There are several schools of thought regarding Apple’s growth over the last two decades and its recent ascent into $1 trillion and $2 trillion market valuations, but their common theme is that Apple has grown from David into Goliath — arguably too big for everyone’s good save its own. What once appeared to be Apple’s small “walled garden” of an app ecosystem has become one of the world’s largest software stores, if not the largest, and detractors have increasingly characterized the company as a domineering and unsympathetic villain, crushing smaller developers at will.
My own take is that Apple’s behavior is better understood by reference to an aphorism alternately credited to Napoleon Bonaparte and Robert J. Hanlon, most often referred to as Hanlon’s Razor: “Never ascribe to malice that which is adequately explained by” incompetence (Napoleon) or stupidity (Hanlon). In either case, the broad idea is the same; absent evidence to the contrary, presume that bad things are the result of poor judgment or mistakes, rather than evil intent.
Apple isn’t a perfect company, nor is it entitled to a presumption of purely good intent. Over the years, it has vacillated between populism and benevolent dictatorship, echoing Henry Ford by suggesting (quietly) that it knows its users’ needs better than they do. There have been times when it has acted with a heavy hand, and certainly examples of when it has put its own best interests ahead of users’ needs. But user satisfaction remains a significant factor in its decisions and successes. Even if a given decision is controversial, Apple’s overall track record of creating intuitive hardware, software, and services has defined the company, and it has been rewarded with unfathomable riches for delivering best-of-class solutions at global scale. It’s now a giant, though seemingly trying hard not to be a lumbering one.
This week, security researcher Patrick Wardle provided his latest example of Apple screwing up: evidence that the company inadvertently “notarized” a piece of macOS malware, enabling it to run without objection on even recent Macs. If you don’t recall Apple’s Notarization requirement, it was announced back in 2018 as a way for developers to reassure users that apps distributed outside the Mac App Store were malware-free. Viewed in the worst possible light, Notarization was yet another example of Apple trying to exert control over everything that runs on its computers, despite the company’s benevolent explanation: “Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components.”
The problem Wardle identified was that Apple somehow gave the thumbs up to malicious adware payloads containing OSX.Shlayer malware — notarizations it “quickly-ish” revoked once notified. Wardle rightfully poked Apple for “promis[ing] trust, yet fail[ing] to deliver” with Notarization, suggesting that a security system that doesn’t work as marketed could “ultimately put more users at risk.”
That’s where Hanlon’s Razor comes in. Notarization has been around for a while, yet there haven’t been many issues with malware getting notarized. Bear in mind that Mac malware issues tend to be called out exclusively by security researchers rather than end users, as unpatched, in-the-wild exploits are nearly as rare as public user Mac malware complaints, which hasn’t been true on Windows PCs for decades. The fact that Apple’s screening process screwed up this time — or the implication that the screening system may have a bigger hole — wouldn’t mean that it isn’t trying to screen properly or isn’t succeeding broadly at keeping users safe. In other words, this isn’t an example of security theater, but rather mistakes that should be addressed.
Earlier today, Apple reminded developers of some important App Store policy changes announced during this year’s WWDC: They can now appeal decisions that App Store submissions violated Apple’s guidelines, suggest changes to the guidelines, and not see their bug fix updates delayed over alleged guideline violations (apart from legal issues). This isn’t to say that the legions of small and large developers who have been upset with Apple over App Store guideline issues will suddenly be happy with the company — least of all Epic Games — but that Apple isn’t standing still, and is seemingly trying to take at least some developer requests into account when making decisions.
It’s tempting to take Apple’s gestures as evidence that it’s attempting to remain nimble and flexible despite its growing size, a challenge it has faced every time it has reached a new height of success. Some might view the very concept of app notarization as overbearing, but rather than being an impenetrable gate, Apple’s screening system isn’t as strong as it could be, and the company is responding quickly to reports of problems. Similarly, to the extent the process of App Store approval may have felt unilateral or unnecessarily brutal to some developers, Apple is opening the door to discussion and evolution. That sounds like a positive set of developments.
Having watched Apple spend years seemingly ignoring bug reports from users and developers, however, my biggest concern is that its invitations to appeal or change guidelines will similarly fall into a dark chasm, the digital equivalent of a suggestions box that empties out into a trash can. And what I’m inclined to see as imperfect execution or short-sighted decisions could be clearly revealed to be something worse.
It’s going to take a little time to see whether Hanlon’s Razor applies here. Apple has a chance to prove definitively that it’s not a malicious actor, just one that hasn’t performed ideally in the past, and is doing its best to be better — at least not obviously stupid — in the future.