On code signing, and the world of difference between Android and iOS

Geoffrey Goetz, writing for GigaOM, digs into the concept of code signing:

One of the benefits that curators like Apple and Google can gain from code signing apps is that it provides a means of stopping malware from spreading, especially when the platform only allows code signed apps to be installed. Just this past week Google took measures to suspend a particularly malicious group of apps labeled as malware from being distributed in Google Play. With 99 percent of all mobile malware targeting the Android platform, preventing such threats from spreading is something that any app store operator like Google would want to ensure its customers it has the situation under control.

If Apple and Google both use code signing, why does “99 percent of all mobile malware” target Android?

On the one hand, Apple enforces code signing and they completely control the code signing process. Apple is the only code signing authority. Short of jail-breaking your phone, if you are running an iOS app, Apple has vetted that app.

Android, on the other hand, offers code signing as a suggestion:

While it is true that Android developers can sign apps before deploying them to device, they don’t really have to. There are plenty of ways that developers can deploy apps to Android devices that do not require any level of code signing at all. Side-loading apps by tethering the device with a USB cable, downloads apps from web sites or even install apps from an attachment in an email message are some examples. While Google may have some control over Google Play, it does not control the Android platform as a whole.

Apple’s insistence on total control is an inconvenience for developers, certainly, but it is a boon to users and the ecosystem as a whole. If you care about security, the best existing solution requires this level of control.

The article makes the case that the process of getting your app on the App Store is a difficult, arcane process:

The goal of most developers is getting their app into the App Store. This requires one to work through the intricacies of creating an AppID, TeamID, Distribution Certificate, and Provisioning Profile from within an Apple Developer account. Once this is completed, developers soon realize that the battle is only half over, as they then need to create an iTunes Connect account and register for an available App Record which is necessary to upload and submit your app for review. It never goes quite as planned the first time around and you end up spending a fair amount of time troubleshooting what step you missed. When all is said and done, you realize that you could actually make a career out of helping developers shepherd their apps through this process.

All I can say to this is, when the App Store launched (along with iPhone OS 2.0) back in 2008, the process of getting an app on the app store truly was an incredibly arcane, confusing process. The current process does feature hoops to jump through, but in my opinion, it is head and shoulders better than the way it used to be.