Wirevolution

Enterprise Mobile Security


Archive for the ‘smartphone’ Category

Gesture recognition in smartphones

Wednesday, November 13th, 2013

This piece from the Aberdeen Group shows accelerometers and gyroscopes becoming universal in smartphones by 2018.

Accelerometers were exotic in smartphones when the first iPhone came out – used mainly for sensing the orientation of the phone for displaying portrait or landscape mode. Then came the idea of using them for dead-reckoning-assist in location-sensing. iPhones have always had accelerometers; since all current smartphones are basically copies of the original iPhone, it is actually odd that some smartphones lack accelerometers.

Predictably, when supplied with a hardware feature, the app developer community came up with a ton of creative uses for the accelerometer: magic tricks, pedometers, air-mice, and even user authentication based on waving the phone around.

Not all sensor technologies are so fertile. For example the proximity sensor is still pretty much only used to dim the screen and disable the touch sensing when you hold the phone to your ear or put it in your pocket.

So what about the user-facing camera? Is it a one-trick pony like the proximity sensor, or a springboard to innovation like the accelerometer? Although videophoning has been a perennial bust, I would argue for the latter: the you-facing camera is pregnant with possibilities as a sensor.

Looking at the Aberdeen report, I was curious to see “gesture recognition” on a list of features that will appear on 60% of phones by 2018. The others on the list are hardware features, but once you have a camera, gesture recognition is just a matter of software. (The Kinect is a sidetrack to this, provoked by lack of compute power.)

In a phone, compute power means battery-drain, so that’s a limitation to using the camera as a sensor. But each generation of chips becomes more power-efficient as well as more powerful, and as phone makers add more and more GPU cores, the developer community delivers new useful uses for them that max them out.

Gesture recognition is already here with Samsung, and soon every Android device. The industry is gearing up for innovation in phone based computer vision with OpenVX from Khronos. When always-on computer vision becomes feasible from a power-drain point of view, gesture recognition and face tracking will look like baby-steps. Smart developers will come up with killer applications that are currently unimaginable. For example, how about a library implementation of Paul Ekman’s emotion recognition algorithms to let you know how you are really feeling right now? Or, in concert with Google Glass, so you will never again be oblivious to your spouse’s emotional temperature.

Update November 19th: Here's some news and a little bit of technology background on this topic…

Update November 22: It looks like a company is already engaged on the emotion-recognition technology.

BYOD Cyber-Security. How concerned should you be?

Tuesday, May 14th, 2013

According to ComputerWeekly.com, “Nearly half of firms supporting BYOD report data breaches.” PWC’s 2013 Information Security Breaches Survey said “9% of large organisations had a security or data breach in the last year involving smartphones or tablets.” But as you know, correlation is not causation, and those quotes may imply a greater danger from BYOD than has yet been observed.

One of the most authoritative and exhaustive analyses of cyber security is Verizon’s annual “Data Breach Investigations Report.” The 2013 edition of the report analyzes over 47,000 ‘security incidents,’ including 621 ‘data breaches.’ It says:

The “Bring Your Own Device” (BYOD) trend is a current topic of debate and planning in many organizations. Unfortunately, we don’t have much hard evidence to offer from our breach data. We saw only one breach involving personally-owned devices in 2011 and a couple more in 2012.

So if your main concern is corporate data breach, the situation is not yet as dire on the mobile side as it is on the non-mobile side. But the Verizon report cautions:

Obviously mobile malware is a legitimate concern. Nevertheless, data breaches involving mobile devices in the breach event chain are still uncommon in the types of cases Verizon and our DBIR partners investigate. However, we do expect them to make more of an appearance in our data as mobile payment systems continue to become more common.

Two reports that focus on mobile malware are Trend Micro’s “Mobile Threat and Security Roundup,” and one I mentioned in a previous post, BlueCoat’s “2013 Mobile Malware Report.”

According to Trend:

In 2012, we detected 350,000 malicious and high-risk Android app samples, showing a significant increase from the 1,000 samples seen in 2011. It took less than three years for malicious and high-risk Android apps to reach this number—a feat that took Windows malware 14 years.

Just as Windows malware varied, so did Android malware—around 605 new malicious families were detected in 2012. Premium service abusers, which charge users for sending text messages to a premium-rate number, comprised the top mobile threat type, with transactions typically costing users US$9.99 a month. And victims of mobile threats didn’t just lose money, they also lost their privacy. The issue of data leakage continued to grow as more ad networks accessed and gathered personal information via aggressive adware.

Aggressive adware in mobile devices are now similar to the notorious spyware, adware, and click-fraud malware rampant in the early days of the PC malware era. They, like PC malware, generate profit by selling user data. PC malware took advantage of loopholes in legitimate ads and affiliate networks, while today’s aggressive adware can cause data leakages that aren’t always limited to malicious apps. Even popular and legitimate apps can disclose data.

The BlueCoat report concurs with this assessment:

Mobile threats are still largely mischiefware – they have not yet broken the device’s security model but are instead more focused on for-pay texting scams or stealing personal information.

So mobile malware is exploding, but so far targeting individuals in relatively trivial thefts. The Trend report observes that mobile threats are recapitulating the history of computer threats, but faster. Expect to see the mobile device threat level increase.

Mobile Malware Update

Friday, March 22nd, 2013

Blue Coat Systems has published an interesting report on the state of mobile malware. The good news is that in the words of the report “the devices’ security model” is not yet “broken.” This means that smartphones and tablets are still rarely hijacked by viruses in the way that computers commonly are.

Now for the bad news. On the Android side (though apparently not yet on the iOS side), virus-style hijackings have begun to appear:

Blue Coat WebPulse collaborative defense first detected an Android exploit in real time on February 5, 2009. Since then, Blue Coat Security Labs has observed a steady increase in Android malware. In the July-September 2012 quarter alone, Blue Coat Security Labs saw a 600 percent increase in Android malware over the same period last year.

But this increase is from a minuscule base, and this type of threat is still relatively minor on mobile devices. Instead the report says, “user behavior becomes the Achilles heel.” The main mobile threats are from what the report calls “mischiefware.”

Mischiefware works by enticing the user into doing something unintentional. The two main categories of Mischiefware are:

  1. Phishing, which tricks users into disclosing personal information that can be used for on-line theft.
  2. Scamming, which tricks users into paying far more than they expect for something – like for-pay text (SMS) messages or in-app purchases. Even legitimate service providers can be guilty of this type of ‘gotcha’ activity, with rapacious international data roaming charges, or punitive overage charges on monthly ‘plans.’

“User behavior becomes the Achilles Heel” is hardly a revelation. A more appropriate phrase would be “User behavior remains the Achilles Heel,” since in this respect the mobile world is no different from the traditional networking world.

Mobile Security and HTML5

Friday, March 8th, 2013

Smartphones and tablets have plenty of computing power to host malware, and they are simultaneously connected to the Internet via a cellular connection and to the LAN via Wi-Fi. So everybody in your organization has a device capable of by-passing your firewall in their pocket.

The good news is that smartphone OSes were designed recently enough that their creators were able to build security into the platforms using techniques like ARM TrustZone, and “chain of trust.” Technologies of this type are merely optional on PCs. Plus, the Android and iPhone app stores tightly control the applications that they distribute, and most people don’t take the trouble to avoid this protection. With these system-level and application-level protections, smartphones and tablets are intrinsically less vulnerable than PCs.

But there’s plenty of bad news, too. The chain of trust isn’t foolproof, and malicious code can get through the app store certification process.

On top of these traditional threats, a new one looms: HTML 5. Adobe Flash is so notoriously vulnerable that Steve Jobs refused to let it onto the iPhone. Adobe has now thrown in the towel, and committed to HTML 5 instead. HTML 5 is presumably safer than Flash, but it is untried, and it has powerful access to the platform more akin to a native app than to traditional HTML.

This means that we can expect a rising tide of smartphone-related security breaches.

Big Brother

Wednesday, January 16th, 2013

Some ideas are so obvious once you hear them that you feel like you already had them yourself. One such is a new application for Wi-Fi from a company called Euclid Analytics.

Euclid’s idea is to provide Google Analytics-style information on foot traffic in retail stores. They implement it using the Wi-Fi on smart phones. This is technologically trivial: if you leave the Wi-Fi on your phone turned on, it will periodically transmit Wi-Fi packets, for example ‘probe requests.’ Every packet transmitted by a device contains a unique identifier for that device, the MAC address. So by gathering this information from a Wi-Fi access point, Euclid can tell how often and for how long each device is in the vicinity. Presumably enough people have Wi-Fi on their phones by now to gather statistically representative data for analytics purposes.
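
To show how little data the correlation described above needs, here is an added example (not Euclid's code and not part of the original post) that turns probe-request sightings into visit counts and dwell time per MAC address. The record format, the 15-minute visit gap, the function names and every address are assumptions constructed for illustration; it also flags locally administered addresses, which are not burned-in identifiers and so do not link one visit to the next.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source MAC) pairs as an access point might log
# them from probe requests. All addresses are made up for this example; the last
# two rows model one phone that uses a different randomized address each time.
SIGHTINGS = [
    ("2013-01-14 10:00:05", "3c:15:c2:aa:bb:01"),
    ("2013-01-14 10:04:40", "3c:15:c2:aa:bb:01"),
    ("2013-01-14 10:12:10", "3c:15:c2:aa:bb:01"),
    ("2013-01-14 10:02:00", "00:26:08:11:22:33"),
    ("2013-01-15 17:30:00", "3c:15:c2:aa:bb:01"),
    ("2013-01-15 17:41:30", "3c:15:c2:aa:bb:01"),
    ("2013-01-14 10:03:00", "da:a1:19:00:00:01"),
    ("2013-01-14 10:09:00", "5e:77:42:00:00:02"),
]

VISIT_GAP = timedelta(minutes=15)  # assumption: longer silence ends a visit


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def visits_by_device(sightings, gap=VISIT_GAP):
    """Group sightings per MAC into visits: {mac: [(start, end), ...]}."""
    times = defaultdict(list)
    for stamp, mac in sightings:
        times[mac.lower()].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    visits = {}
    for mac, seen in times.items():
        seen.sort()
        spans = [[seen[0], seen[0]]]
        for t in seen[1:]:
            if t - spans[-1][1] <= gap:
                spans[-1][1] = t          # still the same visit, extend it
            else:
                spans.append([t, t])      # gap exceeded, a new visit starts
        visits[mac] = [(start, end) for start, end in spans]
    return visits


def summarize(sightings):
    """Per-MAC visit count, total dwell time, and whether the MAC is stable."""
    report = {}
    for mac, spans in visits_by_device(sightings).items():
        report[mac] = {
            "visits": len(spans),
            "dwell_seconds": int(sum((e - s).total_seconds() for s, e in spans)),
            "stable_identifier": not is_locally_administered(mac),
        }
    return report


if __name__ == "__main__":
    for mac, row in sorted(summarize(SIGHTINGS).items()):
        print(mac, row)
```
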

The Euclid technology doesn’t require your opt-in, and it doesn’t need to be tied to Wi-Fi. The concept can trivially be extended to any phone (not just Wi-Fi equipped ones) by using cellular packets rather than Wi-Fi, and for people with no phone, face recognition with in-store cameras. For this kind of application even 90% accuracy on the face recognition would be useful.

One of the only four choices on Euclid’s website’s navigation menu is Privacy. Privacy gets this prominent treatment because the privacy issues raised by this technology are immense.

Gathering this kind of information for one store – anonymous traffic by time, duration of stay, repeat visits and so on doesn’t seem too intrusive on individuals, but Euclid will be tempted to aggregate it across all the stores in the world, and to correlate its data with other data that stores already gather, like point of sale records.

Many technology sophisticates I talk with tell me that it is naive to expect any privacy whatsoever in the Internet age, and I guess this is another example. Euclid will effectively know where you are most of the time, but it won’t know much more than your cellular provider, or any of the app vendors to whom you have given location permission on your phone.

ABI projects rapid uptake of 802.11ac

Wednesday, October 24th, 2012

An interesting graphic from ABI research projects ongoing rapid growth in Wi-Fi in phones out to 2017, when the penetration will be approaching 100%. This doesn’t seem to be unrealistically fast to me, since the speed at which feature phones have been displaced by low-cost smartphones implies that by that time practically all phones will be smartphones, and since carriers are increasingly attracted to Wi-Fi for data offload from their cellular networks.

The graphic also shows rapid transition from 802.11n to 802.11ac starting next year.

[Figure: Wi-Fi Penetration in Mobile Handsets by Protocol, World Market, Forecast 2010-2017]

ITExpo: BYOD – The New Mobile Enterprise

Sunday, September 9th, 2012

If you are going to ITExpo West 2012 in Austin, make sure you attend my panel on this topic at 1:30 pm on Wednesday, October 3rd.

The panelists are Jeanette Lee of Ruckus Wireless, Ed Wright of ShoreTel and John Cash of RIM.

The pitch for the panel is:

BYOD (Bring Your Own Device) has been in full swing for a couple of years now, and there’s no going back. Enterprises have adopted a policy of allowing users to use their own devices to access corporate networks and resources. With it comes the cost savings of not having to purchase as many mobile devices, and user satisfaction increases when they are able to choose their preferred devices and providers (and avoid having to carry multiple devices). But the benefits don’t come without challenges — the user experience must be preserved, security policies must accommodate these multiple devices and operating systems, and IT has to contend with managing applications and access across different platforms. This session looks at what businesses can do to mitigate risks and ensure performance while still giving your users the device freedom they demand.

Mobile Virtualization

Saturday, February 18th, 2012

According to Electronista, ARM’s next generation of chips for phones and tablets should start shipping in devices at the end of this year.

These chips are based on ARM’s big.LITTLE architecture. big.LITTLE chips aren’t just multi-core, they contain cores that are two different implementations of the same instruction set: a Cortex A7 and one or more Cortex A15s. The Cortex A7 has an identical instruction set to the A15, but is slower and more power efficient – ARM says it is the most power-efficient processor it has ever developed. The idea is that phones will get great battery life by mainly running on the slow, power-efficient Cortex A7, and great performance by using the A15 on the hopefully rare occasions when they need its muscle. Rare in this context is relative. Power management on modern phones involves powering up and powering down subsystems in microseconds, so a ‘rarely’ used core could still be activated several times in a single second.

The Cortex A15 and the Cortex A7 are innovative in another way, too: they are the first cores based on the ARMv7-A architecture. This is ARM’s first architecture with hardware support for virtualization.

Even without hardware support, virtualization on handsets has been around for a while; phone OEMs use it to make cheaper smartphones by running Android on the same CPU that runs the cellular baseband stack. ARM says:

Virtualization in the mobile and embedded space can enable hardware to run with less memory and fewer chips, reducing BOM costs and further increasing energy efficiency.

This application, running Android on the same core as the baseband, does not seem to have taken the market by storm. I presume because of performance. Even the advent of hardware support for virtualization may not rescue this application, since mobile chip manufacturers now scale performance by adding cores, and Moore’s law is rendering multicore chips cheap enough to put into mass-market smartphones.

So what about other applications? The ARM piece quoted above goes on to say:

Virtualization also helps to address safety and security challenges, and reduces software development and porting costs by man years.

In 2010 Red Bend Software, a company that specializes in manageability software for mobile phones, bought VirtualLogix, one of the three leading providers of virtualization software for phones (the other two are Trango, bought by VMware in 2008, and OK Labs).

In view of Red Bend’s market, it looks as if they acquired VirtualLogix primarily to enable enterprise IT departments to securely manage their employees’ phones. BYOD (Bring Your Own Device) is a nightmare for IT departments; historically they have kept chaos at bay by supporting only a limited number of devices and software setups. But in the era of BYOD employees demand to use a vast and ever-changing variety of devices. Virtualization enables Red Bend to add a standard corporate software load to any phone.

This way, a single phone has a split personality, and the hardware virtualization support keeps the two personalities securely insulated from each other. On the consumer side, the user downloads apps, browses websites and generally engages in risky behavior. But none of this impacts the enterprise side of the phone, which remains secure.

Droid Razr first look.

Friday, November 18th, 2011

First impression is very good. The industrial design on this makes the iPhone look clunky. The screen is much bigger, the overall feel reeks of quality, just like the iPhone. The haptic feedback felt slightly odd at first, but I think I will like it when I get used to it.

I was disappointed when the phone failed to detect my 5 GHz Wi-Fi network. This is like the iPhone, but the Samsung Galaxy S2 and Galaxy Nexus support 5 GHz, and I had assumed parity for the Razr.

Oddly, bearing in mind its dual core processor, the Droid Razr sometimes seems sluggish compared to the iPhone 4. But the Android user interface is polished and usable, and it has a significant user interface feature that the iPhone sorely lacks: a universal ‘back’ button. The ‘back’ button, like the ‘undo’ feature in productivity apps, fits with the way people work and learn: try something, and if that doesn’t work, try something else.

The Razr camera is currently unusable for me. The first photo I took had a 4 second shutter lag. On investigation, I found that if you hold the phone still, pointed at a static scene, it takes a couple of seconds to auto-focus. If you wait patiently for this to happen, watching the screen and waiting for the focus to sharpen, then press the shutter button, there is almost no shutter lag. But if you try to ‘point and shoot’ the shutter lag can be agonizingly long – certainly long enough for a kid to dodge out of the frame. This may be fixable in software, and if so, I hope Motorola gets the fix out fast.

While playing with the phone, I found it got warm. Not uncomfortably hot, but warm enough to worry about the battery draining too fast. Investigating this, I found a wonderful power analysis display, showing which parts of the phone are consuming the most power. The display, not surprisingly, was consuming the most – 35%. But the second most, 24%, was being used by ‘Android OS’ and ‘Android System.’ As the battery expired, the phone kindly suggested that it could automatically shut things off for me when the power got low, like social network updates and GPS. It told me that this could double my battery life. Even so, battery life does not seem to be a strength of the Droid Razr. Over a few days, I observed that even when the phone was completely unused, the battery got down to 20% in 14 hours, and the vast majority of the power was spent on ‘Android OS.’

So nice as the Droid Razr is, on balance I still prefer the iPhone.

P.S. I had a nightmare activation experience – I bought the phone at Best Buy and supposedly due to a failure to communicate between the servers at Best Buy and Verizon, the phone didn’t activate on the Verizon network. After 8 hours of non-activation including an hour on the phone with Verizon customer support (30 minutes of which was the two of us waiting for Best Buy to answer their phone), I went to a local Verizon store which speedily activated the phone with a new SIM.

Deciding on the contract, I was re-stunned to rediscover that Verizon charges $20 per month for SMS. I gave this a miss since I can just use Google Voice, which costs $480 less over the life of the contract.

iPhone 4S not iPhone 5

Monday, October 10th, 2011

Technically the iPhone 4S doesn’t really pull ahead of the competition: Android-based phones like the Samsung Galaxy S II.

The iPhone 4S even has some worse specifications than the iPhone 4. It is 3 grams heavier and its standby battery life is 30% less. The screen is no larger – it remains smaller than the standard set by the competition. On the other hand the user experience is improved in several ways: the phone is more responsive thanks to a faster processor; it takes better photographs; and Apple has taken yet another whack at the so-far intractable problem of usable voice control. A great benefit to Apple, though not so much to its users, is that the new Qualcomm baseband chip works for all carriers worldwide, so Apple no longer needs different innards for AT&T and Verizon (though Verizon was presumably disappointed that Apple didn’t add a chip for LTE support).

Since its revolutionary debut, the history of the iPhone has been one of evolutionary improvements, and the improvements of the iPhone 4S over the iPhone 4 are in proportion to the improvements in each of the previous generations. The 4S seems to be about consolidation, creating a phone that will work on more networks around the world, and that will remain reliably manufacturable in vast volumes. It’s a risk-averse, revenue-hungry version, as is appropriate for an incumbent leader.

The technical improvements in the iPhone 4S would have been underwhelming if it had been called the iPhone 5, but for a half-generation they are adequate. By mid-2012 several technologies will have ripened sufficiently to make a big jump.

First, Apple will have had time to move their CPU manufacturing to TSMC’s 28 nm process, yielding a major improvement in battery life from the 45 nm process of the current A5, which will be partially negated by the monstrous power of the rumored 4-core A6 design, though the Linley report cautions that it may not be all plain sailing.

Also by mid-2012 Qualcomm may have delivered a world-compatible single-chip baseband that includes LTE (aka ‘real 4G’).

But the 2012 iPhone faces a serious problem. It will continue to suffer a power, weight and thin-ness disadvantage relative to Samsung smartphones until Apple stops using LCD displays. Because they don’t require back-lighting, Super AMOLED display panels are thinner, lighter and consume less power than LCDs. Unfortunately for Apple, Samsung is the leading supplier of AMOLED displays, and Apple’s relationship with Samsung continues to deteriorate. Other LCD alternatives like Qualcomm’s Mirasol are unlikely to be mature enough to rely on by mid-2012. The mid-2012 iPhone will need a larger display, but it looks as though it will continue to be a thick, power hungry LCD.