Demand for New Smartphones Dropping

Argus Insights has a new free report (PDF) on how ‘Consumer Smartphone Demand is Plummeting Despite the Introduction of Flagship Phones’. The report says…

“New phones are typically a vague improvement on old ones, with better cameras, memory, etc., but these small improvements are failing to create urgency for consumers to upgrade right away.”

[Image: Argus year-to-year smartphone demand]

This might be seen as good news for developers. It’s unlikely the installed base is falling. We might get a period of relative stability where we won’t have to keep testing on newer devices. However, there is also a counter-argument that people mainly try new apps when they get a new phone.

Insecurity of Mobile Banking Apps

Two days ago I repeated my advice on having to be careful when using WebViews in security-sensitive applications. Yesterday, I happened to come across a research paper (pdf) (and presentation), “Insecurity of Mobile Banking… and of other apps” by Eric Filiol and Paul Irolla of the ESIEA Operational Cryptology and Virology Lab, that recently became available at Black Hat Asia 2015. The research paper says…

“Almost all (banking) applications dynamically load the graphical content of their pages from a remote server. The possibility offered by mobile development to execute html and Javascript is pushing companies to outsource the application content: what has been done for a web site can be copied almost unchanged for an application”

The authors are French, so we can excuse them if the above doesn’t read that well, but I think what they are saying is that because banks already have a secure web site accessible via the browser, most are re-using it within their mobile apps.

I guess the assumption banks are making is that any checking, such as login and intrusion detection, is already there and proven, so it’s best to re-use these mechanisms as they are considered to be secure. Unfortunately, that assumption is very wrong. By using WebViews to render server-side screens they have exposed themselves to the area of the phone software that has the most (and most complex) vulnerabilities. For example, the login might be on a web page on some server, but by rendering a remote page there’s the possibility of extra unwanted things being loaded that might do literally anything, such as log keys and read data in files or memory. I have also yet to see a reliable implementation of certificate pinning that works with WebViews.

The authors also claim…

“Furthermore, there is at least one vulnerability affecting webview. This vulnerability has not been disclosed by Google and consequently Google will not publish any security patch to correct it for version 4.3 and prior versions. It is therefore a major vulnerability which allows a third party to take control over the phone.”

You can read the paper (pdf), slides (pdf) and a similar presentation (video) from December that analyses some well-known banking apps to show they aren’t that secure. If you really must use WebViews, you might also read my guidelines on how to be careful with WebViews on Android. If you are concerned about using a banking app yourself then you can read my basic advice for consumers.
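To make the WebView concerns above concrete, here is an added example (not code from the original post or from the ESIEA paper) of the minimum lock-down I would expect in an Android app that must render remote banking screens: an https-only host allowlist for navigation, file and content access disabled, the system-injected bridge object removed, and TLS errors never bypassed. The host name is a placeholder and minSdk ≥ 11 is assumed; it does not attempt certificate pinning, and the allowlist filters only top-level navigation, not the sub-resources a remote page pulls in.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.*;
import java.util.*;

public final class HardenedWebView {
    // Hosts the WebView may navigate to; "bank.example.com" is a placeholder.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("bank.example.com"));

    /** True only for https URLs whose host is on the allowlist. */
    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equalsIgnoreCase(u.getScheme()) && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
    }

    /** The initial load goes through the same check as later navigations. */
    public static boolean loadIfAllowed(WebView wv, String url) {
        if (!isAllowed(url)) return false;
        wv.loadUrl(url);
        return true;
    }

    public static void configure(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(false);   // enable only if the pages truly need it
        s.setAllowFileAccess(false);     // no file:// reads of the app sandbox
        s.setAllowContentAccess(false);  // no content:// provider reads
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        // Remove the system-injected bridge object present on older releases and
        // register no JavascriptInterface objects of your own (assumes minSdk >= 11).
        wv.removeJavascriptInterface("searchBoxJavaBridge_");
        wv.setWebViewClient(new WebViewClient() {
            @Override // filters top-level navigation only, not sub-resource loads
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                return !isAllowed(url); // returning true blocks the navigation
            }
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.cancel(); // never proceed past a TLS error
            }
        });
    }
}
```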

Thoughts on Google’s Bluetooth LE Eddystone and Cloud APIs

Google announced their Eddystone open Bluetooth LE beacon protocol today, and corresponding APIs that allow Eddystone (and Apple iBeacon) information to be stored in Google’s cloud, to which arbitrary information (text, images etc) can be attached. Google have also introduced a Monitor Beacons API so that the health of beacons can be monitored. What does this mean for the cross-platform (iOS and Android) developer?

The Beacon Hardware: First of all, existing iBeacon hardware won’t automatically work with (transmit data for) Eddystone. Bluvision, Estimote, Kontakt.io, Radius Networks and Signal360 have already updated their beacons, but these companies represent a small part of the beacon hardware market. As a small sample, the Bluetooth LE apps I have created for clients don’t use these beacons. Maybe other manufacturers will upgrade their beacons in time? Without Eddystone, Android (4.3+) can already sense iBeacons and infer distance, so it might seem there’s no urgency to use Eddystone. However, from experience, I know the extra features provided by Eddystone, such as monitoring battery life, are really needed and are not a gimmick – this itself might encourage demand for Eddystone. By the way, upgrading beacons will enable them for both iBeacon AND Eddystone, such that they alternately transmit in each format, so it’s not a case of supporting one or the other (or having two separate beacons for each protocol).

The Cloud API: This is interesting as it’s a free way of associating content with a beacon, irrespective of whether you are using Eddystone or not. Obviously, if you only store iBeacons then you won’t get the extra benefits of the health monitoring. Note that it’s only an API and not a web interface. You will still need to create your own web interface for your customers that, in turn, uses the Google cloud API to register beacons and map your business objects into the ‘arbitrary’ content to attach to a beacon. From there, it’s only a small extra step to also provide a device JSON API yourself. I am not sure yet why people might choose to use Google’s API other than to later participate in the upcoming changes to the Google Places API to make beacons globally visible – something that will probably benefit Google more than the information provider, who in many (but not all) cases will want to keep the content in their own app(s).

Update: My assumption that upgrading beacons will enable them for both iBeacon AND Eddystone, such that they alternately transmit in each format, was wrong. The Estimote blog explains that while this is technically possible and “makes a ton of sense”, it isn’t legally possible if hardware vendors wish to remain officially iBeacon compatible, as Apple “don’t allow other frames”. I now expect this to seriously limit the take-up of Eddystone, as many companies still work on an iOS-first basis. Solution providers will have to select iBeacon OR Eddystone. For cross-platform solutions, using iBeacons will give better iOS background detection, while using Eddystone will give access to beacon health information and future integration into Google Places.

Android Click on Web Link to Run Arbitrary Code

In the past I have mentioned the need to be careful about using WebViews in apps, particularly apps that are security sensitive. The number and complexity of WebView vulnerabilities are such that a pragmatic approach might be to not use WebViews in security-sensitive apps. Recent news has shown that the same vulnerabilities can be a security problem for the Chrome web browser app itself.

If you have been following the IT news, particularly the security news, you will know that the Italian spyware company Hacking Team recently got hacked themselves and their source code was posted on the Internet.

It turns out they developed an Android ‘remote2local’ exploit that cleverly combines three known Chrome vulnerabilities and the root-enabling put_user or TowelRoot vulnerabilities to allow pre-defined code to be executed as root from the user simply clicking on a link in the browser. The details are on the Tencent blog (Google translated).

How bad is this? The Hacking Team have a compatibility file that says it covers Android 4.0 to 4.3 and lists some tested devices…

[Image: remote2local compatibility file]

One of the vulnerabilities, CVE-2012-2825 (arbitrary memory read), was fixed in June 2012 and another, CVE-2012-2871 (heap buffer overflow), was fixed in August 2012, so end users allowing Chrome and WebView to update via the Play Store will have had these vulnerabilities fixed a long time ago.

However, this demonstrates how vulnerabilities can be combined to run code as root without the user even knowing. The Hacking Team compatibility file and subsequent vulnerability fixes show that in some ways Android’s fragmentation aids security. It’s difficult for exploits to cover all types of Android OS and device, and they usually only work on a smaller subset of devices. As I previously mentioned, this won’t be much consolation to large companies with thousands of employees or customers, which greatly multiply the chances of encountering exploits that might end up accessing sensitive company information.

Android for Embedded Development Survey Findings

VIA Technologies have a new survey (pdf) of their customers, from a range of embedded backgrounds, asking them about their use of Android for embedded applications.

[Image: VIA embedded Android survey findings]

TI SensorTag

Up to now most low-power Bluetooth beacons have been fairly limited devices that only transmit simple information that can be used for ‘presence’ based applications. Some can send extra information such as battery life to the phone, and some you can remotely cause to beep or flash, but most of the innovative ideas have revolved around using them to detect presence and trigger content to be shown, for example, in retail stores or museums.

TI have something interesting with their new CC2650 SensorTag, which connects to Android or iOS (as an iBeacon) and supports up to 10 low-power sensors: ambient light, digital microphone, magnetic sensor, humidity, pressure, accelerometer, gyroscope, magnetometer, object temperature and ambient temperature.

[Image: TI SensorTag]

[Image: SensorTag block diagram]

The possibilities suddenly become far more exciting and seemingly endless. For example, in sport you might attach one to your sports equipment (racquet, golf club or whatever) to analyse technique. In health, you might attach one to yourself or someone else (elderly?) to detect movement. In security, they might be attached to high-value items to protect against theft, dampness or extreme movement, or used as the basis for a home security system.

The CC2650 is available as a tag for $29, or the chip that does the work is available in large quantities, for use in your own hardware designs, for around $6.

Update: Looking closer at the one I have purchased, the $29 tag has a very restricted licence that says you can’t use it in a finished product or production solution – presumably mainly because it’s not FCC approved. It’s for evaluation purposes only. That’s a shame, as it’s a large step to have to integrate the chip in your own board, even if you base it on their ‘open’ hardware design.

Future Opportunities in Mobile

Current opportunities in mobile have been driven by the huge growth in mobile device shipments. So, what types of connected devices are people using now, and how is this likely to change in the next few years?

Gartner has some new research that shows that while the PC market will decline about 4% this year, it will recover in 2016 and grow in 2017. However, the non-phone market of 540 million devices/yr is small compared to the mobile phone market, which is 1,940 million devices/yr. By 2017 these are expected to be 566 million/yr and 2,628 million/yr respectively.

[Image: Gartner device shipments]

What does this mean for developers? We have reached a period of relative stability where both the PC and phone markets have levelled off. If you develop generic apps for the PC/Mac or for mobile you can expect your market to remain about the same size for the next few years.

I believe that if you are seeking growth areas then you need to be more specialised and also look for B2B or white label opportunities. Health, insurance, retail, interfacing with IoT devices, security, cloud and big data seem to be the obvious areas.

Malware Motivations

Yesterday I wrote about how we shouldn’t necessarily ignore malware. GDATA has new research into current Android malware. They also have a free report (pdf). There are about 4900 new malware samples every day – that’s a new malware sample every 18 seconds.

[Image: financially motivated malware]

About 50% of the malware is financially motivated, attempting to steal financial details, send premium SMS or lock the device (ransomware).

If you are an Android user, you might want to read my advice for consumers. App developers should read my guidelines on securing data and code.