Mobile Security and HTML5

Smartphones and tablets have plenty of computing power to host malware, and they are simultaneously connected to the Internet via a cellular connection and to the LAN via Wi-Fi. So everybody in your organization has in their pocket a device capable of bypassing your firewall.

The good news is that smartphone OSes were designed recently enough that their creators were able to build security into the platforms using techniques like ARM TrustZone and “chain of trust.” Technologies of this type are merely optional on PCs. Plus, the Android and iPhone app stores tightly control the applications that they distribute, and most people don’t take the trouble to avoid this protection. With these system-level and application-level protections, smartphones and tablets are intrinsically less vulnerable than PCs.

But there’s plenty of bad news, too. The chain of trust isn’t foolproof, and malicious code can get through the app store certification process.

On top of these traditional threats, a new one looms: HTML 5. Adobe Flash is so notoriously vulnerable that Steve Jobs refused to let it onto the iPhone. Adobe has now thrown in the towel, and committed to HTML 5 instead. HTML 5 is presumably safer than Flash, but it is untried, and it has powerful access to the platform more akin to a native app than to traditional HTML.

This means that we can expect a rising tide of smartphone-related security breaches.

ABI projects rapid uptake of 802.11ac

An interesting graphic from ABI research projects ongoing rapid growth in Wi-Fi in phones out to 2017, when the penetration will be approaching 100%. This doesn’t seem to be unrealistically fast to me, since the speed at which feature phones have been displaced by low-cost smartphones implies that by that time practically all phones will be smartphones, and since carriers are increasingly attracted to Wi-Fi for data offload from their cellular networks.

The graphic also shows rapid transition from 802.11n to 802.11ac starting next year.

Wi-Fi Penetration in Mobile Handsets by Protocol World Market, Forecast 2010-2017

Sharing Wi-Fi Update

Back in February 2009 I wrote about how Atheros’ new chip made it possible for a phone to act as a Wi-Fi hotspot. A couple of months later, David Pogue wrote in the New York Times about a standalone device to do the same thing, the Novatel MiFi 2200. The MiFi is a Wi-Fi access point with a direct connection to the Internet over a cellular data channel. So you can have “a personal Wi-Fi bubble, a private hot spot, that follows you everywhere you go.”

The type of technology that Atheros announced at the beginning of 2009 was put on a standards track at the end of 2009; the “Wi-Fi Direct” standard was launched in October 2010. So far about 25 products have been certified. Two phones have already been announced with Wi-Fi Direct built-in: the Samsung Galaxy S and the LG Optimus Black.

Everybody has a cell phone, so if a cell phone can act as a MiFi, why do you need a MiFi? It’s another by-product of the dysfunctional billing model of the mobile network operators. If they simply bit the bullet and charged à la carte by the gigabyte, they would be happy to encourage you to use as many devices as possible through your phone.

Wi-Fi Direct may force a change in the way that network operators bill. It is such a compelling benefit to consumers, and so trivial to implement for the phone makers, that the mobile network operators may not be able to hold it back.

So if this capability proliferates into all cell phones, we will be able to use Wi-Fi-only tablets and laptops wherever we are. This seems to be bad news for Novatel’s MiFi and for cellular modems in laptops. Which leads to another twist: Qualcomm’s Gobi is by far the leading cellular modem for laptops, and Qualcomm just announced that it is acquiring Atheros.

Video calling from your cell phone

Although phone numbers are an antiquated kind of thing, we are sufficiently beaten down by the machines that we think of it as natural to identify a person by a 10 digit number. Maybe the demise of the numeric phone keypad as big touch-screens take over will change matters on this front. But meanwhile, phone numbers are holding us back in important ways. Because phone numbers are bound to the PSTN, which doesn’t carry video calls, it is harder to make video calls than voice, because we don’t have people’s video addresses so handy.

This year, three new products attempted to address this issue in remarkably similar ways – clearly an idea whose time has come. The products are Apple’s FaceTime, Cisco’s IME and a startup product called Tango.

In all three of these products, you make a call to a regular phone number, which triggers a video session over the Internet. You only need the phone number – the Internet addressing is handled automatically. The two problems the automatic addressing has to handle are finding a candidate address, then verifying that it is the right one. Here’s how each of those three new products does the job:

1. FaceTime. When you first start FaceTime, it sends an SMS (text message) to an Apple server. The SMS contains sufficient information for the Apple server to reliably associate your phone number with the XMPP (push services) client running on your iPhone. With this authentication performed, anybody else who has your phone number in their address book on their iPhone or Mac can place a videophone call to you via FaceTime.

2. Cisco IME (Inter-Company Media Engine). The protocol used by IME to securely associate your phone number with your IP address is ViPR (Verification Involving PSTN Reachability), an open protocol specified in several IETF drafts co-authored by Jonathan Rosenberg, who is now at Skype. ViPR can be embodied in a network box like IME, or in an endpoint like a phone or PC.
Here’s how it works: you make a phone call in the usual way. After you hang up, ViPR looks up the phone number you called to see if it is also ViPR-enabled. If it is, ViPR performs a secure mutual verification, by using proof-of-knowledge of the previous PSTN call as a shared secret. The next time you dial that phone number, ViPR makes the call through the Internet rather than through the phone network, so you can do wideband audio and video with no per-minute charge. A major difference between ViPR and FaceTime or Tango is that ViPR does not have a central registration server. The directory that ViPR looks up phone numbers in is stored in a distributed hash table (DHT). This is basically a distributed database with the contents stored across the network. Each ViPR participant contributes a little bit of storage to the network. The DHT itself defines an algorithm – called Chord – which describes how each node connects to other nodes, and how to look up information.

3. Tango, like FaceTime, has its own registration servers. The authentication on these works slightly differently. When you register with Tango, it looks in the address book on your iPhone for other registered Tango users, and displays them in your Tango address book. So if you already know somebody’s phone number, and that person is a registered Tango user, Tango lets you call them in video over the Internet.
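The proof-of-knowledge step described for ViPR in item 2, as a simplified example added here (not code from the IETF drafts or from Cisco): two endpoints that both logged the same PSTN call derive a key from it and authenticate each other by challenge-response. The HMAC-SHA256 exchange, the record format, and the names `Endpoint`, `call_secret` and `mutual_verify` are assumptions for illustration, and both sides are assumed to record identical timestamps.

```python
import hashlib
import hmac
import secrets

def call_secret(caller, callee, start, end):
    """Key derived from one completed PSTN call (record format is constructed)."""
    record = f"{caller}|{callee}|{start}|{end}".encode()
    return hashlib.sha256(record).digest()

def proof(key, role, nonce_o, nonce_r):
    """HMAC over both nonces; the role label stops a proof being reflected back."""
    return hmac.new(key, role + nonce_o + nonce_r, hashlib.sha256).digest()

class Endpoint:
    def __init__(self, number, call_log):
        self.number = number
        self.call_log = call_log  # tuples of (caller, callee, start_epoch, end_epoch)

    def keys_for(self, peer):
        """Secrets for every logged call between this endpoint and peer."""
        return [call_secret(*c) for c in self.call_log
                if {c[0], c[1]} == {self.number, peer}]

def mutual_verify(originator, responder):
    """True only if both sides prove knowledge of the same earlier call."""
    nonce_o, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    own = originator.keys_for(responder.number)
    if not own:
        return False
    key = own[-1]  # most recent call to that number
    sent = proof(key, b"orig", nonce_o, nonce_r)
    # Responder tries each call it logged with the originator's number.
    match = next((k for k in responder.keys_for(originator.number)
                  if hmac.compare_digest(proof(k, b"orig", nonce_o, nonce_r), sent)),
                 None)
    if match is None:
        return False  # responder cannot confirm the call took place
    reply = proof(match, b"resp", nonce_o, nonce_r)
    # Originator accepts only a reply made with the same call record.
    return hmac.compare_digest(proof(key, b"resp", nonce_o, nonce_r), reply)

# Constructed sample data: one real call, and an endpoint that only guesses at it.
A, B = "+14085550100", "+16505550123"
CALL = (A, B, 1286300000, 1286300185)
ALICE = Endpoint(A, [CALL])
BOB = Endpoint(B, [CALL])
IMPOSTOR = Endpoint(B, [(A, B, 1286300000, 1286300190)])  # wrong end time
```

Call times carry little entropy, so a production design would run this check inside a password-authenticated key exchange rather than sending raw HMACs.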

ITExpo West — Achieving HD Voice On Smartphones

I will be moderating a panel discussion at ITExpo West on Tuesday 5th October at 11:30 am in room 306B: “Achieving HD Voice On Smartphones.”

Here’s the session description:

The communications market has been evolving to fixed high definition voice services for some time now, and nearly every desktop phone manufacturer is including support for G.722 and other codecs now. Why? Because HD voice makes the entire communications experience a much better one than we are used to.

But what does it mean for the wireless industry? When will wireless communications become part of the HD revolution? How will handset vendors, network equipment providers, and service providers have to adapt their current technologies in order to deliver wireless HD voice? How will HD impact service delivery? What are the business models around mobile HD voice?

This session will answer these questions and more, discussing both the technology and business aspects of bringing HD into the mobile space.

The panelists are:

This is a deeply experienced panel; each of the panelists is a world-class expert in his field. We can expect a highly informative session, so come armed with your toughest questions.

Genuine Disruption from PicoChip

Clayton Christensen turned business thinking upside-down in 1997 with his book “The Innovator’s Dilemma” where he popularized his term “disruptive technology” in an analysis of the disk drive business. Since then abuse and over-use have rendered the term a meaningless cliche, but the idea behind it is still valid: well-run large companies that pay attention to their customers and make all the right decisions can be defeated in the market by upstarts that emerge from low-end niches with lower-cost, lower performance products.

PicoChip is following Christensen’s script faithfully. First it made a low-cost consumer-oriented chip that performed many of the functions of a cellular base station. Now it has added in some additional base station functions to address the infrastructure market.

Traditional infrastructure makers now face the prospect of residential device economics moving up to the macrocell.
From Rethink Wireless

Intel Infineon: history repeats itself

Unlike its perplexing McAfee move, Intel had to acquire Infineon. Intel must make the Atom succeed. The smartphone market is growing fast, and the media tablet market is in the starting blocks. Chips in these devices are increasingly systems-on-chip, combining multiple functions. To sell application processors in phones, you must have a baseband story. Infineon’s RF expertise is a further benefit.

As Linley Gwennap said when he predicted the acquisition a month ago, the fit is natural. Intel needs 3G and LTE basebands, Infineon has no application processor.

Linley also pointed out Intel’s abysmal track record for acquisitions.

Intel has been through this movie before, for the same strategic reasons. It acquired DSP Communications in 1999 for $1.6 Bn. The idea there was to enter the cellphone chip market with DSP’s baseband plus the XScale ARM processor that Intel got from DEC. It was great in theory, and XScale got solid design wins in the early smart-phones, but Intel neglected XScale, letting its performance lead over other ARM implementations dwindle, and its only significant baseband customer was RIM.

In 2005, Paul Otellini became CEO; at that time AMD was beginning to make worrying inroads into Intel’s market share. Otellini regrouped – he focused in on Intel’s core business, which he saw as being “Intel Architecture” chips. But XScale runs an instruction set architecture that competes with IA, namely ARM. So rather than continuing to invest in its competition, Intel instead dumped off its flagging cellphone chip business (baseband and XScale) to Marvell for $0.6 Bn, and set out to create an IA chip that could compete with ARM in size, power consumption and price. Hence Atom.

But does instruction set architecture matter that much any more? Intel’s pitch on Atom-based netbooks was that you could have “the whole Internet” on them, including the parts that run only on IA chips. But now there are no such parts. Everything relevant on the Internet works fine on ARM-based systems like Android phones. iPhones are doing great even without Adobe Flash.

So from Intel’s point of view, this decade-later redo of its entry into the cellphone chip business is different. It is doing it right, with a coherent corporate strategy. But from the point of view of the customers (the phone OEMs and carriers) it may not look so different. They will judge Intel’s offerings on price, performance, power efficiency, wireless quality and how easy Intel makes it to design-in the new chips. The same criteria as last time.

Rethink Wireless has some interesting insights on this topic…

Dual Mode Phone Trends Update 4

We are half way through the year, so it’s time for another look at Wi-Fi phone certifications. Three things jump out this time. First, a leap in the number of Wi-Fi phone models in the second quarter of 2010. Second, the arrival of 802.11n in handsets, and third Samsung’s market-leading commitment to 802.11n. According to Rethink Wireless “Samsung’s share of the smartphone market was only about 5% in Q1 but it aims to increase this to almost 15% by year end.” Samsung Wi-Fi-certified a total of 73 dual mode phones in the first six months of 2010, three times as many as second place LG with 23. In the 11n category, Samsung’s lead was even more dominating: its 40 certifications were ten times either of the second place OEMs.

Here is a chart of dual mode phones certified with the Wi-Fi Alliance from 2008 to June 30th 2010. We usually do this chart stacked, but side-by-side gives a clearer comparison between feature phones and smart phones. Note that up to the middle of 2009, smart phones outpaced feature phones, but then it switched. This is a natural progression of Wi-Fi into the mass market, but may also be exaggerated by a quirk of reporting: of HTC’s 17 certifications in the first half of 2010, it only categorized one as a smart phone.
Dual mode phones by quarter 2008-2010

The chart below shows the growth of 802.11n. It starts in January 2010 because only one 11n phone was certified in 2009, at the end of December. As you can see, the growth is strong. I anticipate that practically all new dual mode phone certifications will be for 802.11n by the end of 2010.

802.11n phones 2010 by month

Below is the same chart sliced by manufacturer instead of by month. The iPhone is missing because it wasn’t certified until July, and the iPad is missing because it’s not a phone. With only one 802.11n phone, Nokia has become a technology laggard, at least in this respect. The RIM Pearl 8100/8105 certifications are the only ones with STBC, an important feature for phones because it improves rate at distance. All the major chips (except those from TI) support STBC, so the phone OEMs must be either leaving it disabled or just not bothering to certify for it.

802.11n phones 2010 by manufacturer

All you can eat?

The always good Rethink Wireless has an article, “AT&T sounds deathknell for unlimited mobile data.”

It points out that with “3% of smartphone users now consuming 40% of network capacity,” the carrier has to draw a line. Presumably because if 30% of AT&T’s subscribers were to buy iPhones, they would consume 400% of the network’s capacity.

Wireless networks are badly bandwidth constrained. AT&T’s woes with the iPhone launch were caused by lack of backhaul (wired capacity to the cell towers), but the real problem is on the wireless link from the cell tower to the phone.

The problem here is one of setting expectations. Here’s an excerpt from AT&T’s promotional materials: “Customers with capable LaptopConnect products or phones, like the iPhone 3G S, can experience the 7.2 [megabit per second] speeds in coverage areas.” A reasonable person reading this might think that it is an invitation to do something like video streaming. Actually, a single user of this bandwidth would consume the entire capacity of a cell-tower sector:
HSPA cell capacity per sector per 5 MHz
Source: High Speed Radio Access for Mobile Communications, edited by Harri Holma and Antti Toskala.

This provokes a dilemma – not just for AT&T but for all wireless service providers. Ideally you want the network to be super responsive, for example when you are loading a web page. This requires a lot of bandwidth for short bursts. So imposing a bandwidth cap, throttling download speeds to some arbitrary maximum, would give users a worse experience. But users who use a lot of bandwidth continuously – streaming live TV for example – make things bad for everybody.

The cellular companies think of users like this as bad guys, taking more than their share. But actually they are innocently taking the carriers up on the promises in their ads. This is why the Rethink piece says “many observers think AT&T – and its rivals – will have to return to usage-based pricing, or a tiered tariff plan.”

Actually, AT&T already appears to have such a policy – reserving the right to charge more if you use more than 5GB per month. This is a lot, unless you are using your phone to stream video. For example, it’s over 10,000 average web pages or 10,000 minutes of VoIP. You can avoid running over this cap by limiting your streaming videos and your videophone calls to when you are in Wi-Fi coverage. You can still watch videos when you are out and about by downloading them in advance, iPod style.

This doesn’t seem particularly burdensome to me.