So! I built an app store for web apps using RemoteStorage.
You can check out the GitHub page if you want to skip right to the code
Let’s talk about why I think this is a good idea
The current ecosystem of apps on the web and phone generally requires too much trust on the part of users. There are lots of stories of simple phone apps selling users’ data and I think it’s time to stop privacy leaks in a guaranteed way, and I believe we can do that while still retaining the usefulness of apps.
I think a simple solution is to stop assuming apps should have network access. A phone app with access to my camera and microphone but no way to exfiltrate any data out of a phone is not a privacy problem. An app can’t violate my privacy if it can’t send data anywhere
My hypothesis is that RS apps tend to be ones where users create content (that’s why owning your data is important for those apps), and that those types of apps are also less reliant on network access. Looking at many of the types of apps on the RS app list - productivity, self-improvement, finance, password - we see that for these types of apps, the core functionality is not about accessing data over the internet. There will always be other types of RS apps that need network access, but I think Mercato can help a lot with the apps where privacy is the most important.
Given this, we should be able to restrict RS apps to only being able to use the network to talk to your RS server, your data will still be synced and your app will still be useful, but the privacy of your data is no longer about trusting the individual app developers.
Mercato is a web based app platform (similar to an app store) that guarantees your privacy by running your apps inside of a privacy sandbox - the original app developers cannot see your data because it is all stored/synced in RemoteStorage and never goes through a server that the developer controls. The privacy sandbox enforces its restrictions by using modern web standards (specifically Content Security Policy).
Let’s say you hear from a friend about a diary app that’s hosted on the Mercato platform.
- Your friend sends you a link to the app: https://diary.nooq.run (right now this link doesn’t work - I’m planning to host a Mercato instance at nooq.run)
- You’ll be redirected to log into the mercato instance (eg nooq.run/login) - mercato will request access to the Mercato scope. This has two purposes: 1) mercato client stores a token so mercato can identify you on other devices/if you clear your cookies 2) Mercato uses this to know what RS server you’re using, so when it locks down network access, it will still allow access to your RS server
- You can now go to you app’s page (diary.nooq.run) and use the app like a normal RS app. You’ll see RS’s permission prompts for that app like normal.
If a user wants to see all the apps hosted on Mercato, there’s a page where you can browse all the apps (eg nooq.run/listing)
Basically, Mercato is a static file hosting service that uses Content-Security-Policy to tell your browser to not let the JS code of the app talk to any servers except mercato and the user’s RS server.
My general goals for Mercato are:
- The Mercato server should not need access to your RS storage (the client does, but it never sends RS tokens to the server)
- You should not have to change your app to host it on Mercato. In theory that’s true but I want to port over/write some real apps before I say that’s true.
- Maintain the existing RS permissions model - apps should each have their own unique domain
If Mercato were to become popular, I hope there would be multiple Mercato services being run, allowing for some competition in app store requirements/% of sales taken by the server/etc.
More details on this at Mercato README - how it works - let me know what questions you have!
Mercato doesn’t remove the need for all trust: you do still need to trust the folks running Mercato server. If you really wanted to be careful, you could write a browser extension that watched network traffic to verify that. The folks running your Mercato server are accountable to you for maintaining your privacy, just like the folks running your RS server are accountable to you for keeping control of your data.
A lack of network access does limit significantly the type of apps that will work, but I think it works well for many of the knowledge creation apps where users really care about their data (and thus RS is appealing)
To build an app, you just write a normal RS app in a SPA style - then you submit it to the Mercato server and it’ll be made available to users. Right now this is a manual process where you email the app to me
More details on this at Mercato README - developing for Mercato - let me know what questions you have!
- You can find the code up at GitHub
- I don’t currently have a publicly available server - I’ll see if I can get a toy one set up today, but I’ll definitely get a reliable one up early next week.
- Apps: Right now there aren’t any I’d like to port over Inspektor since I want to use it for developing locally
- Small features/bug fixes are listed at DEVELOPEMENT.md - TODOs (looks like I need to fix the Markdown there
- I have some more extensive thoughts on longer term feature ideas for Mercato here: README - future work
If you’re interested in working on Mercato, let me know! I’m starting a new job soon, so I don’t know how much time I’ll have for building new features/etc, but if it gains some traction I can guarantee I’ll either be spending time on it to ensure it keeps moving forward or I’ll support an official fork to a different maintainer.
I had originally envisioned this as being an actual app store (similar to phone apps stores) where developers could get paid for creating quality apps that respect their privacy. Running an app store is not something that fits with my current work arrangement :), so I figured I’d just release the app hosting part of it. If someone else wants to run one, please do!
The name Mercato is from the Italian for Market. I don’t speak Italian, so let me know if you’re aware that it has some terrible slang meaning. I enjoy the Italian language theme of the RS community naming (perhaps just the JS components?)
Perhaps there’s some huge hole in the whole premise of using Content-Security-Policy for this? I don’t think so, but if you have any thoughts on the matter I’d love to hear from you. Some real pen-testing would definitely be appropriate
It seems like I’m not the only one hoping to see RS proliferate and that has ideas for how to encourage that. I’m excited to see where all this goes and if we can get traction for RemoteStorage!
Well, that got long! Please let me know of any questions you might have - this is my first attempt to explain the concept as a whole, so please let me know if anything needs further explaining. I may be slow to respond in the next few days, but I’m looking forward to chatting with folks about the idea.