At this year’s Google I/O conference the search giant announced Instant Apps – Android applications dynamically downloaded, installed, and executed, with a single click. Slick functionality, certainly, but functionality which comes at the price of undermining the openness of Android as a platform. Instant Apps will be part of Google Play Services, not Android, and so alternative distributions will be left in the cold.
20 years ago Microsoft tried something very similar, and with the same justification. Microsoft failed, so it’s worth taking a moment to see why Google will probably succeed.
It was 1996 when Microsoft broke out of the browser sandbox with ActiveX, a technology providing the same functionality as Instant Apps. Just like Google, Microsoft’s primary motivation was extending its control over the platform, but Google will likely succeed where Microsoft didn’t, so what’s altered since ActiveX failed to change the world?
ActiveX was designed to compete with Java Applets – a technology from Sun which solved the same problem using Java. Java Applets run within a slightly-larger sandbox, designed to prevent the applet doing any damage, while permitting more functionality than a web page alone.
ActiveX didn’t come with a sandbox: downloaded code runs native with all the performance, and capabilities, that implies. These days an ActiveX download requires user approval before running, but at launch the only protection was the digital signature from Microsoft.
Which wasn’t enough. The public overwhelmingly recoiled from the idea of letting downloaded applications automatically run without a sandbox, while the Java Applet sandbox proved woefully insecure. Modern browsers (Chrome and Edge) don’t support either type of downloaded content by default, forcing companies still reliant on ActiveX to use IE or install extensions.
But the concept was valid, and sandboxed content is more popular than ever. JavaScript is part of almost all web sites, and executes in a sandbox in much the same way as a Java Applet. Native applications, meanwhile, are getting more restricted as mobile platforms pioneered the idea of applications that could be trusted a bit, but not entirely.
Android and iOS provide granular security, a sandbox-with-extensions. An application can ask for permission to access the camera, but won’t be allowed to make phone calls if it didn’t request the right.
At first glance Instant Apps look very much like ActiveX. Digitally-signed applications will be downloaded and executed without user interaction, and will be able to access device resources which would normally sit outside the sandbox (such as the camera and NFC chip). These applications will be signed by Google, but the user will not be given a list of requested permissions, and will not have the option of rejecting them either. While it might seem that Instant Apps inherit all the downsides of ActiveX, it’s been a long time since ActiveX failed as a web technology, and much has changed.
ActiveX suffered from having to support multiple operating systems, and slow download times, but Instant Apps are only on Android and when a single web page already averages more than 2MB* the additional load of a small app isn’t significant.
Which brings us back to security, and why Google will do a much better job than Microsoft ever could. The fact is that Android, and other modern operating systems, are compartmentalised into sandboxes at every level, making the sandbox the default operating environment rather than an exception to the rule.
Once it had been approved, and digitally signed, an ActiveX application could do anything – write to arbitrary memory addresses, interfere with data stored by other applications, rewrite the OS to act as a reproduction engine (the latter being why we call them “viruses”), enjoying a level of freedom denied to any approved application running on Android, no matter who approves it.
The architecture of Android means that Instant Apps won’t rely on the certification process of Google Play. They will still run within the sandbox which surrounds all Android applications. Even more importantly – all the Instant Apps will be delivered from Google’s servers. That means a misbehaving app can be instantly removed from circulation, and Google will curate the applications to ensure none make use of permissions they don’t need.
The paternal management is new. A company like Google can keep a careful eye on how Instant Apps develop, and tweak their capabilities as they go along. The permanent beta has become Agile development, and the company managing the platform has become a guiding hand which won’t let go.
Instant Apps will have security issues: the Android compartmentalisation isn’t perfect and there will be a few well-reported breaches, but Google will move swiftly to patch and secure the system. Alternative distribution stores, tolerated on Android, will likely be excluded from Instant Apps, and users won’t be permitted to opt out of Google’s control.
Competing distributions of Android will struggle to provide similar functionality, and even if they do it won’t be compatible, bringing Android more under Google’s control. Instant Apps will provide useful functionality, just as Google has been demonstrating at its developer conference, but at the cost of locking out the competition.
Instant Apps will succeed where ActiveX failed. Better compartmentalisation and centralised management will secure it, and users will appreciate it, but the real winner will be Google, which squashes alternative app stores and outmanoeuvres alternative Android distributions, all in the interest of providing greater web-site functionality.
* http://www.httparchive.org/interesting.php?a=All&l=Apr%201%202016