The Latest from Blackhat

If you are a mobile developer, you should take a look at the white papers and presentations that have become available following the recent Black Hat Europe 2015.

Of particular interest to Android developers is (In)Security of Backend-as-a-Service (pdf), which shows how hard-coding service credentials for services such as Parse, Cloudmine and Amazon AWS puts not just a particular user’s data at risk but the whole backend: the credentials an app embeds to reach its own user’s records are easily pulled out of the APK and can then be used to access huge amounts of other users’ sensitive data. The apparent ease of using BaaS has led mobile developers to cut and paste sample code, credentials included, without thinking through the security implications.

Wondering what else your app might be doing wrong? The AndroBugs framework, also presented at the conference, scans APKs for known coding mistakes: it decompiles the app and looks for bytecode patterns that signify vulnerabilities in the code. AndroBugs has recently been open-sourced on GitHub.
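To make the two points above concrete, here is an added example of my own (not code from the Black Hat paper and not AndroBugs itself) of the kind of pattern scan AndroBugs automates for the hard-coded-credential mistake. It walks decompiled Java source, which is what anyone with the APK gets from a decompiler such as jadx (that step is assumed and not shown), and flags SDK initialisation calls whose credentials are string literals. The three source files are constructed for the example, and the AWS key and secret are the placeholder values AWS uses in its own documentation.

```python
"""Added example: spot hard-coded BaaS credentials in decompiled Android source.

Not AndroBugs and not code from the Black Hat paper; it only mimics their
pattern-matching approach. Input is the decompiled Java an attacker would get
from the APK (decompiler step assumed, not shown). All sample files below are
constructed; the AWS values are the placeholders from AWS's own documentation.
"""
import re
from dataclasses import dataclass, field

# One regex per credential-bearing SDK call. Named groups capture the literals
# so the report can say *what* leaked without printing the secret itself.
PATTERNS = {
    # Parse SDK (pre-1.13): Parse.initialize(context, applicationId, clientKey)
    "parse_init": re.compile(
        r'Parse\.initialize\(\s*[\w.()]+\s*,\s*"(?P<app_id>[^"]+)"\s*,\s*"(?P<client_key>[^"]+)"'
    ),
    # AWS SDK for Android: new BasicAWSCredentials(accessKeyId, secretKey)
    "aws_basic_credentials": re.compile(
        r'BasicAWSCredentials\(\s*"(?P<access_key>[^"]+)"\s*,\s*"(?P<secret_key>[^"]+)"'
    ),
    # Any AWS access key ID literal, wherever it appears (documented AKIA prefix).
    "aws_access_key_id": re.compile(r'\b(?P<access_key>AKIA[0-9A-Z]{16})\b'),
}


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    redacted: dict = field(default_factory=dict)


def redact(value: str) -> str:
    """Keep a recognisable prefix and the length; never copy the secret into a report."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_file(path: str, text: str) -> list:
    """Return one Finding per (line, rule) match in a single decompiled source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                redacted = {name: redact(val) for name, val in match.groupdict().items()}
                findings.append(Finding(path, line_no, rule, redacted))
    return findings


def scan_tree(files: dict) -> list:
    """Scan a {path: source} mapping, as you would get from walking a decompiled tree."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


# Constructed sample of what a decompiler hands back for a quick-start-style app.
SAMPLE_FILES = {
    "com/example/app/App.java": """
package com.example.app;
public class App extends Application {
  @Override public void onCreate() {
    super.onCreate();
    // pasted straight from the BaaS quick-start guide
    Parse.initialize(this, "a1b2c3d4e5f6a1b2c3d4e5f6", "zzz9zzz8zzz7zzz6zzz5zzz4");
  }
}
""",
    "com/example/app/Uploader.java": """
AWSCredentials creds = new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
AmazonS3Client s3 = new AmazonS3Client(creds);
""",
    "com/example/app/Safe.java": """
// the fix: no long-lived backend secret in the APK; the app only ever holds a
// short-lived, user-scoped token issued by our own server after login
String token = api.fetchScopedToken(session);
""",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.redacted}")
```

The scan tells you where the literal is; the fix is architectural rather than a regex. An AWS secret key is never safe inside an APK, and even keys a BaaS vendor documents as non-secret only stay harmless if the backend’s access rules are actually configured, which is exactly what the paper found was often not the case. The Safe.java sample shows the shape of the fix: the app holds only a per-user token issued by a server you control.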

Another way your app’s data might become visible is if it’s stored in the app’s private sandbox and subsequently backed up, either on a rooted device or via ADB. By default an app’s private files are included in adb backup unless the manifest sets android:allowBackup="false", and a rooted device can read the sandbox directly, so opting out of backup closes only one of the two channels. The presentation on Authenticator Leakage Through Backup Channels on Android (pdf) goes into a lot more detail.
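As an added example of checking for the ADB channel (my own illustration, not code from the presentation), the script below reads the decoded text form of AndroidManifest.xml, as produced by apktool (assumed, not shown; the binary manifest inside an APK is not parsed here), and reports whether private files are reachable through adb backup. It also flags a debuggable build, since adb shell run-as reads the sandbox regardless of the backup setting. The three manifests are constructed for the example.

```python
"""Added example: check an Android manifest for the adb-backup leakage channel.

Not code from the Black Hat presentation. It reads the decoded (text) form of
AndroidManifest.xml, e.g. as produced by apktool (assumed, not shown; the binary
AXML inside an APK is not parsed here), and reports whether the app's private
files are reachable through 'adb backup'. All three manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:* attribute via its namespace-qualified key."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def check_backup_exposure(manifest_xml: str) -> dict:
    """Report the backup-related exposure of an app from its manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    allow = android_attr(app, "allowBackup")
    # Android's documented default for android:allowBackup is true, so an absent
    # attribute is the exposed case, not the safe one.
    allow_backup = allow is None or allow.strip().lower() == "true"
    debuggable = (android_attr(app, "debuggable") or "false").strip().lower() == "true"

    issues = []
    if allow_backup:
        how = "absent (defaults to true)" if allow is None else "true"
        issues.append(
            f"android:allowBackup is {how}: app-private files are included in "
            "'adb backup' for anyone who can run it against the device")
    if debuggable:
        issues.append(
            "android:debuggable is true: 'adb shell run-as <package>' can read the "
            "sandbox directly, regardless of the allowBackup setting")
    return {
        "package": root.get("package"),
        "allow_backup": allow_backup,
        "debuggable": debuggable,
        "issues": issues,
    }


# Constructed manifests: the common quick-start shape, the hardened one, and a
# hardened-but-debuggable build that still leaks through a different channel.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank" android:allowBackup="false">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

DEBUG_BUILD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank" android:allowBackup="false" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in [("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST),
                      ("debug build", DEBUG_BUILD_MANIFEST)]:
        result = check_backup_exposure(xml)
        print(name, result["package"], result["issues"] or ["no backup-channel issues"])
```

Setting allowBackup to false only closes the ADB channel. On a rooted device the sandbox is readable anyway, so a stored authenticator (session token, refresh token, password) still needs protecting in its own right: a short lifetime and server-side revocation at minimum, and encryption under a key that is not sitting in the same directory.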

As usual, black hat activities look into the problems but don’t give many ‘white hat’ recommendations on how to fix apps. It’s easier and more fun to find problems than it is to provide fixes. If you are looking for some answers then my site provides some recommendations.

App Retention Linked to Contextual Content

There’s an article at Mobile World Live (by the GSMA) titled Personalisation Key to App Stickiness. We all know user retention is just as important as user acquisition, if not more so, so how do we achieve this?

The survey by Localytics found that mobile users will open a new app on average 4.5 times before potentially abandoning it.

The key is…

“Personalised app content and marketing messages, tailored to their specific behaviour, location and intentions.”

Hence it’s crucial that we use the first few app launches to discover context for displaying appropriate content in those and future launches. For example, if the app continues to show ‘empty’ states then it’s unlikely to be used again. But what if the app shows nothing because it’s driven by external events such as location, iBeacons or notifications? It’s important to let the user populate the data somehow at first, perhaps by browsing limited content or via injected dummy events, so that the user gets to see how the app can provide value.

The End of Freelancing in the UK?

Last weekend there were articles in The Guardian and the Daily Mail explaining that, under newly proposed rules, if I were to work for more than one month for a client I would have to become their permanent employee.

I was contacted by The Register today after I tweeted about this, and they used the following quote from me in a recent news article:

“If it’s implemented it will change how freelancers work in the UK – not just IT but ALL industries. I guess most freelancers will take the easier route, go permanent and the flexible workforce will disappear.”

How did all this come about? Since 1999 there has been something called IR35, which the UK Government has tried to use to force one-man-company contractors to pay themselves fully through Pay As You Earn (PAYE) rather than through dividends on shares (taxed via corporation tax), which saves on national insurance, as I will explain later.

The main problem with PAYE and IR35 for contractors is that they end up paying MORE tax than normal employees: they have to pay an extra (very roughly) 13.8% national insurance normally paid by the employer because contractors, running their own company, are both the employer AND the employee.

It turned out IR35 was full of holes because it was impossible for HM Revenue & Customs (HMRC) to legally distinguish contractor companies from other companies, given their varying situations and differing written contracts. Almost all IR35 legal cases have been lost by HMRC, and most contractors pay themselves a small salary in order to build up national insurance contributions and take the remainder as dividends. Tax is still paid, but through corporation tax.

Very, very roughly, the contractor saves the employee national insurance of about 10% compared to a normal employee and avoids the ‘unfair’ extra employer national insurance of 13.8%. However, there is no entitlement to holiday pay, sick pay, healthcare, training, auto-enrolment for pension contributions or the right to bring a claim for unfair dismissal. Contractors choose to sacrifice those rights, take on the risk of not having continuous work and also bear extra costs such as computer hardware and substantial company accountancy fees.

In the last budget the Chancellor announced a review of IR35, and the Guardian and Daily Mail articles are probably a controlled leak by the Government to gauge reaction to a new strategy. Unfortunately the new strategy is just as flawed.

Do the numbers make financial sense? How much VAT will be lost? My company claims back very little VAT on purchases, so almost all of its income collects VAT for HMRC at 20%. What about the 100,000 accountants (with fees of typically £1,000) used by contractors? What about the economic contribution of contracting recruitment agencies? How much will it cost HMRC to police this? All of this will be lost to the UK economy.

It’s not just about money. The real damage is to my current and future startup clients who will no longer have access to a flexible workforce. My company supplies specialist mobile development skills to clients across a range of startup industries. They need work doing for short periods of time where they nearly always don’t have the specialist skills in-house. The work tends to be on and off because, as a startup, they don’t have the money or requirement to take on someone full time. Some of my clients are becoming successful now, contributing tax and this wouldn’t have been possible without a flexible workforce. What’s a flexible workforce worth to the UK?

Then there’s IR35. There were so many holes and interpretations that, as I said, it was unworkable for HMRC. This new proposal also has holes and possible re-interpretations. What about contractor companies registered overseas? What about client companies registered overseas? What if contractors join together to form a ‘software house’ – how different will they be to a consultancy such as Accenture? What if contractors or their clients split work to packages less than a month? If my company works for an individual rather than a company (it has happened) do they need to run PAYE? You get the idea. The new proposal might turn out to be equally unworkable for HMRC.

As I said at the start of this article, this would affect all industries, not just IT. It could change things for UK companies, not just contractor companies but, more significantly, those companies that use them directly or indirectly.

Aggregation and Intermediaries

I am often sceptical of predictions from analyst houses, but one caught my attention yesterday. Forrester, quoted by CNBC in their article How mobile will transform business in 2016, says…

“Consumers will continue to spend most of their time in only a few apps (e.g. Facebook, Google Maps, WeChat), but will increasingly turn to aggregation apps”

This correlates with what I have been seeing recently regarding apps that are about to be developed. Aggregation is an emerging theme and a current opportunity. While I can’t name names due to confidentiality, we are going to see more apps that aggregate things. What kinds of things? Initially it will tend to be products and services that are purchased. Instead of going to one vendor’s app, expect to use an app to compare prices and services, much as we do for some things on the web at the moment. However, with more contextual information available to apps, particularly location, there’s the potential for many more app-based intermediaries in more verticals.

Linux, Android Kernel Insecurity

There’s an extremely long, sometimes entertaining, sometimes boring article, The Kernel of the Argument, at the Washington Post on the insecurity of the Linux kernel.

The gist of the article is that Linus Torvalds has personally managed the Linux kernel since its creation in 1991 and has had little interest in making it more secure at the cost of poorer performance. Instead, he argues that it’s the responsibility of the components surrounding and using the kernel to enforce security. Linus has also said, “I personally consider security bugs to be just ‘normal bugs.’”

If you don’t already know, Android is built on the Linux kernel. What does this mean for Android developers? It demonstrates that, as with Android itself (or iOS), there will almost certainly always be vulnerabilities. YOU, not the OS, have ultimate responsibility for ensuring your app’s data is secure. YOU need to protect data to the level appropriate for your app. Don’t rely solely on the OS.

Flutter – Cross Platform App Development from Google

Flutter is a new cross-platform app development framework from Google that allows apps to be created for both Android (KitKat or later) and iOS (iOS 5 or later). It’s still being developed, primarily by engineers at Google.

Flutter is a high performance (60fps) 2D rendering engine with framework and widgets on top. There are also Material Design widgets. It’s all open source.

Internally, Flutter is a mix of C, C++, Dart and Skia (the 2D rendering engine). On Android there is a Dart VM, but it isn’t an interpreter: it generates JIT-compiled, optimised native code. On iOS the Dart code is AOT-compiled into native code with LLVM. On either platform you can call native services via IPC.

The programming language used is Dart, which is also open source. Dart, which became available about a year ago, was once thought of as a future replacement for JavaScript in the browser but now seems to have taken a new direction. Dart sits somewhere between C++ and Java: it supports classes with single inheritance, interfaces, abstract classes, reified generics and optional typing.

Flutter isn’t suitable for production apps just yet, and you can’t yet easily produce installable apps. On the plus side, I can see it will enable us to produce high-performance, cross-platform apps with much less effort and cost. However, I have some reservations.

The first is that the widgets don’t use the respective system’s underlying widgets. There are Material Design widgets, but who is going to want those on iOS? iOS look-and-feel widgets are needed. Even if these were available, it will create look-and-feel problems whenever Apple and Google update the system widgets in the future. Also, I can’t see how Flutter widgets would ever provide all the theme/style customisations offered by the native platforms.

Of course, we have been here before, during Nokia’s ownership of Qt. Providing for the respective platform UIs, especially over time, is a monumental task. Getting developers to learn a new language also requires some sort of motivation. Apple is managing it with Swift, but people are coming from the much less friendly Objective-C. Another unknown is Google’s internal politics over where this fits in with existing Android dev tools; again, internal politics helped to kill Nokia’s Qt. However, the wildcard is Oracle, which could tip things the other way: much longer term, there’s a (small?) chance that Oracle’s continual battles over Java IP could tip Google into using an alternative.

Finally, Flutter isn’t the only cross-platform framework trying to use Dart. Fletch is also based on Dart.

Mobile Programming at a Higher Level

trnql has become available today for iOS and Android developers. It aids programming of contextual things (e.g. location, weather, database, server) at a higher level than using a multitude of libraries and APIs. For example, you can determine whether the user is in a vehicle with just one API call.

trnql was founded by former Google and Yahoo veterans and aims to simplify the developer experience. For product owners this means a much quicker time to market and less expensive development, but you will, of course, have to pay for the trnql API in the longer term.

Mobile development is reaching ever higher levels of maturity. At first there were just the OS APIs. Then came the many libraries, for example the many Android libraries listed on Android Arsenal. We are starting to see even higher levels of abstraction such as Android Templates and now trnql that enables writing of much less code.

The main problem with abstraction is that the higher you go, the more you are constrained to a particular way of doing something. That particular way is usually tried and tested, so it’s a trade-off of reliability and time-to-market against flexibility.

As your app matures you will probably find you want to do things differently, or implement lower-level things yourself to own the responsibility for aspects such as security. Starting simple maps well onto the lean startup way of doing things, as it maximises learning velocity.

Designing For Android

Detroit Labs has a new post on 5 Reasons Why Your Android App Should Not Mirror Your iOS App (And Vice Versa).

Their first reason is something I have been saying for a long time: it will cost you more if you clone an iOS app. However, something I hadn’t considered is that paying attention to platform differences can also be better for app marketing…

“If you build features that are Apple- or Android-specific, app stores are more likely to feature your app, and it will definitely garner better ratings.”

More specifically, at the moment, if you do a great job implementing Android’s Material Design then you will be on a faster track to being featured in the Play Store.

So what other kinds of things should be different? Take a look at my article on Porting iOS to Android for some high-level tips.