Steven Johnson writing for the New York Times.

Er, Steve. No they haven’t. The App Store review process does not screen for malware or stability problems, because those are mathematically impossible tasks. The only automated screening I know of is for use of private APIs, and even that is badly implemented.

Johnson tries to make the case that the review process benefits users because it protects them from viruses and other malware. The truth is that we don’t see viruses in iPhone apps because the sandboxing and code signing requirements of the platform prevent viruses from working. But those security measures do nothing to stop other kinds of malware: I could easily write an app that works normally for the first six months and then, say, deletes all your contacts. Or sends spam. Or participates in a distributed denial-of-service attack against apple.com. Since the numbers seem to indicate that each submission is reviewed for an average of twelve minutes, there’s just no way for the process to catch “sleeper” malware tactics like these. Or anything else, really.

And stability problems? I could show you dozens of approved apps with stability problems up the wazoo. Don’t make me laugh, Steven.

So what does Apple reject apps for? Containing profanity. Or being too sexy. Or implementing user interface gestures that are secretly “associated solely with Apple applications.” Or being made by Google. Or, in the case of my employer, displaying forbidden icons.

Make no mistake: the App Store review process is for Apple’s benefit and Apple’s benefit alone. It does absolutely nothing to improve the platform.¹