Facebook Platform ecosystem – Now Supersized!

I often find myself discussing issues about Facebook applications with people who aren’t yet a part of the Platform ecosystem. They talk with me because they’re possibly interested in having their company play some role in it, and they’d like some data on the size of the opportunity. The questions I most often hear are “How big is the opportunity on the Facebook Platform? How many developers? How many applications?”.

My initial reaction is to answer “Huge!”, but I know that the question is really about quantity and not quality. Assigning numbers to these questions is often difficult, but the one “official” place to get statistics like this is Facebook’s Statistics page. Unfortunately Facebook updates the “big” statistics like the number of active users quite often, but the Platform stats has stayed static for quite some time. When I first began getting interested in the Platform two years ago, Facebook claimed that there were a million people worldwide developing for it. That number has stayed constant for a long time.

Until now. Facebook recently updated this page and now claims that 2.5 million of us are building on the Facebook Platform. However you look at it, that’s a pretty impressive number. They also claim that there are 20 million application installs done on the average day. Spread out over 500 million users, some quick math tells us that the average user is installing a new app once a month – also quite impressive.

Hopefully Facebook will update these stats a bit more often since they do show the viability for making a business case by working with the Platform.

Monitoring your Facebook application for regression – Part 1

A few days ago there was a post in the Facebook Developers Blog entitled Testing Using The Beta Tier, which is important to read and to understand its implications. The gist of the post is that the developers at Facebook are pretty busy and are constantly modifying the Facebook Platform. They push out updates on a weekly basis and all of us in the Facebook Platform ecosystem are affected by this whether we like it or not (and whether we know it or not). Fortunately, as this post explains, you can get access to the beta version of these updates before they go live to ensure that your application plays well with it. This is a valuable service that Facebook is providing, and it’s important to understand why.

Let’s contrast a Facebook app with a plain old Web Application. Imagine you’ve just finished designing and building your great new Web App. Before deployment you test every possible thing that could go wrong and you feel really confident about its stability and robustness. You’re so confident that it won’t break that you decide to relax and spend the next two weeks in Bora Bora without even a laptop. Things may go wrong, but if your app is really well-written, then all of the problems will be operational problems. Someone tripped over a power cord and knocked out a router, or spilled coffee into a server.  Things that are certainly problems, but they don’t need you the programmer to fix them. Go get yourself another drink and don’t worry about your app.

But Facebook development isn’t like that. You still need a good operations team to make sure your app stays online, but the stability and reliability of your Facebook app also depends on the invisible hand of Facebook, something that you have no control over. Before booking your flight to Bora Bora you’ll need to come to grips with the possibility that Facebook could very easily push out an update that changes an API in a way that breaks your application. If/when that happens to you, then you the programmer will need to do something about it to get your app back up and running again, even if it means getting up from the beach. And that’s the important point here: Facebook applications can and will experience regression even when they aren’t being changed because Facebook is always changing.

The first step to dealing with a problem like this is knowing that there is a problem. If you have a general Web App, knowing that it isn’t working isn’t so hard to do. You can simply set up a monitoring system to periodically hit the app and make sure that it responds properly. There are many inexpensive commercial services that make this really easy to do.

But what about Facebook applications? You can monitor the application to ensure it is up and running, but that won’t tell you if Facebook has done something to break it. That’s why Facebook’s Beta Tier is so valuable – you can find and fix potential problems before they get seen by users.

But how can we do this automatically? It would be great if we could set up an automated way to know that the next Facebook update will break your application. In our next post we’ll look at some strategies for how we can do this. In the meantime, leave a comment if you think this would be a good idea, and any thoughts you have about it.

Facebook Platform as walled garden – How Sophos got it wrong

Graham Cluley from Sophos, a leading internet security company, recently published a piece entitled Facebook users call for application “walled garden” to protect against attacks. In it, he asks the simple question: ”Should Facebook follow Apple’s example, and have a ‘walled garden’, verifying all apps?”. 1025 of his blog readers responded to the poll, 95% of them with YES!

The results of the poll should come as no surprise. Security/privacy is always a hot topic for Facebook, and saying that you’re not for better security is akin to also being against motherhood and apple pie. It’s true that there are malicious Facebook apps, but is a walled garden approach correct? I say no.

Let’s look at the facts. Apple has a great opportunity to wall off it’s garden with the App Store. If you’re a developer and want to distribute your app, you need to go through Apple. They’ll take it and verify (to some extent) that it isn’t malicious, as well as verifying that it fits into the Apple World View (i.e. no “bad stuff” or treading too close to something Apple wants for itself). Once done, it’s put on some server just waiting for people to download and use it on their iPhone.

That ain’t how Facebook works. Facebook apps are simply web applications that are proxied by Facebook. (I’ll just discuss Canvas apps here, as Connect apps REALLY can’t be policed) There’s no “server repository” for Facebook apps – they’re hosted by their developers on their own server equipment, Amazon AWS, Joyent, Rackspace, or any of the thousands of other places to host web apps.  It’s like this because that’s how the Platform is defined, and how it needs to be defined. If you don’t like that and want it changed, then you don’t understand how the Facebook Platform architecture works.

And that’s where the problems start if Facebook tried to “walled garden” its third-party developed Platform apps. Facebook cannot vet them like Apple vets iPhone apps because tomorrow the app can, and probably will change. Since it’s hosted externally, Facebook cannot control, or even know about this change. Even if Facebook threw lots of money at the problem and hired loads of people to vet every app that was put on the Platform, it would be really easy for malicious people to get around this.

So sorry Sophos, getting better security is what everyone wants, but Facebook cannot “walled garden” its Platform like Apple does because they’re very different. Comparing Apple to Facebook is like comparing apples to …. well, you get the idea.

FacebookCamp Toronto

FacebookCamp Toronto will be held at 6:30 on October 21 at MaRS. In every other city in the world, this would be called a Facebook Developer Garage, but here in Toronto, we’re very tied in to our *Camp taxonomy for developer meetups.

Come on out, meet other developers, and learn a bit more about the Open Graph. We’ll be there hoping to talk with you about testing Facebook applications.