Remote Working, iOS, Mac OS X, and more

Web

SSL for Multiple Domains with Apache 2

The purpose of this post is to serve as something of a catch-all how-to for hosting multiple domains with Apache 2 on a single IP with SSL enabled for all of them. I recently underwent this process with every domain I have a website behind, and doing it correctly required information from a lot of different sources.

SNI

Hosting multiple SSL-enabled domains on a single IP address requires browsers to support something called Server Name Indication (SNI). It is supported in these browsers1:

  • Internet Explorer 7 onward on Windows Vista or newer
  • Mozilla Firefox 2.0 or newer
  • Opera 8.0 (2005) or newer
  • Opera Mobile 10.1 or newer on Android
  • Google Chrome (all Vista or higher versions, Chrome 6 onward on XP, and Chrome 5.0.342.1 onward on OS X or newer)
  • Safari 3.0 or newer
  • Konqueror/KDE 4.7 or newer
  • MobileSafari on iOS 4.0 or newer
  • Android default browser on Honeycomb (v3.x) or newer
  • BlackBerry 10 and BlackBerry Tablet OS default browser
  • Windows Phone 7 or newer
  • MicroB on Maemo
  • Odyssey on MorphOS

Enabling SNI support in Apache 2.2 is very simple. Add this line to your conf file (you will probably already have a similar line for regular HTTP connections on port 80).

NameVirtualHost *:443

This is no longer necessary on Apache 2.4 as it is automatically enabled when any address/port combination appears in multiple virtual hosts2.

SSL Certificates

Any SSL certificate signed by an accepted CA will work. It does not need to be anything special like a UCC certificate (these cover multiple domains in a single certificate) or an EV certificate. The free certificates issued by a service such as StartSSL are sufficient. Each domain you want to have SSL enabled for must be named in a certificate, whether they each have one or share one.

SSL Configuration

This article covers the explanation of each of these settings much better than I ever could. Here is the TL;DR settings summary to use:

SSLCompression off

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/certificate
    SSLCertificateKeyFile /path/to/private/key
    # The following two lines are for StartSSL's
    # intermediate certificates
    SSLCertificateChainFile /etc/httpd/ssl/sub.class1.server.ca.pem
    SSLCACertificateFile /etc/httpd/ssl/ca.pem
    # The following line is only available on OpenSSL 1.0.2 and later
    # SSLOpenSSLConfCmd DHParameters /etc/httpd/ssl/dhparam.pem

    SSLOptions StrictRequire
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    ServerName example.com
    # Uncomment the Header line to enable HSTS
    # DO NOT do this before ensuring SSL is fully working or you may lose access to the domain for six months
    # Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    ErrorLog logs/example.com-error_log
    CustomLog logs/example.com-access_log common

    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com/>
        AllowOverride All
        Order Deny,Allow
        Allow from All
    </Directory>
</VirtualHost>

Testing

Lastly, enter your site’s address into the SSL Labs tester to verify your configuration is secure.

Screenshot of an SSL Labs report

  1. This list is from Wikipedia’s Server Name Indication page 
  2. This is noted in the Apache 2.4 Upgrade Notes 

iOS

Five Years on the App Store

I have always enjoyed reading real accounts from developers on the App Store. As Portfolio turns five years old this August, I figured it was my turn to do the same. Enjoy!

Numbers

Portfolio sold its first copy on August 16, 2010. In the five years since it has been sold 37,805 copies for a net to me of $364,797. Apple’s share during this same time period was approximately $156,342. It has been at three price points during this time: $9.99, $12.99, and $14.99.

The best sales day ever was on February 3, 2011, in which 200 copies were sold. My revenue from that day was $2,102.

Out of those 37,805 copies sold, 210 have been refunded. Only 400 users have left reviews, weighing slightly more towards loving the app than hating it.

Graph of review breakdown

Over 71 releases it has been downloaded 692,993 times. 61% of all downloads have been in the United States with other countries dividing up the remaining 39% with no more than single digit shares.

Graph of sales by country

Analysis

While the sales number is impressive, especially for a single person development team, the trend is more worrying – people just aren’t buying apps like they used to, and I don’t think I have saturated the market. The revenue decline has been accelerating for a little over three years now, and it is reaching the level where I can no longer afford to devote as much time to the app as I once was able to – it alone can’t support me.

Graph of declining revenue

I have always charged a sustainable price, starting first at $9.99 and then raising it to $14.99. As the revenue has declined I have experimented with price points at both $12.99 and $9.99 again but found that revenue stayed roughly the same. The price is now back at $14.99.

My feeling is that this decline in revenue is attributable primarily to a few factors:

  1. App discoverability is hopelessly broken. I believe I rank where I do solely because I was an early mover and have enough momentum behind me to maintain my search ranking. Still, it’s almost impossible to find an app unless you know the exact one you’re looking for.
  2. Users are being conditioned by freemium and underpriced apps to be unwilling to pay a sustainable price. This phenomenon seems to be somewhat unique to the mobile app market.
  3. I have never charged for an update. While the App Store itself doesn’t directly support this, there is a track record of other apps doing it by listing under a new App Store entry. I believe this to be my single biggest mistake in this endeavor and given the chance to do it again I would have made each major update a paid one.

Competition has never been a problem for Portfolio. If anything it has pushed me to innovate and improve it faster. When it first launched, there were a number of other similar apps that were released close to the same time. Over time most of those fizzled, and now there is only one left (the others are still mostly available for sale but have not been updated in years). The developer of that app chose a slightly different track and has a lower app cost with an in-app purchase to enable video support.

The top charts have also never been a problem. While many developers have complained about the top charts, I believe the top grossing in the Photo & Video category has had a significant effect on my sales over the years. Prior to the introduction of Newstand and the flooding of the charts with magazines (I feel these would have been better placed in a dedicated publication category rather than alongside regular apps), I consistently ranked close to number 10. That visibility seemed to be self-reinforcing as any drop from that spot resulted in a lower daily sales average until working my way back up.

One area that has been tough are the reviews. I have always had a love/hate relationship with reviews. A couple five star reviews will greatly boost sales, but even a single one star one can kill them. Of those leaving one star reviews, fewer than 5% of them ever contacted me for support. Other developers can definitely attest to this: many one star reviews complain about things and are completely incorrect, but because responding to a review is impossible, it sits there as a scar forever. The same applies to reviews complaining about something since fixed in a later update.

Lastly, media coverage at the opening of the App Store was substantially higher than it is now. In its first 18 months Portfolio had more media coverage than I have ever been able to get for all other apps I’ve since made combined. It’s just not as hot of a topic anymore, so media outlets are focusing elsewhere.

The Future

I don’t know what the future holds, but I don’t think the App Store will be a significant part of it. As fewer and fewer users are willing to pay the software prices of even five years ago, developers will not be able to afford to put the time into apps of any substance, especially ones with a niche audience.

For myself I’m planning on testing the waters on the Mac again with a photography program called Wall Displays. Between that and other sources of revenue I have and am developing, I am hoping to diversify my income sources to better insulate myself against any one of them dropping off suddenly.

iOS

Updates

A few days ago Dan Counsell wrote about using a more frequent release schedule, a practice I’ve seen many developers switching to and which can help with limiting user backlash (while some users love shiny new updates, others hate them and will use one-star App Store reviews to let you know).

It’s definitely tempting to want to bundle more and more into a single update (a practice I’m guilty of at times), but there’s one additional benefit of frequent updates Dan didn’t address: it creates the perception of a well-maintained app. With 65% of iOS apps considered abandoned1 and App Store search broken, the App Store has essentially become a junkyard filled with incredible amounts of garbage and only the increasingly rare gem of a find. So when someone manages to actually find your app card, don’t lose them on something you can control. As a consumer, one of the best indicators of an app’s health is the date of its last update. Limiting the scope of an update and splitting its goals into several smaller, incremental updates achieves this. It’s unfortunate, but an updated date more than six months old is often a sign that the app has been abandoned, and potential purchasers are usually smart to save their money.

Screenshot of Portfolio's App Store metadata

All of that said, a large update can still have its place. At the beginning of the year I released Portfolio 4.0, a relatively large update. This update would have been impractical to do as a series of smaller updates – the things it addressed included bits of technical debt that needed to be handled completely or skipped entirely as well as an appearance refresh and overhaul.

Part of Portfolio’s technical debt involved switching the codebase over to ARC. I had held off on ARC at first because of the very brief lifetime Garbage Collection had. As the app evolved and ARC looked like it was here to stay, new additions to the codebase had been mostly written with that kind of memory management rather than manual memory management. Older code, however, had not been updated to do the same, and I felt it was becoming increasingly risky to keep the two methods both in use.

Any app spanning multiple iOS versions will also accumulate a significant amount of version checking cruft. Behaviors that change with the introduction of new iOS features need to be checked for, and doing so usually requires injecting a bunch of conditional statements whose only purpose is to perform one action on iOS x – 1 and another on iOS x. When support for older versions gets dropped, these often get left in place since they don’t generally affect anything other than the legibility of the code. After five years they definitely add up.

iOS 7 introduced the now-standard flat appearance. Such a radical departure from previous appearance standards meant a significant amount of work to rethink and redesign the interface while keeping it familiar enough for existing users. Up until Portfolio 4.0 I had only done a superficial job of updating the appearance, and I felt that this point, slightly more than a year since iOS 7, was definitely time to do it. Its metaphors and methods of interactions needed to look like they were made along side the flat appearance and not taped on.

Each of these alone involved touching nearly every source code file in the app. Rather than doing them separately and revisit the files multiple times, I thought it best to not drag out the updates and do it all at once. Even in hindsight I still feel this was the correct decision.

Going forward, I will likely stick solely to smaller updates. It’s easier to maintain, and it also makes addressing user requests and problems in a timely manner easier (I’ve never been a big fan of dealing with source control merges on single-person projects). Portfolio 5.0, whenever that happens, will not be as substantial of an update as each of its predecessors.

  1. This infographic is based on 2013 data. No newer one has been released that I’ve been able to find.