Thursday, May 13, 2010

More Salvos from Apple and Adobe, to No One in Particular

I was out of the country when Steve Jobs posted his open letter on Flash to the Apple web site. Had I been around I would have dissected it. Today Adobe published its own open letter(s) about how great Flash is, why open markets are good, and even an ad campaign promoting choice. This passive-aggressive slap-fest is really just another reason for me to use my Apple vs. Adobe graphic that I spent nearly 10 minutes creating over a month ago.

To put my own preferences out there again, I have been critical of Flash for a long time (Jakob Nielsen roasted it 10 years ago now). The technology itself is mostly harmless, but developers have latched onto it for years to create confounding, inaccessible, and cryptic interfaces for web sites. To be fair, if they hadn't used Flash, they might have still made the same terrible chum, but Flash just enabled their poor behavior. Apple has always been the plucky upstart that despite being just another corporate computer company had somehow tricked masses of designers and wanna-be-cool-but-different (as opposed to being just different, like *nix users) folks in to giving them free advertising via legions of window stickers and the like. Except now people are recognizing them as the corporate juggernaut they are (When did Apple become uncool? at Yahoo! News).

Let me compare and contrast some points from the two letters.

Open vs. Closed

From Apple:

While Adobe's Flash products are widely available, this does not mean they are open, since they are controlled entirely by Adobe and available only from Adobe. By almost any definition, Flash is a closed system.

From Adobe:

The core engine of the Flash Player (AVM+) is open source and was donated to the Mozilla foundation where it is actively maintained. The file formats supported by the Flash Player, SWF and FLV/F4V, as well as the RTMP and AMF protocols are freely available and openly published. Anyone can use the specifications without requiring permission from Adobe. Third parties can and do build audio, video, and data services that compete with those from Adobe. [...] There are no restrictions on the development of SWF authoring tools, and anyone can build their own SWF or FLV/F4V player. [...] Adobe Flex, the primary application framework for Flash, is also open source and is actively maintained and developed by Adobe and the community.

As an end-user, I need help understanding Apple's point. How is what Adobe states any different from Apple's own WebKit? Because they claim it started as open source, whereas Flash didn't? The points in these letters don't speak to the average user, that's for sure.

From Apple:

Rather than use Flash, Apple has adopted HTML5, CSS and JavaScript – all open standards. [...] HTML5 is completely open and controlled by a standards committee, of which Apple is a member. [...] Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind.

I'm going to let Adobe off the hook on this one. As I have said before, HTML is NOT a final specification yet. Apple is clearly pleased as punch that Safari supports much of HTML5, and good for them. But they are really pushing the canvas element as the Flash replacement. Given how quickly the W3C wraps up a spec, and browser makers get it into their browsers, and users download it, it's just not a good argument. It may be worth noting that JavaScript was originally Netscape's creation and is now known as ECMAScript.

Bear in mind that HTML5 has been handed off by the standards committee (W3C, of which Adobe is also a member) to the Web Hypertext Application Technology Working Group (WHATWG, of which Apple is a founding member). It turns out that Apple, Mozilla, and Opera were unhappy with the W3C progress on XHTML and HTML, and so broke off on their own. As a result, WHATWG is working on HTML5 alongside the W3C HTML working group, using the same human editor.

Touch Interfaces

From Apple:

Apple's revolutionary multi-touch interface doesn't use a mouse, and there is no concept of a rollover. [...] Even if iPhones, iPods and iPads ran Flash, it would not solve the problem that most Flash websites need to be rewritten to support touch-based devices.

From Adobe:

Flash was actually originally created as a technology for tablets with touch interfaces. And today, Flash has full support for working on touch-based devices. [...] For new Flash content developed specifically with touch in mind, Flash Player 10.1 provides a complete set of multitouch and gesture APIs.

Ok, Apple has a point, Flash does not support multi-touch. Multi-touch is relatively new, however, and Adobe promises it in their (much delayed?) Flash 10.1. I do take issue that Flash does not support touch devices. About 4 years ago we developed a Flash application to run on touch-screen displays for a kiosk, and it worked very well. The issue is again not with Flash specifically, it's with developers who are terrible at designing interfaces.

Security

From Apple:

Symantec recently highlighted Flash for having one of the worst security records in 2009.

From Adobe:

The Symantec Global Internet Threat Report for 2009 found that Flash had the second fewest number of vulnerabilities of all Internet technologies listed (which included both web plug-ins and browsers).

Erm, so who do we believe? Neither links to a report, but they both cite Symantec. So I went to the Symantec site and grabbed the document Internet Security Threat Report: Volume XV: April 2010. I searched in the PDF for Adobe Flash and found this:

In 2009, Symantec documented 321 vulnerabilities affecting plug-ins for Web browsers (figure 9). ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plug-in technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox.

Apple QuickTime had 4 more vulnerabilities than Adobe Flash? Did I mention that when I hit the Apple site, my browser keeps trying to get me to install QuickTime? There's also this quote:

The 321 total vulnerabilities in plug-in technologies for Web browsers for 2009 is less than the 424 in 2008. Of the total for 2008, 287 vulnerabilities affected ActiveX, which is significantly more than any other plug-in technology. Of the remaining plug-ins for which vulnerabilities were documented, there were 54 vulnerabilities identified in Java SE, 40 in QuickTime, 17 in Adobe Reader, 16 in Adobe Flash Player, and 5 vulnerabilities in Firefox extensions.

16 in Adobe Flash, 40 in Apple QuickTime. I really need some help finding Apple's point. I also need help finding Adobe's point. From what I see here, Flash is safer than QuickTime, even though (in further reading) it gets targeted more. If you want clear answers, you may need to read all 97 pages of the Symantec document, which was not linked from either Apple or Adobe.

Overall

Apple's letter clearly belies frustration with may have been Adobe's missed promised delivery dates. Apple also has a point that Flash doesn't hand off the video decoding work to the processor, eating battery life. Adobe has stated this is coming in the 10.1 release. Apple points to YouTube running as an app on the iPhone, but is silent on the fact that videos embedded in a page are inaccessible but does concede, backhandedly, that users aren't missing much video. And then Apple goes on about how Flash is designed to be cross-platform, and as such doesn't enable developers to write the best iPhone/iPad apps. And this is the crux of it all. Apple just wants the control and Adobe wants in.

Update (May 14): Read Adobe and Apple: Please Spare Us the Platitudes About "Open" over at Mashable for another take on all this.

Update (May 20): Read How secure is Flash? Here's what Adobe won't tell you at ZDNet where the writer also compares the Symantec report against Adobe. He missed the point, however, that Symantec recommends both Flash and JavaScript be disabled for a secure browsing experience, something that would hamper Safari's reliance on HTML5 in lieu of Flash.

2 comments:

  1. Take a look at http://www.zdnet.com/blog/bott/how-secure-is-flash-heres-what-adobe-wont-tell-you/2152

    I haven't skimmed the Symantec report, so I don't know if the QuickTime vulnerabilities have just as bad a history. For sure, Apple has a so-so reputation for resolving critical OS X bugs in a timely fashion.

    ReplyDelete
  2. Whoah, it's like this guy either read my blog post or just saw how absurd it is that nobody linked to the Symantec report that was touted on both sides. The Symantec report does not distinguish between Flash and PDF in some other statements, but I do like how he highlights the section on disabling Flash and JavaScript (a recommendation from Symantec). Disabling JavaScript in Safari would be as crippling (if not more so) as disabling Flash in the other browsers. That might be why Apple didn't link to the report, either.

    ReplyDelete