Samsung Knox Security Blunder

October 23rd, 2014

samsungknox.pngThere’s an anonymous single-post blog at blogger.com that takes a look at Samsung’s Knox. Surprisingly, Knox relies on security by obscurity to hide the encryption key, the method of generation of which is now public information. It’s now known that it’s generated using the device’s Android ID and a hardcoded string.

As the author states, a stronger key should be derived using Password-Based Key Derivation Function 2(PBKDF2), from the user’s password, that shouldn’t be stored on the device.

Related to this, if you are instead relying on Android OS disk encryption, you might like to read how this has changed over time. Prior to Android 4.4 it was based on a PBKDF2 with only 2000 iterations, using the lockscreen PIN or password which tends to be short and more amenable to brute force attack.

Related Articles:

Mobile Retail Behaviour is Changing

October 22nd, 2014
gfk.gifGfK has new research into mobile consumer behaviour showing double-digit point changes in metrics that measure where and how people are shopping. 

  smartphoneandtabletsforonlineshopping.png

Gfk says that companies should "build out an up-to-date and nuanced shopper insights platform" to provide insights, without which brands will be in a ‘hit-or-miss’ mode in execution. This dovetails well with my Does OS Market Share Matter post where I encouraged analysis of users on a project-by-project or case-by-case basis.

Related Articles:

Android Growing

October 21st, 2014

businessinsider.gifThere’s an upbeat article at Business Insider that says that Android is suddenly growing massively as an e-commerce, advertising and app platform. It says…

"Too many analysts remain attached to an outdated idea of Google’s mobile operating system as fragmented, malware-ridden, and low-end. They believe Android users don’t spend money on mobile and lack lifetime value. This is no longer true."

bicumulativeactivations.png 

One of the report’s takeaways, that "mobile business models that neglect or ignore Android risk severely limiting their market potential" reflects some US conversations I have had where it has been said that Android is a blind-spot for many California tech companies.

The report also covers how Android’s ad traffic and revenue share is rising fast and is producing healthy mobile commerce orders for companies. It also explains why Android’s fragmentation problem is overblown.

Negatives include feature creep and bloatware added by carriers and OEMs. I’d also say security is an issue, especially for security sensitive apps that need to make use of payments. Such apps need to take extra measures to protect themselves.

Related Articles:

Android Binder Subversion

October 20th, 2014

androidsecuritylogo.pngSome of the vulnerabilities in Android allow code to be run as root. Alternatively, if users root their device malware can already run as root. However, what can such code then do?

Nitay Artenstein and Idan Revivo of Checkpoint Research have a new presentation and white paper on how intercepting IPC, via the Android Binder, can be used to provide for keylogging, location tracking and intercepting SMS. Indeed, even sending data from one Activity to the next uses IPC and this can be intercepted.

What can Android developers do about this? Well, if you are handling sensitive information you should consider encrypting data before sending it, to/from, for example, a Service or another Activity. The paper also describes how Android’s keyboard also uses Binder and security sensitive apps should have their own keyboard implemented within the app. I have updated my Android Security site to reflect this information.

Related Articles:

Does OS Market Share Matter?

October 15th, 2014

gartner136.gifGartner has new research that compares sales of PCs, tablets and smartphones across the respective operating systems. The headline is that tablet sales are slowing. However, does it matter?

The ever insightful Benedict Evans also has a new post where he explains that we are in the uncharted territory where a minority market share is still very large. He talks of the potential fallacy of "winner (platform) takes all" and suggests that we should look at other things such as the geographic region we are targeting.

Benedict talks a lot about developer revenues and geographic region when choosing a ‘mobile first’ platform and concludes…

"It isn’t so much that ‘maket share doesn’t matter’ (the mantra of Apple fans for decades’) as that you need to think about what kind of market share, where, and whether that matters."

I’d advise you to think and analyse even deeper. I find the emphasis on app revenues and market share slightly concerning. People should be think more about the benefit to their company. This benefit can take many forms. Whether an app is financially viable depends on the kind of app/company as much as it does the platform.

Taking Benedict’s examples of Citibank, Tesco and Carrefour they don’t even sell their apps nor use store in-app purchasing. The fact that iOS users are more affluent probably doesn’t matter for Tesco and Carrefour as iOS customers might be shopping at, at least in the UK, John Lewis and Waitrose anyway. Conversely, I very much doubt many Citibank customers use Android and they would prefer iOS. The key thing here is that these are hunches and guesses.

You need to assess what platform to use on a case-by-case basis and do some market research beforehand as to what devices your users are using and whether they would access your product/service via an app, smartphone, tablet or indeed anything else.

Back to the Gartner headline that tablet sales are slowing. Does it matter? Sales are still of a similar order to PCs and it’s still a large market. What’s probably just as important is whether your end users would access via a tablet and if so, what kind of tablet are they using?

Related Articles:

App Purchase/Subscription Insights

October 14th, 2014

branchfire.pngBranchfire have a new US mobile app study of 2,042 adults, conducted by by Harris Poll on app-buying habits. 76% of people download apps while 57% have never paid for an app. 70% of people have downloaded more than 10 apps. The study also gives useful information on highest amounts paid for apps, monthly app subscription by category and subscription pricing thresholds.

branchfiresubscriptions.png 

It’s interesting that people are open to subscriptions as this gives longer term revenue for developers. The study says that streaming and movies are the top types of app people are willing to pay for via a subscription. These are the kind of things that can exist and be consumed outside of the phone and be accessible via other means, for example the desktop. The app is just a gateway to consumption (and payment). The value is seen as the content rather than the app. This is probably a good indicator of whether it’s viable to use app subscription in a particular app.

Related Articles:

Scaling Android Development

October 13th, 2014

twitter.png

Most Android apps are created by a single developer or a team of a few developers. However, what happens in a large company where potentially hundreds of developers each want to add their small feature? There’s a new video, from DroidCon Paris, on how Twitter went from a few developers up to of the order of 100.

The video shows how Twitter developers, who were more used to working on the Twitter Web site, had to adapt to working on Android. For example, their ‘web brain’ that previously allowed bugs in the web site to exist, because they could be reverted, had to be modified for Android where a crash usually means the user will install and might not re-engage with the app for another month. Also apps have a longer lifetime until upgrade and Twitter has up to 60 versions of the Android app running at any one time due to people delaying upgrading.

The session shows 50% of Android Twitter users will upgrade within 3 days if no extra permissions are required. 75% will upgrade within 14 days. When new permissions are required manual upgrade can typically take a month.

There’s also useful information on large scale training, test devices, code style wars, testing tools, emulator vs device, remote feature on/off and toolchains.

Apple Pay Limitations

October 10th, 2014
apple.gifThere’s an interesting article on USA Today Money quoting a UBS report explaining problems with Apple Pay that will limit its dominance…
  • Onerous fees charged by Apple
  • Inferior technology
  • Little incentive for merchants to adopt Apple Pay-compatible devices

More reasons then, why Apple should open up NFC before interested parties develop alternative solutions.

Looking wider, this provides learnings for any new venture. Are the fees you expect to charge reasonable in the current (and future market), can people easily circumvent your solution using other technologies and are you expecting too much of third parties to change/update their systems in order to be part of your solution? I suppose it’s really about having an old fashioned business model which is one of the stages of my primer.