000 --> 03:36.000
And app stores have been the result of that phenomenon where a single organization will collect a number of applications and potentially curate them.

03:36.000 --> 03:43.000
And then list them for download and allow you to download them directly to your advice on mobile platforms.

03:43.000 --> 03:50.000
This is far and away the most predominant form of software distribution.

03:50.000 --> 03:56.000
And an app store when you run it on your phone is really just an app that installs apps.

03:56.000 --> 03:58.000
It's not really doing anything fancy.

03:58.000 --> 04:00.000
It's essentially a gutsy-tup downloader.

04:00.000 --> 04:02.000
It has some features like search.

04:02.000 --> 04:06.000
You might be able to review applications.

04:06.000 --> 04:09.000
You might be able to categorize them and browse them.

04:09.000 --> 04:16.000
But really all it is is an app that installs apps.

04:16.000 --> 04:27.000
So as of around the launch of the modern generation of smartphones, you really had two players that rose right around the same time.

04:27.000 --> 04:33.000
Apples, iOS, which runs on their iPhone and subsequent devices like the iPad.

04:33.000 --> 04:35.000
And then Google's Android.

04:35.000 --> 04:43.000
iOS is exclusive to Apple devices and Android runs on not only Google's own devices that they did not start out by manufacturing.

04:43.000 --> 04:49.000
But on a variety of other manufacturers that they license out the operating system too.

04:49.000 --> 04:55.000
Generally speaking worldwide, Android has about a 75% market share and iOS more or less takes up the rest.

04:55.000 --> 05:03.000
And then you have a very long tail of very small representation of other devices.

05:03.000 --> 05:08.000
But for the most part, Blackberry is gone when to his phone is gone.

05:08.000 --> 05:12.000
You're left with really two players in this market.

05:13.000 --> 05:17.000
When apps start getting first developed for these devices.

05:17.000 --> 05:20.000
When they were first released, there were no app stores.

05:20.000 --> 05:25.000
The very first app store was actually something called Citya, which was developed by Jay Freeman,

05:25.000 --> 05:28.000
also known as Souric, back in 2008.

05:28.000 --> 05:31.000
And this was a really nifty little app store.

05:31.000 --> 05:33.000
People were blown away.

05:33.000 --> 05:38.000
You could actually, you know, the iPhone came out and only had a few built-in applications.

05:38.000 --> 05:42.000
But a web browser and a calculator and, you know, a context list and things like that.

05:42.000 --> 05:52.000
But for the first time, this was something that allowed you to get browser download and potentially purchase applications from a variety of sources from a variety of developers.

05:52.000 --> 05:54.000
And it was wildly popular.

05:54.000 --> 06:01.000
It had started out with a small catalog with hundreds of apps, maybe 1,000 and had millions of developers.

06:01.000 --> 06:04.000
And it was pretty neat.

06:05.000 --> 06:13.000
2.0 when that came out, Apple introduced their own app store.

06:13.000 --> 06:23.000
And they said that this was going to be the exclusive way of developing and distributing software for their devices.

06:23.000 --> 06:28.000
At the same time, they change the operating system to break all the mechanisms that Citya was currently using to be able to, to install their applications.

06:28.000 --> 06:32.000
And they essentially froze out that platform.

06:32.000 --> 06:38.640
City, I continued on for a few more years, finding work around to be able to continue operating

06:38.640 --> 06:44.560
and to be serving their users. But ultimately, if you are fighting against the platform,

06:44.560 --> 06:50.640
as you've heard from the previous talk, you're always going to wind up losing the platform

06:50.640 --> 07:00.000
vendor is actually dedicated to crushing you. Android, on that their hand, took a different

07:00.000 --> 07:05.200
pack. They started out by providing APIs, rather developers, to be able to develop and

07:05.200 --> 07:13.200
distribute their own apps. And that actually wound up, you know, starting a fairly open ecosystem,

07:13.200 --> 07:17.280
a vibrant ecosystem of a number of different app stores. There were a number of commercial

07:17.280 --> 07:22.640
app stores, a couple of the big ones in the west for the Amazon app store, the Samsung Galaxy

07:22.640 --> 07:28.960
store worldwide. And there were also some non-commercial ones, after all, being a notable one,

07:29.040 --> 07:33.040
which I'll describe in a little bit. But it was never really a level playing field.

07:33.040 --> 07:37.280
The vast majority of Android devices are Android certified, and that certification process

07:37.280 --> 07:43.120
comes with various requirements. One of those requirements was that the Google Play Store

07:43.120 --> 07:49.840
be the most prominent, only pre-installed device, and prominently displayed on any handset

07:49.840 --> 07:55.360
that was Android certified. And that was problematic for competition in that space.

07:56.160 --> 08:04.160
And over the years, these two different gatekeepers, all their policies started to converge

08:04.160 --> 08:12.160
and align. You wind up having a system where the Apple App Store and the Play Store

08:12.160 --> 08:16.160
have more or less the same sequence of operations you need to go through in order to get your

08:16.160 --> 08:21.280
phone on to end devices. A developers need to identify themselves and register centrally.

08:22.160 --> 08:27.360
They charge developer fees. Some of them annual, some of them, some of them one time.

08:28.080 --> 08:33.760
They're lengthy terms and conditions that you need to agree to, and these terms and conditions

08:33.760 --> 08:39.120
are obviously non-negotiable. And furthermore, there was changing. There was changing out

08:39.120 --> 08:44.080
from under you. They can come up tomorrow with a new set of terms and conditions. If you don't

08:44.080 --> 08:50.480
agree to it right away, you're out of the store. So it's very much a short list that developers

08:50.480 --> 08:56.240
are kept on. Every app that you want to distribute has to be uploaded to their portal,

08:56.240 --> 09:01.680
has to be reviewed by humans, potentially, or some degree of automation or a combination.

09:02.720 --> 09:06.320
And then if it's approved, it winds up getting distributed and that same process you need to

09:06.320 --> 09:14.240
go through again for everything to update that you distribute. The benefit is that you can reach

09:14.320 --> 09:21.360
billions of potential customers. And the entire world is your oyster. If you distribute

09:21.360 --> 09:28.240
through these stores, the cost is that they take a 30% cut off of the top of an individual sale

09:28.240 --> 09:35.840
that goes through any of these applications. And that 30% cut leads to extraordinary

09:36.640 --> 09:40.480
extraordinary profit margins for these business divisions. The Google Play Store is

09:40.480 --> 09:46.000
came out in the epic trial last year. It makes around 70% profit margin. The Apple App Store

09:46.000 --> 09:53.920
makes around 80% and that is unprecedented in the history of technology in comparison to AWS

09:53.920 --> 10:01.600
makes around 20 to 30% profit margin. But so what's the problem though? You know, be thankful

10:01.600 --> 10:06.400
for what you have. If you're lucky that you're able to reach, you know, these gigantic user spaces

10:07.360 --> 10:15.760
margins, we hear love free software. But we never, we often don't examine why. We don't

10:15.760 --> 10:24.480
often say, like, what is it about free software that what problems does it solve? Why do we prefer

10:24.480 --> 10:34.080
this over other ways of developing distributing software? So one hazard that has a risen,

10:34.240 --> 10:41.040
especially in recent years has been that these app stores have these large profit margins

10:41.040 --> 10:46.720
have led to developers seeking alternative monetization routes for their apps rather than paying

10:46.720 --> 10:53.920
an absorbent of 30% cut to Apple or Google for your app store app. You can seek alternative

10:53.920 --> 11:01.440
means of monetization. And that is often through advertisement. An advertisement can provide a

11:01.440 --> 11:07.600
direct stream of revenue for the developer. But as a side effect and as a additional revenue

11:07.600 --> 11:13.520
stream for the people that are providing this ad tech, they provide a stream of data collection

11:13.520 --> 11:19.360
from your devices to centralize data brokers that then package them up, resell them, you know,

11:19.360 --> 11:27.200
throughout the world. This data collection is massive in scale. It can get all sorts of information

11:27.280 --> 11:32.000
from all sorts of parts of your devices. If you trust it with your contacts, with your calendar,

11:32.800 --> 11:42.480
with your location, with your media libraries, your photos, your camera, it can assemble

11:42.480 --> 11:46.320
these gigantic dossiers of people that are extremely valuable to resell.

11:48.640 --> 11:53.040
You know, what does your phone know about you? It has all these sensors. It tracks not only,

11:53.120 --> 11:58.000
you know, where you are, but where you're going, where your habits are, and where your interests

11:58.000 --> 12:03.120
are. And it can drive all sorts of secondary information, you know, not just your interest,

12:03.120 --> 12:08.720
your religious affiliation, your, you know, your political allegiances, and so on.

12:11.120 --> 12:16.320
So how do you identify the good apps from the bad apps? Almost all of these are marked as free,

12:16.320 --> 12:19.840
not in the sense of free software, but in the sense of, it causes your money to download.

12:20.400 --> 12:28.640
But how do we identify the good from the bad? And the problem is that you really can't. You have

12:28.640 --> 12:35.680
these opaque bundles of binaries that get sent down to your device. And you can't look inside.

12:37.600 --> 12:42.800
They are at the very least obfuscated and at the very worst, especially in the case of Apple

12:42.880 --> 12:50.560
devices, they are encrypted. And if you are in pretty much any Western country, they will,

12:51.600 --> 12:56.480
the law will be adhering to the principles of the United States digital millennium copyright

12:56.480 --> 13:03.680
app, which makes sort of felony to break open these applications and look inside and examine

13:03.680 --> 13:08.320
what exactly they're doing. Not everyone has the digital millennium copyright app, but more or less

13:08.320 --> 13:13.360
every Western country has equivalent laws on the books that have followed the precedent.

13:14.800 --> 13:19.600
So free software to the rescue, obviously, right? You can publish a source code and you can

13:19.600 --> 13:23.600
publish the app and you can tell people, okay, line these two things up. And you can see we're not

13:23.600 --> 13:29.920
doing anything the farias we're not, you know, sneaking off your information. But can you, can you work

13:29.920 --> 13:35.920
with that on a personal basis? Can you, you know, can you just say, as a principal, I'm only

13:35.920 --> 13:41.120
ever going to download these applications from these commercial app stores that are sourced from

13:41.680 --> 13:48.160
you know, places where they build the software in the open. And you could, in theory,

13:48.160 --> 13:55.120
you would have to manually manage that curation yourself, but you would be hard pressed to actually

13:55.120 --> 14:00.720
prove it. You know, someone can say, here's the source code that goes into my app, but how do you

14:00.720 --> 14:07.200
actually prove that these opaque blobs match the code that was published online? It was

14:07.200 --> 14:12.960
literally easy to slip in a little extra thing right before you submit a build that might add in a

14:13.520 --> 14:20.400
ad network, a data broker, all sorts of data collection, certain, certain, typically,

14:21.920 --> 14:27.440
tracking your, you know, personal information and, you know, your claims would be false, but it

14:27.520 --> 14:33.200
would not be provable. So that's where F2A comes in. How many people here have heard of F2A?

14:34.800 --> 14:40.320
All right, so I probably don't need to give you all that much background. So, started in 2010,

14:40.880 --> 14:47.200
it's one of the oldest app stores out there, over 15 years old, as of last year, and exclusively for

14:47.200 --> 14:54.160
you know, open source software. And it is verified, you know, either the project itself will build

14:54.240 --> 15:01.440
the binaries and distribute them to end users or it allows the developer to build the binaries themselves

15:01.440 --> 15:09.600
and distribute the binary and then the Android project will validate that by performing a reproducible

15:09.600 --> 15:14.880
build of that and checking bit by bit that they are that they're the same. So essentially impossible

15:14.880 --> 15:22.000
to hide anything when it's distributed through F2A. So that's for Android, you might say that we've

15:22.000 --> 15:26.160
got Android covered in that respect. So let's hop over to the other side of the doopily.

15:27.360 --> 15:31.680
There's nothing like that for iOS, as I mentioned, all iOS apps are encrypted, there's no open

15:31.680 --> 15:38.320
app store, APIs, you only have one route to doing it and you have no means of verifying it. However,

15:38.320 --> 15:44.560
the digital market's act popped up fairly recently. It was proposed in 2020, it passed in 2022 and it

15:44.560 --> 15:53.280
came into enforcement in March 2024. And that mandates that the gatekeepers, the digital gatekeepers

15:53.280 --> 15:59.120
of online intermediation services, in other words Apple and Google and their app stores,

15:59.920 --> 16:07.040
be able to provide the ability to have competition in the market and open up their APIs to allow

16:07.040 --> 16:13.760
alternative app marketplaces. And that is what came into effect. And a lot of people thought,

16:13.760 --> 16:20.320
great, we are going to have F2A for Apple now. And we can have a single universal source of applications

16:20.320 --> 16:29.280
across both sides. The problem is many people know is that the actual claim to compliance

16:29.920 --> 16:36.960
of for on the side of iOS was the implementation of these alternative app marketplaces. And

16:36.960 --> 16:46.000
it establishes a lot of rules. For the marketplaces themselves, you need to get approval from Apple,

16:46.000 --> 16:50.720
you need to be based in the EU, you need to write a 1 million euro standard business letter of

16:50.720 --> 16:56.000
credit. And then you have core technology fees, basically junk fees that are layered on top of it

16:56.560 --> 17:02.880
that are applied on a per download basis, even for free applications. For developers,

17:03.840 --> 17:07.920
you might think that you could just submit your app directly to these alternative app marketplaces,

17:07.920 --> 17:12.560
like you can do on Android, no, you still have to do exactly the same thing as if you are

17:12.560 --> 17:17.040
distributing your app through the Apple App Store, you need to get approval, you need to pay

17:17.040 --> 17:22.880
your fees, you need to read to the term to conditions, upload the app, and then wait and hope for approval.

17:23.440 --> 17:31.760
And only then is the app processed by Apple and bounced over to the alternative app marketplace,

17:31.760 --> 17:38.080
which then is permitted to redistribute it to the users of these marketplaces.

17:41.200 --> 17:48.480
And the biggest problem is that the exact same restrictions on the close source marketplace

17:48.480 --> 17:53.360
apply to the alternative app marketplaces, which is that the apps are wrapped up in a DRM bundle.

17:54.000 --> 17:59.040
They are encrypted. And this not only means that the end user can't see inside the app, it also

17:59.040 --> 18:03.840
means that the alternative app marketplace is also enabled to look inside the app,

18:04.640 --> 18:09.520
which makes it essentially impossible to comply with Apple's own contractual rules for

18:09.520 --> 18:14.240
these alternative app marketplaces, which is that they guarantee that any apps they distribute are

18:14.240 --> 18:20.240
free of malware. They have that requirement, but they do not offer any possibility that anyone can

18:20.240 --> 18:26.560
legally verify these apps, not only by scanning the binaries, but by lining them up with the

18:26.560 --> 18:35.440
underlying source code. At least we still have Android though, right? So maybe iOS is a

18:35.440 --> 18:39.600
lost cause, maybe the rules are not going to be in force for them, but we still have Android.

18:41.040 --> 18:44.880
And we did, up until the end of last year, at the end of last year, a lot of you probably heard

18:44.880 --> 18:50.320
that Google announced their Google developer registration mandate, which requires that

18:50.320 --> 18:55.200
anyone who wants to distribute applications anywhere in the world on an Android certified device

18:55.200 --> 19:00.480
regardless of what store friend it goes through, or whether you're just providing it for

19:00.480 --> 19:07.360
direct download from your website, must register centrally with Google. And the rules might sound

19:07.360 --> 19:11.120
familiar to you, if you have to register centrally, you have to agree to ever changing terms and

19:11.120 --> 19:17.200
conditions, you have to pay fee, and you have to register each of your applications with Google

19:17.200 --> 19:23.680
and in an ongoing way, any new applications you need to put through them. And this is a gigantic

19:23.840 --> 19:33.840
problem for the world of free software. All of a sudden, these two marketplaces are starting

19:33.840 --> 19:42.480
to really close in and align on all of their policies. And this is a critical problem for

19:42.480 --> 19:46.560
Android, because we can't really require our developers register with Google especially

19:46.560 --> 19:52.880
if we're just reproducing their builds, many will not. So it's really an existential crisis for

19:52.880 --> 20:00.880
marketplaces like ours that really rely on the freedom and independence of the app developers

20:00.880 --> 20:10.480
to be able to contribute their applications. But it's not just about what apps are available,

20:10.480 --> 20:14.880
it's also about what applications are not available. The centralization of control

20:16.080 --> 20:21.200
should be concerning for everyone, not just free software developers, because you have a lot of

20:21.200 --> 20:27.520
perils that come from centralization. You have a lot of examples of how any centralized control

20:27.520 --> 20:39.440
can lead to abuse. You saw this in Hong Kong in 2019. You saw this in Russia in 2021 with the

20:39.440 --> 20:46.880
fair voting application that got pulled. And you saw it in the US in 2025 when applications

20:46.880 --> 20:51.840
that were designed to help people protect themselves from police brutality were unilaterally

20:51.840 --> 20:57.360
and extra legally pulled from these app marketplaces at the pressure of the administration.

20:57.360 --> 21:03.360
In each of these cases, these were extra legal requirements that the gatekeepers wound up

21:03.360 --> 21:12.240
complying with. And this had worldwide consequences. And there was no review, there was no accountability

21:12.320 --> 21:18.320
and it's definitely going to continue happening again and again. So what can we do about this?

21:18.320 --> 21:24.560
How can we actually change this? What hope is there? As you probably know, I'm in the United States

21:24.560 --> 21:30.480
so the likelihood of there being meaningful regulation any time in the next few years is extraordinarily

21:30.480 --> 21:40.160
unlikely. But policy makers in Europe are actually very receptive to feedback to communication.

21:40.160 --> 21:44.480
And I've talked with many of them myself. I frequently consult with digital markets act

21:44.480 --> 21:51.840
regulators on how to go about things. And you need to make your voice heard to your policy makers.

21:52.880 --> 22:00.080
You need to point out that the only real path to digital sovereignty is through the total

22:00.080 --> 22:04.880
disintermediation of centralized control. You really need to be able to make it so that

22:05.760 --> 22:11.120
you can get directly to end users without going through one single centralized group.

22:11.920 --> 22:16.880
I started a website called Keep Android Open that focuses on pushing back against the Android

22:16.880 --> 22:22.160
developer verification mandate. I encourage people to take a look at that to see points of contact.

22:23.200 --> 22:28.400
For developers, I think everyone should consider the promotion of these alternative app

22:28.400 --> 22:33.520
marketplaces by developing for them first. If you're an Android developer, consider shipping your app

22:33.520 --> 22:38.320
on on F-eroid before anything else. And then there's nothing stopping you from also going through

22:38.320 --> 22:43.200
the Google Play Store. If you're on iOS, sign up for Alt Store and try distributing your application

22:43.200 --> 22:50.400
there. These app marketplaces are growing and thriving, but they need more high quality software

22:50.400 --> 22:56.560
and software developers are the ones that we really need to provide that. And for everyone,

22:56.560 --> 23:02.400
developer, user, policy maker, use these marketplaces. If you do not have them installed on your

23:02.400 --> 23:09.040
phone, download F-eroid for your Android phone, download Alt Store, if you're in the EU or Japan.

23:11.040 --> 23:16.960
Use them. See what they have and who knows, eventually they might be your one or only

23:16.960 --> 23:24.080
exclusive source of applications. My time is up. Thank you very much for coming. I don't have

23:24.160 --> 23:28.640
time for questions, but I will be outside this room if anyone wants to chat. And then I will be over

23:28.640 --> 23:35.200
at the F-eroid booth in UD-2 if anyone wants to learn more about the project. Thank you all for

23:35.200 --> 23:38.640
coming and hope you have a good remainder of the fuss done.