I think it's safe to say that the internet has become a "quasi-necessity" today. That is to say while it is not necessarily a "necessity", it is definitely not a "luxury" either. Banking, instant messaging, geo-locating and routing, governmental applications... While the question whether internet access is going to be a human right or not is a good debate topic, that's not what I'm going to rant about today.
Imagine a world where it is impossible to be a functioning member of the society without an internet connection. Not like today where it's practically improbable, think actually impossible. You can't buy a house that doesn't come connected to a remote smart housing server. You can't pay your taxes without internet access. You can't do your banking, you can't even open a savings account without internet. It's all digital.
Let's look at a few examples of how it would go:
There are a few features that I currently have to use my bank's mobile application for:
- Depositing/withdrawal using QR codes
- Contactless payments using the phone
- Applying for offers and promotions
- Opening a branch-free banking account
While I don't mind them being application exclusive features, there is one thing I do mind: the method I have to obtain the app. I have to obtain it through my operating system vendor's application store, meaning that to do banking with my bank, I also need to enter a contract with my OS vendor.
Since I can't just rant about drawbacks without also suggesting, let's also take a look at a few potential solutions:
F-Droid/Linux style distribution
In an ideal world, I would be able to have a store client that retrieves application packages from decentralized servers that all talk the same protocol. While this is already the reality within the open source community (e.g. F-Droid, Linux package managers as per the topic header); this is simply, practically infeasible for real world applications. Why?
- Lack of security within such package manager systems, especially considering the high security needs of applications that deal with things such as banking or governmental processes, would be inexcusable. Consider that even today when they're relatively niche, there have been malicious/bad PPAs or AUR scripts (doesn't necessarily have to be intentional). If you have enough users, some of them are guaranteed to make typos or find malicious links!
- Technical skills needed to operate such package managers. Probably the biggest reason this approach wouldn't work.
Making each repository its own application wouldn't work either since then you either have to:
- Register with that repository's owner, shifting the problem
- If you're maintaining your own repository, get users to sideload your app.
While the term "sideload" implies a danger of intrusion that is not merited, that is the least of our worries here. Most instant messaging apps I use (even the proprietary ones) do provide direct package downloads for my mobile OS. I do appreciate that. While the same arguments of the previous model applies here but there is also one another thing to consider with this method: server connections.
There are currently two methods to achieve push notifications to a mobile applications:
- Always on server connection that is handled by the application. Requires your app to always run in the background. Certainly not the most battery efficient (considering the lack of optimization brought with "sprints" nowadays) so very much discouraged, even at OS level nowadays.
- Centralized vendor provided connections. The norm nowadays. The device only needs to maintain one connection to a main server and all notifications are routed through that path.
Do you see the issue here?
Internet of Things / Smart Homes
There are many, many, many examples of a vendor going out of business or deprecating an IoT device making them essentially paper weight. Locally hosted IoT is not a solution either considering then you either lose the ability to contact the device from outside of the local network or essentially expect your users to be system administrators.
Dependency on Transportation
As human population grew and expanded throughout the planet, an industry for transportation of goods emerged. That is fine. That is acceptable. What isn't is the dependency on these things. A society needs to be able to self-sufficient. Transported goods should only be pleasant bonuses. Fortunately for me, I don't need to theorize examples for this topic as it has already happened in history more than enough times (e.g. 2021 Suez Canal obstruction).
History of Middlemen
Historically, lumber and coal companies used to pay their employees with "company scrips", issued by them and only accepted in company stores owned by them. While this was historically solved in United Kingdom with the "Truck Acts", it took until 1938 for the United States to solve this problem with the "Fair Labor Standards Act of 1938". The problem of middlemen isn't anything new, it just keeps reappearing with every new unregulated industry.
The Problem of Middlemen
Vendors do go out of business. Devices do become obsolete. It is simply foolish to depend on a vendor to provide you lifelong service. Look at Internet of Shit when you're bored. Why are we as a society progressing towards solely relying on vendors to distribute our software? There needs to be a better way that doesn't compromise security or require developers to register with distributors. I'll think about it.
UPDATE (5 Oct 2022): I did at first consider default pre-trusted repositories as F-Droid comes with a few of its own and the model seems to work fine for operating systems for providing root certificates (even though it historically was abused a few times by both manufacturers and trusted developers on the pre-trusted repositories). This solution, however, does not scale. At all.
Have you ever seen one of those "Install This App at X Store" kind of banners? In fact, F-Droid has something very similar! I think this could work! This however does not solve the security aspect of this model as now you have to make sure your users are finding your site to discover your repository links and not anything malicious instead.