A Brush with Apple

Start9 Labs
Sep 1, 2020

3 months ago, Apple pulled the plug on future releases of the Embassy Companion App. After 6 months of continuous updates, the Apple review team suddenly determined that our app violated their terms of service, and we were thereafter prohibited from shipping additional updates to the app. They claimed we were in violation of App Store Review Guidelines 2.5.2, which reads:

2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps. Educational apps designed to teach, develop, or allow students to test executable code may, in limited circumstances, download code provided that such code is not used for other purposes. Such apps must make the source code provided by the Application completely viewable and editable by the user.

The Apple review team highlighted the phrase: “nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps”. We were annoyed by this explanation, but also a bit relieved, since it indicated a simple misunderstanding of our technology rather than a clear breach of Apple’s terms and conditions. Our Service Marketplace enables users to download and install free and open source software onto their Embassies, not onto their Apple device. Moreover, the installation of services to the Embassy does not meaningfully alter the functionality of the Embassy Companion App. That is the function of the Embassy Companion App, its primary purpose.

Despite our best efforts, including emails, phone calls, and an official appeal to the App Store Review Board, our explanations fell on deaf ears. We will never know whether the Embassy Companion App was cancelled by malice or incompetence, but cancelled it was.

The collision with Apple precipitated a sobering reminder of our own fragility. Early on, we had accepted a certain degree of vulnerability in exchange for development expediency and user convenience, and that vulnerability had been exploited earlier than we anticipated. We knew Apple would eventually try to stop us, but we did not think it would happen for at least another 6 months. As a result, and with focused determination, we accelerated our plans to implement a more robust and decentralized architecture.

Today we are proud to announce the launch of Ambassador 0.2.0. With this release, the entire Embassy experience has been re-imagined and re-architected to resist interference from Apple and Google. It is now possible to purchase an Embassy, discover and install open source services, and use those services in total privacy from anywhere on Earth — all without permission from or reasonable means of being stopped by Apple or Google.

Prior to today, the Embassy Companion App for iOS and Android was the only means by which users could set up and connect to their Embassies. The app enabled the initial setup of the Embassy and also served as the permanent user interface for Ambassador, the Embassy’s operating system. When Apple cancelled the Embassy Companion App, they were effectively chopping the head off our entire product offering.

Our strategy to mitigate the attack by Apple and future attacks of a similar nature was to bifurcate the initial setup of an Embassy from its ongoing usage. As such, we broke the Embassy Companion App into two separate apps, calling them the Setup App and Ambassador UI.

  1. The Setup App is a bite-sized app used only to perform the initial setup of the Embassy and will be made available on various native platforms, including iOS, Android, Mac, Linux, Windows, or as a single page application downloaded from the internet and run as a file on any computer. Setting up the Embassy involves inputting a unique product key and choosing a strong master password. That’s it. The whole process takes less than 60 seconds, and it’s totally trustless.
  2. Ambassador UI is a web app, packaged and shipped with Ambassador itself and served directly from the Embassy. The Embassy hosts Ambassador UI as both a Tor Hidden Service and on the device’s Local Area Network (LAN), the cryptographic keys for which are created inside the Setup App during initial setup, so users can be sure the connection to their Embassy is private and secure. In other words, your Embassy is now a private website that can be reached by visiting its unique .onion or .local URLs right from the browser! Try stopping that, Apple.

Resulting from the setup process are three artifacts: (1) a .onion URL; (2) a .local URL; and (3) an SSL Certificate Authority.

  1. With the .onion URL, users can access their Embassy from any Tor-enabled browser, including: Tor Browser, Firefox (with SOCKS5 proxy enabled), Brave, and now Start9 Labs’ own Consulate for iOS (more on this below).
  2. With the .local URL, users can access their Embassy from any browser, so long as they are connected to the same Local Area Network (LAN) as the Embassy device.
  3. With the SSL Certificate Authority (CA), users can be sure that the communications coming from the other end are in fact coming from their own Embassy and not someone pretending to be their Embassy.

More on #1: Tor Browsers for iOS are notoriously bad. The Tor Foundation does not officially support any of them. As such, we deemed it necessary to come up with something better. It pained us dearly that iPhone users (who account for a significant percentage of our customers) would be condemned to a subpar mobile experience.

As such, today we are excited to announce the Consulate browser!

The Consulate is a bare bones, bookmark-centric browser for .onion and .local URLs. It puts bookmarks at the center of the browser experience, such that Embassy owners can visit their own private “websites” that are served up by their own personal Embassies. Remember, it is not only Ambassador UI that receives its own .onion and .local URL, but every service installed on the Embassy. Install Bitwarden — it receives its own unique addresses. Install File Browser — it also receives its own unique addresses. These addresses can then be bookmarked in the Consulate to produce a “phone within a phone” experience. To illustrate: imagine you are looking at your phone’s home screen, full of your normal apps. You click the Consulate to reveal a whole new list of “apps”, except these apps are of a totally different nature — they are actually bookmarked web applications (websites) being privately served up by your Embassy. It’s like switching into dark mode, where everything you do is private, and radically so. There are no trusted parties sitting between you and your Embassy.

To wrap things up: our previous user experience model was great, but had a critical vulnerability in that it could be shut down by Apple or Google, a vulnerability that was exploited much sooner than we anticipated. As a result, we accelerated our plans to decentralize the Embassy platform architecture such that no one could practically prevent a user from setting up and connecting with their Embassy in total, trustless privacy. To view the complete list of improvements and new features, please see the official 0.2.0 release notes.

Ambassador 0.2.0 (including Ambassador UI), Setup App, and Consulate mark the single biggest release of new technology in Start9 Labs’ history and the official conclusion of our alpha phase. We thank our customers for taking a chance on an unknown product and team, and we thank Apple for attacking us and only reinforcing our resolve to build unstoppable technology for the sovereign individual.
