Why Mobile Is Such a Big Deal for Big Data

Few things are as personal as a mobile phone. In fact, it’s something that most people have with them every waking moment -- and often while they’re asleep.

Consumer behavior like this makes mobile phones an opportunity to collect information about users throughout the day rather than just when they’re at a computer. In fact, for some people, the mobile phone is the primary way they go online, making that device the most effective way for everyone from advertisers to app developers to understand and reach their target markets.

Big data involves aggregating information from potentially disparate sources with the goal of drawing meaningful conclusions about what a person or group might be most interested in. Data mining has been around since the 1970s, but as mobile penetration has skyrocketed, so has the opportunity to gain even more insights into how consumers spend their time and money.

The information flows in both directions: Mobile apps are sources of information for big data analytics companies such as Google, but developers can also pull information from those digital warehouses.

“What we’re all trying to do is [figure out] how to get more of that person’s time,” says Mike Wehrs, president and CEO of Scanbuy, whose ScanLife QR code reader app has been downloaded more than 6 million times. “How do I continue to add value and remain relevant to their life? Big data is a means to that end.”

Do You Know Where Your Customers Are?
About a decade ago, regulators such as the FCC began requiring all new mobile phones to have built-in location technology such as GPS to help find emergency callers. Those mandates were a milestone in big data history because they changed the nature of the information that can be captured and mined compared with desktops and laptops.

“The big difference is that desktops are stationary and laptops do not in general have GPS sensors, so there is a location awareness in the data that can be captured and mined from a mobile device,” says Andrew Purtell, principal architect at Intel. [Disclosure: Intel is the sponsor of this content.]

“Location awareness is a gateway into a new way of interacting with services,” says Purtell. “For example, on services such as Twitter or Foursquare, users can publish their location to trusted members of their social network. We know these services then mine this location and activity trace for sale to advertisers and commercial concerns in general, producing new business models.”

A straightforward example is pushing ads and e-coupons to mobile users based solely on their location. Depending on the app, there are additional opportunities for developers, advertisers and others to interact with users.

“Increasingly, people live within the virtual world presented by their mobile devices as they move through the physical world,” Purtell says. “Location-aware games overlay a virtual world over the physical. For example, the Niantic Project plays out in physical space around the players, in which they interact with a virtual world overlaid onto their local neighborhood, blending the imaginary with the real.

“Retailers can publish special offers to potential customers who are physically near their location, injecting suggestions into the stream of consciousness, facilitating impulse shopping in a way previously not possible. Responses to location-specific offers can be mined for refinement of future offers.”

Providing Relevance, Not Annoyance
Location-specific offers also show how big data can be both a challenge and an opportunity for developers and the companies they work with. Big data is a chance to push a promo to customers when they’re literally in the right place to take advantage of it.

For example, a person whose social network interactions frequently revolve around coffee seems like an ideal candidate for an e-coupon when she’s passing by a café. Developers can get information about those kinds of interests by buying it from, or partnering with, big data providers.

The challenge is that she might not be interested in coffee at that moment. If that’s the case, the promo comes across as spam, and if it happens often enough, she might shut off that feature or uninstall the app. Either way, that marketing and revenue opportunity is now lost.

Developers can avoid that problem by giving users a way to indicate that they’re interested in receiving promos, such as by having the café put a QR code or NFC tag in its window. 

“That’s an expression of interest,” Wehrs says. “Now I’m initiating, and if I get an offer, I’m happy about it. It helps you provide a less-invasive experience for your end consumer.

“The whole promise of big data is that you’ll never perceive that you’re getting spam again. [You’ll never receive an] offer that isn’t for you because there will be so much intelligence in the system.”

So while data mining on computers has been around for decades, the big data trend on mobile devices holds a stronger promise: Developers and companies collect valuable information about consumers and, in turn, pass that value back to them by better meeting their needs. 

The Mobile App Security Mantra: Don’t Trust, But Verify

Although the technological designs of mobile devices have much in common with non-mobile computer systems, there are substantial differences that need to be understood. Here’s what mobile app developers should consider about the threat vectors they need to protect against.

Security on Computer vs. Mobile Ecosystems
Smartphone hardware and software technologies are radically different from those of computers. In terms of communication, on a computer you have one external communication channel -- whereas on a smartphone you have IP connectivity, Bluetooth connectivity, cellular data connectivity, NFC connectivity and so on. In terms of the operating system, mobile OSs are substantially more “closed” than desktop, laptop and enterprise OSs.

While at first glance this might make a mobile OS appear more secure, it’s truly a double-edged sword when -- not if -- threats manage to penetrate the OS defenses. As Luis Blando, vice president of engineering at McAfee, explains, “once the mobile OS is penetrated, the products and systems that would otherwise be able to protect the device (such as those made by security ISVs) would be limited in the protective actions they can take within the OS guardrails, and that can prevent quarantining, pre-emption or even detection.”

The mobile ecosystem is also very different from that of regular desktop computing in the number of viable operating systems, the types of application delivery mechanisms, and established policies for application acceptance. In the desktop world, with a simple visit to a URL, a user can download and install a binary which can very well be infected. In the mobile world, application download and installation is done mostly through approved stores that curate the apps.

That said, these app store checks can create a false sense of protection. “When we recently checked the origin of infected mobile software, as reported by the MMS user base, we discovered that the majority had been downloaded directly from major app stores,” Blando notes. “And, in Asia, the use of specialized app stores, which may or may not have any curation or security checks on their catalog, is widespread. Don’t think that just because you’re using Google Play or another major app store that it’s a guarantee of safety.”

Possibly even more significantly, there are vast differences in the usage models for mobile and regular computing devices. Mobile devices are with you all the time, record your every move, log your every communication, and are a treasure trove of both personal and corporate information. Smartphones contain much more information than the average computing device; it’s your phone, calendar, address book, camera, music station, remote control, ATM, shopping assistant, and more. The fact that smartphones are incredibly valuable for information theft pretty much guarantees that the supposedly secure “defenses” built in via technology or ecosystems as explained above will sooner or later be overcome. “Smartphones are simply irresistible as targets,” says Blando.

Despite these huge challenges, “mobile applications are often not tested at all for security, or are not tested in as much detail as traditional web applications,” notes Brian Shura, Vice President at AppSec Consulting. “The security testing toolset that is available for mobile applications is not that mature. A thorough assessment involves a large amount of manual testing combined with some automated tools. Large financial companies have the resources to perform detailed mobile application security assessments, but the majority of applications available from the App Store most likely have never undergone a thorough security assessment.”

Mobile Developers Have to “Think Differently” About Security
Mobile developers need to adopt a mobile security mindset. In many ways, mobile devices are computers, and developers need to treat them as such: nothing on a mobile device eliminates the need for secure coding practices. All programs should sanitize input, request only the permissions that are absolutely necessary, and never store passwords or user data in clear text.

That said, mobile software does present new security challenges, from the point of view of both writing secure software and protecting the user. Any mobile developer’s first priority should always be to protect the user. One key is never to let the illusion of security or safety suggested by either a closed OS or a single-user device fool you.

Mobile software developers need to keep in mind some new challenges on mobile devices:

•      Network mobility: Mobile devices connect to many networks. Most users will connect to any open WiFi hotspot they can find as a method of reducing cellular data usage. This means that mobile software, even more than desktop software, must never trust that the network is secure. In addition to eavesdropping, mobile software developers should be wary of hostile networks that may attempt to impersonate servers or services. Apps should encrypt all network data and verify servers and services before sending authentication credentials.

•      Device usage: Mobile devices are, well, mobile. Smartphones and other mobile devices go everywhere with their owners. They are also often taken out, used for a short time, and then set down. This means that they are also quite often lost or temporarily available to strangers. This frequent and on-the-go usage means that most mobile devices are not password protected. This is in contrast to laptops that are much more often password protected and are used less often and for longer stretches of time.

Mobile software that handles sensitive data should offer users the ability to separately lock the application or access to the data. Shura explains that’s why “developers need to take this into account and build their applications in a way that a stolen mobile device doesn’t lead to an application user account compromise. For the most part, this means ensuring that sensitive information, such as passwords, are not stored on the mobile device.”

•      Screen size: Smaller screens display less data. Screen size needs to be factored in when presenting the user with secure data or data they need to verify. One example is the URL input and display field in a browser. Most desktop browsers partially rely on the fact that a user can see the entire URL in this field. This is one line of defense against phishing attacks. The URL field on a mobile browser is so small, though, that only a fraction of the URL can be shown. This hides relevant data from the user and creates a new vulnerability. Keep in mind the size of the screen so that verification data displays are short or the most important data are displayed first.
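The screen-size point can be made concrete with a small helper that decides what a narrow address bar shows. This is an added example, not code from the original article; the class name, the 24-character width and the sample URLs are assumptions, and it does not handle look-alike internationalized names.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Added example: a short address-bar label that keeps the end of the host visible. */
public final class CompactUrlLabel {
    private static final char ELLIPSIS = '\u2026';

    private CompactUrlLabel() {}

    /**
     * Returns a label of at most maxChars characters, or null when the input
     * is not an absolute http(s) URL with a parseable host. Showing nothing
     * is safer than showing something misleading.
     */
    public static String label(String url, int maxChars) {
        if (url == null || maxChars < 4) return null;
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost(); // excludes user-info such as "www.bank.example@"
        if (scheme == null || host == null) return null;
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("https") && !scheme.equals("http")) return null;
        host = host.toLowerCase(Locale.ROOT);

        // 1. The host comes first. If it does not fit, cut from the LEFT:
        //    the right-most labels are the ones that identify the site.
        if (host.length() > maxChars) {
            return ELLIPSIS + host.substring(host.length() - (maxChars - 1));
        }
        // 2. Only then spend the remaining room on the path, cut from the right.
        String path = uri.getRawPath();
        if (path == null || path.isEmpty() || path.equals("/")) return host;
        int room = maxChars - host.length();
        if (path.length() <= room) return host + path;
        if (room < 3) return host; // no room for a meaningful path fragment
        return host + path.substring(0, room - 1) + ELLIPSIS;
    }

    public static void main(String[] args) {
        // Constructed sample URLs for illustration only.
        String[] samples = {
            "https://www.bank.example/login",
            "https://www.bank.example.account-security.evil.test/login",
            "https://www.bank.example@evil.test/login",
            "ftp://files.example/archive"
        };
        for (String s : samples) {
            System.out.println(label(s, 24) + "  <-  " + s);
        }
    }
}
```

A field that simply shows the first 24 characters of the second and third samples would display only the familiar-looking prefix; this label shows the part of the host that actually determines where the request goes.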

How Can App Developers Help Users Keep Private Data Safe?
While “in the past, developers of mobile applications did not have many resources to turn to for security guidance, that’s definitely starting to change,” says Shura. “OWASP (Open Web Application Security Project) now has a Mobile Security Project, which includes an OWASP Mobile Top 10 List of common vulnerabilities to avoid, Mobile Cheat Sheets for developers, and lots of testing guidance for people that are performing mobile application security assessments. I encourage mobile application developers to become familiar with the resources that are available on the OWASP website.”

Blando notes that, depending on the OS, there are also some specific issues to be wary of:

On Android:

•      Be careful creating services, as any application on the device may have access to it.

•      Treat incoming intents as hostile input -- sanitize and check the data they provide before acting on it.

•      Make sure files stored on the device are protected both with file system permissions as well as other data protection techniques like obfuscation or encryption.

•      Assume the user already has root access to the device.
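The Android points above, sketched as an added example that is not from the original article: a component that other apps can start validates every field of the incoming intent before acting on it, and reads only from app-private storage. The package, class, action and extra names and the receipt-id format are hypothetical; components that other apps never need should instead be declared with `android:exported="false"` in the manifest.

```java
package com.example.receipts; // hypothetical package

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

import java.io.File;
import java.util.regex.Pattern;

/**
 * Added example. Hypothetical exported activity that other apps may start with
 * ACTION_OPEN and a receipt id. Everything in the Intent is caller-controlled.
 */
public class OpenReceiptActivity extends Activity {
    private static final String TAG = "OpenReceipt";
    static final String ACTION_OPEN = "com.example.receipts.action.OPEN";
    static final String EXTRA_RECEIPT_ID = "receipt_id";
    // Assumed id format: 1-32 characters of [A-Za-z0-9_-]. No dots or slashes,
    // so an id can never name a path outside the receipts directory.
    private static final Pattern RECEIPT_ID = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String id = validatedReceiptId(getIntent());
        if (id == null) {
            Log.w(TAG, "Rejected intent: unexpected action, data or extras");
            finish();
            return;
        }
        File receipts = new File(getFilesDir(), "receipts"); // app-private storage
        File receipt = new File(receipts, id + ".json");
        if (!receipt.isFile()) {
            finish();
            return;
        }
        showReceipt(receipt);
    }

    /** Returns the receipt id only if every caller-supplied field passes its check. */
    static String validatedReceiptId(Intent intent) {
        if (intent == null || !ACTION_OPEN.equals(intent.getAction())) {
            return null;
        }
        if (intent.getData() != null) {
            return null; // this component takes an id, never a URI or file path
        }
        String id;
        try {
            id = intent.getStringExtra(EXTRA_RECEIPT_ID);
        } catch (RuntimeException e) {
            return null; // extras that fail to unparcel must not crash the app
        }
        if (id == null || !RECEIPT_ID.matcher(id).matches()) {
            return null;
        }
        return id;
    }

    private void showReceipt(File receipt) {
        // Rendering is out of scope here; the title shows which file was accepted.
        setTitle(receipt.getName());
    }
}
```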

On iOS:

•      Assume the phone is jail-broken. That doesn't mean relying on jail-broken behaviors; it means writing your software as if the user already has full access to the device, instead of relying on the OS sandbox to isolate your data from the user's view.

The Bottom Line: Don’t assume anything. Don’t trust. Verify.

Additional developer guidelines can be found at the U.S. Federal Trade Commission website: Mobile App Developers: Start with Security.

New Unity Features for App Makers

Unity, the widely used multi-platform game engine, continues to expand, offering new features and targeting additional platforms.

The past few weeks have seen considerable activity. In March, Unity Technologies released Unity 4.1, which includes support for Apple’s AirPlay wireless streaming technology and an updated memory usage tracking tool. Also last month, Unity Technologies entered an alliance with Sony Computer Entertainment Inc. that will make Unity tools available for the upcoming PlayStation 4, PlayStation Vita and PlayStation Mobile platforms.

In another alliance, Unity Technologies is partnering with Oculus VR Inc., which is developing the Oculus Rift virtual reality headset. Under that arrangement, Unity will offer Rift developers an extended Unity Pro trial license at no charge. The Unity tool comes in free and professional versions, with the latter, Unity Pro, priced at $1,500.

What’s New in Unity 4.1
Yury Yarmolovich, Unity developer at Elinext Group, a custom software developer based in Minsk, Belarus, says his company uses Unity to create augmented reality apps, among other things. He’s happy about the new features of Unity 4.1. “What is really good is the new Memory Profiler with a detailed overview of the resources used,” Yarmolovich says. “Also, shader improvements deserve recognition.”

The Memory Profiler update, available on Unity Pro, provides a greater level of detail as it breaks down non-managed memory usage. According to Unity Technologies, the feature lets developers track consumption “right down to the level of individual objects, assets, textures, meshes,” among other elements.

Unity 4.1, meanwhile, also offers multi-screen AirPlay support, which lets developers press iPads and iPhones into service as game controllers. Users control games on the handheld devices as the action is streamed to an HDTV. “I have not used much of AirPlay, but I think it’s a cool thing,” Yarmolovich says.

Chris Skaggs, founder and chief technology officer of Code-Monkeys, an application and web development company based in Newberg, Ore., cites Unity 4’s animation capability as a standout component. “Our favorite new feature is the new animation tool -- being able to set those things up inside the IDE is a big time saver and helps tremendously with animation prototyping,” Skaggs says.

Support for Additional Platforms
In general, Yarmolovich cites Unity’s cross-platform capability as an advantage, noting support for Android, iOS, Windows, Mac OS, Linux, PS3, and Xbox360, with upcoming support for Wii U, Windows Phone 8, BlackBerry 10, as well as current and next-gen PlayStation systems. He also lists other pluses, including support for C#, JavaScript and Boo; a comfortable MonoDevelop editor with a debugger; Asset Server for sharing code from the development environment; Asset Store for downloading additional applications and scripts; and support for various multimedia formats, including 3ds Max images.

Looking forward, Unity Technologies is moving to extend its platform reach. In late March, the company announced a Unity 4 open beta program for Windows Phone 8 apps. A spokesman for Unity Technologies says the company has yet to announce a release date for Windows Phone 8 support. “We just entered a more public beta period at [Game Developers Conference] and are inviting a much larger group of developers in to test,” he says.

In addition, Unity Technologies plans to let developers create games for PCs or tablets running Windows 8 and Windows RT and publish them to Microsoft’s Windows Store, according to Unity’s blog. That support will start with Unity 4.2.

Skaggs is also very interested in support for Windows 8. “As a matter of fact, Win8 with multi-touch support for things like the new Ultrabooks is something we bug Unity about on a weekly basis,” he notes.

“Whether or not it becomes a real player in the game space again will partly depend on how much developers are supported and then can deploy quality titles,” Skaggs continues. “For us, we live and die on the ‘multi-platform’ proposition and Win8 is just another platform that we want to be available on. Unity is so good with multi-deployment already...we want more.”

Developers can also anticipate Unity support for BlackBerry 10 smartphones. In February, Unity announced plans to build a development add-on for BlackBerry 10. At press time, a free beta version was expected to debut shortly. The final release is expected this summer, according to the company.

There's a Map for That

Mobile’s value proposition is ultimately convenience: anytime, anywhere access to people and information. Hence the value of adding maps and other navigation features to apps.

For mobile app developers, there’s no shortage of map solutions. One factor to consider is the app’s target platform and what it natively includes.

“Google Maps is superior in terms of coverage and precision, especially in remote areas,” says Mette Lykke, co-founder of Endomondo, whose apps combine fitness with social networking. “Until recently this was the natural choice for apps on Android and iOS. It still is for Android.”

Apple’s dumping of Google Maps might be the best-known example of how the field of mapping options isn’t static, but it’s not the only major change in the past year. In June, Microsoft announced that Nokia Maps would replace Bing Maps in Windows Phone. And in November, Nokia announced HERE, a multi-device and -OS solution that will expand to Android in early 2013.

Map Features: Web-Based or Native?
When comparing options, one factor for mobile app developers is whether to use a native map library or a JavaScript API (JSAPI) Web-based map. Each option has its pros and cons. For example, one consideration is whether the app needs to target multiple platforms, such as Android and iOS.

“The Web-based map enables cross-platform support, which will save the developer the effort in writing a separate mapping code for each platform,” says Oded Nevo, platform product manager at Telmap, an Intel-owned company that specializes in location services. [Disclosure: Intel is the sponsor of this content.]

“However, choosing the Web-based map will mean in many cases that developers will need to slightly compromise the map performance,” he continues. “Choosing to use a native library will mean coding the map section per each platform. However, you will get a slicker map behavior.”

Factors to Consider in Choosing a Map Feature for Your Mobile App
In addition to the Web-based versus native consideration, it’s also important to research the APIs available in a mapping library. Focus on things such as the ease of implementation and whether the map feature supports all of the functions that are key for making your mobile app stand out in the market.

“Last but not least is pricing,” Nevo says. “Most of the big brands in the mapping APIs arena will offer a free quota that many developers will probably never exceed, especially if they are at the initial stages of building/developing a product.

“For more mature products which generate a large amount of traffic, developers should seek getting an SLA with the chosen mapping solution provider. This is called in many cases the ‘professional’ plan/track. Developers also need to bear in mind that there are several types of applications that are automatically being categorized under the professional plan/track license scheme. These are usually paid applications, enterprise applications or applications around asset management and tracking.”

Putting Mobile Developers to the Test

Mobile app developers can point to past projects to build credibility with customers, but newcomers lack that option. And even experienced hands may want to obtain some objective measure of their abilities -- a seal of approval of sorts.

That’s where technical certification programs come in. Training and developer certification tracks have become commonplace in such IT fields as networking and security. Mobile development, as a relatively new area, has generally lacked vendor-neutral certification programs. But that situation has begun to change.

The Mobile Development Institute (MDI), a division of On The GoWARE, a mobile app development company, offers its MDI Certified Developer (MDICD) program to mobile developers. In addition, CompTIA and viaForensics are working on a secure mobile developer credential, slated for launch later this year.

Mike Newman, president of On The GoWARE, says certification can help developers early on in their careers as they look for full-time positions. Employers stand to benefit as well when a job applicant can back up his or her claims to competence. “It is difficult for a lay person...to qualify technical people,” Newman says.

MDICD Certification
MDI offers MDICD certifications in Apple iOS, Google Android and BlackBerry. “It is not necessarily just a general mobile developer certification -- you get certified in a particular specialty,” Newman explains.

Students or developers often obtain certification on more than one platform. Initially, BlackBerry was the most-requested MDICD certification. Next came Apple iOS. But the rise of Android reduced demand for BlackBerry certification, Newman notes. MDI will eventually cut the BlackBerry program due to lack of interest.

MDI has considered adding a Windows Phone certification, but so far it hasn’t generated enough certification interest. “We will see what the market does and see if there is a big demand [for Windows Phone],” Newman says. “If the market demands it, we will be there.”

Newman estimates that 2,000 to 3,000 people have obtained MDICD certifications thus far.

The certification exam calls for students or developers to log into their app store developer accounts and demonstrate that their apps are available for download.

An exam proctor then conducts a remote viewing session of the test taker’s development environment. Among other things, the proctor will check to see whether the appropriate development tools have been installed and configured and ask the test taker to make a slight modification to his or her app. The modification must be demonstrated in a simulator. A list of exam requirements is available here. As for price, each examination has a $375 proctor fee.

MDI offers training classes toward the MDICD certification. Students with little or no programming experience can begin with a programming fundamentals and mobile technology introductory course, move on to foundational courses in Objective-C and Java, and eventually take operating system-specific classes. Experienced developers seeking certification may take the certification test without signing up for the classes.

Secure Mobile Application Developer Credential
CompTIA and viaForensics, meanwhile, have been developing a secure mobile app developer credential and associated testing services. CompTIA, an IT industry association, already runs numerous IT certification programs including A+, Network+ and Security+. CompTIA’s credential partner, viaForensics, provides mobile app security, mobile forensics and mobile forensics training services.

Ted Eull, vice president of Technology Services at viaForensics, says the companies are in the exam development process. He expects the credential program to launch in the first half of this year.

In an interview last year, CompTIA and viaForensics officials said the credentialing initiative will educate developers on the differences between securing mobile apps and shoring up traditional applications. The program also aims to discuss the mobile app threat model and provide practical experience in coding secure mobile apps.