Situation
Mobile application store owners are known to explicitly forbid some application extensibility scenarios.
Apple:
2.7 Apps that download code in any way or form will be rejected
2.8 Apps that install or launch other executable code will be rejected
https://developer.apple.com/app-store/review/guidelines/#functionality
Microsoft:
3.9 All app logic must originate from, and reside in, your app package
Your app must not attempt to change or extend the packaged content through any form of dynamic inclusion of code that changes how the application behaves with regard to Store certification requirements. Your app should not, for example, download a remote script and subsequently execute that script in the local context of the app package.
http://msdn.microsoft.com/en-us/library/windows/apps/hh694083.aspx
Google (not sure if it is as restrictive):
An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.
https://play.google.com/about/developer-content-policy.html
Problem
Some applications such as Minecraft and Codea are meant to let users produce content (not just consume it). Codea projects are obviously executable code and Minecraft is known to be Turing-complete.
Now they don’t have any built-in online community gallery capabilities, but it would be easy to imagine them added in future. This is something users would definitely appreciate:
https://gaming.stackexchange.com/questions/148549/how-to-transfer-minecraft-pocket-edition-world-between-ipads
http://codea.io/talk/discussion/527/best-way-to-share-code-straight-from-ipad/p1
Microsoft has already done this with their Project Spark (PC/Xbox) and Media Molecule/Sony have this in their Little Big Planet (PS, also Turing-complete).
Questions
1) Obviously specific store owners make their own, often random and unfair, decisions, but generally where is the line between ‘code’ and user-created content?
2) Is it a conscious decision to favour security over experience or a simple case of short-sightedness?
3) What can be done to work around this today? I am aware of the browser technology but am only interested in application development.
For iOS apps, in their Developer agreement, Apple states an exception to rule 2.7 for interpreting downloaded code, if that code is JavaScript, executed using public UIWebView or WebKit APIs (which can be a sub-component of a native iOS app), and which does not change the basic functionality of the app as per the app’s description or as submitted for review.
The old-fashioned way (from Apple II days and earlier) to distribute code was to publish that code in print, and have the users (re)type the source code into their own computer (or a terminal). Apple seems to allow programming language interpreters in the App Store (many: BASIC, Lisp, Python, etc.) that allow running code that the users have typed in themselves. So this old-fashioned way to share code will still work.
Just display the source code, or allow it to be printed out, and let the user manually type it into their mobile app.
For a really definitive answer, you will have to ask Apple, Microsoft and Google what they consider to be code and why those restrictions are in place.
Generally, “code” means instructions that can be executed on the device in question, either directly or through an interpreter. It thus also includes scripts.
These restrictions probably exist to give the store owners a fighting chance against malware. It should be noted that due to the way that apps on these mobile platforms are insulated from each other, virus-scanners are also prohibited from doing much of the work in protecting you that you might take for granted on a PC.
If you really want to create an app that can execute downloaded third-party code, your only legal option seems to be to provide it outside the official stores. You run a big risk that the app will be regarded with suspicion in any case.