Why Mobile Is Such a Big Deal for Big Data

Few things are as personal as a mobile phone. In fact, it’s something that most people have with them every waking moment -- and often while they’re asleep.

Consumer behavior like this makes mobile phones an opportunity to collect information about users throughout the day rather than just when they’re at a computer. In fact, for some people, the mobile phone is the primary way they go online, making that device the most effective way for everyone from advertisers to app developers to understand and reach their target markets.

Big data involves aggregating information from potentially disparate sources with the goal of drawing meaningful conclusions about what a person or group might be most interested in. Data mining has been around since the 1970s, but as mobile penetration has skyrocketed, so has the opportunity to gain even more insights into how consumers spend their time and money.

The information flows in both directions: Mobile apps are sources of information for big data analytics companies such as Google, but developers can also pull information from those digital warehouses.

“What we’re all trying to do is [figure out] how to get more of that person’s time,” says Mike Wehrs, president and CEO of Scanbuy, whose ScanLife QR code reader app has been downloaded more than 6 million times. “How do I continue to add value and remain relevant to their life? Big data is a means to that end.”

Do You Know Where Your Customers Are?
About a decade ago, regulators such as the FCC began requiring all new mobile phones to have built-in location technology such as GPS to help find emergency callers. Those mandates were a milestone in big data history because they changed the nature of the information that can be captured and mined compared with desktops and laptops.

“The big difference is that desktops are stationary and laptops do not in general have GPS sensors, so there is a location awareness in the data that can be captured and mined from a mobile device,” says Andrew Purtell, principal architect at Intel. [Disclosure: Intel is the sponsor of this content.]

“Location awareness is a gateway into a new way of interacting with services,” says Purtell. “For example, on services such as Twitter or Foursquare, users can publish their location to trusted members of their social network. We know these services then mine this location and activity trace for sale to advertisers and commercial concerns in general, producing new business models.”

A straightforward example is pushing ads and e-coupons to mobile users based solely on their location. Depending on the app, there are additional opportunities for developers, advertisers and others to interact with users.

“Increasingly, people live within the virtual world presented by their mobile devices as they move through the physical world,” Purtell says. “Location-aware games overlay a virtual world over the physical. For example, the Niantic Project plays out in physical space around the players, in which they interact with a virtual world overlaid onto their local neighborhood, blending the imaginary with the real.

“Retailers can publish special offers to potential customers who are physically near their location, injecting suggestions into the stream of consciousness, facilitating impulse shopping in a way previously not possible. Responses to location-specific offers can be mined for refinement of future offers.”

Providing Relevance, Not Annoyance
Location-specific offers also show how big data can be both a challenge and an opportunity for developers and the companies they work with. Big data is a chance to push a promo to customers when they’re literally in the right place to take advantage of it.

For example, a person whose social network interactions frequently revolve around coffee seems like an ideal candidate for an e-coupon when she’s passing by a café. Developers can get information about those kinds of interests by buying it from, or partnering with, big data providers.

The challenge is that she might not be interested in coffee at that moment. If that’s the case, the promo comes across as spam, and if it happens often enough, she might shut off that feature or uninstall the app. Either way, that marketing and revenue opportunity is now lost.

Developers can avoid that problem by giving users a way to indicate that they’re interested in receiving promos, such as by having the café put a QR code or NFC tag in its window. 

“That’s an expression of interest,” Wehrs says. “Now I’m initiating, and if I get an offer, I’m happy about it. It helps you provide a less-invasive experience for your end consumer.

“The whole promise of big data is that you’ll never perceive that you’re getting spam again. [You’ll never receive an] offer that isn’t for you because there will be so much intelligence in the system.”

So while data mining on computers has been around for decades, the big data trend on mobile devices holds a stronger promise: Developers and companies collect valuable information about consumers and, in turn, pass that value back to them by better meeting their needs. 

The Mobile App Security Mantra: Don’t Trust, But Verify

Although the technological designs of mobile devices have much in common with non-mobile computer systems, there are substantial differences that need to be understood. Here’s what mobile app developers should consider about the threat vectors they need to protect against.

Security on Computer vs. Mobile Ecosystems
Smartphone hardware and software technologies are radically different from those of computers. In terms of communication, on a computer you have one external communication channel -- whereas on a smartphone you have IP connectivity, Bluetooth connectivity, cellular data connectivity, NFC connectivity and so on. In terms of an operating system, mobile OSs are substantially more “closed” than desktop, laptop and enterprise OSs.

While at first glance this might make a mobile OS appear more secure, it’s truly a double-edged sword when -- not if -- threats manage to penetrate the OS defenses. As Luis Blando, vice president of engineering at McAfee, explains, “once the mobile OS is penetrated, the products and systems that would otherwise be able to protect the device (such as those made by security ISVs) would be limited in the protective actions they can take within the OS guardrails, and that can prevent quarantining, pre-emption or even detection.”

The mobile ecosystem is also very different from that of regular desktop computing in the number of viable operating systems, the types of application delivery mechanisms, and established policies for application acceptance. In the desktop world, with a simple visit to a URL, a user can download and install a binary which can very well be infected. In the mobile world, application download and installation is done mostly through approved stores that curate the apps.

That said, these app store checks can create a false sense of protection. “When we recently checked the origin of infected mobile software, as reported by the MMS user base, we discovered that the majority had been downloaded directly from major app stores,” Blando notes. “And, in Asia, the use of specialized app stores, which may or may not have any curation or security checks on their catalog, is widespread. Don’t think that just because you’re using Google Play or another major app store that it’s a guarantee of safety.”

Possibly even more significantly, there are vast differences in the usage models for mobile and regular computing devices. Mobile devices are with you all the time, record your every move, log your every communication, and are a treasure trove of both personal and corporate information. Smartphones contain much more information than the average computing device; it’s your phone, calendar, address book, camera, music station, remote control, ATM, shopping assistant, and more. The fact that smartphones are incredibly valuable for information theft pretty much guarantees that the supposedly secure “defenses” built in via technology or ecosystems as explained above will sooner or later be overcome. “Smartphones are simply irresistible as targets,” says Blando.

Despite these huge challenges, “mobile applications are often not tested at all for security, or are not tested in as much detail as traditional web applications,” notes Brian Shura, Vice President at AppSec Consulting. “The security testing toolset that is available for mobile applications is not that mature. A thorough assessment involves a large amount of manual testing combined with some automated tools. Large financial companies have the resources to perform detailed mobile application security assessments, but the majority of applications available from the App Store most likely have never undergone a thorough security assessment.”

Mobile Developers Have to “Think Differently” About Security
Mobile developers need to adopt a mobile security mindset. In many ways, mobile devices are computers, and developers need to treat them as such: nothing on a mobile device eliminates the need for secure coding practices. All programs should sanitize input, request only the permissions that are absolutely necessary, and never store passwords or user data in clear text.

That said, mobile software does present new security challenges, both in writing secure software and in protecting the user. Any mobile developer’s first priority should always be to protect the user. One key is to never let the illusion of security or safety suggested by either a closed OS or a single-user device fool you.

Mobile software developers need to keep in mind some new challenges on mobile devices:

•      Network mobility: Mobile devices connect to many networks. Most users will connect to any open WiFi hotspot they can find as a method of reducing cellular data usage. This means that mobile software, even more than desktop software, must never trust that the network is secure. In addition to eavesdropping, mobile software developers should be wary of hostile networks that may attempt to impersonate servers or services. Apps should encrypt all network data and verify servers and services before sending authentication credentials.

•      Device usage: Mobile devices are, well, mobile. Smartphones and other mobile devices go everywhere with their owners. They are also often taken out, used for a short time, and then set down. This means that they are also quite often lost or temporarily available to strangers. This frequent and on-the-go usage means that most mobile devices are not password protected. This is in contrast to laptops that are much more often password protected and are used less often and for longer stretches of time.

Mobile software that handles sensitive data should offer users the ability to separately lock the application or access to the data. Shura explains that’s why “developers need to take this into account and build their applications in a way that a stolen mobile device doesn’t lead to an application user account compromise. For the most part, this means ensuring that sensitive information, such as passwords, are not stored on the mobile device.”

•      Screen size: Smaller screens display less data. Screen size needs to be factored in when presenting the user with secure data or data they need to verify. One example is the URL input and display field in a browser. Most desktop browsers partially rely on the fact that a user can see the entire URL in this field. This is one line of defense against phishing attacks. The URL field on a mobile browser is so small, though, that only a fraction of the URL can be shown. This hides relevant data from the user and creates a new vulnerability. Keep in mind the size of the screen so that verification data displays are short or the most important data are displayed first.
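The network-mobility advice above (encrypt all traffic and verify the server before sending credentials) can look like the following. This is an added example, not code from the original article; the class name, endpoint URL and pin values are hypothetical placeholders, and it uses only standard Java SE classes, which Android also provides.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PinnedLogin {
    // Hypothetical endpoint and placeholder pins: substitute your own service's values.
    private static final String LOGIN_URL = "https://api.example.com/login";
    private static final Set<String> PINNED_SPKI_SHA256 = new HashSet<>(Arrays.asList(
            "PLACEHOLDER_PRIMARY_KEY_PIN_BASE64",
            "PLACEHOLDER_BACKUP_KEY_PIN_BASE64"));

    /** Base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo. */
    static String spkiPin(Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    /** Fails unless at least one certificate in the server's chain carries a pinned key. */
    static void requirePinnedKey(HttpsURLConnection conn) throws IOException {
        try {
            for (Certificate cert : conn.getServerCertificates()) {
                if (PINNED_SPKI_SHA256.contains(spkiPin(cert))) {
                    return;
                }
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("SHA-256 unavailable", e);
        }
        throw new SSLPeerUnverifiedException("no pinned key in server certificate chain");
    }

    /** Sends the credentials only after the TLS peer has been verified. Returns the HTTP status. */
    public static int login(String user, String password) throws IOException {
        URL url = new URL(LOGIN_URL);
        if (!"https".equals(url.getProtocol())) {
            throw new IOException("refusing to send credentials without TLS");
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setInstanceFollowRedirects(false); // never replay the login to another host
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try {
            // The handshake runs here with the platform's default trust manager and
            // hostname verifier left in place: a hostile hotspot presenting an
            // untrusted or mismatched certificate fails at this line.
            conn.connect();
            // Second check: the chain must contain a key we expect for this service.
            requirePinnedKey(conn);

            // Only now are the credentials written to the connection.
            String form = "user=" + URLEncoder.encode(user, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(form.getBytes(StandardCharsets.UTF_8));
            }
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

Keeping a backup pin lets the server key be rotated without locking out installed apps. On Android 7.0 and later the same pins can be declared in the app's Network Security Configuration instead of in code.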

How Can App Developers Help Users Keep Private Data Safe?
While “in the past, developers of mobile applications did not have many resources to turn to for security guidance, that’s definitely starting to change,” says Shura. “OWASP (Open Web Application Security Project) now has a Mobile Security Project, which includes an OWASP Mobile Top 10 List of common vulnerabilities to avoid, Mobile Cheat Sheets for developers, and lots of testing guidance for people that are performing mobile application security assessments. I encourage mobile application developers to become familiar with the resources that are available on the OWASP website.”

Blando notes that, depending on the OS, there are also some specific issues to be wary of:

On Android:

•      Be careful creating services, as any application on the device may have access to it.

•      Treat incoming intents as hostile input -- sanitize and check the data they provide before acting on it.

•      Make sure files stored on the device are protected with file system permissions as well as other data protection techniques such as obfuscation or encryption.

•      Assume the user already has root access to the device.
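The sketch below shows one way to treat an incoming intent as hostile input, as the Android list above advises. It is an added example, not code from the original article; the activity name, action string, extra keys, ID format and trusted host are all hypothetical.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.regex.Pattern;

/**
 * Hypothetical activity that other apps may start. Declare components with
 * android:exported="false" in the manifest unless other apps really need them;
 * when they must be exported, validate everything the caller supplies.
 */
public class OpenCouponActivity extends Activity {
    // All names below are assumptions made for this example.
    static final String ACTION_OPEN = "com.example.app.action.OPEN_COUPON";
    static final String EXTRA_COUPON_ID = "coupon_id";
    static final String EXTRA_RETURN_URL = "return_url";
    private static final Pattern COUPON_ID = Pattern.compile("[A-Z0-9]{8,16}");
    private static final String TRUSTED_HOST = "coupons.example.com";

    /** Holds only values that have passed validation. */
    static final class Request {
        final String couponId;
        final Uri returnUrl; // may be null
        Request(String couponId, Uri returnUrl) {
            this.couponId = couponId;
            this.returnUrl = returnUrl;
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Request request = validate(getIntent());
        if (request == null) {
            // Reject quietly: no partial processing, no detail returned to the caller.
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        showCoupon(request);
    }

    /** Returns a Request only if every caller-supplied field is acceptable, else null. */
    static Request validate(Intent intent) {
        if (intent == null || !ACTION_OPEN.equals(intent.getAction())) {
            return null;
        }
        String id;
        String returnUrl;
        try {
            id = intent.getStringExtra(EXTRA_COUPON_ID);
            returnUrl = intent.getStringExtra(EXTRA_RETURN_URL);
        } catch (RuntimeException e) {
            // Reading extras can throw if the sender's Bundle cannot be unparcelled;
            // treat that as invalid input instead of letting the app crash.
            return null;
        }
        // Allow-list the format rather than trying to strip "bad" characters.
        if (id == null || !COUPON_ID.matcher(id).matches()) {
            return null;
        }
        Uri target = null;
        if (returnUrl != null) {
            target = Uri.parse(returnUrl);
            boolean trusted = "https".equals(target.getScheme())
                    && TRUSTED_HOST.equalsIgnoreCase(target.getHost())
                    && target.getUserInfo() == null;
            if (!trusted) {
                return null; // never open or forward a caller-chosen destination
            }
        }
        return new Request(id, target);
    }

    private void showCoupon(Request request) {
        // Render using request.couponId and request.returnUrl only; the raw Intent
        // is not consulted again after validation.
    }
}
```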

On iOS:

•      Assume the phone is jail-broken. That doesn't mean relying on jail-broken behaviors; it means writing your software as if the user already has full access to the device instead of relying on the OS to provide sandboxing to isolate your data from the user's view.

The Bottom Line: Don’t assume anything. Don’t trust. Verify.

Additional developer guidelines can be found at the U.S. Federal Trade Commission website: Mobile App Developers: Start with Security.

New Unity Features for App Makers

Unity, the widely used multi-platform game engine, continues to expand, offering new features and targeting additional platforms.

The past few weeks have seen considerable activity. In March, Unity Technologies released Unity 4.1, which includes support for Apple’s AirPlay wireless streaming technology and an updated memory usage tracking tool. Also last month, Unity Technologies entered an alliance with Sony Computer Entertainment Inc. that will make Unity tools available for the upcoming PlayStation 4, PlayStation Vita and PlayStation Mobile platforms.

In another alliance, Unity Technologies is partnering with Oculus VR Inc., which is developing the Oculus Rift virtual reality headset. Under that arrangement, Unity will offer Rift developers an extended Unity Pro trial license at no charge. The Unity tool comes in free and professional versions, with the latter, Unity Pro, priced at $1,500.

What’s New in Unity 4.1
Yury Yarmolovich, Unity developer at Elinext Group, a custom software developer based in Minsk, Belarus, says his company uses Unity to create augmented reality apps, among other things. He’s happy about the new features of Unity 4.1. “What is really good is the new Memory Profiler with a detailed overview of the resources used,” Yarmolovich says. “Also, shader improvements deserve recognition.”

The Memory Profiler update, available on Unity Pro, provides a greater level of detail as it breaks down non-managed memory usage. According to Unity Technologies, the feature lets developers track consumption “right down to the level of individual objects, assets, textures, meshes,” among other elements.

Unity 4.1, meanwhile, also offers multi-screen AirPlay support, which lets developers press iPads and iPhones into service as game controllers. Users control games on the handheld devices as the action is streamed to an HDTV. “I have not used much of AirPlay, but I think it’s a cool thing,” Yarmolovich says.

Chris Skaggs, founder and chief technology officer of Code-Monkeys, an application and web development company based in Newberg, Ore., cites Unity 4’s animation capability as a standout component. “Our favorite new feature is the new animation tool -- being able to set those things up inside the IDE is a big time saver and helps tremendously with animation prototyping,” Skaggs says.

Support for Additional Platforms
In general, Yarmolovich cites Unity’s cross-platform capability as an advantage, noting support for Android, iOS, Windows, Mac OS, Linux, PS3, and Xbox360, with upcoming support for Wii U, Windows Phone 8, BlackBerry 10, as well as current and next-gen PlayStation systems. He also lists other pluses, including support for C#, JavaScript and Boo; a comfortable MonoDevelop editor with a debugger; Asset Server for sharing code from the development environment; Asset Store for downloading additional applications and scripts; and support for various multimedia formats, including 3ds Max images.

Looking forward, Unity Technologies is moving to extend its platform reach. In late March, the company announced a Unity 4 open beta program for Windows Phone 8 apps. A spokesman for Unity Technologies says the company has yet to announce a release date for Windows Phone 8 support. “We just entered a more public beta period at [Game Developers Conference] and are inviting a much larger group of developers in to test,” he says.

In addition, Unity Technologies plans to let developers create games for PCs or tablets running Windows 8 and Windows RT and publish them to Microsoft’s Windows Store, according to Unity’s blog. That support will start with Unity 4.2.

Skaggs is also very interested in support for Windows 8. “As a matter of fact, Win8 with multi-touch support for things like the new Ultrabooks is something we bug Unity about on a weekly basis,” he notes.

“Whether or not it becomes a real player in the game space again will partly depend on how much developers are supported and then can deploy quality titles,” Skaggs continues. “For us, we live and die on the ‘multi-platform’ proposition and Win8 is just another platform that we want to be available on. Unity is so good with multi-deployment already...we want more.”

Developers can also anticipate Unity support for BlackBerry 10 smartphones. In February, Unity announced plans to build a development add-on for BlackBerry 10. At press time, a free beta version was expected to debut shortly. The final release is expected this summer, according to the company.

How Will DevOps Impact Mobile App Development?

The fast-paced world of mobile apps may benefit from a software development method that aims to boost efficiency and flexibility: DevOps.

DevOps, which borrows concepts from the Agile software movement, seeks to pull together the development and IT operations sides of an organization. That can prove difficult, since developers tend to favor change while operations personnel strive for stability. The DevOps approach tries to get everyone to meet in the middle and, at the same time, eliminate the awkward handoffs that can occur as software passes from coders to implementers and, ultimately, to customers. The objective: Shrink cycle time and meet changing customer needs.

Cultural change is an important aspect of DevOps, but so too is automation. An emerging set of tools aims to help bridge development and operations. As the industry changes, experts say the tenets and tools of DevOps are starting to impact mobile development. One key driver is the pace of development.

“Mobile development moves more quickly than most enterprises are accustomed to,” says Eric Minick, lead consultant at UrbanCode Inc., a Cleveland-based company that provides DevOps release and deployment tools. “It’s complicated by apps often targeting multiple platforms such as iOS, Android and generalized HTML5 offerings. Mobile teams can benefit from taking a few pages out of the DevOps playbook.”

In Minick’s view, approaches such as continuous delivery may be applied to mobile applications. In doing so, development teams “would rebuild our apps with every code change, ‘deploy’ them into simulators, and run functional test suites for each target device or platform. This can help the team catch regressions more quickly,” he says.

Enterprise Markets, Mobile Infrastructure

Many mobile apps are geared toward consumers. But adherence to DevOps could help developers extend their reach to include business accounts. “It would open up their applications and their market to enterprises,” says Jesus Garcia, alliance marketing manager for Intel’s software and solutions group. [Disclosure: Intel is the sponsor of this content.]

However, enterprises are often wary of taking on applications that don’t meet their needs in terms of maintainability, security and control, among other variables. DevOps provides insight into the operational side, which is important when it comes to application maintenance and management.

“Consumers aren’t necessarily concerned with security, manageability and maintaining applications -- but enterprises are,” Garcia says. “If a DevOps approach is going to facilitate integration into an enterprise environment, that’s a win-win for both the enterprise and app developers.”

DevOps can also help IT teams coordinate mobile apps and the enterprise back-end applications that support them.

“More and more, the mobile applications are not just building on top of existing back-end applications within the enterprise, but are driving changes to those systems,” Minick says. “That requires increased collaboration between the mobile development teams, traditional development teams and the traditional operations groups. The coordination required, and the pace being driven by mobile, is a big factor driving DevOps in the enterprise.”

Steve Hazel, vice president of product at Sauce Labs Inc., a company that lets developers test web and mobile apps in the cloud, also cites back-end applications as a fit for DevOps. He says the vast majority of mobile apps have a component in the cloud -- a website that presents an API that the app uses, for example. While a mobile app a consumer uses isn’t part of an enterprise’s operations, the back-end application falls into that category. “All of the DevOps methodologies apply to these mobile back-end sites,” Hazel says.

Hazel notes that many mobile back-end apps are being developed from scratch, so people want to adopt the newer methodologies. In his opinion, mobile developers are on the cutting edge of DevOps and Agile adoption. He suggests that the percentage of mobile developers that has adopted DevOps may be higher than the percentage of web developers that uses that method.

Michael Prichard, founder and chief technology officer of WillowTree Apps Inc., a mobile app design and development company in Charlottesville, Va., says his company has a 12-person DevOps team, out of more than 45 employees overall. WillowTree started building native apps in 2008, but eventually the company found that those apps needed to talk to something. The DevOps group focuses on creating APIs and back-end integration.

In one recent example, WillowTree developed the NBA’s All Star Weekend 2013 iPhone and Android apps. The company, Prichard explains, created the entire back-end system, building a Django content management system instance and employing Amazon Web Services to build a scalable system. “There are no more standalone apps,” Prichard says.

New software release approaches and shorter maintenance timeframes may also contribute to DevOps adoption. Jacob Ukelson, director of product strategy at Nolio, an application release operations software company, says maintenance windows have shrunk drastically with always-on computing, and he notes that mobile will cause them to shrink further or disappear entirely. As a consequence, companies will need to manage feature upgrade deployment and bug fixes so they have minimum impact on application availability, but still ensure application stability, he says.

Companies hoping to make that happen will begin to adopt new deployment methodologies such as dark launching and blue-green deployments, which can help meet those needs, Ukelson says. DevOps can smooth that adoption path. “DevOps will give companies the agility they need for these new release paradigms,” Ukelson says.

Tool Adoption

Automation vendors find that mobile developers have started to purchase their DevOps supporting tools.

“We expect more adoption this year as mobile development matures and the DevOps approach becomes more widely understood,” Minick says. “We definitely see some customers using our tools for mobile development, and to make sure all the back-end systems have updated code in place before the apps are pushed out to customers.”

Ukelson says a few customers use Nolio for mobile app delivery. Still, mobile isn’t the main driver for adoption of Nolio’s Release Operations Suite, Ukelson says, noting that continuous delivery has become a key reason to deploy the product. Mobile, however, provides another driver for the move to continuous delivery.

The time appears ripe for DevOps and greater tool use in the still-young mobile development arena.

“In many ways, it’s still in the early days for mobile development and while the velocity is there, the discipline is lacking,” Ukelson says. “My bank’s chronically broken mobile app makes that abundantly clear. The resulting two-star ratings with a comment of, ‘Might be good if it worked’ hurt adoption over a long period of time. Adopting a DevOps mindset, and more mature tooling, should help these mobile development teams keep moving quickly while raising quality.”

Putting Mobile Developers to the Test

Mobile app developers can point to past projects to build credibility with customers, but newcomers lack that option. And even experienced hands may want to obtain some objective measure of their abilities -- a seal of approval of sorts.

That’s where technical certification programs come in. Training and developer certification tracks have become commonplace in such IT fields as networking and security. Mobile development, as a relatively new area, has generally lacked vendor-neutral certification programs. But that situation has begun to change.

The Mobile Development Institute (MDI), a division of On The GoWARE, a mobile app development company, offers its MDI Certified Developer (MDICD) program to mobile developers. In addition, CompTIA and viaForensics are working on a secure mobile developer credential, slated for launch later this year.

Mike Newman, president of On The GoWARE, says certification can help developers early on in their careers as they look for full-time positions. Employers stand to benefit as well when a job applicant can back up his or her claims to competence. “It is difficult for a lay person...to qualify technical people,” Newman says.

MDICD Certification
MDI offers MDICD certifications in Apple iOS, Google Android and BlackBerry. “It is not necessarily just a general mobile developer certification -- you get certified in a particular specialty,” Newman explains.

Students or developers often obtain certification on more than one platform. Initially, BlackBerry was the most-requested MDICD certification. Next came Apple iOS. But the rise of Android reduced demand for BlackBerry certification, Newman notes. MDI will eventually cut the BlackBerry program due to lack of interest.

MDI has considered adding a Windows Phone certification, but so far it hasn’t generated enough certification interest. “We will see what the market does and see if there is a big demand [for Windows Phone],” Newman says. “If the market demands it, we will be there.”

Newman estimates that 2,000 to 3,000 people have obtained MDICD certifications thus far.

The certification exam calls for students or developers to log into their app store developer accounts and demonstrate that their apps are available for download.

An exam proctor then conducts a remote viewing session of the test taker’s development environment. Among other things, the proctor will check to see whether the appropriate development tools have been installed and configured and ask the test taker to make a slight modification to his or her app. The modification must be demonstrated in a simulator. A list of exam requirements is available here. As for price, each examination has a $375 proctor fee.

MDI offers training classes toward the MDICD certification. Students with little or no programming experience can begin with a programming fundamentals and mobile technology introductory course, move on to foundational courses in Objective-C and Java, and eventually take operating system-specific classes. Experienced developers seeking certification may take the certification test without signing up for the classes.

Secure Mobile Application Developer Credential
CompTIA and viaForensics, meanwhile, have been developing a secure mobile app developer credential and associated testing services. CompTIA, an IT industry association, already runs numerous IT certification programs including A+, Network+ and Security+. CompTIA’s credential partner, viaForensics, provides mobile app security, mobile forensics and mobile forensics training services.

Ted Eull, vice president of Technology Services at viaForensics, says the companies are in the exam development process. He expects the credential program to launch in the first half of this year.

In an interview last year, CompTIA and viaForensics officials said the credentialing initiative will educate developers on the differences between securing mobile apps and shoring up traditional applications. The program also aims to discuss the mobile app threat model and provide practical experience in coding secure mobile apps.