When Should An App Be Published?

[Don Geronimo]

I've been talking with my friends, who meet together as a group to work on our respective design/development projects, and the topic of when to publish something to a store came up after I showed them how my secret messages app is coming.

Some of them suggested that I tweak the UI a bit and try publishing it to see what happens. I'm a little bit unsure, though:

1. While the algorithms I implemented test correctly using a specifications' (in this case, Rabbit and Spritz) vectors, I'm not in a place of expertise to know if the enciphering process I made is secure. I don't really want to release anything that isn't secure, especially since bad apps will haunt you forever.

2. I don't have any way of doing a secure key exchange, and I question how careful people would be exchanging symmetric keys amongst each other. I can probably learn how to do such things, and it'll be fun to learn, but...

3. Why would I do that when PGP exists and is available already on WP and Windows? If I took care of the first two points I'm practically reinventing the wheel.

Don't get me wrong; I'd like to get something published someday and learn more and more, and I feel that even this app I made could be useful to someone out there. But I'm just wary of those points I made, and I'm not sure if those are really valid concerns.

(Relatively speaking, it at least provides more security than some of the Caesar cipher apps I see in the Store, though...)

 

[gpobernardo]

How about a beta program for the app you're developing? Once feedback is relatively positive from those in the beta program then I guess that's an indicator that your app should be publishable.

 

[Don Geronimo]

That's certainly an option, perhaps one that I could try with this app in particular. I'm still wary of it being insecure, though, considering it's dealing with encryption.

Is that a common hurdle--wanting to wait to release something until it's perfect, but never releasing it because it never feels good enough? How can you deal with that insecurity as a new developer so you don't get stuck in a Debian-esque cycle?

 

[gpobernardo]

I think it's a matter not only of the security level of the app but also of the confidence of the developer. In fact, I think having that feeling of one's creation not being good enough is a quality of a true artist. I'm not a developer (yet I find the app you're describing very interesting that's why I replied), but let me try to draw something up based on what I've experienced which may be parallel to your situation.

I'm a classical pianist (among other things I do), but unlike other prodigies I started relatively late (13 years old). I also didn't have a piano teacher and though we had a real piano at home it was tuned one key lower, the keys were getting stuck and it was out of tune. I taught myself from watching videos of other classical pianists, watching how their fingers moved, how they pressed the keys, how they sat... etc. Eventually, after two-three months, I could play a few complete pieces. We had the piano tuned and I made corrections to the wrong notes I was playing (compared to the audio recording and music sheet). Eventually, we had to overhaul and restore the piano so it could cope up with the "speed" requirements of the pieces I wanted to play.

But then came a time when I was invited to a sort-of recital. I was very apprehensive about it. No training, different piano, and there will be people who will be watching. I just felt that my technique wasn't good enough. Nonetheless, the day came and I played the pieces I knew. Being classical pieces, my audience weren't really able to detect the mistakes I made. They didn't even seem to appreciate my interpretation of the piece. They just saw a 14-year old playing some old-sounding Beethoven and Liszt pieces. It turned out a lot better than I imagined - there actually was an applause.

Cutting the story short, after that day, I could once in a while be found in random piano stores playing some pieces for the public and the store owner. Being a piano store, other "professional" pianists were there, too. I got some of their attention and they would give me comments and advice as to how I could further improve. Now, 12 years later, I wouldn't say that I'm satisfied with how I play - I'm still far from satisfied with my technique. But if I hadn't jumped into that "mini-recital" 12 years ago, I wouldn't have had the confidence and the motivation to further improve my technique... and I wouldn't have received the free feedback from those who really know what they're doing.


I believe some parallelism can be drawn from this experience to any activity, such writing, painting, singing...including developing apps, or even sky diving! The beta program surely would allow you to gather feedback from other users. While most of the comments may not be technical, at least you would have concrete insight on what the users are expecting from the app. All you have to do is to "just do it".

P.S. We're planning to buy a second hand piano from one of those stores - the current piano simply isn't as responsive and quick.:wink:

 

[nmercy]

Personal experience, it depends on what you're doing the project for... if it's just learning and having fun you can pretty much release it whenever. If it goes poorly, it doesn't matter, it's a learning experience (and you can always start a new account when you've gotten better for a mere $20 lifetime charge).

With my first app, I wanted so many features and bells and whistles in it, all while learning the platform. On top of regular work, it was hard to find time to work on the app, and when I did I would have to try and figure out where I left off since I was bouncing all over the app. Six months quickly passed, then a year. I finally determined what the key features I needed to launch with at bare minimum, got those working and submitted the app.

Recently I've taken a more agile/scrum approach to my efforts, more through the philosophy of working on 1 feature at a time rather than trying to bite off a ton and waiting for everything to be perfect. We'll see how this goes, but I have high hopes.

Did something similar with the other app, determined the bare minimum features that were needed to launch, worked on them one at a time, and launched relatively quickly (less than a month compared to a year).

Now both apps do have quite a big back log of features that would be nice to implement... and will just take them one at a time.

There is a philosophy that it is better to fail quickly than to fail slowly... basically meaning, once you get something that's usable release it and see what happens. The worse case it fails and you've only spent a little time, best case it's a hit and really takes off, most likely case a few people will download it and if you're lucky send you some feedback.

On a side note, if you haven't signed up for https://rewards.msdn.microsoft.com/ as they have some really nice helpers for starting app development, challenges to help you make a better app, along with some nice prizes for doing so

 

[Don Geronimo]

@gpobernardo, @nmercy, thanks for the advice on this matter. I think I will polish up some obvious things in it and try to publish it; it didn't occur to me that I could just buy another lifetime account for 20 US$ once I become good.

I'm still not sure what security implications may be apparent in how my app does things (even if it outputs input according to the specifications I'm using), but until I learn more, perhaps it's alright for now that I make sure objects storing any kind of sensitive/private information (symmetric keys, clear/cipher text, PRNG states) are cleared/zero'd before destruction.

 

[a5cent]

Assuming this is more to you than just "fun", I'd recommend this as a general rule:

With professional customers that understand software development and the need for regression testing, and whom you can integrate directly into the development process, it's best to release early and regularly.

With consumers it's best to release only once your app has reached a state which you think most consumers would find useful, user friendly, polished, and which to the best of your knowledge, is bug free. Few consumers will forgive bugs, even if it's labeled "beta", and you rarely get a second chance to make a first impression.

Is that a common hurdle--wanting to wait to release something until it's perfect, but never releasing it because it never feels good enough? How can you deal with that insecurity as a new developer so you don't get stuck in a Debian-esque cycle?

If you think your app isn't mature enough, specify the smallest set of features you must add before releasing, and then stick to it. Don't move the goalpost once you get there.

If secure communications is the whole point of your app, then it's likely necessary that your app be secure from the very first release, even if it's in beta.
If you want yourself and your customers to be confident about your app's security features, you should probably consider factoring out the security relevant parts into a separate library and then open source it. That's the only way you'll get people to trust such an app without a big company name attached to it.