I notice that no off-the-shelf web view wrappers (e.g. PhoneGap/Cordova) or non-web-view JavaScript frameworks (Titanium, NativeScript) are in this list. Would Xamarin, RoboVM, or RubyMotion be detectable with this method? Or can we safely assume that all of the top 100 apps are native ObjC or Swift?
The approach Ryan used was to look at ObjC classes, but you're right that many SDKs and tools don't show up there.
We actually scan millions of apps from the app stores. Here's a public view of the top 500 in US, and if you choose the cross-platform category, you can see apps like this. For example, "Pac-Man 256" is rank 28 (Unity), Amazon is rank 30 (Cordova), etc.
It's actually very difficult to accurately match code written in so many different languages as compilers discard a lot of the info you need. I spent a lot of time researching and evaluating different ways to fingerprint libraries, as well as reconstruct the boundaries of internal modules when there weren't any symbols.
We match code by using a similarity search across all components we've ever seen. Since code written in C can be compiled to x86 or ARM, we disassemble the code into an intermediate language. Then we reconstruct control-flow graphs, data dependencies, and other platform-independent features. We index these in a custom search engine, which allows quick lookup and matching.
It's very difficult, but ultimately a really fun problem to solve. Most of our engineers got started with exactly the exercise Ryan did here. :-)
I would expect that if an app is popular enough to be in the top 100 then it most likely has the bankroll to pay for native devs.
I can't imagine ever seeing a non-native app in the top 100 with the exception of maybe ReactNative-based apps which is a bit of a grey area since it compiles into native.
There are many non-native apps in the top 100. Cordova is popular for business apps (Amazon and Walgreens both use it, for example). Unity (C#) is extremely popular for games because they built an awesome dev environment and it compiles to native, thanks to Mono's translation layer.
I agree that React Native is great, and you will be seeing a lot more apps using it, especially as their Android version comes out.
I work on an SDK that's used by a lot of companies you've heard of. My experience is that a significant minority of them are using Xamarin/Cordova/Appcelerator and that we're asked if we support them more often now than we were a year ago. (Anecdotal, obviously.)
Sure, just look at our public view of the data. It's limited to the top 500 free apps in the US. Choose category "cross-platform" and then compare iOS vs. Android. List of apps and the SDKs in each is at the bottom.
I don't see why Xamarin wouldn't be detectable but I don't think it would appear as a separate library. Due to the impedance mismatch between C# and ObjC, Xamarin has to generate proxies and wrappers as well as deal with some abstraction leaks.
However, iOS (afaik) doesn't quite have shared libraries like you would have on a Linux server and there's no point in creating a separate ObjC library that would add bloat to each Xamarin binary because the C#-to-ObjC transpiler can selectively generate the wrappers/proxies during compilation. Xamarin might not even use a code generator to do that because you can just include all the ObjC code with the transpiler and copy-paste include them into the project at will.
Xamarin on iOS works in a similar way to Unity. They both use the Mono AOT compiler (ahead of time translation) to convert C# to native ARM code. It's not a JIT environment, like on Android. Miguel de Icaza is one of the founders of Xamarin and the Mono OSS project.
However, Mono isn't composed of ObjC classes so it's harder to detect just by looking at that list like the author did here. Xamarin does have a few ObjC components (such as XamarinNSThreadObject) since it adds a support library to the environment.
We actually match the structure of the code (control flow subgraphs), as well as other items like data references, so we get a more accurate view than you do just looking at class names.
You're right that each native or ObjC library you use with Xamarin has a plugin that exports a C# interface. It will be interesting to see how this evolves and if Xamarin will come up with a way of auto-generating these interfaces better.
Interesting sidenote: I saw a reply to this post on Twitter where SourceDNA commented how the makeup of the top 100 apps differs from the long tail of apps:
Developer behavior is pretty varied along a number of angles. Since even indie apps can hit the top ranks (especially in games), it's a little less useful to talk about apps by rank and instead more by company background.
Swift is growing but not huge yet. Certainly there has been a flood of experiment apps in the long tail, where someone used it as a learning exercise. Some of the larger companies are using it for a new project once in a while, but it's certainly been most popular in games.
What never ceases to surprise me is the influence a single developer can have, even in a large organization. Someone picks up a tool and then suddenly it's used everywhere in the company.
Lyft was completely rewritten in Swift so that was news. Many other companies could be using Swift but it's not really news if 95% of your code is still in ObjC.
One thing to note: Carthage usage is invisible, since frameworks built with Carthage are just Plain Old Frameworks. So people that have migrated from Pods to Carthage will be hard to track.
"Bolts-iOS" is a dependency of "facebook-ios-sdk", which means that 19 of the top apps are using an outdated version of the Facebook SDK that predates Bolts, and might be vulnerable.
Yep, there are tons of SDKs being used that aren't actively maintained like ASIHTTPRequest on iOS, for example. There are two reasons we've found:
1. App was written a while ago and is only in maintenance mode
2. Developer got started early on and hasn't kept track of the industry
The latter often happens with internal dev kits, where someone drops a static library in (say, to add a wrapper) and then never updates the dependency. New apps inherit it when they use the internal dev kit.
Anyone know what is wrong with the table? When I try to highlight text (so I can find out what Flurry-iOS-SDK is) it lets me click, but then scrolls rappidly to the top of the page when I move the mouse to highlight something (Safari on OS X).
Looks like it's an embed of a CSV file on GitHub, which is cool, since I didn't know GitHub supported that, but they've definitely got some funky JavaScript that doesn't play nice on mobile.
This is neat. Someone should get Nate Lawson in here; SourceDNA has this analysis for free and paid apps in both app stores, and he's doing it by bringing up binaries to an IR and doing pattern matching.
Note that it may be skewed a bit since apps can get created but not published on the app stores (personal experiment, in-house app for a company). This does roughly align with our data on iOS though.
Slightly off-topic but we're in the middle of building an iOS / Android SDK / library to drive improved location services.
Does anybody have any solid resources on SDK marketing directly to iOS and Android developers?
We've found some innovative ways to address the community (doesn't hurt to have an office packed with engineers to ask where they find solutions) but looking for ideas ranging from the best developer events, to publications, to PR agencies focused on devs, to marketing co's etc.
I have been surprised how hard it is to turn up prior-art on this subject.
Is this going to be open source? Or a commercial product? I don't think most iOS devs would want to use a closed-source library, not necessarily because they're averse to paying for something, but because the UX of using one is much worse.
- There's generally no dependency management, or you're forced into using Cocoapods, and using it in a bad way (binaries in your repo).
- You're at the will of the vendor for additional features (framework, Swift nullability/generics integration, bitcode), and, if they're even available, dependency bumps. This gets really painful. Every time I used a closed-source framework, it ends up being a nightmare.
This is compared to:
- Add line to Cartfile
- carthage update
- A little drag and drop
- Done, future releases will probably Just Work
You might have better luck with people that aren't necessarily "iOS devs", i.e. games, where using closed-source is more common and they might not even be using Xcode.
* Realm.io has successfully positioned themselves as a thought leader in swift development for iOS by producing solid blog content and leading the Swift SF meetups (+ contributing to open-source projects).
* Crashlytics/Fabric.io is more interesting -- my experience with them has been entirely word-of-mouth (but they have a big presence at Twitter's developer conference/WWDC/Google IO, too).
* Parse generally has interesting, high-quality technical blog content: (https://blog.parse.com).
I agree that both Realm and Fabric have done an excellent job reaching out to developers. Fabric went to another level in providing a slick interface to make it easy to drop in and update their SDKs. I'd be excited to see that more generally available, maybe integrated with CocoaPods.
No affiliation with this (not even a customer), but this might be useful for you: http://www.growamp.com
And...holy shit, they just raised their pricing by 5x. That's kind of insane. I was really on the fence about this at $500 / month, but if I really needed this now, I'd probably try building it myself. If you planned on paying for this for a year, that's $30k. Seems like you could recreate this for $30k, right?
We (MixRank) help several SDK companies track apps that are using location services. This can be very useful for sales, marketing, and business intelligence. Reach out of you'd like to chat.
How exactly do you scan these apps though? The only proper way I can think of going about it is to some how bulk download these apps and then go about analysing their code.
For giggles, go into these top 100 apps, and see how many actually properly comply with the open source licenses of many of these libraries (IE they reproduce the proper notices, etc).
Given the problems we found with SSL domain verification in another networking library, you definitely don't want to be using unmaintained code for this.
