Cross Platform Tools and Security

blackhatasia15If you follow this site you will know I am not a great fan of cross platform tools. They tend to sacrifice performance and ‘look and feel’ for faster development. In cases where you can refine the look and feel, it usually becomes increasingly difficult to get screens with the correct UI idioms because most tools are based on generating html/javascript. Enterprise apps seem to be the most suitable use for cross platform tools as the look and feel of the UI tends to be less important. However, is this true?

I have recently written how anyone using app creating tools based on WebViews or using WebViews in their app needs to be aware of security vulnerabilities. Taking this further, there has been a recent presentation at BlackHat Asia 15 on ‘The nightmare behind the cross platform mobile apps dream‘.

The problem with cross platform is that it provides a uniform environment that offers up a large number of apps that can be hacked in the same way and, as it turns out, can also be more easily hacked. The presentation gives some sobering problems with Cordova, Adobe AIR and Titanium. For example, Adobe AIR’s EncryptedStorage API doesn’t do much and only stores data as Base64 encoded. Titanium’s default https is broken, doesn’t validate the SSL certificate and hence is vulnerable to Man in the Middle (MiTM) attacks.

If you are using cross platform tools then you are passing some responsibility for security to the framework. I am beginning to think platform tools are actually less suitable for Enterprise because that’s where there are usually increased security concerns.

The Web vs Apps Outcome

android.gifThere was time when some people thought the future of mobile development was the web. That thinking was based on the fact that the web was a common platform across all types of device and that would be the only way to solve fragmentation. If you look at the ‘Web Technologies’ section at the bottom of this site you will see I was sceptical.

In practice, we all know apps have dominated. While Apple and Google have improved their web browsers, they haven’t put in as much effort to allow the browser access to APIs nor improve the user experience for web-based apps. However, I believe the situation has become even worse than this.

The lack of browser-based access to native APIs has caused workarounds to be devised that are used in hybrid apps that contain WebViews and code included by most 3rd party ‘easy’ app creation tools. On Android these involve use of Javascript access to the Android native Context to call into native code. Unfortunately, as these are workarounds, they are very insecure. My article on ‘Use WebViews Carefully’ gives more details. Anyone using app creating tools based on WebViews or using WebViews in their app needs to be aware of these vulnerabilities. In fact, as of last week, outside of embedding in apps, even using the browser on its own has been the subject of a security scare.

A second problem is that there’s now no one ‘Android Browser’ upon which the WebViews are based. Niels Leenheer has a great set of slides that explains how browsers vary across Android versions, devices and phone manufacturers. The consequence of this is that getting any non-trivial WebView-based app to work across many device types is very difficult. The many 3rd party companies creating app creation tools based on web technologies face an uphill battle – as do people using their tools.

It’s ironic that the (web) platform that some people thought might solve the fragmentation problem has, arguably due to under-investment and lack of innovation by Google and Apple, become one that has security and fragmentation headaches.

VisionMobile’s Developer Economics Q1 2014 Thoughts

visionmobile.gifVision Mobile has a new Developer Economics Q1 2014 report based on a survey of 7,000 app developers in 127 countries. As might be expected, iOS and Android are very dominant and iOS remains as top revenue earner. However, if you want apps to provide revenue, read on.

The ecosystem was worth $68 billion in 2013 and is projected to grow to $143 billion in 2016. This seems like a huge incentive for companies to take up mobile if they haven’t done so already. However, where’s the money? We are told…

"60% of developers are below the “app poverty line”, i.e. earn less than $500 per app per month"

How can this be? How can such a large, tens of billions, market result in such a low income per app? The report provides some extra insights on the revenue distribution across and within platforms… 

visionmobilerevenuedistribution.png
Even on iOS, a few apps (mainly games I guess) represent the majority of the income. So why do developers continue to develop apps when they aren’t likely to make any money? The report provides some insights on developer motivations…

 developertypesandmotivations.png

It can be seen that Hobbyists, Explorers, Product Extenders, Enterprise and, to some extent, Guns for Hire and Digital Media Publishers don’t really care about the ability to generate revenue.

What does this mean for entrepreneurs in the mobile space? Well, if you are thinking of making money from apps (‘Hunters’ as Vision mobile calls them) then you are probably wasting your time unless you think you can be part of the small slice of the market (games?) that makes the majority of the money. Instead you probably need to change your business model to become one of the other categories of developer.

Apps vs Internet

orange.gifOrange has some new free Orange Exposure research conducted by TNS that concentrates on the path to purchase across the UK, France and Spain. It concludes that 4G networks are igniting uptake in m-commerce, showrooming is on the rise and Android’s dominance over iOS is continuing (also with a leap in tablet market share).

useofbrowservsapps.png 

An interesting insight for mobile developers is that people are increasingly using apps to access the internet rather than the traditional browser. I suspect this means that there are opportunities for brands/companies/developers to create apps that present web site data in more innovative and easier to use ways as opposed to just within a webview in the app.

Tablet Usability Study

nielsennormangroup.pngNielsen Norman Group have a new article on the results of six rounds of usability studies with tablet users across iPad, Android and Windows tablets.

The main problems were the same as for applications on other platforms…

"Difficult features, mismatch with user workflow and poor instructions that people don’t read"

Nielsen Norman Group observes that websites are much more usable than on smartphones. This together with the requirement  for apps to modify the user interface for different tablet models causes Nielsen Norman Group to advise developers to "stick to websites" and only create an app if it really adds value over a website. If you do make an app then don’t make it a scaled up phone app. The article also covers other issues such as Web UX bleedthrough and gesture problems.

I’d say the advice to only create an app if it really adds value over a website is equally applicable to smartphone apps. There are too many ‘shallow’ smartphone apps that might as well be websites. In the past it might have been worth creating the equivalent of a site in an app in order to gain visibility via the app stores but, with so many apps in the stores, that time is well over.

M-Commerce Report

affiliatewindow.pngAffiliateWindow has a recent free report on M-Commerce: The Complete Picture (pdf). It provides information on mobile growth trends in terms of their network traffic, sales and conversion rates across iOS and Android.

 affiliatewindowiosandroidgrowth.png

Most of AffiliateWindow’s mobile activity is Internet rather than app-based. Web site publishers get paid when affiliate links are used to purchase goods or services from AffiliateWindow’s partners – irrespective of whether the click was from the desktop or a mobile device.

The report also mentions that AffiliateWindow also offers app download campaigns as well as tracking in app activity.

Developer Economics Q3 2013

visionmobile.gif

Vision Mobile has results of a new developer survey including 6,000 respondents from 115 countries. The free report (registration required) also includes information on OS platform market shares and related insights.

For example…

"There are no profits to be made in handset production itself. In other words, hardware is dead. Instead, value has migrated to upwards in the technology stack (to services) and downwards (to handset components)."

This situation means that it’s very difficult, if not impossible, for OS newcommers to compete…

"Even Microsoft with an estimated over 5 billion dollars invested in Windows Phone has managed to secure a tiny 3% smartphones sales share in 2.5 years since the platform launched."

visionmobilesmartphonesalesq12013.png

The developer survey is full of interesting insights and deeper numbers on the use of HTML in mobile development, developer mindshare and intentshare by mobile OS. There’s also analysis on platform choice vs what developers are trying to achive. There are also numbers on tablet development, revenue models and average revenue per month.

When I read reports such as this I often start wondering what constitutes a ‘developer’. For example, I am an ‘implementing’ developer but my clients might also consider themselves developers. While I don’t do development for intermediaries any more, there are also some types of client who themselves have clients, for example brands, who might also consider themselves as doing mobile development. Similarly, those people working inside companies have managers and end clients who might be seen as developing for mobile.

Vision mobile have sliced developers a different way and have split them into categories based on what they are trying to achieve…

  • Hunters
  • Explorers
  • Guns for hire
  • Hobbyists
  • Product extenders
  • Gold seekers
  • Enterprise
  • Digital content publishers
The report considers the repercussions of their respective motivations.

HTML5 Tricks and Treats

venturebeat.gifJust about every mobile conference I have been to recently has had an over-emphasis on HTML5 for mobile. Hence, it’s refreshing to see an opposing opinion piece at Venture Beat on "Why HTML5 provided more tricks than treats in 2012".

Ben Savage, founder of Spaceport.io, argues that HTML5 development isn’t optimal for solving mobile design issues such as use of keypads, differing screen sizes and use of the touchscreen. He also says HTML5 provides less discoverability than the app stores, has problems with performance, browser fragmentation and that Javascript might not be the best choice for creating robust apps.

I think the key thing to do is assess your proposed app against the limitations. Sometimes the limitations don’t matter or are small compared to the advantages. I previously wrote a quick summary of the main considerations.