The Mobile App Security Mantra: Don’t Trust, But Verify

Although the technological designs of mobile devices have much in common with non-mobile computer systems, there are substantial differences that need to be understood. Here’s what mobile app developers should consider about the threat vectors they need to protect against.

Security on Computer vs. Mobile Ecosystems
Smartphone hardware and software technologies are radically different from those of computers. In terms of communication, on a computer you have one external communication channel -- whereas on a smartphone you have IP connectivity, Bluetooth connectivity, Cellular Data connectivity, NFC connectivity and so on. In terms of an operating system, mobile OSs are substantially more “closed” than desktop, laptop and enterprise OSs.

While at first glance this might make a mobile OS appear more secure, it’s truly a double-edged sword when -- not if -- threats manage to penetrate the OS defenses. As Luis Blando, vice president of engineering at McAfee, explains, “once the mobile OS is penetrated, the products and systems that would otherwise be able to protect the device (such as those made by security ISVs) would be limited in the protective actions they can take within the OS guardrails, and that can prevent quarantining, pre-emption or even detection.”

The mobile ecosystem is also very different from that of regular desktop computing in the number of viable operating systems, the types of application delivery mechanisms, and established policies for application acceptance. In the desktop world, with a simple visit to a URL, a user can download and install a binary which can very well be infected. In the mobile world, application download and installation is done mostly through approved stores that curate the apps.

That said, these app store checks can create a false sense of protection. “When we recently checked the origin of infected mobile software, as reported by the MMS user base, we discovered that the majority had been downloaded directly from major app stores,” Blando notes. “And, in Asia, the use of specialized app stores, which may or may not have any curation or security checks on their catalog, is widespread. Don’t think that just because you’re using Google Play or another major app store that it’s a guarantee of safety.”

Possibly even more significantly, there are vast differences in the usage models for mobile and regular computing devices. Mobile devices are with you all the time, record your every move, log your every communication, and are a treasure trove of both personal and corporate information. Smartphones contain much more information than the average computing device; it’s your phone, calendar, address book, camera, music station, remote control, ATM, shopping assistant, and more. The fact that smartphones are incredibly valuable for information theft pretty much guarantees that the supposedly secure “defenses” built in via technology or ecosystems as explained above will sooner or later be overcome. “Smartphones are simply irresistible as targets,” says Blando.

Despite these huge challenges, “mobile applications are often not tested at all for security, or are not tested in as much detail as traditional web applications,” notes Brian Shura, Vice President at AppSec Consulting. “The security testing toolset that is available for mobile applications is not that mature. A thorough assessment involves a large amount of manual testing combined with some automated tools. Large financial companies have the resources to perform detailed mobile application security assessments, but the majority of applications available from the App Store most likely have never undergone a thorough security assessment.”

Mobile Developers Have to “Think Differently” About Security
Mobile developers need to adopt a mobile security mindset. In many ways mobile devices are computers, and developers need to treat them as such: nothing on a mobile device eliminates the need for secure coding practices. All programs should sanitize input, request only the permissions that are absolutely necessary, and never store passwords or user data in clear text.

That said, mobile software does present new security challenges, both from the point of view of writing secure software and from that of protecting the user. Any mobile developer’s first priority should always be to protect the user. One key is to never let the illusion of security or safety suggested by either a closed OS or a single-user device fool you.

Mobile software developers need to keep in mind some new challenges on mobile devices:

• Network mobility: Mobile devices connect to many networks. Most users will connect to any open WiFi hotspot they can find as a method of reducing cellular data usage. This means that mobile software, even more than desktop software, must never trust that the network is secure. In addition to eavesdropping, mobile software developers should be wary of hostile networks that may attempt to impersonate servers or services. Apps should encrypt all network data and verify servers and services before sending authentication credentials.

• Device usage: Mobile devices are, well, mobile. Smartphones and other mobile devices go everywhere with their owners. They are also often taken out, used for a short time, and then set down. This means that they are also quite often lost or temporarily available to strangers. This frequent and on-the-go usage means that most mobile devices are not password protected. This is in contrast to laptops, which are much more often password protected and are used less often and for longer stretches of time.

Mobile software that handles sensitive data should offer users the ability to separately lock the application or access to the data. Shura explains that’s why “developers need to take this into account and build their applications in a way that a stolen mobile device doesn’t lead to an application user account compromise. For the most part, this means ensuring that sensitive information, such as passwords, is not stored on the mobile device.”

• Screen size: Smaller screens display less data. Screen size needs to be factored in when presenting the user with secure data or data they need to verify. One example is the URL input and display field in a browser. Most desktop browsers partially rely on the fact that a user can see the entire URL in this field. This is one line of defense against phishing attacks. The URL field on a mobile browser is so small, though, that only a fraction of the URL can be shown. This hides relevant data from the user and creates a new vulnerability. Keep in mind the size of the screen so that verification data displays are short or the most important data are displayed first.
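The screen-size point is easiest to see in code. The following is an added example, not code from the article or from any of the companies quoted: a small Java helper that builds a host-first string for a narrow verification field, so that what gets cut off is the path or query, never the host, and a user@ prefix is flagged because it is the classic way to make the wrong host look like the right one. The class name, the character budget and the sample URLs are assumptions made for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Builds a short, host-first string for a narrow verification field.
 * Added illustration, not code from the article. The class name, the
 * character budget and the sample URLs are assumptions.
 */
public final class UrlVerificationDisplay {
    private static final String ELLIPSIS = "\u2026";

    private UrlVerificationDisplay() {}

    /**
     * Returns at most maxChars characters. Flags and the host (with port) always
     * come first; the path and query are what get dropped when space runs out.
     */
    public static String hostFirst(String url, int maxChars) {
        if (maxChars < 8) {
            throw new IllegalArgumentException("maxChars too small to show a host");
        }
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return fit("(invalid URL)", maxChars);
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();   // null for mailto:, relative URLs and unparsable hosts
        if (scheme == null || host == null) {
            return fit("(no host)", maxChars);
        }

        // Flags go in front so they survive any truncation. A user@ prefix is worth
        // flagging: in "https://bank.example@evil.example/" the real host is
        // evil.example; java.net.URI puts "bank.example" in getUserInfo().
        StringBuilder flags = new StringBuilder("[");
        flags.append("https".equalsIgnoreCase(scheme) ? "https" : "no-tls");
        if (uri.getRawUserInfo() != null) {
            flags.append(" user@");
        }
        flags.append("] ");

        String hostPart = host.toLowerCase(Locale.ROOT);
        if (uri.getPort() != -1) {
            hostPart += ":" + uri.getPort();
        }
        String head = flags.toString() + hostPart;

        String tail = uri.getRawPath() == null ? "" : uri.getRawPath();
        if (uri.getRawQuery() != null) {
            tail += "?" + uri.getRawQuery();
        }

        String full = head + tail;
        if (full.length() <= maxChars) {
            return full;
        }
        if (head.length() < maxChars) {
            return head + ELLIPSIS;   // drop the path, keep the host whole
        }
        // Even the host alone does not fit. Keep its rightmost labels, where the
        // registrable domain sits, and cut the left end instead.
        return ELLIPSIS + head.substring(head.length() - (maxChars - 1));
    }

    private static String fit(String s, int maxChars) {
        return s.length() <= maxChars ? s : s.substring(0, maxChars - 1) + ELLIPSIS;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the illustration.
        String[] samples = {
            "https://shop.example/cart",
            "https://bank.example@evil.example/login",
            "http://login.example/reset?token=0123456789",
            "https://accounts.a-very-long-chain-of-labels.evil.example/secure",
            "mailto:someone@example.org",
            "not a url at all",
        };
        for (String s : samples) {
            System.out.println(hostFirst(s, 28));
        }
    }
}
```

With a 28-character budget the second sample comes out as `[https user@] evil.example…`: the path is gone, the real host is intact, and the prefix that would have been shown first on a naive left-to-right display is reduced to a flag. The fourth sample shows the other failure mode, a host longer than the field, where cutting from the left keeps the labels the user actually has to recognise.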

How Can App Developers Help Users Keep Private Data Safe?
While “in the past, developers of mobile applications did not have many resources to turn to for security guidance, that’s definitely starting to change,” says Shura. “OWASP (Open Web Application Security Project) now has a Mobile Security Project, which includes an OWASP Mobile Top 10 List of common vulnerabilities to avoid, Mobile Cheat Sheets for developers, and lots of testing guidance for people that are performing mobile application security assessments. I encourage mobile application developers to become familiar with the resources that are available on the OWASP website.”

Blando notes that, depending on the OS, there are also some specific issues to be wary of:

On Android:

• Be careful creating services, as any application on the device may have access to them.

• Treat incoming intents as hostile input -- sanitize and check the data they provide before acting on it.

• Make sure files stored on the device are protected both with file system permissions and with other data protection techniques such as obfuscation or encryption.

• Assume the user already has root access to the device.
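As an added example (not code from the article, from McAfee, or from Android’s own documentation), here is what the first three Android points look like in one Java Service: it is declared non-exported so other apps cannot start it, it rejects any Intent whose action or extra does not have exactly the expected shape rather than trying to clean the data up, and it writes its file with Context.MODE_PRIVATE. The package, class, action and extra names are assumptions. The fourth point still applies: file permissions do not hold on a rooted device, so anything sensitive written this way would additionally need encryption with a key the app does not keep in the clear.

```java
// AndroidManifest.xml entry (Android's own attribute): android:exported="false" means no
// other application can start or bind to this service, whatever intent it crafts.
//   <service android:name=".SyncService" android:exported="false" />

package com.example.sync;   // hypothetical package name

import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;
import android.util.Log;

import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/** Hypothetical service; the names here are assumptions made for the illustration. */
public class SyncService extends Service {
    private static final String TAG = "SyncService";
    public static final String ACTION_SYNC = "com.example.sync.action.SYNC";
    public static final String EXTRA_ACCOUNT_ID = "com.example.sync.extra.ACCOUNT_ID";
    // Exactly the shape an account id may have; anything else is rejected, not "cleaned up".
    private static final Pattern ACCOUNT_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // intent is null when the system restarts a sticky service; nothing to do then.
        String accountId = intent == null ? null : validAccountId(intent);
        if (accountId == null) {
            // Log the action only; the extras are untrusted and should not be copied to logcat.
            Log.w(TAG, "rejected start request, action="
                    + (intent == null ? "null" : intent.getAction()));
        } else {
            try {
                recordLastSync(this, accountId);
            } catch (IOException e) {
                Log.e(TAG, "could not write sync record", e);
            }
        }
        stopSelf(startId);
        return START_NOT_STICKY;
    }

    /** Returns the account id from the intent, or null if the intent is not what we expect. */
    static String validAccountId(Intent intent) {
        if (!ACTION_SYNC.equals(intent.getAction())) {
            return null;
        }
        String id = intent.getStringExtra(EXTRA_ACCOUNT_ID);   // null if missing or not a String
        return (id != null && ACCOUNT_ID.matcher(id).matches()) ? id : null;
    }

    /**
     * MODE_PRIVATE keeps the file readable by this app's uid only (the old
     * MODE_WORLD_READABLE is the setting to avoid). File permissions do not hold on
     * a rooted device, so sensitive content would additionally need encryption;
     * here only a non-secret account id is stored.
     */
    static void recordLastSync(Context ctx, String accountId) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("last_sync.txt", Context.MODE_PRIVATE)) {
            out.write(accountId.getBytes(StandardCharsets.UTF_8));
        }
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;   // started service only; nothing to bind to
    }
}
```

The validation is deliberately an allow-list on one expected action and one expected extra; a service that accepts whatever arrives and tries to sanitize it afterwards is the pattern the second bullet warns against.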

On iOS:

• Assume the phone is jail-broken. That’s not to rely on jail-broken behaviors, but to write your software as if the user already has full access to the device instead of relying on the OS to provide sandboxing to isolate your data from the user’s view.

The Bottom Line: Don’t assume anything. Don’t trust. Verify.
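The network mobility point above (verify servers and services before sending authentication credentials) is the bottom line in code form. The following is an added example, not code from the article or from any of the companies quoted, written against the standard HttpsURLConnection API that Android and the JDK share: the platform’s default certificate and hostname checks stay enabled, the leaf certificate’s public key is then compared against a pin the app ships with, and the credentials are written to the connection only after both checks pass. The class name, the endpoint and the pin constant are placeholders.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

/**
 * Sends credentials only after the server has been verified twice: by the
 * platform's default certificate and hostname checks (never disabled here) and
 * by a public-key pin the app ships with. Added example, not from the article;
 * class name, endpoint and pin value are placeholders.
 */
public final class VerifiedLogin {
    // PLACEHOLDER: lower-case hex SHA-256 of the server's DER-encoded public key.
    // Compute it from the real certificate at build time; never ship this literal.
    private static final String PINNED_SPKI_SHA256_HEX =
            "REPLACE_WITH_SHA256_HEX_OF_YOUR_SERVER_PUBLIC_KEY";

    private VerifiedLogin() {}

    /** Returns the HTTP status code, or throws before any credential leaves the device. */
    public static int postCredentials(String httpsUrl, String formBody) throws IOException {
        URL url = new URL(httpsUrl);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing to send credentials over " + url.getProtocol());
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.connect();   // TLS handshake with the default trust store and hostname verifier

        // Second check: the key we are talking to must be the key we expect.
        Certificate[] chain = conn.getServerCertificates();   // throws if the peer is unverified
        String observed = sha256Hex(chain[0].getPublicKey().getEncoded());
        if (!MessageDigest.isEqual(observed.getBytes(StandardCharsets.UTF_8),
                PINNED_SPKI_SHA256_HEX.getBytes(StandardCharsets.UTF_8))) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("public key pin mismatch for " + url.getHost());
        }

        // Only now does the request body (the credentials) go on the wire.
        try (OutputStream out = conn.getOutputStream()) {
            out.write(formBody.getBytes(StandardCharsets.UTF_8));
        }
        return conn.getResponseCode();
    }

    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Two design points: the pin is on the public key rather than the whole certificate, so a routine certificate renewal with the same key does not break the app, and the pin is a second check layered on the default verification, not a replacement for it. A trust manager or hostname verifier that accepts everything, which is the usual shortcut when a test server has a self-signed certificate, would undo both layers at once.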

Additional developer guidelines can be found at the U.S. Federal Trade Commission website: Mobile App Developers: Start with Security.

New Unity Features for App Makers

Unity, the widely used multi-platform game engine, continues to expand, offering new features and targeting additional platforms.

The past few weeks have seen considerable activity. In March, Unity Technologies released Unity 4.1, which includes support for Apple’s AirPlay wireless streaming technology and an updated memory usage tracking tool. Also last month, Unity Technologies entered an alliance with Sony Computer Entertainment Inc. that will make Unity tools available for the upcoming PlayStation 4, PlayStation Vita and PlayStation Mobile platforms.

In another alliance, Unity Technologies is partnering with Oculus VR Inc., which is developing the Oculus Rift virtual reality headset. Under that arrangement, Unity will offer Rift developers an extended Unity Pro trial license at no charge. The Unity tool comes in free and professional versions, with the latter, Unity Pro, priced at $1,500.

What’s New in Unity 4.1
Yury Yarmolovich, Unity developer at Elinext Group, a custom software developer based in Minsk, Belarus, says his company uses Unity to create augmented reality apps, among other things. He’s happy about the new features of Unity 4.1. “What is really good is the new Memory Profiler with a detailed overview of the resources used,” Yarmolovich says. “Also, shader improvements deserve recognition.”

The Memory Profiler update, available on Unity Pro, provides a greater level of detail as it breaks down non-managed memory usage. According to Unity Technologies, the feature lets developers track consumption “right down to the level of individual objects, assets, textures, meshes,” among other elements.

Unity 4.1, meanwhile, also offers multi-screen AirPlay support, which lets developers press iPads and iPhones into service as game controllers. Users control games on the handheld devices as the action is streamed to an HDTV. “I have not used much of AirPlay, but I think it’s a cool thing,” Yarmolovich says.

Chris Skaggs, founder and chief technology officer of Code-Monkeys, an application and web development company based in Newberg, Ore., cites Unity 4’s animation capability as a standout component. “Our favorite new feature is the new animation tool -- being able to set those things up inside the IDE is a big time saver and helps tremendously with animation prototyping,” Skaggs says.

Support for Additional Platforms
In general, Yarmolovich cites Unity’s cross-platform capability as an advantage, noting support for Android, iOS, Windows, Mac OS, Linux, PS3, and Xbox360, with upcoming support for Wii U, Windows Phone 8, BlackBerry 10, as well as current and next-gen PlayStation systems. He also lists other pluses, including support for C#, JavaScript and Boo; a comfortable MonoDevelop editor with a debugger; Asset Server for sharing code from the development environment; Asset Store for downloading additional applications and scripts; and support for various multimedia formats, including 3ds Max images.

Looking forward, Unity Technologies is moving to extend its platform reach. In late March, the company announced a Unity 4 open beta program for Windows Phone 8 apps. A spokesman for Unity Technologies says the company has yet to announce a release date for Windows Phone 8 support. “We just entered a more public beta period at [Game Developers Conference] and are inviting a much larger group of developers in to test,” he says.

In addition, Unity Technologies plans to let developers create games for PCs or tablets running Windows 8 and Windows RT and publish them to Microsoft’s Windows Store, according to Unity’s blog. That support will start with Unity 4.2.

Skaggs is also very interested in support for Windows 8. “As a matter of fact, Win8 with multi-touch support for things like the new Ultrabooks is something we bug Unity about on a weekly basis,” he notes.

“Whether or not it becomes a real player in the game space again will partly depend on how much developers are supported and then can deploy quality titles,” Skaggs continues. “For us, we live and die on the ‘multi-platform’ proposition and Win8 is just another platform that we want to be available on. Unity is so good with multi-deployment already...we want more.”

Developers can also anticipate Unity support for BlackBerry 10 smartphones. In February, Unity announced plans to build a development add-on for BlackBerry 10. At press time, a free beta version was expected to shortly debut. The final release is expected this summer, according to the company.

Mobile Device Adoption: Targeting the Next 50 Percent

Fifty-five percent of American mobile users now own a smartphone. That’s about 130 million people, which is a big pool of potential customers for your app. But what if that addressable market doubled?

It won’t happen easily or soon. The low-hanging fruit -- techies, prosumers, business people -- has been picked. Meanwhile, T-Mobile USA is among the mobile operators scrapping the tradition of handset subsidies. If that becomes a trend, then feature phone owners who want to upgrade tomorrow will have to shell out at least twice the amount they would today.

“One way or another, you’re going to have to pay some significant cost at some point, whether it’s up front -- $500 or $600 for the smartphone -- or $200 up front and $20 every month,” says Ramon Llamas, IDC research manager.

That’s one barrier. Another is the cost of a data plan, although that’s becoming less of a hurdle thanks to the growing selection of cut-rate, unlimited-data plans, such as those from Straight Talk and T-Mobile. The roll-out of Long-Term Evolution (LTE) could enable even more aggressive pricing strategies because the technology significantly lowers an operator’s cost of delivering data service.

“Carriers are interested in smartphone growth since they can compensate drops in voice and SMS revenue with data flat rates,” says Brent McMicking, who manages Intel’s phone launches worldwide. [Disclosure: Intel is the sponsor of this content.]

Who’s Using -- and Not Using -- Smartphones
The analyst firm iGR recently asked over 1,000 U.S. consumers about their plans to buy a phone in the next 30 days.

“The majority of those who were likely to buy [a phone] say they would probably buy a smartphone,” says Matthew Vartabedian, iGR vice president. “Not surprising. What I did find interesting was that older respondents (35+) with feature phones were about 10 to 20 percent more likely to buy a smartphone than younger respondents. Younger respondents (18-34) were more likely to buy multiple smartphones (two or more), which is also interesting. The survey data suggests that older consumers are already choosing smartphones.”

The catch is that not every first-time smartphone owner uses many -- or any -- apps. “[After] six months, my father-in-law has yet to use his iPhone 4 for anything except voice and text,” Vartabedian says. “He uses the preloaded weather and stock apps, but that's it. Maybe some Web browsing. I think he generates about 20 MB of 3G data in a month. I don't think he's even opened the App Store.” 

Smartphones Take Off in Developing Markets
There are a couple of reasons why it’s worth looking at smartphone adoption outside of the U.S. The first is that there are big potential markets, at least for those developers willing to localize their apps, such as in terms of language.

The second is because the strategies that vendors are using to upsell foreign consumers could be applied in the U.S., too. One example is the Yolo smartphone, which Intel and Safaricom recently launched in Kenya. It’s noteworthy because it’s the first smartphone to feature a processor and reference design created to reduce manufacturing costs without cutting corners such as performance. For example, the Yolo smartphone has a 1.2 GHz processor, a 5 megapixel camera and support for 21 Mbps HSPA+ service.

That feature set is a break from tradition: In both developed and developing markets, affordable has been synonymous with pokey processors, limited memory and other shortcomings. Those undermine the app user experience.

“In India, Indonesia and China, they’re cutting corners left and right,” Llamas says. “The device build [quality] is rather cheap, so people are replacing their phones every six to eight months.”

The Yolo smartphone sold out within two weeks of its debut. That suggests that a lot of people in developing countries who don't own a smartphone already understand the benefits of owning one, such as the selection of apps. Translation: There’s pent-up demand not only for smartphones, but also for apps.

“In emerging markets, smartphones will be the first computer device for many people and provide a deeper Internet experience versus feature phones,” McMicking says. “Pent-up demand for smartphones is a function of perceived value and the overall experience, of which apps are a part. The opportunity for developers is to reach a new set of customers.”

Mobile Technology Solutions for Customer Loyalty Programs

A range of enterprises -- from restaurants to retailers -- use customer loyalty initiatives to encourage repeat business. Customers might receive a free item after a certain number of visits and purchases, for example.

Developers now aim to get customer loyalty programs up and running on mobile devices. Many businesses already provide mobile apps to help users locate stores or find particular brands. So the task becomes helping businesses integrate loyalty programs into their existing mobile customer outreach efforts.

Different Approaches to Customer Loyalty
Approaches in this category vary. Punchh, which bills itself as a social loyalty program for restaurants, provides a mobile app version of the familiar loyalty program punch card. It also lets restaurants reward customers for referring friends and family via their social networks.

Sastry Penumarthy, co-founder of the Cupertino-based company, says he sees an enormous opportunity for restaurants and other enterprises to market themselves in a completely different way. “The technologies that allow them to do that are mobile and also social media,” he says.

If a restaurant signs up for the Punchh service, customers may download the mobile app which places a virtual punch card on their device. A customer launches the location-aware app when he or she enters a restaurant and the merchant “punches” the loyalty card when the customer purchases a meal. To validate a punch, the phone can be used to scan a receipt.

Recent Punchh customers include Max’s Restaurant Cuisine of the Philippines, which plans to use the service to reward customers for repeat visits and customer referrals.

To help restaurants dole out those rewards, Punchh taps Facebook to find out who suggested the restaurant to the user and whether the user has referred the restaurant to others. If new customers follow the original customer’s recommendation and eat at the restaurant, the merchant provides additional punches on the card. Penumarthy calls those perks “social rewards.”

In another take on mobile loyalty, PunchTab Inc. provides an on-demand incentive platform. Businesses and brands that subscribe to the platform can build “social and mobile-enabled” loyalty and rewards programs, according to the company. PunchTab’s customers include Atlantic Records, Arby’s and eBay.

Mehdi Ait Oufkir, founder of Palo Alto-based PunchTab, says he has seen solid traction for mobile-enabled incentive programs on the enterprise side. While some companies seek to cultivate customers, others use rewards programs to engage their own employees.

Oufkir cites the example of one customer who wanted to build a mobile app-based points program to encourage employees to attend training sessions. In another case, a company is using an incentive program to encourage employees to submit their billable hours via mobile phone. Oufkir says the company’s employees found their in-house reporting system difficult to use and, as a consequence, failed to submit all of their billable hours. In contrast, he says, employees find the mobile approach easier and more fun to use.

Beyond the Punch Card
Punch cards are the centerpiece of many a loyalty program. However, Steve Schroeder, chief executive officer at AppGage LLC, a mobile loyalty company based in Ann Arbor, Mich., says he believes mobile loyalty programs should push beyond the punch card.

“We take punch cards and stick it on the phone and call it a loyalty program,” he says of the industry in general. “Loyalty has nothing to do with digital punch cards.”

Instead, Schroeder says loyalty stems from understanding people and learning about their behavior. To accomplish that, loyalty programs need to harness a mobile phone’s sensors to gain insight into customer behavior and then feed that knowledge into an analytics engine to suss out the customer’s needs, he says.

AppGage’s AppGagement Loyalty Framework provides such a platform, according to Schroeder. The company’s first framework-based app, a project for Get Healthy Michigan, a statewide health program that aims to encourage health and wellness, is scheduled to launch in April.

The Android-iOS Data Disparity

It's one of the biggest mysteries in wireless these days: More people worldwide own Android smartphones and tablets, yet iOS devices often drive the lion's share of Web traffic from handheld devices.

For example, during the first five weeks of 2013, iOS devices drove almost 7 percent of all traffic on non-cellular networks -- while Android accounted for 2 percent. That’s according to Akamai’s IO portal, which tracks usage across a variety of browser types. Another company, Net Applications, says iOS devices drove about 60 percent of mobile traffic each month over the past year.

These kinds of differences aren’t academic. Instead, they’re things that developers should keep an eye on because they affect the market for their apps. The catch is that the differences melt away or flip-flop depending on factors such as network type and device type.

For example, the disparity reverses when the devices are connected to cellular rather than WiFi. In that case, Android accounted for 23 percent of traffic, compared to 20 percent for iOS, Akamai found. iOS leads on WiFi because of the iPad, whose owners typically forgo the cellular option.

“Out of that 7 percent of overall traffic that iOS accounted for on non-cellular networks, 4.2 percent was iPad,” says Guy Podjarny, CTO of Akamai’s Web Experience business unit. “It’s the iPad that tips the balance when you talk about browser market share, but it has a very small foothold in cellular traffic.” You can read more about data disparities here.

Behind the Numbers of iOS vs. Android Data Usage
There’s no shortage of theories about why these differences exist. For example, some think that vendor and operator pricing encourages people who are replacing their feature phone to buy an Android device even though they have little interest in more than voice and text. If that’s correct, then the addressable market for Android apps isn’t as large as it seems.

A related issue is that unless an operator is subsidizing the heck out of an Android smartphone, a low price often indicates mediocre hardware capabilities. That too can affect whether owners of those devices are a good fit for apps that work best when the phone has a powerful processor and lots of memory.

“While top-range Android devices are on par -- and in several cases higher spec -- than iPhones, there is a large amount of Android devices that are much lower spec, providing a sub-par user experience that could also affect user engagement,” says Andreas Pappas, senior analyst at VisionMobile.

The relationship between OS choices and audience engagement level also plays out overseas, but for other reasons. “Android is popular in countries where mobile broadband and even fixed broadband has low penetration (e.g., China),” Pappas says. “In these markets, access to the Internet via mobile devices can be much lower than in the U.S., preventing users from engaging with online services.” 

In any part of the world, demographics can be an even bigger factor. “It is most likely that the same demographic group will have similar levels of engagement on either platform,” Pappas says. “So if you take 100 iPhone users and 100 Android users among, say, users that are industry analysts, you will probably observe, more or less, the same engagement pattern.”

That’s an example of why it can be more important to focus on the target demographic’s attributes rather than fixating on whether developing a native Android or iOS app is the best way to reach as many potential customers as possible.

“I don’t think the usage gap justifies [targeting] one over the other,” Podjarny says. “I would look at statistics around conversion percentages, how likely are iOS users to pay for something or click on an ad versus Android users, or is one platform more dramatically popular than another within your target audience.”

Change Is the Only Constant
A mobile operating system’s market share, brand perception and app usage can change dramatically in just a year. Think back to the fall of BlackBerry and the rise of Android. So if you’re going to use information on data usage to decide, for example, which OS to develop for first, look for numbers that are no more than a couple of quarters old.

“Android is making inroads both in developed and developing markets and is no longer considered the cheaper/alternative platform,” Pappas says. “Android devices have come a long way and they offer features that are not available on the iPhone (e.g., NFC), making them the preferred choice for a lot of tech-savvy people.”

What’s more, “data usage on Android is likely to approach the levels of iPhone usage as they are increasingly being adopted by data-hungry users,” Pappas continues. “User engagement on low-cost Android devices (feature phone replacements) is likely to rise as users get up to speed with apps and better understand the use cases enabled via smartphones.”