Tuesday, February 22, 2011

Windows Phone 7 for iOS Developers

This evening I attended a very interesting event: Microsoft hosted "Windows Phone 7 for iPhone OS Developers". This was our regular Silicon Valley iOS Group meet-up, but today it was held at Microsoft headquarters in Mountain View. No, I am not dreaming. This actually happened!

Microsoft wanted to present Windows Phone 7 to iPhone developers and attract them to port their applications to Windows Phone 7. Microsoft presented the tools and the overall development methodology, and constructed an application on the fly. That was quite impressive. They also brought in a third-party development team that develops on iOS, Android and Windows Phone, and had them show their app and share the development experience across platforms.

Nice touches:

  • The development environment was based on regular Visual Studio and SQL Server 2008. They showed the development using C# and XAML.
  • The two primary development frameworks are XNA (for game development) and Silverlight.
  • There was a visual design environment where you could drag and drop design elements on a canvas, then program the events (OnClick, etc.) and edit the code-behind. This metaphor is already very well known to many developers.
  • It was very simple to develop using a DB on the local machine and then push the DB over to a remote Azure cloud. The migration of local data to the cloud (at least for a small example) was nice. Support for SQL Azure and migration tools finally seems to be coming together.
  • The programming model was built around developing against web services, which made it very simple to change.
  • Unlike Android, submission to the Windows Marketplace needs to be vetted by Microsoft, and hence there is tighter control over security, pretty much like Apple.
  • There are some really innovative controls, like Panorama, which show that Microsoft has tried to set itself apart and not just copy the iPhone, the way Android has been doing.

The rough edges:

  • Windows Phone 7 has no enterprise distribution model. The application marketplace is only for consumers, so if a corporation wanted to build an application and distribute it through a store, it cannot do so today. Please note that Apple has an enterprise version of their developer license which allows a corporation to distribute its apps.
  • It did not seem to me that Windows Phone 7 has true multitasking for applications: an incoming phone call tombstones a running app, which means it is where iOS was in the previous generation.
  • Windows Phone has to support multiple devices and form factors (for example, phones can come with or without a sliding keyboard). Although this is nothing compared to the dreaded Android fragmentation, it still puts an onus on QA. Here are some choices: http://www.microsoft.com/windowsphone/en-us/buy/7/default.aspx
  • They do not have the concept of an ad hoc build, which is used to give iPhone applications to beta testers without cycling through the store.
  • When asked “What are the top selling Apps in your marketplace?” there was no clear answer.

My take
Overall, Windows Phone 7 seemed behind iOS and will continue to be. However, they have a few things going for them: the widely known and understood development model and the foothold in the enterprise. Also, with the recent success of Kinect they seem to have their mojo. Time will tell whether the Nokia marriage will last happily ever after or end in a messy divorce. But it does seem like they are making a sincere effort to win the hearts and minds of developers.

Tidbits

Thought I would share this with you all.

Best Regards, Somnath

Monday, February 14, 2011

Enterprise Mobile Security

Industry analysts and security experts believe that as smart-phone adoption increases within the enterprise, attacks and malware will also increase. Smart phones may become conduits to breaches of corporate data. Malware and viruses will masquerade as apps and may compromise both personal and corporate data. 2010 saw a huge rise in instances of such targeted malware.

2011 is really a year to watch for mobile attacks. After WikiLeaks and Stuxnet, fear is looming in everyone’s mind about what the next attack will be and how it will arrive. Let us try to imagine and understand the surface of potential risks, focusing on risks related to large businesses and enterprises.

I) Data breach as a result of lost/stolen device
A lost device means potential loss or theft of sensitive information, and may also enable unauthorized users to gain access to enterprise networks. Remember the hapless Apple engineer losing the iPhone 4 prototype in a bar? In case you are rolling your eyes, please remember that over a six-month period, 3,000 laptops were lost in London cabs. Compare that to 55,000 phones lost during the same period!

Also, when an individual loses a device it is a personal loss; when an enterprise device is lost it is a much bigger affair. Some experts put the total cost of a lost laptop at around $49,000. This cost reflects the enterprise-wide effort (corporate, legal, purchasing, admin, etc.) required to deal with a lost laptop.

A more sophisticated approach is to use a service such as “remote-locate-and-lock”, which remotely locates the phone using its built-in GPS and locks out a lost phone. Even more stringent “remote-wipe” policies can be enforced to remove all sensitive data from a misplaced phone. Several vendor software options are emerging: for iOS there is “Find My iPhone”, and for Android there is Lookout.

Additionally, it is important that key content be encrypted, using a proper standard such as AES-128 or AES-192, and stored in such a fashion that even a device loss does not compromise it.
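As an added illustration (not code from the post), here is the at-rest encryption step in Go: a record is sealed under a 16-byte AES-128 key with GCM, so a stolen device yields only an opaque blob, and any modified or truncated blob is rejected rather than decrypted. The key is assumed to come from the platform keystore; the sample key and record are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example (not the post's code): AES-128-GCM for records at rest; the
// 16-byte key is assumed to come from the platform keystore, never the blob.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag, with a fresh random 96-bit nonce per record.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; GCM's tag check fails on a wrong key or any altered blob.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key length or blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	key := []byte("0123456789abcdef") // constructed; a real app fetches it from the keystore
	blob, _ := Seal(key, []byte("constructed sample: customer list"))
	blob[len(blob)-1] ^= 1 // one bit flipped in storage
	_, err := Open(key, blob)
	fmt.Println("tampered record rejected:", err != nil)
}
```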

II) Malicious code attack coming from masquerading applications
This usually happens after downloading an application which, while masquerading as an innocuous app, actually engages in nefarious activities (keystroke logging, secret transmission of private information, etc.). In July 2010, the ‘Carrot App’ for Android was disguised as a calculator application. The malicious application was programmed to email the attacker transcripts of all text messages, both sent and received, on the infected device.

Due to Apple’s stringent application review and publication process, these problems are less common on iOS, but they are still an area of concern. Android, due to its open publishing policy, can be more prone to such attacks. Please refer to the recent in-depth App Genome study.

III) Mobile device OS, Applications or protocol vulnerability
Software vulnerabilities at this level are hard to fend off and can only be mitigated by constant study of, and vigilance against, security threats. Ensure that the latest versions and patches of the OS and development environments (Apple Xcode or the Android SDK) are applied carefully and that security patches are taken seriously. Remember, the chain is only as strong as its weakest link!

IV) Weak or non-existent mobile device authentication
This is a double-edged sword. A very hard pass-code is easy to forget and hence hurts usability. On the other hand, something straightforward like “1234” or “admin” is easy to guess and easy to crack. The long-range solution is some form of biometric or fingerprint-based authentication. However, until these are refined we should use two-factor authentication (a combination of something you know, e.g. a pass-code, and something you have, e.g. a CAC reader). In many cases a simpler variant of a CAC reader can be adopted, e.g. a token code distributed via SMS. Such two-factor authentication schemes are proposed by large organizations such as Google and Microsoft. These options provide additional protection against phishing and malware attacks, as the one-time token codes are valid only for a limited duration and are deactivated automatically, thus preventing access to any sensitive information.
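As an added illustration (not code from the post), here is a minimal server-side store for such SMS token codes in Go, showing the properties the paragraph relies on: a code is accepted once, only inside its validity window, and is deactivated after a few wrong guesses. Sending the SMS and checking the pass-code factor are assumed to happen elsewhere; the user names and clock values used in testing are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example (not the post's code): an SMS one-time code that works once,
// only inside its validity window, and is dropped after maxTries wrong guesses.
const maxTries = 3
type pending struct {
	code    string
	expires time.Time
	tries   int
}
type TokenStore struct {
	validity time.Duration       // how long an issued code stays valid
	codes    map[string]*pending // at most one active code per user
}
func NewTokenStore(validity time.Duration) *TokenStore {
	return &TokenStore{validity: validity, codes: map[string]*pending{}}
}

// Issue returns a fresh random 6-digit code for user, valid from now for s.validity.
func (s *TokenStore) Issue(user string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.codes[user] = &pending{code: code, expires: now.Add(s.validity)}
	return code, nil
}

// Verify consumes the code on success; expiry or too many tries deactivates it.
func (s *TokenStore) Verify(user, code string, now time.Time) error {
	p, ok := s.codes[user]
	if !ok || now.After(p.expires) || p.tries >= maxTries {
		delete(s.codes, user)
		return errors.New("no active code")
	}
	p.tries++
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) != 1 {
		return errors.New("wrong code")
	}
	delete(s.codes, user) // one successful use only
	return nil
}
```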

There may be additional attack surfaces we have not thought about yet. After all, a “hacker’s mind” has a different orientation than a “builder’s brain”. The need for constant vigilance can never be overstated in today’s world, especially when you adopt more modern means to conduct your business.