  • Sep ’23 The Hybrid Architecture of Kinopio for iOS
    kinopio
    engineering

    Using Kinopio iOS running on my scratched up iPhone 12 mini

    A couple months ago I was in Bali, Indonesia for a wedding and had lunch with Lucas, the developer of Futureland where I did some contract work last year. He asked me when the Kinopio iOS app was coming so I shared my apprehension about having to spend months on app development only for it to be rejected by app store review at the last minute.

    Having gone through a similar rejection situation with his own app, Pagi, and having built the Futureland iOS app, he felt pretty confident that he could do Kinopio iOS. So when I got back home, we started planning things out in a space,

    We decided what the app should do and how it should work, with the goal of keeping scope low and maintainability high for this first version. After we’d settled all the hard questions of what we were building in the space, I summarized the conclusions into a Notion doc and we got to work.

    Fortunately, because Kinopio was designed to be touch friendly from the beginning it already worked well on mobile Safari. So the plan was to adopt a hybrid architecture where the native app would be a container for a WKWebView where the Kinopio website would live.

    To enable the native app to send messages to the webview (and vice-versa) we built a bridge between the two worlds using plain old postMessages. So the Kinopio webview can say something like postMessage.send({ name: 'updateBackgroundColor', body }) and the native app can take action and send messages back to the webview in a similar way.
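Whichever side receives a `{ name, body }` message has to treat it as untrusted input before acting on it. The dispatcher below is an added example, not Kinopio's code: only `updateBackgroundColor` comes from the post, while `triggerHaptic`, the body fields, and the size limit are assumptions.

```javascript
// Added example: allowlist and validate { name, body } bridge messages.
const HEX_COLOR = /^#[0-9a-f]{6}$/i
const MAX_RAW_LENGTH = 4096 // assumed limit for string-encoded messages

function isPlainObject (value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value)
}

// One validator per accepted message name. A Map avoids prototype keys
// such as "__proto__" being treated as known names.
const validators = new Map([
  ['updateBackgroundColor', body =>
    isPlainObject(body) && typeof body.color === 'string' && HEX_COLOR.test(body.color)],
  ['triggerHaptic', body => // hypothetical message
    isPlainObject(body) && ['light', 'medium', 'heavy'].includes(body.style)]
])

function parseBridgeMessage (raw) {
  let message = raw
  if (typeof raw === 'string') {
    if (raw.length > MAX_RAW_LENGTH) return { ok: false, error: 'too large' }
    try { message = JSON.parse(raw) } catch { return { ok: false, error: 'not JSON' } }
  }
  if (!isPlainObject(message)) return { ok: false, error: 'not an object' }
  const { name, body } = message
  const validate = typeof name === 'string' ? validators.get(name) : undefined
  if (!validate) return { ok: false, error: 'unknown message name' }
  if (!validate(body)) return { ok: false, error: 'invalid body' }
  return { ok: true, name, body }
}

// handlers: { [name]: function(body) }. Only validated messages reach them.
function createBridge (handlers) {
  return raw => {
    const parsed = parseBridgeMessage(raw)
    if (!parsed.ok) return parsed
    const handler = Object.hasOwn(handlers, parsed.name) ? handlers[parsed.name] : undefined
    if (typeof handler !== 'function') return { ok: false, error: 'no handler' }
    handler(parsed.body)
    return parsed
  }
}
```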

    This postMessage bridge allows for native-only features like haptic feedback when touching content, as well as syncing the pixels above the webview with the dynamic background color behind the webpage:

    The background color of the app slowly cycles between different shades. This video is sped up by over 70x

    We also added share sheets and widgets to quickly capture new thoughts and URLs. In the spirit of simplicity, the share sheet also uses the same kinopio.club/add page that the browser extensions use.

    Regardless of platform, part of this whole programming-as-craft thing for me is getting the most out of doing the least. Which usually means using basic technologies that are easy to understand, debug, and maintain.

    Anyways, 7 annoying app store rejections later (which I’ll skip talking about here for the sake of my mental health), I’m happy to be able to tell you that Kinopio iOS is now live 🎊.

    I hope using it feels like an extension of your hand and mind, like it already does for me. Swipe-to-scroll and pinch-to-zoom, press and hold to paint-select and drag cards around.

    Download Kinopio iOS on the App Store

  • May ’23 A Tool for Those Who Dream of Being Understood
    life
    kinopio

    As far back as I can remember, I’ve struggled to be able to express what was in my head. Whether it was drawing, writing, design, I was never happy with the result.

    (Source)

    It took me over a decade to be able to give life to my ideas and ideals in the form of words, software, and art, in a way that satisfies me. 10+ years probably sounds like a long time, because it is. But it took creating Kinopio for me to realize just how powerful expressing yourself to turn ideas into understanding really can be.

    Self-Expression Is a Productivity Superpower

    Throw a rock and you’ll hit a new productivity tool you can use to Get Things Done and change your life, or your team at work.

    But this one’s different, I swear. You can add comments, color-coded labels, stuff things in folders, assign them to other people, generate charts, and ask ChatGPT to summarize the nightmare we’ve created.

    But it’s all basically just,

    1. Write tasks,
    2. Do tasks

    Instead of putting lipstick on a pig, what if we looked a little closer at the little oinker?

    Starting with step one,

    1. Write tasks

    We’ve all read vague, flowery, way-too-long documents and plans that use a lot of words to say very little – or nothing at all. The tasks this kind of writing creates in any tool are a classic case of garbage in, garbage out.

    “Being misunderstood is one of the most frustrating feelings in the world” - Kali Uchis

    Being able to clearly express your thoughts is the unsung productivity superpower: your thoughts become actions that you feel confident doing, and your plans become tasks that your team feels inspired to execute on.

    But getting the thoughts out of your head is its own special kind of work.

    The Thinking Work Before the Work

    We have an endless number of thoughts and ideas swimming around our heads every second of every day. Because the mind is an inherently messy, creative space, organizing your thoughts is less like cleaning your room, and more like fishing for pearls:

    Dive in, swim deep and collect what shines. Then refine and polish what you find for others to cherish.

    Ama pearl diver

    Or, as Rain put it,

    “When an idea first arises, there’s still so much shaping, transforming, deleting, expressing, before you can arrive at a semblance of a place. Kinopio is perfect for making sense of this in-between state.

    It’s also […] a constant reminder of the magic in software”

    Who Kinopio Is For

    I didn’t create Kinopio to be a better whiteboard, or a Miro/Mural/etc-killer. The origin story is way more basic than that.

    While designing mockups and writing technical specs in previous jobs, I got into the habit of writing and moving ideas around using the text tool in design software. Being able to write this way was creatively liberating and inspired me to build a spatial thinking tool that anyone could use, by themselves or collaboratively.

    Communicating your ideas, the thinking behind them, and expressing more of yourself is scary – right up until it becomes second nature.

    Kinopio helps you get over that hump. It’s a tool, and a community, for those who dream of being understood.

    P.S. Here’s the thinking space I used to make this blog post

  • Feb ’23 Securing Sign Ups, Without Being Annoying
    engineering

    Normally I don’t write much about server and security issues. I’m certainly no expert. But if I can prevent the birth of even a single captcha, then I’ll sleep well tonight.

    Every website you can sign up for will eventually need to ask itself the question,

    how do you prevent a malicious person from running a script 100s of times a second that acts like a sign up form submission to spam or DDOS your service?

    (source)

    At the very minimum your server should be rate limiting requests from the same IP address. But because IPs can be faked, additional protection is needed.

    The different solutions to this puzzle each strike a different balance between security and convenience:

    • Captchas: use these if you hate your users
    • Sign-in with Facebook/Google/etc.: causes support issues, ties critical infrastructure to untrustworthy megacorps
    • User must verify their email before account is created: not too bad, but having to open email is noticeable friction – especially if you have other unread messages yearning for your attention

    I was looking for more user-friendly alternatives to these systems when I came across the idea of temporary tokens on the W3C wiki,

    Assign a temporary token to the users at the start of their sessions. The token will be associated with the submitted form. When the session is terminated, the token expires.

    Color me intrigued.

    Putting Yourself In a Hacker’s Shoes

    As intimidating as the term is, cybersecurity can be a fun mental exercise. While I build server routes, controllers, etc. a little voice in the back of my mind asks “If I knew these API endpoints, how could I exploit them?”

    So let’s take a step back to the original scenario to create some assumptions:

    • To make 100s of accounts a second, you’ll most likely be running a script from the command line.
    • There’s a relationship between benefit and effort. The less moral or financial incentive there is to break a service, the less effort you want to spend customizing your script.

    Validating Sign Up with Session Tokens

    Based on our assumption, a weak point of scripted sign ups is that the script isn’t running on the page itself. So instead of proving humanity (i.e. solve this puzzle), we really only need to prove presence (i.e. were you here? did you sign up on this website?).

    Here’s how we can do that using temporary tokens:

    • When you load Kinopio and open the sign up form, a randomly generated session token is created by the client and saved to the server database.
    • When you submit the sign up form, the session token is included and the server first checks to see if that session token exists. If it does, then the token is removed from the database, and the sign up process continues. If it doesn’t, then the server responds with an error instead.
    • Periodically, old unused tokens are purged from the database
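The three steps above, sketched as an added example that is not Kinopio's server code. The in-memory `Map` stands in for the database, and the 15 minute lifetime, the 64-character hex token format, and the 401 response are assumptions.

```javascript
const crypto = require('crypto')

const TOKEN_TTL_MS = 15 * 60 * 1000 // assumed lifetime; the post gives no number

// In-memory stand-in for the server's token table (a real server would use its database).
class SessionTokenStore {
  constructor (now = () => Date.now()) {
    this.tokens = new Map() // token -> createdAt (ms)
    this.now = now
  }

  // Step 1: the client generates a random token and the server saves it.
  register (token) {
    if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return false
    this.tokens.set(token, this.now())
    return true
  }

  // Step 2: a token is valid once. It is deleted on first use, so a replayed
  // sign up request with the same token fails.
  consume (token) {
    const createdAt = this.tokens.get(token)
    if (createdAt === undefined) return false
    this.tokens.delete(token)
    return this.now() - createdAt <= TOKEN_TTL_MS
  }

  // Step 3: periodic cleanup of tokens that were never used.
  purge () {
    let removed = 0
    for (const [token, createdAt] of this.tokens) {
      if (this.now() - createdAt > TOKEN_TTL_MS) {
        this.tokens.delete(token)
        removed++
      }
    }
    return removed
  }
}

// What the browser would generate when the sign up form opens.
const newSessionToken = () => crypto.randomBytes(32).toString('hex')

// Sign up handler: the token check runs before any account work.
function signUp (store, { email, sessionToken }) {
  if (!store.consume(sessionToken)) return { status: 401, error: 'invalid session token' }
  return { status: 200, email } // account creation would continue here
}
```

Because the client creates the token, the registration route is itself scriptable, so it needs the same IP rate limiting the post names as the minimum.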

    This is definitely more towards the convenience end of the security spectrum, but no single solution here is perfect and the advantage of session tokens is that they can stack nicely on top of other measures down the line if needed.

  • May ’22 In Search of Organic Software
    biz

    So over the last couple weeks, I’ve been talking to VCs and founders who have and haven’t taken VC to learn whether it makes sense for Kinopio. I don’t think it does.

    (source)

    I’m open to the idea of selling ~5-10% equity in Kinopio for 💰 to live a smoother life right now. But the relatively-easy money of VCs has a cost – once you get on the VC ferris wheel 🎡, the primary goal of a business changes:

    Before “let’s make a great product and sell it to people who love it”

    After 🎡 “we need fast growth to raise ever-higher rounds of investment until the company gets acquired, so I never have to work again”

    This really clicked for me during a chat with someone who recently took VC:

    I like what I’m building, and if it dies it’ll be a shame. But it won’t kill me like it’s killing my baby that I would’ve loved to work on for the next 10+ yrs.

    Maybe that’s the healthy approach, almost certainly the smart one – but it’s not mine. I want to work on Kinopio for at least a lifetime.

    Built to Die, and Secretive About It

    Funding models explain why it’s so hard to rely on software services long-term. Not because of technical problems like crashes, but because they’re often built to die.

    (source)

    Interesting, cool, and nice-to-use tools and platforms come out all the time. But it’s annoying to invest the time in learning and relying on something new only for it to get acquired and sunset, or become crappy in the 🎡 pursuit of growth-at-all-costs.

    I’ve found that the best way to predict whether software is made to die is to look at how it’s funded. What’s the company’s business model? How will they make money?

    It seems like more and more people are explicitly or intuitively becoming more aware of this. But it’s still rare for businesses to share how they’re funded. Advice I got from multiple founders is that if you raise VC, wait 2-3 years to announce it.

    On the other hand, it’s also not that common for self-sufficient businesses to share their business model. Maybe they’re afraid of looking small, or maybe they think that people don’t care.

    Kind of Like Farming

    (source)

    Two different kinds of farms can grow vegetables. One is a factory farm built for scale, and the other takes the time to grow more expensive but healthier plants without pesticides.

    Will everyone appreciate the difference? Of course not, but the latter plants are labelled ‘organic’ to give us the information and the choice, so that those of us who do care can make better decisions.

    Organic Software

    So maybe we should have ‘organic’ software as well, made by companies that:

    1. Are not funded in such a way where the primary obligation of the company is to 🎡 chase funding rounds or get acquired (so bootstrapping, crowdfunding, grants, and angel investment are okay)
    2. Have a clear pricing page
    3. Disclose their sources of funding and sources of revenue

    And, if you are making organic software, please proudly tell the world because we want to know you’re making something we can rely on.

    (from the Kinopio About page)

    p.s. I know that software terms like bootstrapped and indie also exist. But these are vaguely defined (is angel investment okay? is having staff okay?), and predominantly speak to founders, instead of to why regular people should care.

    p.p.s Thanks to everyone who graciously took the time to talk to me about funding. And special thanks to Aneesha for editing this.



I make Kinopio, a spatial thinking tool for new ideas and hard problems. It works how our brains work,
