Android and iOS Design Resources for Mobile Game & App Developers

Digital Innovation Gazette provides useful tips and resources for the design and development of mobile games and mobile apps for Android and iOS platforms. Its articles cover new trends, techniques and standards.

The Mobile App Security Mantra: Don’t Trust, But Verify

Although the technological designs of mobile devices have much in common with non-mobile computer systems, there are substantial differences that need to be understood. Here’s what mobile app developers should consider about the threat vectors they need to protect against.

Security on Computer vs. Mobile Ecosystems
Smartphone hardware and software technologies are radically different from those of computers. In terms of communication, on a computer you have one external communication channel -- whereas on a smartphone you have IP connectivity, Bluetooth connectivity, Cellular Data connectivity, NFC connectivity and so on. In terms of an operating system, mobile OSs are substantially more “closed” than desktop, laptop and enterprise OSs.

While at first glance this might make a mobile OS appear more secure, it’s truly a double-edged sword when -- not if -- threats manage to penetrate the OS defenses. As Luis Blando, vice president of engineering at McAfee, explains, “once the mobile OS is penetrated, the products and systems that would otherwise be able to protect the device (such as those made by security ISVs) would be limited in the protective actions they can take within the OS guardrails, and that can prevent quarantining, pre-emption or even detection.”

The mobile ecosystem is also very different from that of regular desktop computing in the number of viable operating systems, the types of application delivery mechanisms, and established policies for application acceptance. In the desktop world, with a simple visit to a URL, a user can download and install a binary which can very well be infected. In the mobile world, application download and installation is done mostly through approved stores that curate the apps.

That said, these app store checks can create a false sense of protection. “When we recently checked the origin of infected mobile software, as reported by the MMS user base, we discovered that the majority had been downloaded directly from major app stores,” Blando notes. “And, in Asia, the use of specialized app stores, which may or may not have any curation or security checks on their catalog, is widespread. Don’t think that just because you’re using GooglePlay or another major app store that it’s a guarantee of safety.”

Possibly even more significantly, there are vast differences in the usage models for mobile and regular computing devices. Mobile devices are with you all the time, record your every move, log your every communication, and are a treasure trove of both personal and corporate information. Smartphones contain much more information than the average computing device; it’s your phone, calendar, address book, camera, music station, remote control, ATM, shopping assistant, and more. The fact that smartphones are incredibly valuable for information theft pretty much guarantees that the supposedly secure “defenses” built in via technology or ecosystems as explained above will sooner or later be overcome. “Smartphones are simply irresistible as targets,” says Blando.

Despite these huge challenges, “mobile applications are often not tested at all for security, or are not tested in as much detail as traditional web applications,” notes Brian Shura, Vice President at AppSec Consulting. “The security testing toolset that is available for mobile applications is not that mature. A thorough assessment involves a large amount of manual testing combined with some automated tools. Large financial companies have the resources to perform detailed mobile application security assessments, but the majority of applications available from the App Store most likely have never undergone a thorough security assessment.”

Mobile Developers Have to “Think Differently” About Security
Mobile developers need to adopt a mobile security mindset. In many ways, mobile devices are computers, and developers need to treat them as such: nothing on a mobile device eliminates the need for secure coding practices. All programs should sanitize input, only request the permissions that are absolutely necessary, and never store passwords or user data in clear text.

That said, mobile software does present new security challenges, both from the point of view of secure software and of protecting the user. Any mobile developer’s first priority should always be to protect the user. One key is to never let the illusion of security or safety suggested by either a closed OS or a single-user device fool you.

Mobile software developers need to keep in mind some new challenges on mobile devices:

• Network mobility: Mobile devices connect to many networks. Most users will connect to any open WiFi hotspot they can find as a method of reducing cellular data usage. This means that mobile software, even more than desktop software, must never trust that the network is secure. In addition to eavesdropping, mobile software developers should be wary of hostile networks that may attempt to impersonate servers or services. Apps should encrypt all network data and verify servers and services before sending authentication credentials.

• Device usage: Mobile devices are, well, mobile. Smartphones and other mobile devices go everywhere with their owners. They are also often taken out, used for a short time, and then set down. This means that they are also quite often lost or temporarily available to strangers. This frequent and on-the-go usage means that most mobile devices are not password protected. This is in contrast to laptops that are much more often password protected and are used less often and for longer stretches of time.

Mobile software that handles sensitive data should offer users the ability to separately lock the application or access to the data. That’s why, as Shura explains, “developers need to take this into account and build their applications in a way that a stolen mobile device doesn’t lead to an application user account compromise. For the most part, this means ensuring that sensitive information, such as passwords, are not stored on the mobile device.”

• Screen size: Smaller screens display less data. Screen size needs to be factored in when presenting the user with secure data or data they need to verify. One example is the URL input and display field in a browser. Most desktop browsers partially rely on the fact that a user can see the entire URL in this field. This is one line of defense against phishing attacks. The URL field on a mobile browser is so small, though, that only a fraction of the URL can be shown. This hides relevant data from the user and creates a new vulnerability. Keep in mind the size of the screen so that verification data displays are short or the most important data are displayed first.
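The screen-size point can be made concrete with an added example (not code from the article or from anyone quoted in it): a narrow address field that cuts a URL off on the right shows the least trustworthy part, while a label built from the host and elided on the left keeps the owner-identifying end visible. The class name, the 20-character width and the sample URLs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Added example: builds a short address label that keeps the end of the host visible. */
public final class NarrowUrlLabel {
    private static final String ELLIPSIS = "\u2026";
    private static final String UNVERIFIABLE = "(unverifiable address)";

    private NarrowUrlLabel() {}

    /** What a fixed-width field shows when it simply cuts the URL off on the right. */
    static String naive(String url, int maxChars) {
        return url.length() <= maxChars ? url : url.substring(0, maxChars);
    }

    /**
     * Returns the host only, elided on the LEFT when it does not fit, so the
     * rightmost labels (the part that identifies the site owner) are shown first.
     * Userinfo, path and query are never displayed.
     */
    static String hostFirst(String url, int maxChars) {
        String host;
        try {
            host = new URI(url.trim()).getHost();
        } catch (URISyntaxException e) {
            return UNVERIFIABLE;
        }
        // getHost() is null for relative URLs and for hosts URI cannot parse
        // (for example non-ASCII names that were not converted to punycode).
        if (host == null || maxChars < 2) {
            return UNVERIFIABLE;
        }
        host = host.toLowerCase(Locale.ROOT);
        if (host.length() <= maxChars) {
            return host;
        }
        // Keep the last (maxChars - 1) characters; one character is the ellipsis.
        int cut = host.length() - (maxChars - 1);
        String tail = host.substring(cut);
        // Do not show half a label: unless the cut already falls on a label
        // boundary, resume after the next dot when there is one.
        if (host.charAt(cut - 1) != '.') {
            int dot = tail.indexOf('.');
            if (dot >= 0 && dot < tail.length() - 1) {
                tail = tail.substring(dot + 1);
            }
        }
        return ELLIPSIS + tail;
    }

    public static void main(String[] args) {
        // Constructed URLs for illustration; none is a real site.
        String[] samples = {
            "https://login.bank.example.account-check.test/signin",
            "https://www.bank.example@account-check.test/",
            "https://www.bank.example/accounts/overview?id=1"
        };
        for (String url : samples) {
            // Left column: right-truncated URL. Right column: host-first label.
            System.out.printf("%-22s | %s%n", naive(url, 20), hostFirst(url, 20));
        }
    }
}
```

For the first two samples the right-truncated column begins with the bank's name even though the host belongs to someone else; the host-first column shows the real host.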

How Can App Developers Help Users Keep Private Data Safe?
While “in the past, developers of mobile applications did not have many resources to turn to for security guidance, that’s definitely starting to change,” says Shura. “OWASP (Open Web Application Security Project) now has a Mobile Security Project, which includes an OWASP Mobile Top 10 List of common vulnerabilities to avoid, Mobile Cheat Sheets for developers, and lots of testing guidance for people that are performing mobile application security assessments. I encourage mobile application developers to become familiar with the resources that are available on the OWASP website.”

Blando notes that, depending on the OS, there are also some specific issues to be wary of:

On Android:

• Be careful creating services, as any application on the device may have access to them.

• Treat incoming intents as hostile input -- sanitize and check the data they provide before acting on it.

• Make sure files stored on the device are protected both with file system permissions and with other data protection techniques like obfuscation or encryption.

• Assume the user already has root access to the device.
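One way to apply the advice on incoming intents, as an added example that is not code from the article or from Blando: an activity that other apps can start validates the action, the URI and the identifier before acting on any of them. The activity name, the host `pay.example.com` and the `/invoice/<digits>` path layout are hypothetical.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.widget.TextView;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example. Hypothetical activity, assumed to be exported in the manifest,
 * that shows an invoice named by a URI such as https://pay.example.com/invoice/12345.
 */
public class ViewInvoiceActivity extends Activity {
    // Assumed values for this example; the article does not define them.
    private static final String ALLOWED_SCHEME = "https";
    private static final String ALLOWED_HOST = "pay.example.com";
    private static final Pattern INVOICE_ID = Pattern.compile("[0-9]{1,12}");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String invoiceId = extractInvoiceId(getIntent());
        if (invoiceId == null) {
            // Anything that fails validation is dropped without side effects.
            finish();
            return;
        }
        showInvoice(invoiceId);
    }

    /** Returns the invoice id if every part of the intent is as expected, else null. */
    static String extractInvoiceId(Intent intent) {
        // Any app on the device may have built this intent, so nothing is assumed.
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) {
            return null;
        }
        Uri data = intent.getData();
        if (data == null || !data.isHierarchical()) {
            return null;
        }
        if (!ALLOWED_SCHEME.equals(data.getScheme())
                || !ALLOWED_HOST.equalsIgnoreCase(data.getHost())
                || data.getUserInfo() != null) {
            return null;
        }
        // Exactly two path segments: the literal "invoice" and the id.
        List<String> segments = data.getPathSegments();
        if (segments.size() != 2 || !"invoice".equals(segments.get(0))) {
            return null;
        }
        // Allow-list the id format instead of trying to strip bad characters.
        String id = segments.get(1);
        return INVOICE_ID.matcher(id).matches() ? id : null;
    }

    private void showInvoice(String invoiceId) {
        // The validated id is the only caller-supplied value that reaches the UI.
        TextView view = new TextView(this);
        view.setText("Invoice " + invoiceId);
        setContentView(view);
    }
}
```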

On iOS:

• Assume the phone is jail-broken. That doesn't mean relying on jail-broken behaviors; it means writing your software as if the user already has full access to the device, instead of relying on the OS to provide sandboxing to isolate your data from the user's view.

The Bottom Line: Don’t assume anything. Don’t trust. Verify.

Additional developer guidelines can be found at the U.S. Federal Trade Commission website: Mobile App Developers: Start with Security.

New Unity Features for App Makers

Unity, the widely used multi-platform game engine, continues to expand, offering new features and targeting additional platforms.

The past few weeks have seen considerable activity. In March, Unity Technologies released Unity 4.1, which includes support for Apple’s AirPlay wireless streaming technology and an updated memory usage tracking tool. Also last month, Unity Technologies entered an alliance with Sony Computer Entertainment Inc. that will make Unity tools available for the upcoming PlayStation 4, PlayStation Vita and PlayStation Mobile platforms.

In another alliance, Unity Technologies is partnering with Oculus VR Inc., which is developing the Oculus Rift virtual reality headset. Under that arrangement, Unity will offer Rift developers an extended Unity Pro trial license at no charge. The Unity tool comes in free and professional versions, with the latter, Unity Pro, priced at $1,500.

What’s New in Unity 4.1
Yury Yarmolovich, Unity developer at Elinext Group, a custom software developer based in Minsk, Belarus, says his company uses Unity to create augmented reality apps, among other things. He’s happy about the new features of Unity 4.1. “What is really good is the new Memory Profiler with a detailed overview of the resources used,” Yarmolovich says. “Also, shader improvements deserve recognition.”

The Memory Profiler update, available on Unity Pro, provides a greater level of detail as it breaks down non-managed memory usage. According to Unity Technologies, the feature lets developers track consumption “right down to the level of individual objects, assets, textures, meshes,” among other elements.

Unity 4.1, meanwhile, also offers multi-screen AirPlay support, which lets developers press iPads and iPhones into service as game controllers. Users control games on the handheld devices as the action is streamed to an HDTV. “I have not used much of AirPlay, but I think it’s a cool thing,” Yarmolovich says.

Chris Skaggs, founder and chief technology officer of Code-Monkeys, an application and web development company based in Newberg, Ore., cites Unity 4’s animation capability as a standout component. “Our favorite new feature is the new animation tool -- being able to set those things up inside the IDE is a big time saver and helps tremendously with animation prototyping,” Skaggs says.

Support for Additional Platforms
In general, Yarmolovich cites Unity’s cross-platform capability as an advantage, noting support for Android, iOS, Windows, Mac OS, Linux, PS3, and Xbox360, with upcoming support for Wii U, Windows Phone 8, BlackBerry 10, as well as current and next-gen PlayStation systems. He also lists other pluses, including support for C#, JavaScript and Boo; a comfortable MonoDevelop editor with a debugger; Asset Server for sharing code from the development environment; Asset Store for downloading additional applications and scripts; and support for various multimedia formats, including 3ds Max images.

Looking forward, Unity Technologies is moving to extend its platform reach. In late March, the company announced a Unity 4 open beta program for Windows Phone 8 apps. A spokesman for Unity Technologies says the company has yet to announce a release date for Windows Phone 8 support. “We just entered a more public beta period at [Game Developers Conference] and are inviting a much larger group of developers in to test,” he says.

In addition, Unity Technologies plans to let developers create games for PCs or tablets running Windows 8 and Windows RT and publish them to Microsoft’s Windows Store, according to Unity’s blog. That support will start with Unity 4.2.

Skaggs is also very interested in support for Windows 8. “As a matter of fact, Win8 with multi-touch support for things like the new Ultrabooks is something we bug Unity about on a weekly basis,” he notes.

“Whether or not it becomes a real player in the game space again will partly depend on how much developers are supported and then can deploy quality titles,” Skaggs continues. “For us, we live and die on the ‘multi-platform’ proposition and Win8 is just another platform that we want to be available on. Unity is so good with multi-deployment already...we want more.”

Developers can also anticipate Unity support for BlackBerry 10 smartphones. In February, Unity announced plans to build a development add-on for BlackBerry 10. At press time, a free beta version was expected to debut shortly. The final release is expected this summer, according to the company.

How Will DevOps Impact Mobile App Development?

The fast-paced world of mobile apps may benefit from a software development method that aims to boost efficiency and flexibility: DevOps.

DevOps, which borrows concepts from the Agile software movement, seeks to pull together the development and IT operations sides of an organization. That can prove difficult, since developers tend to favor change while operations personnel strive for stability. The DevOps approach tries to get everyone to meet in the middle and, at the same time, eliminate the awkward handoffs that can occur as software passes from coders to implementers and, ultimately, to customers. The objective: Shrink cycle time and meet changing customer needs.

Cultural change is an important aspect of DevOps, but so too is automation. An emerging set of tools aims to help bridge development and operations. As the industry changes, experts say the tenets and tools of DevOps are starting to impact mobile development. One key driver is the pace of development.

“Mobile development moves more quickly than most enterprises are accustomed to,” says Eric Minick, lead consultant at UrbanCode Inc., a Cleveland-based company that provides DevOps release and deployment tools. “It’s complicated by apps often targeting multiple platforms such as iOS, Android and generalized HTML5 offerings. Mobile teams can benefit from taking a few pages out of the DevOps playbook.”

In Minick’s view, approaches such as continuous delivery may be applied to mobile applications. In doing so, development teams “would rebuild our apps with every code change, ‘deploy’ them into simulators, and run functional test suites for each target device or platform. This can help the team catch regressions more quickly,” he says.

Enterprise Markets, Mobile Infrastructure

Many mobile apps are geared toward consumers. But adherence to DevOps could help developers extend their reach to include business accounts. “It would open up their applications and their market to enterprises,” says Jesus Garcia, alliance marketing manager for Intel’s software and solutions group. [Disclosure: Intel is the sponsor of this content.]

However, enterprises are often wary of taking on applications that don’t meet their needs in terms of maintainability, security and control, among other variables. DevOps provides insight into the operational side, which is important when it comes to application maintenance and management.

“Consumers aren’t necessarily concerned with security, manageability and maintaining applications -- but enterprises are,” Garcia says. “If a DevOps approach is going to facilitate integration into an enterprise environment, that’s a win-win for both the enterprise and app developers.”

DevOps can also help IT teams coordinate mobile apps and the enterprise back-end applications that support them.

“More and more, the mobile applications are not just building on top of existing back-end applications within the enterprise, but are driving changes to those systems,” Minick says. “That requires increased collaboration between the mobile development teams, traditional development teams and the traditional operations groups. The coordination required, and the pace being driven by mobile, is a big factor driving DevOps in the enterprise.”

Steve Hazel, vice president of product at Sauce Labs Inc., a company that lets developers test web and mobile apps in the cloud, also cites back-end applications as a fit for DevOps. He says the vast majority of mobile apps have a component in the cloud -- a website that presents an API that the app uses, for example. While a mobile app a consumer uses isn’t part of an enterprise’s operations, the back-end application falls into that category. “All of the DevOps methodologies apply to these mobile back-end sites,” Hazel says.

Hazel notes that many mobile back-end apps are being developed from scratch, so people want to adopt the newer methodologies. In his opinion, mobile developers are on the cutting edge of DevOps and Agile adoption. He suggests that the percentage of mobile developers that has adopted DevOps may be higher than the percentage of web developers that uses that method.

Michael Prichard, founder and chief technology officer of WillowTree Apps Inc., a mobile app design and development company in Charlottesville, Va., says his company has a 12-person DevOps team, out of more than 45 employees overall. WillowTree started building native apps in 2008, but eventually the company found that those apps needed to talk to something. The DevOps group focuses on creating APIs and back-end integration.

In one recent example, WillowTree developed the NBA’s All Star Weekend 2013 iPhone and Android apps. The company, Prichard explains, created the entire back-end system, building a Django content management system instance and employing Amazon Web Services to build a scalable system. “There are no more standalone apps,” Prichard says.

New software release approaches and shorter maintenance timeframes may also contribute to DevOps adoption. Jacob Ukelson, director of product strategy at Nolio, an application release operations software company, says maintenance windows have shrunk drastically with always-on computing, and he notes that mobile will cause them to shrink further or disappear entirely. As a consequence, companies will need to manage feature upgrade deployment and bug fixes so they have minimum impact on application availability, but still ensure application stability, he says.

Companies hoping to make that happen will begin to adopt new deployment methodologies such as dark launching and blue-green deployments, which can help meet those needs, Ukelson says. DevOps can smooth that adoption path. “DevOps will give companies the agility they need for these new release paradigms,” Ukelson says.

Tool Adoption

Automation vendors find that mobile developers have started to purchase their DevOps supporting tools.

“We expect more adoption this year as mobile development matures and the DevOps approach becomes more widely understood,” Minick says. “We definitely see some customers using our tools for mobile development, and to make sure all the back-end systems have updated code in place before the apps are pushed out to customers.”

Ukelson says a few customers use Nolio for mobile app delivery. Still, mobile isn’t the main driver for adoption of Nolio’s Release Operations Suite, Ukelson says, noting that continuous delivery has become a key reason to deploy the product. Mobile, however, provides another driver for the move to continuous delivery.

The time appears ripe for DevOps and greater tool use in the still-young mobile development arena.

“In many ways, it’s still in the early days for mobile development and while the velocity is there, the discipline is lacking,” Ukelson says. “My bank’s chronically broken mobile app makes that abundantly clear. The resulting two-star ratings with a comment of, ‘Might be good if it worked’ hurt adoption over a long period of time. Adopting a DevOps mindset, and more mature tooling, should help these mobile development teams keep moving quickly while raising quality.”

Mobile Device Adoption: Targeting the Next 50 Percent

Fifty-five percent of American mobile users now own a smartphone. That’s about 130 million people, which is a big pool of potential customers for your app. But what if that addressable market doubled?

It won’t happen easily or soon. The low-hanging fruit -- techies, prosumers, business people -- has been picked. Meanwhile, T-Mobile USA is among the mobile operators scrapping the tradition of handset subsidies. If that becomes a trend, then feature phone owners who want to upgrade tomorrow will have to shell out at least twice the amount they would today.

“One way or another, you’re going to have to pay some significant cost at some point, whether it’s up front -- $500 or $600 for the smartphone -- or $200 up front and $20 every month,” says Ramon Llamas, IDC research manager.

That’s one barrier. Another is the cost of a data plan, although that’s becoming less of a hurdle thanks to the growing selection of cut-rate, unlimited-data plans, such as those from Straight Talk and T-Mobile. The roll-out of Long-Term Evolution (LTE) could enable even more aggressive pricing strategies because the technology significantly lowers an operator’s cost of delivering data service.

“Carriers are interested in smartphone growth since they can compensate drops in voice and SMS revenue with data flat rates,” says Brent McMicking, who manages Intel’s phone launches worldwide. [Disclosure: Intel is the sponsor of this content.]

Who’s Using -- and Not Using -- Smartphones
The analyst firm iGR recently asked over 1,000 U.S. consumers about their plans to buy a phone in the next 30 days.

“The majority of those who were likely to buy [a phone] say they would probably buy a smartphone,” says Matthew Vartabedian, iGR vice president. “Not surprising. What I did find interesting was that older respondents (35+) with feature phones were about 10 to 20 percent more likely to buy a smartphone than younger respondents. Younger respondents (18-34) were more likely to buy multiple smartphones (two or more), which is also interesting. The survey data suggests that older consumers are already choosing smartphones.”

The catch is that not every first-time smartphone owner uses many -- or any -- apps. “[After] six months, my father-in-law has yet to use his iPhone 4 for anything except voice and text,” Vartabedian says. “He uses the preloaded weather and stock apps, but that's it. Maybe some Web browsing. I think he generates about 20 MB of 3G data in a month. I don't think he's even opened the App Store.” 

Smartphones Take Off in Developing Markets
There are a couple of reasons why it’s worth looking at smartphone adoption outside of the U.S. The first is that there are big potential markets, at least for those developers willing to localize their apps, for example in terms of language.

The second is that the strategies that vendors are using to upsell foreign consumers could be applied in the U.S., too. One example is the Yolo smartphone, which Intel and Safaricom recently launched in Kenya. It’s noteworthy because it’s the first smartphone to feature a processor and reference design created to reduce manufacturing costs without cutting corners in areas such as performance. For example, the Yolo smartphone has a 1.2 GHz processor, a 5 megapixel camera and support for 21 Mbps HSPA+ service.

That feature set is a break from tradition: In both developed and developing markets, affordable has been synonymous with pokey processors, limited memory and other shortcomings. Those undermine the app user experience.

“In India, Indonesia and China, they’re cutting corners left and right,” Llamas says. “The device build [quality] is rather cheap, so people are replacing their phones every six to eight months.”

The Yolo smartphone sold out within two weeks of its debut. That suggests that a lot of people in developing countries who don't own a smartphone already understand the benefits of owning one, such as the selection of apps. Translation: There’s pent-up demand not only for smartphones, but also for apps.

“In emerging markets, smartphones will be the first computer device for many people and provide a deeper Internet experience versus feature phones,” McMicking says. “Pent-up demand for smartphones is a function of perceived value and the overall experience, of which apps are a part. The opportunity for developers is to reach a new set of customers.”