I’ve just updated the list of presentations on mobile security:

 

Browser’s cache fulfill several aims, among others, to save network bandwidth and to diminish web pages loading time which, in turn, drop down the time costs of delays over user’s web loading. For example, suppose the typical user spends an average of 450 hours/year to surf the web at a rate of 120 pages/hour; an implied wage of 12€/hour; a fall in loading time due to the use of a cache of 1 second via desktop and 10 seconds via mobile; a caching success rate of 40%, then we easily estimate that the typical user can save between 72€/year(computer) and 720€/year(mobile) by just activating the browser’s cache.

Therefore, and given storage and bandwidth’s current costs, the implied break-even point on the use of the browser’s cache is always positive, even to store all the browsed pages that the user would ever visit for decades, a time longer than the average life of any device. This fact will still uphold true not by the exponentially decreasing costs for storage and bandwidth, but just because the labor costs are linearly increasing in time. But taking apart labor costs from the equation just consider the technological trends and taking into account that mobile bandwidth’s costs will always be several orders of magnitude higher than fiber and cable’s bandwidth, we would face the curious case that using the browser’s cache will soon stop making any sense in a computer but will still be  profitable in a mobile, and that for the period of several decades and also taking into consideration the higher mobile storage costs. Note that this is just one of the many divergences that could appear in the future evolution of the various Internet browsing devices, and that will entail much greater instruction density per transmitted byte to correct them.

The key point of this and other analyses always rests under the relative differences in the price evolution between magnetic storage (Kryder’s law -2x every 13 months-), the circuit’s scale of integration (Moore’s law -2x every 18 months-) and bandwidth’s throughput (Nielsen’s law -2x every 21 months-), among others. And we should put greater emphasis in the last one, since being the one with the slower evolution will also make it to be the most limited resource and, therefore, the one that will end up dominating the final price of any computer system. And on the other hand, storage will be the most used resource to lessen the disadvantages and deficiencies brought by telecommunication’s slowest evolution, following Jevons’s paradox, which remind us that increases in the efficiency with which a resource is used tend to increase, rather than decrease, the rate of consumption of that resource.

On the subject of the expected evolution of telecommunications, it would always be necessary to take apart the trends of the different underlying technologies (fiber, cable and wireless). And although the most optimistic would certainly lean into Edholm’s law, that predicts that the throughput of the different technologies will end up converging as a result of the law of the decreasing marginal returns on the fastest ones and even when taking into consideration the parallel increases in throughput that they have been experiencing, it will be the Cooper’s law regarding the efficiency in the use of the electromagnetic spectrum (-2x every 30 months-), the one law that highlights the underlying idiosyncrasy of wireless since it exploits a natural resource with no possibility of being expanded: analyzing its increases in efficiency in the last 100 years, we find that improvements in coding methods only explain the 0,6% of its enhancement; the enlargement of the spectrum under utilization, a mere 1,5%; and the most efficient use of the spectrum by its better confinement, the resting 97,9%. Nevertheless, optical fiber is in hard contrast to any wireless technology (Butter’s law -2x every 9 months), and just another reason to expect that the differences between the software applications available on mobile devices and the non-mobile ones using optical fiber cannot but be heightened over the years, the raison d’être of the mobile software cambrian explosion.

 

As a follow-up to my previous post about mobile subsidies, it’s important to note that new IFRS financial accounting rules affecting them are under discussion (IAS 18: Revenue in Relation to Bundled Sales), even though they are not expected to come by 2015. Traditionally, mobile revenue per month is recognised for the whole bundled mobile contract, the cost of the handset is expensed on the first day of the contract and the initial subsidised payment, if any, is reported; under the forthcoming accounting proposals, these subsidised contracts would be effectively unbundled and interests would be taken into consideration.  That is, a receivable for the unsubsidised fair value of the terminal would be recognised on the first day and every monthly instalment per month would be proportionally split into two parts: a fraction to settle the terminal receivables with their corresponding income from interests, the handset being recognised at inception of the contract, and the rest will be booked as revenue for the services.

These changes will provide a much more faithful view of the real nature of the current mobile business model: handsets are just not marketing expenses but integral to the whole mobile experience, therefore their costs won’t be diffused with other charges and profits and revenue will stop being misstated. But on the other hand, the new approach is more imprudent and the treatment of the breach of mobile contracts will further introduce unnecessary complexity.

 

All the recent news about the Android and iPhone smartphones storing geo-location data without the user’s knowledge and consent are just the tip the iceberg of the very long history of the clash between the growing functionality of mobile phones and the unawareness of the userbase, and a omen of what’s to come in the ever increasing privacy erosion created by the digital world. The applications to uncover the hidden features are freely available (iPhoneTracker, Location Cache) and it was their very own existence what propelled the public worry and interest.

Yet as Scott McNealy, CEO and co-founder of SUN, once said, “You have zero privacy anyway, get over it”: a truth best-known to computer scientist but hardly understood by the general public.

I’ve also been reading the very small list of books written on mobile security, and these are my recommendations:

  • Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World. Very high level and non-technical overview of the new mobile paradigm for computing and communications, covering the threats, risks, scenarios, business cases, security models and policies of organizations. Technical readers will be highly disappointed.
  • Mobile Application Security. Recent book covering all the topics required to master mobile application security, making it a very good compilation of all the data currently scattered all over the net. It covers all the mobile operating systems, even the disappearing ones (Windows Mobile, WebOS, Symbian, Java ME) and the specific mobile technologies (Bluetooth, SMS, geolocation). An expanded chapter on enterprise security on the mobile OS would be preferred.
  • Mobile Malware Attacks and Defense. A wonderful technical and historical reference on mobile malware and other mobile threats, with an emphasis on forensic techniques applied to the different mobile platforms. It shines at its comprehensiveness, as it lists almost every technique, malware and software known as of its publishing date. The only shortcoming is that Android is not mentioned since the book is a bit dated.
 

I’ve just updated the list of the best technical presentations available on the net about smartphone security. Nowadays, smartphones are the weakest part of any corporate network and it’s quite fun having lots of flashbacks while watching the same attacks of the 90s working  again and again on the new smartphones.

 
  1. Manage memory properly, but resist the urge to use
    1
    retainCount

    , it’s a bad idea. Also, it’s better not use

    1
    autorelease.
  2. Draw on the available toolset to improve the quality of the code: Instruments, to find the root cause of bugs; Shark, to improve performance; Clang Static Analyzer, to get the most detailed and comprehensive compiler warnings.
  3. Try to anticipate every iOS update, because there will always be changes to be made.
  4. Develop re-entrant code, because every method could be interrupted and the app could get any message in any state: it’s very important to remember this before coding every method. Read the open-sourced iPhone app code available on the net: the idioms and the patterns are very different from the Java/C++ paradigm.
  5. Beware of using SQLite with flash memory I/O: it will block the GUI.
 

The tools to decompile iPhone apps are quite well-known:

  • Otx, an advanced disassembler based on otool
  • class_dump_z, an updated version of the old class-dump for the iPhoneOS, to extract Objective-C class interfaces
  • Hex-Rays, the most advanced decompiler ever, also supports ARM binaries (based on Datarescue’s IDA Pro)

Unfortunately, there’s no easy way to obfuscate iPhone apps, even if the iPhone is 4 years old. The easiest approach would be to take advantage of the LLVM source-to-source feature to recompile the mobile apps to an intermediate high level-language and transform the source code using a specialized tool like TXL to modify the control flow before generating the final binaries. Delving into the LLVM route, it would be ideal for using more sophisticated obfuscation techniques to bring the superb DynInst into play, but it doesn’t support the ARM instruction set. As a final point, there is a commercial tool to obfuscate Objective-C, Morpher, although there are not outside reviews about its value.

 

A list of the best presentations about smartphone security all over the net:

And others about network vulnerabilites:

Note: this post will be expanded in the future.

 

BOM (Bill of Materials) for Mobile Phones

The mobile industry is not like the PC industry, populated by manufacturers that are just component assemblers of the various parts (memory, CPU, HD, …). In the mobile industry, the more vertical integrated mobile manufacturer is Samsung, a market leader in displays, memory and CPUs for mobile phones that also sells its quality components to other OEMs and ODMs (Apple To Buy Components Worth $7.8 Bln From Samsung Electronics This Year).

As shown in the graph above of a typical bill of materials of a mobile phone, those parts are the costlier and more important of a mobile phone: from this point of view, Samsung looks like a vertical mainframe manufacturer from the 60-70s, but with much of its software developed by an external provider (Android). So not only they have an obvious cost advantage on the low end of the smartphone market, they are also the leaders managing component droughts and bullwhip effects, which are very profit destroying in the mobile industry. Finally, note that the first reason Nokia has decided to go the Microsoft’s route is to differentiate enough from Samsung’s Android offerings, the second biggest mobile manufacturer after Nokia.

 
  • DynJava. Java dynamic scripting interpreter engine. Gives you runtime access to all protected and private methods and fields of all running applications, and executes arbitrary Java code with all permissions.
  • AndroidShell. You can invoke any Android APIs from PC and see the execution result immediately.
  • aLogCat. View color-coded, scrolling (tailed) Android device (logcat) logs directly from your phone. No USB, adb, or emailing necessary.
  • adbWireless. adbWireless enable ADB wireless connection to connect to the phone as if connected by USB.
  • Titanium Backup. Backup, restore, freeze your apps + data + Market links, even protected apps.
  • Android Scripting Environment. Scripting Layer for Android (SL4A) brings scripting languages to Android by allowing you to edit and execute scripts and interactive interpreters directly on the Android device. These scripts have access to many of the APIs available to full-fledged Android applications, but with a greatly simplified interface that makes it easy to get things done.
  • touchqode. View and edit source code on Android phone. Touchqode is a true mobile code editor that comes with syntax highlighting, autocomplete and other features found in a desktop IDE. We support Java, HTML, JavaScript, Python, C++, C#, Ruby and PHP.
  • aGrep. aGrep is a open-source text search program like a “grep”.
 

More than half of all computers aren’t computers anymore

More than half of all computers aren’t computers anymore. Smartphone shipments surpass PCs. The transition is done. But in this new era of mobile personal computing, the limiting factor is not the CPU, it’s the spectral efficiency of the whole mobile environment, experienced as the user goodput. At least 1MBit/s is needed to get an optimal browsing experience on a mobile phone.

Evolution of average versus peak spectral efficiency over time

As in Moore’s law, the growth is exponential, but with a rather less pronounced slope. And underlying both, economic models that serve as a self-fulfilling prophecy and a barrier of what technology could achieve in the future: the costly deployments of mobile networks, financed by debt, parallel those of semiconductor chip fabrication plants that Rock’s law models as constraints to transistor integration limits.

 
Set your Twitter account name in your settings to use the TwitterBar Section.