Debug in 2014

It has been a pretty good year for Debug. We kicked things off in January with an interview with Evan Doll of Flipboard fame. Then we ran the table with a long string of amazing guests throughout the rest of the year.

I really enjoy Debug for a few reasons. Primarily I think it’s a worthwhile endeavour that captures stories that would have other wise have been missed. I know there are people in Apple who listen to the show and learn some of the history from the stories our guests have told. That’s amazing to me. For whatever reason our guests are universally open, honest and forthright. Our guests seem to trust us and I’m really proud of what we’ve managed to achieve.

Which brings me to the second reason I enjoy doing Debug. I love having conversations with these people. I’m always excited and sometimes I’m even nervous. Every interview I’ve done has found me five minutes in and me wondering how the hell I can fill an hour. That’s when the interview stops and the conversation starts. Three hours later we have a show in the can.

We’ve had some terrific conversations this year. On episode 40 we had Jessie Char, Serenity Caldwell, Brianna Wu and Georgia Dow run the show and the result was one of the things I’m most proud and happy to have had a part in creating. We had a brief series about alternative languages and their ecosystems. We had Nitin Ganatra. We had a lot of Nitin. Too much Nitin. Nobody likes that guy. And nobody likes Don Melton, our other repeat offender. They even teamed up for a couple of shows. Jerks.

Thank you all for listening. Our audience is far beyond what I’d have anticipated. We peaked at over one hundred thousand and our average listeners are well up there. I’m so sorry for all the pauses. I swear I’m thinking and not just wasting your time.

We’ll continue to have incredible guests. If anything the reason I feel comfortable saying nice things about a project of mine is that, really, the show is about the guests. We’ll keep having in depth discussions and fleshing out the historical record.

It has been a thrill. Thanks for coming along for the ride so far.

Regarding OAuth for Apps

OAuth for native apps is the worst of all worlds. It’s horrible to implement, it’s a horrible user experience and nobody understands it. That’s a little bit hand-wavy, true. Nobody who actually uses your software actually knows what the hell this OAuth business is nor do they care.

Yes, when they use OAuth they are presented with a page that appears to be branded similarly to your website. A website that, despite what all the big cats seem to do, may actually seriously and honestly strive to protect your personal data. So it’s possible that this branding may well make the user of a native app feel more comfortable submitting their login information. After that is done the native app receives a token that can then be used to communicate with your service.

The problem is that there is absolutely nothing here that precludes native applications from acting as phishing terminals. Nothing. In fact it is completely possible that a malevolent application could use genuine OAuth authentication most of the time but, very occasionally so as not to draw attention, present a phishing attack instead.

Craig Hockenberry went into great detail in his piece about this today — In-App Browsers Considered Harmful. If you’re not a nerd you should be aware that the “Considered Harmful” title is not by accident. This is the language used when developers are warning other developers from following a common practice. You don’t use it lightly. Unless you’re using it lightly because it’s dumb. This is not dumb.

Craig booted his app out to iOS Safari in order to do the OAuth dance. He did this because despite being more steps for the user to take it avoided the issue of trust I outlined above. A user didn’t need to trust Iconfactory or Craig. They needed only to trust Apple. Which is a fair assumption since using an iPhone implies a fair amount of trust in Apple in the first place.

Turns out Apple rejected the app because they thought the user experience of going through Safari to obtain an OAuth token was too onerous. First, yes, it’s completely stupid that’s the way things need to work. Second, “user friendly” doesn’t mean what it appears Apple thinks it means in this case.

Less tapping around and not leaving the app? Yes. That’d be a good thing. It appears, however, that Apple rejected this application because it strove to do the right thing for users over the long term — establish a level of trust and transparency vetted through Apple’s own web client for the platform.

“That’s a shitty experience” is, as far as I’m concerned, a decent reason for rejecting a submission to the App Store. What happened here was an application that didn’t take a short-sighted and myopic view of what a “shitty experience” really means was punished for doing so. It is not in Apple’s interest, or for anyone serious about the platform, to enable or accept a culture where phishing attacks are not only possible but the potential is encouraged by the platform vendor in the name of fewer clicks and less task-hopping.

Yes, it’s a pain in the ass to do it. No, the solution isn’t to reject apps that take the time to do it right and, more over, will take it on the chin from Apple and their customers in order to be as transparent, secure and honest as possible.

The issue is OAuth. It’s cumbersome, difficult to implement well and requires hoops to be jumped. Rejecting a developer for doing the right thing by their customers (who are all Apple customers) encourages a culture of not giving a fuck. That’s never turned out well in the long run.

CocoaConf Yosemite

I’ve been excited about this for a while now and I’m really happy to be able to finally talk about it. In late April CocoaConf will be holding an event at Yosemite National Park.

Yosemite is best known for being the the home of El Capitan, the rock face that Captain Kirk climbs at the beginning of Star Trek V: It Never Happened. And, of course, Yosemite is the birthplace of Yosemite Sam who vies with Elmer Fudd to be the canonical Bugs Bunny villain. Apparently, it’s also the marketing name of an operating system for personal computers and, I’m told, an incredibly beautiful place.

I can’t say enough great things about the speakers they’ve lined up. It’s a terrific collection of some of the most insightful people in the field. I’m looking forward to this for so many reasons. If you can make it please join us. Registration is now open.