
Amazon has no idea how to run an app store - lkrubner
http://www.smashcompany.com/business/amazon-has-no-idea-how-to-run-an-app-store
======
lkrubner
This is perhaps the key bit of silliness:

"And this is where we run into the first bit of craziness. Amazon decided that
they should model the Alexa app store after the iPhone app store. So there is
a certification process to get your app into the store. But think about the
difference: you are not uploading a binary file to the Alexa app store, you
are simply registering an URL. So Amazon has no real control over your
software. You could get an app approved, and then you could swap out the app
for any other app, and the Certification team at Amazon would never know. They
don’t control your code. Your code is not in their store, so they have no
control over what you do. And yet they modeled this process after the iPhone
store, where Apple does have control over your app."

But that doesn't get at how crazily broken the certification system is. You have
to read the quotes from the other developers to understand that.

~~~
eli
You are assuming that the only purpose of certification is to catch actively
malicious developers. I can think of many other perfectly good reasons to have
one: to make sure server response times are fast enough, to make sure it fits
the guidelines for types of content they want in their ecosystem, to make sure
it doesn't blatantly violate any trademarks, etc.

I don't think the concept of a certification process is the problem, just the
implementation is terrible (compared to the Apple process which is merely
"poor")

~~~
SilasX
But that doesn't refute the parent's point: since the content at a URL is
inherently mutable, they could judge that (at time of submission) some app is
the type of content they want in their ecosystem, and then seconds after
approval, it no longer is.

~~~
DDub
It could be that the client device validates a checksum against the approved
list at the store before installing? Haven't tested if this is the case, just
spitballing a mechanism that would allow for the control without the hosting.

~~~
woah
[https://github.com/substack/hyperboot](https://github.com/substack/hyperboot)

------
dahart
Apple's review process also sometimes felt arbitrary, especially early on, and
there's been a long list of complaints over the years that sound just like
these.

I used to work in games, and the approvals for Nintendo, Sony, and Microsoft
were all super, ridiculously frustrating at times. We had experiences very
much along the same lines of failing again for doing the very thing they asked
of us in the previous rejection.

Anyway, usually it works out eventually. No problem with making some noise
about it being bad, and hopefully they hear it, but it is not uncommon, nor
unique to Amazon.

The point about registering a URL isn't entirely accurate, IMO; plenty of
Apple App Store apps consist partially or entirely of webviews. Even for fully
native apps, Apple doesn't really have "control" of the code in the sense
described in the article. Registration and the approval process are primarily
there to give the publishers control over what appears in their store, as well
as identify the submitters in a way that attempts to keep a little bit of
accountability should they do something bad. Those reasons for requiring
registration and review are just as valid for a url as for a bundle of code.

~~~
bananaboy
My experience in games has been the opposite. As opposed to Apple and Amazon,
the console certification requirements are set in stone. The documents are
very clear about what you have to do.

~~~
MaulingMonkey
The requirements are generally much better documented for consoles. But some
of the requirements can still be subjective. Edge cases still pop up as well,
and the requirements can change over time (especially early in the console
cycle when everything is still getting ironed out - nevermind when switching
between console generations.)

Even ignoring the edge cases and subjective items, they can be _extremely_
picky about such important things as... leaderboard username terminology.
Which will not necessarily be the same across all storefronts from a given
company, even if they're all using the same service under the hood.

And then the moment you step into the territory of needing waivers for
anything - better hope your publisher has a good relationship to secure those.

------
rdtsc
Or Amazon video on Android device I have -- in order to play prime videos
it told me to disable app source checking and side-load some .apk file, which
will then help me get the Amazon video apk file... or something.

Yeah forget that. At first I thought it was a joke of some sort. But I guess
that's how you are supposed to do it.

I'll just stick to Netflix and watch videos there. Somehow that manages to
work without side-loading a bunch of crap.

~~~
lmm
What's the threat model there? It's not like _Amazon_ are going to start
stealing customer credit card numbers - if anything they're one of the few
companies I'd trust to get security right. Tick the checkbox in settings,
install the APK, untick the checkbox again. It's really not a lot of effort or
risk.

(The most sensible-sounding negative claim I've heard is that Amazon do that
so that they can do more invasive location tracking than Google permits
(though the same kind that Google does themselves))

~~~
rdtsc
> What's the threat model there?

* It annoys me as a consumer.

* It reeks of incompetency (yeah, go and disable that security check that looks like it is there to prevent malicious software to be installed on your device, yeah, yeah, that one).

* It is a convoluted process.

* It leaves my device vulnerable. Let's not speculate (like you did apparently) but copy and paste from their own source:

[https://www.amazon.com/gp/feature.html?ie=UTF8&docId=1003016...](https://www.amazon.com/gp/feature.html?ie=UTF8&docId=1003016361&ref_=mas_surl_undrgrnd)

\---

Update Phone Settings

    Go to your phone Settings page
    Tap Security or Applications (varies with device)
    Check the Unknown Sources box
    Confirm with OK

Step 2 Go to Downloads

    Open Downloads on your device by going to My Files or Files
    Tap on the Amazon App file (Amazon_App.apk)
    Tap Install when prompted

Step 3 Launch Underground App

    Tap Open to launch the Amazon Underground App
    Use the Menu on the left and select Apps & Games

\---

Yeah, I don't see anything about the "untick the checkbox again" part.

------
umanwizard
It's really remarkable how much Amazon's reputation has been self-destructing
in the last year or so.

Even 6 months ago when I told people I thought Amazon was an all-around shitty
company (having worked there) and shouldn't be mentioned in the same breath as
Google, FB, etc., people looked at me like I was insane.

Somehow the stock keeps going up... I don't have any material insider info but
just on a hunch I doubt that will remain true forever.

~~~
goldenkey
Having worked there as well and recently left, I'm super surprised as well to
see them considered with the likes of Google or Facebook, etc.

Shitty middle managers are rampant. The engineering culture is defined by
Levels..Level 3, 4, 5 etc. Consistency is promoted over quality. Codebases
were so horribly not DRY it makes me want to vomit.

Unit tests for constants -- unit tests for specific code inside of functions.

I can go on and on. But generally the place is run like it's a sales company
primarily. Not an engineering company.

Amazon has a cancer throughout it. It's basically a shitty copy of Microsoft
without any of the virtues..but all the vices.

Not to mention, it says a lot that they have no perks except "free tea." 12
Leadership principles, which are dumb shit like "Be curious", "Have instinct."

Amazon doesn't have the brightest or the best - they have sheep that get
tangled in the middle, or assholes that somehow become management. The company
is only surviving because it set its margins so low that no one else could
compete.

But now market leaders are sprouting out. Chewy.com for pet food. Walmart.com
for general goods. Drugstore.com / Soap.com / Walgreens.com, the list goes on.

With such a shitty internal culture, Amazon will fall. I will have a shit-
eating grin when that happens.

\---------------------------

Amazon Web Services was their saving grace. But having seen internally how
each team has different practices, different tech..some that are arcane and
esoteric. There's no cohesion. Even the CSS for Amazon, there's no sheet that is
shared. Each team has to hard-rip the colors and whatnot from other projects
like the retail site.

Makes me totally re-evaluate AWS after seeing how it's built internally.

The charm of AWS is that every service in that goddamn console looks like it's
a polished part of a pyramid of engineering sanctity.

Heh, wrong. Each service...written by a different team, with totally different
methods, totally different tech. Some teams even use .NET and IIS... You can
probably probe the endpoints to some of these services and maybe see it
externally. But well, take my word for it.

Once a team has a decent AWS project, they slap together a new logo. Make the
UI blend with the existing panel. And then scale it using existing AWS
services. But it still is a hydra of mismatched code.

The whole thing is a frankenturd - they did a good job with the design, ui,
and IAM policies to make these services look like they are all part of the
same cohesive development. But it simply isn't the case. AWS is patched
together like a paranoid android on the inside.

~~~
petra
If AWS is so shitty on the inside, why aren't the blogs filled with stories
about bugs etc after the enormous amount of use it gets ?

~~~
westernmostcoy
I suspect only EC2/S3 and their paired services (EBS, IAM, etc) gain enough
use to qualify as "enormous" and thus receive wide attention for their
failings. AWS has a _lot_ of services:

[https://en.wikipedia.org/wiki/Amazon_Web_Services#List_of_pr...](https://en.wikipedia.org/wiki/Amazon_Web_Services#List_of_products)

Putting that aside, I'm not sure "why aren't people complaining?" is a
reasonable way to prove or disprove how buggy software is.

------
melted
No one has any idea how to run an App Store. Even Apple's App Store is vastly
inadequate to sell the gigantic number of apps available on it. Top N apps
make out like bandits, everyone else is basically dying. It will always be
power law, but IMO the tail could extend quite a bit further than it does
today.

~~~
woah
The App Store is not there to serve developers

~~~
melted
It's not clear who or what it serves right now. It stands to reason (from
simple arithmetic) that the more money developers make the more money Apple
will make as well. They do make billions off that store. Making more money
means surfacing more apps to more users, adapting to user preferences,
employing prediction, etc. Apple doesn't seem to be doing much (if any) of
that.

------
galactoise
I'm the same "Galactoise" quoted in the original story. I'm really happy to
see the conversation that cropped up here, about the lack of value around
trying to certify a mutable black box, and hopefully the power of HN is enough
to get some action from the Alexa team.

I also wanted to pass along a blog post I threw together on the topic.
[http://www.derpgroup.com/blog/on-the-topic-of-certification](http://www.derpgroup.com/blog/on-the-topic-of-certification)

It's pretty long, but the tldr is as follows: We're all worked up about this
idea of having to build switches into our code to meet arbitrary certification
guidelines, only to turn them off the moment we are live in prod. It's worth
noting, though, that Amazon pulls these sort of antics (bait-n-switches) on us
regularly and without remorse, and that there's really no way we can even know
it happened. This is arguably even more destructive to the quality of our
products than trying to build for a set of capricious guidelines.

------
meesterdude
Not surprised by this at all.

> However, the Amazon system is so broken that it potentially offers a fix for
> itself. When the Certification Team rejects your app, you don’t need to change
> the app. You do not need to respond to their requests. You do not need to make
> any of the changes that they demand. Since a new person reviews each
> submission, and since there is no limit on submissions, one way to get through
> the certification process is to simply roll the dice and spam the
> certification team. Submit an app 10 times, or 20 times, or 30 times. At some
> point you will probably get lucky, and someone will approve your app.

Amazon has clearly put a lot of thought into how this is going to work.

They also have no idea how to run a video streaming service; or they think
they do, and just don't know how much it sucks. They also have started sucking
in buying things, with things like "pantry" which require you to buy a box for
$5 so you can get things like soap.

I canceled my prime and have been buying things from stores. I buy my videos
(ala DVD) so I can watch them when I want and not be worried about them
getting pulled by Disney from the "prime" section and being forced to buy it.

Honestly, the only thing I have any respect for is AWS. But even that is
severely lacking in polish and clarity, and it's almost a full time job trying
to keep up with their additions and changes.

~~~
erikpukinskis
> They also have started sucking in buying things, with things like "pantry"
> which require you to buy a box for $5 so you can get things like soap.

Delivering batches of household goods of arbitrary size profitably is a hard
problem that no one has figured out. Everyone is fiddling with business models
trying to make it work.

I think at the end of the day shipping is expensive and trying to hide that
from customers without incentivizing profit-negative transactions is nigh
impossible.

Things will probably change when we have droids roaming the sidewalks, but
until then these strange charges are going to keep popping up.

~~~
CamperBob2
_Delivering batches of household goods of arbitrary size profitably is a hard
problem that no one has figured out._

Wait, wait, I think I've figured it out. _Raise the price._ Repeat until
either the transaction is sufficiently profitable, or the customers go away.

That will work better for everyone than what Amazon has started to do lately,
which is prevent you from buying certain items at any price until your order
exceeds $25.

Basically, Amazon has started to tell their customers "No." That's new, and I
agree with the other posters who call it a bearish sign.

~~~
deegles
Maybe the current prices are already low enough that raising them would make
the customers go away?

~~~
CamperBob2
I can only speak for myself. Seriously, are people actually _defending_
Amazon's add-on items? I'd love to hear more about the business rationale, no
snark intended.

------
astazangasta
The 'app store' is the adulterated form of the Linux package repository. No
shock that when you remove community management, accountability, openness,
verifiability and add in monetization things get shittier.

~~~
nailer
I think that's how app stores began - do you remember 'Click N Run' in 2002?
[http://i133.photobucket.com/albums/q41/mp3tunes/cnr-linspire...](http://i133.photobucket.com/albums/q41/mp3tunes/cnr-linspire-installer.jpg)

~~~
SixSigma
The NeXT Computer and the NeXTSTEP operating system was the platform used for
creating the first App Store, originally demonstrated to Steve Jobs in 1993.

[https://en.wikipedia.org/wiki/NeXT](https://en.wikipedia.org/wiki/NeXT)

~~~
nailer
Do you have any screenshots? Your comment originally said NeXT created
bundles, which is very different from an online store for software.

~~~
SixSigma
Yes, the bundle thing is also true. I found the bit about app stores while I
was trying to find a year.

No screenshots. I just remembered that the bundle thing was something I was
excited about wrt Next at the time. And booting from Cdrom, and display
postscript. I wanted one so badly but by the time I had money they were very
obsolete.

~~~
nailer
There's no reference though. It's just:

> creating the first App Store which was originally demonstrated to Steve Jobs
> in 1993

without any footnotes. Would have loved to actually read something on the
topic.

~~~
SixSigma
I only really know about it from memory and even then it's from reading
PC-World, not direct experience.

The Bundle was one of those great ideas for users that got kicked in the nuts
by Copy Protection methods until signing and activation was built into the OS
proper.

[https://en.wikipedia.org/wiki/Bundle_%28OS_X%29](https://en.wikipedia.org/wiki/Bundle_%28OS_X%29)

Even on early Windows all you had to do was xcopy a directory to share it with
friends. My Quake2 folder still follows me from machine to machine.

~~~
nailer
Yeah, I get what you're saying about bundles, and I think they're a great
idea, I just want to see if you have anything about what you said re: a place
to buy bundles online.

------
kohanz
Interesting timing: I just got an e-mail for a (free) app that I purchased in
the Amazon app store. Only problem, I have never visited the Amazon app store.
The Amazon rep on the live chat explains to me that this is because someone
entered their e-mail address incorrectly when making a purchase. How does that
make sense? Shouldn't you need to be signed in to your Amazon account (or some
other account) to make an app purchase? It actually makes you type in your
confirmation e-mail address manually? Can someone with experience in their app
store comment? That seems like a brutal design decision...

------
notlisted
I have an echo. I like it, but the skills store is awful for the consumer too.
Too many silly apps (like the current #1 listing a fart app referenced below),
and the app features a skills list, but no categorization, no option to filter
apps by stars so unknown gems can be discovered, no stats on installs, no
rating distribution graphs. All very strange.

Worse still, there's no standard vocabulary to interact with skills and the
flexibility of the wording depends on the developer. You need to mention the
app, which can have weird long names (e.g. Agog Reader) or near-duplicate
names (e.g. three bitcoin apps).

All-in-all, the skills feature (and the skills store) feels like an after-
thought.

~~~
lkrubner
> All-in-all, the skills feature (and the skills store) feels like an after-
> thought.

Joseph Jaquinta expressed a similar sentiment when he wrote:

"Amazon's traditional areas (everything on AWS) follows a different model.
They are more like a utility. Minimal engagement. No direct support. They
provide a service. You take it or leave it. While this I think is a workable
approach for a wide audience in a mature area, I do not think it is a wise
approach for Alexa. But, that's if they give a hoot about 3rd party developers
and think they are going to add any significant value to their platform. We
don't know if this is so, because they won't say."

------
jjaquinta
This is my take on it here: [http://ocean-of-storms.com/tsatsatzu/explaining-amazons-indi...](http://ocean-of-storms.com/tsatsatzu/explaining-amazons-indifference/)

~~~
lkrubner
This bit from your blog post is a great summary:

"There’s no public tracker for tickets. Features and suggestions go off into
the void, and you’re left guessing if they are ever going to happen. Releases
come infrequently and unannounced. There’s no product roadmap. No indication
of what’s coming up. Nothing to create a development plan against. There’s no
bidirectional collaboration with the community. The closest any developer gets
to the team is during skill certification. And, even then, names are hidden
and you only get anonymous mails from the “Alexa Skills Team”."

------
scottu
Other than the operational issues, like not having a good way to contact amazon,
this reminds me of a 900-number system we ran at MCI.

When you registered for a 900-number, you had to submit a script along with
it. MCI would try to limit the possibility that you'd use it for some
nefarious purpose, all CYA. They had a team (probably one person) that audited
the numbers periodically. That didn't stop people re-using the numbers for
bogus financial services and adult things.

~~~
ceejayoz
We went through the same thing a couple years ago with an SMS short code. Had
to submit a script (despite it being dynamically driven), set a max number of
messages per month (despite it being user-initiated), etc.

The real kicker is we once got a massive nastygram from Verizon threatening us
with shutdown - they claimed we were sending porn spam messages via the
number. After quite some time auditing our entire stack we got a "our bad, one
of our techs had malware on their Android phone" email.

------
yeukhon
I think the whole approval process is just a ToS legal scheme of "we did our
part, so we can go after you and blame you if something happened." I don't
know if it will ever scan your URL for any intelligent malicious misuse but it
may. If someone can explain exactly how "skill" works with Alexa... sounds
like some kind of Pipe / IFTTT kind of service.

------
cm2187
The amazon music application is also one of the most appalling software too,
it is messy, it keeps flashing, there doesn't seem to be any logic in how the
screens are organised, it's impossible to know where you are or how to go back
to one place. I love amazon, I buy half of my music on amazon music, but
downloading the music is an unnecessarily painful step.

Also they need to improve the quality of the samples vs iTunes. When you buy a
rock song, there is usually only one recording of that song. But if you buy
classical music there will be many recordings with very different qualities.
With the quality of the samples available now, it's almost impossible to tell
if a recording will be of a good quality or not. iTunes has much better
quality.

~~~
JoshuaJB
I've had a good experience with the web app [1]. It's a surprisingly well
designed piece of software compared to its competitors (e.g. Spotify or
Pandora). The library could definitely use better curation though.

[1]
[https://www.amazon.com/gp/dmusic/cloudplayer/player](https://www.amazon.com/gp/dmusic/cloudplayer/player)

~~~
cm2187
I am referring to the windows app.

------
galactoise
Follow-up, this post getting love on HN seems to have helped us get their
attention. We had a conference call with them where we were able to work
through a lot of the issues we were facing:

[http://www.derpgroup.com/blog/the-certification-saga-problem...](http://www.derpgroup.com/blog/the-certification-saga-problem-solving)

------
johndandison
The post-approval switcheroo is similar to the Office/SharePoint app stores -
really all the 'app' is is a delegation of permission. If your app can change
and operate within the permission you're initially granted during
'installation,' you can really do anything you'd like in the actual
application itself. A rather large hole.

------
vonklaus
Maybe they should add support for the certification process. They could price
this in nano-seconds using utc time based on the region of the developer
(except u.s east virginia). If you are rejected you could get max-support
integration (4 pico dollars a parsec) to resubmit.

Overall, amazon's coherent pricing strategy and simplicity make it a pleasure
to work with

------
soyiuz
From a practical standpoint, why would you not try to pass the certification
process first with a bare-bones, minimally viable service designed
specifically to pass certification? Then iterate on top once it is in.

------
renownedmedia
The Firefox Marketplace does the exact same thing. One simply submits a URL,
it gets approved, then becomes available. Any changes made afterwards go
unnoticed by moderators.

~~~
rhelmer
For FirefoxOS "hosted" apps this is true, but they also don't have access to
any significant APIs. Only "packaged" apps do.

This is also not true for add-ons (for desktop/mobile or FirefoxOS), these are
packaged as zip files and can't be arbitrarily changed.

However, there is the problem of the app or add-on downloading and
running code from the internet unchecked, which is probably intractable to do
in an automated way (at least for the current APIs exposed, and for a dynamic
language like JS), manual review is required.

Mozilla requires manual review, and Apple disallows interpreters. I'm not sure
what if anything Google does about this problem for Android.

------
AndrewUnmuted
This article gave me an enormous sense of deja vu, as a former Amazon
employee. I managed the QA of user-submitted media for a service run by one of
its subsidiaries, and the requirements for this service, too, were
unreasonable and communicated very poorly.

Somehow, Amazon's "working backwards" principle always fails when it comes to
establishing reasonable procedures, SLAs, and solid documentation.

------
Apocryphon
What would be the solution? Is there even a way to verify that web services
are not malicious?

~~~
galactoise
The solution is to not try to verify the content of a rest service.

There is a lot of good that Amazon can do with their certification process -
things like helping a developer figure out appropriate example phrases, or
making sure that all of the appropriate fields are filled in (like providing a
thumbnail for the appstore, etc).

Their weird pedantism about an arbitrary set of rules, however, serves only to
scare off those of us who are actually interested in advancing the default
user experience. Out of the box experimentation is frowned upon, and the
result is that they're basically handing the ecosystem to the shovelware
creators.

------
tempodox
Apple also has no idea how to run an app store. Does anyone?

------
colinmegill
lol title change

~~~
jrcii
Yeah that sure got editorialized, didn't it? For the newcomers, pretty much
all day this post was titled "Amazon has no idea how to run an app store"

------
meesterdude
Actual title: Amazon has absolutely no idea how to run an app store

Why did the title change? It used to be the same as the original article, but
now it's been needlessly editorialized to be kinder to amazon. Seriously? What
the fuck. That's not HN's job, and is a disservice to the article, and the
community.

~~~
coderdude
The submitted article and especially its title are both emotional to a fault
and sensationalist. The arguments presented are backed up only by anecdote and
cherry-picked comments from other people who have been rejected by Amazon.
I've seen all this before. There's a reason why the article is scant on the
details of the rejection. In the same way a rant about PayPal tends to exclude
certain details that deflate the author's rage. His final paragraph is the
icing on the cake. I'm glad to see the title change.

~~~
lkrubner
This is a strange thing to say:

"There's a reason why the article is scant on the details of the rejection"

Did you click through the link to the page where the developers were
discussing the certification process on the Amazon developer forum? This is
the link in the article above:

[https://forums.developer.amazon.com/forums/thread.jspa?messa...](https://forums.developer.amazon.com/forums/thread.jspa?messageID=27691)

This seems as detailed as you will find for a critique of an app store.

And additionally, both of those developers linked to their own blog posts
where they offered still more details:

[http://www.derpgroup.com/blog/on-the-topic-of-certification](http://www.derpgroup.com/blog/on-the-topic-of-certification)

[http://ocean-of-storms.com/tsatsatzu/explaining-amazons-indi...](http://ocean-of-storms.com/tsatsatzu/explaining-amazons-indifference/)

You say the final paragraph is the "icing on the cake". The final paragraph is
a summary of what Joseph Jaquinta suggested in his longer post. The above
linked blog post would be redundant if it simply copy-and-pasted everything
that developers had written over at the Amazon developer forums. Like any blog
post, it was written with the assumption that some people would click through
the links to see the source material.

~~~
coderdude
Actually, I didn't see those. I'll read them.

------
dang
That title is over the top, so we replaced it with the much more neutral first
sentence of the article.

~~~
colinmegill
yeah, agreed with Candelabra - that title got lots of upvotes and was what it
was

~~~
dang
The problem is that such titles routinely get upvotes, presumably because of
some reflex they trigger in the brain. If we want to have a site that
gratifies intellectual curiosity—which we do—we have no choice but to
counteract them. That's a fundamental principle of this place.

------
ceejayoz
In fairness, it seems this is true for Apple (broken review process) and
Google (malware infestation).

Oddly, I haven't heard one horror story about the Windows Phone app store.

~~~
VeilEm
Google Play does not have a "malware infestation". I have never once
downloaded any malware, lookout has never detected any malware on my phone and
I've never known anyone who has downloaded malware from Google Play. Anecdotal
for sure, but given you said "infestation" you'd think I'd be crazy to
download anything at all from Google Play. Absolute nonsense.

~~~
JustSomeNobody
Indeed. This is so overblown it is pathetic.

Edit: I wonder what smut the down voters have been downloading that may have
given them the malwares. Reputable apps are fine. And there's no infestation.
Just stahp.

~~~
detaro
Malware-containing apps have millions of downloads, and there are/were
thousands of them. One might argue if that is an "infestation", given the much
larger number of apps in the store, but it also isn't something that has only
happened once or twice.

And when it comes to e.g. games there isn't much of reputation information
outside a very small set of hits. No need to download "smut".

------
danbmil99
Fun fact: Jeff Bezos won't let anyone at Amazon buy a color printer.

~~~
sib
Have no idea what you are talking about, as we had multiple color printers in
my team.

