Android malware: How open is too open?

As competition heats up, smartphone vendors are scrambling to woo developers to their respective OS platforms. But some developers are more desirable than others. The discovery of suspected malware in the Android Market online app store is evidence that mobile platforms are becoming as attractive to criminals as they are to legitimate software vendors.

More than 50 Android apps have been flagged as potential hazards since December, all of them published by a developer identified only as "09Droid." The apps were advertised as online banking tools, each targeted at a specific financial institution. Their true purpose, security researchers now believe, was phishing and identity theft.


Google has since removed the 09Droid apps from the Android Market, but the fact that they were listed in the first place raises serious questions about the safety of the app-store software delivery model, as practiced by Google and other vendors. If mobile infrastructure providers don't act quickly to restore customer confidence, this incident could cast a lasting pall over the mobile apps market, even as it's just getting started.

Apple: Hero or tyrant?
While all smartphone vendors offer online markets for third-party software, their approaches to security vary. Apple's App Store was the first such market and it remains the largest, with more than 100,000 apps available for download and 3 billion apps sold since the store opened in 2008. It also has the tightest security model. Software is carefully vetted by Apple examiners before being approved for sale on the App Store, and the process is no mere rubber stamp. Indeed, the company's intransigence on some issues has inspired much puzzlement and lively online debate.

That's not to say there have been no malware incidents on the iPhone platform. One early example changed iPhone users' wallpaper to a photo of '80s singer Rick Astley. Since then, security experts have discovered at least one case of malware in the wild that can steal contacts, e-mail, and other data from iPhone handsets. But these exploits only work on "jailbroken" iPhones, so called because they have been intentionally hacked to accept apps from sources other than the App Store. Because of the obvious security risk, jailbreaking an iPhone voids its warranty.

But Apple's model is not without its critics. As the number of developers submitting software to the App Store has increased, the approval process has slowed, leading some developers to accuse Apple of undermining their time-to-market advantage. And some iPhone owners insist they have no choice but to jailbreak their phones, claiming Apple blocks legitimate apps from the App Store for arbitrary, specious, or obscure reasons.

These gripes have lent ammunition to the iPhone's competitors, who hope to gain market share by offering alternatives to what they characterize as Apple's heavy-handed, draconian policies. Last fall, Verizon Wireless marketed its latest Android handset, the Motorola Droid, by suggesting the Droid would do everything the iPhone wouldn't -- a campaign that seems ironic now, in the wake of the 09Droid phishing debacle.

Risking it all for openness
Perhaps no other smartphone vendor has staked its fortunes on its developer community more than Palm. From the outset, Palm has promoted its WebOS as an open alternative to proprietary platforms, including Apple's. In its boldest move to date, it unveiled Project Appetite, an open source software foundation that customers can use to build their own, independent WebOS app stores. But lacking any formal oversight, how can Palm users be sure that such stores won't be used to exploit their handsets for phishing and other nefarious purposes?

Open platforms are attractive to developers, but as we have now seen, developers come in all flavors. If smartphone vendors aren't careful, they risk repeating the mistakes of the PC software industry, with mobile platforms becoming the new Wild West of computing.

At first blush, WebOS apps may seem safer than most. They're built with HTML, CSS, and JavaScript, rather than native code. But in response to pressure from game developers, Palm recently announced a plug-in development kit that allows programmers to build modules for webOS apps using C and C++, increasing the risk considerably.

By comparison, Google's Android OS is based on Java, which is known for its sandbox security model. Google engaged security experts early in the Android design process, in hopes of weeding out any potential vulnerabilities before bringing the OS to market. But even if the Android platform is completely bug-free -- an unlikely assertion -- the 09Droid apps are proof that malware doesn't need to exploit software flaws to be dangerous. Credulous users leave a platform just as vulnerable to phishing attacks as defective software does.

Tough love for developers
Strong governance is the only solution. Open source platforms such as Android and WebOS invite independent review of their code, but it's unrealistic to expect an open source community to anticipate every possible avenue of attack. Far more important is the ability to act swiftly when exploits arise, and that's something only centralized oversight can provide.

Google did the right thing by removing the 09Droid apps from the Android Market. But the fact that security advisories about the apps were issued by the affected banks, and not the Android Market itself, is an embarrassment. Allowing those apps to linger in the store for a month or more is inexcusable.

While a strong developer community is an asset to any platform, part of a community's strength is its reputation in the eyes of customers. When malware authors are allowed to run unchecked, the loss of customer trust hurts every developer.

Apple's insistence on a single App Store may indeed seem draconian. Cynics will say it serves no purpose other than channeling a revenue stream to Cupertino. But by ensuring that each and every app in the App Store has met its rigorous standards, Apple has forged a bond of trust with iPhone users that no other smartphone vendor can match. There is yet room for smartphone vendors to compete with the iPhone through innovation. Sacrificing security and stability for "openness," however, is throwing the baby out with the bathwater.


http://www.infoworld.com/d/developer-world/android-malware-how-open-too-open-784?page=0,1

iPhone App Piracy Reaches $450 Million? Doubtful

According to an independent analysis performed by investment-watching blog 24/7 Wall St., Apple's iTunes App Store has lost $450 million due to iPhone app piracy since it opened for business back in July of 2008. Although that number sounds high, they note it is small in comparison to the overall size of the App Store marketplace and the millions it generates in revenue each quarter - revenue that ranges from $60 million to $110 million according to previous estimates from a Bernstein analyst report cited in 24/7 Wall St.'s post.

However, in order to arrive at the $450 million figure, the author of the post uses some questionable back-of-the-envelope calculations that raise flags. Our sources say that the real number is closer to $15 million to $20 million instead.

Piracy: Not Even a Big Issue

The reason why App Store piracy isn't as rampant as it could be is simple: Most people don't bother to jailbreak their iPhones, the first step to gaining access to tools that allow for pirated app downloads. However, keep in mind that jailbreaking isn't done just for the purpose of pirating applications. Thanks to a now-easier-than-ever process for jailbreaking, iPhone owners can choose from a number of software programs that automate the advanced hacking required to gain control over the device. Once jailbroken, you can install all sorts of unauthorized third-party applications on your phone via unofficial app stores like Cydia or Icy. Last year, we looked at a number of reasons why you would want to jailbreak by listing some of the better jailbroken apps, including one that turns your iPhone into a modem, a theming app called Winterboard, and multiple apps that bring video to the video-less iPhone 3G. But let's be honest. A good many jailbreakers are hacking their phones to gain access to apps they don't want to pay for.

In October of 2009, mobile analytics firm Pinch Media dispelled some of the myths about App Store piracy. Most notably, they found that "try before you buy" as a reason for pirating apps was a myth. That refers to the claim made by the jailbreaking community that one of the main reasons they pirate apps is that the App Store doesn't offer trial periods for paid applications. If the developers themselves don't offer a free "lite" version of the app, there's no way to tell if the app is going to be worth the price, claim the jailbreakers. But Pinch Media revealed this desire to demo apps was just an excuse. After tracking the jailbroken app ecosystem for many months, the company found that the conversion rate is only 0.43% for pirate-to-paid apps. In other words, the pirates aren't trying and buying later. They're just trying and trying and trying.

That can be bad news for some developers. 24/7 Wall St.'s report references developers like Neptune Interactive Inc. and Smells Like Donkey Inc. who each have apps with 90% piracy rates. Another developer, Web Scout Inc., sees a 75% piracy rate for a $.99 game and Fish Labs sees a 95% piracy rate for a $7 game. This seems to show that piracy rates increase with app prices. For example, notes the report, expensive apps like TomTom's $79.99 GPS program and its Garmin counterpart are found all over file-sharing sites like thepiratebay.com.

However, piracy shouldn't really be a major concern for developers, no matter what the rate. In fact, after the merger of mobile analytics firms Pinch Media and Flurry, they're even considering doing away with the piracy-tracking feature due to lack of use among developers. Flurry's VP of Marketing, Peter Farago, tells us that most of their customers (the developers using the service) are from developed economies like the U.S., Canada and Western Europe. It's outside of these countries where the majority of piracy takes place, as they noted in a report last year. In these less developed economies, developers aren't actually losing sales to pirates - those illegal downloads would likely never have been purchases anyway.

$450 Million?

The $450 million figure cited in the report was based on an average piracy rate of 75% per paid app - or three pirated downloads for every one. With 510 million paid app downloads, the number of pirated app downloads is 1.53 billion. With an average price of $3 per app, that would lead to $4.59 billion in losses for both developers and Apple combined. Since most pirates wouldn't have paid for the apps anyway, the estimated 10% who would have paid brings the figure to $459 million in lost revenue.

Is that fuzzy math? Well, the calculations do make a lot of assumptions to reach the final result. For example, the 510 million is an assumption based on analyzing Bernstein's report, but Pinch Media's own analysis from October 2009 claimed that number is closer to 610 million. Today they're saying it's more like 750 million (3 billion downloads over the lifetime of the store, with roughly 25% paid).

Also, using average numbers like the 75% piracy rate and the average price of $3 per app isn't going to be anywhere near as accurate as an actual app-by-app review would be. And as Mashable notes, the 75% piracy rate may be accurate for games, but other paid applications are likely to have a much lower rate.

Finally, the 10% who would, in theory, go buy the app later might be an overly generous estimate. Pinch Media found that only one in 14 would do so.

More Like $15 Million

Farago did some back-of-the-envelope calculations of his own this morning and found the $450 million to be excessively high. With 3 billion downloads over the lifetime of the App Store and 25% of them paid, that's 750 million paid downloads. At an average price of $3 per app (the one figure he agrees with in the 24/7 Wall St. report), you're looking at $2.25 billion in gross revenue. Developers get to keep 70% of that, or approximately $1.6 billion. But the blog post is asserting that lost revenues from pirated apps are about a third as large? That sounds suspicious. Extrapolating from these figures, even if as much as 10% of the iPhone-owning community were pirates shopping at an alternative app store, we would be talking $160 million in lost revenue (10% of $1.6 billion), not $450 million. A 10% piracy rate is probably not even accurate, though - it's too high. Farago says they've found the rate to be below 1% in reality. However, since these are rough estimates, he states that Flurry would put the number in the range of $15 million to $30 million at the most - a number much, much lower than what the 24/7 Wall St. blog claims.

In the end, piracy shouldn't even be that much of an issue for developers. It seems that ever since the launch of P2P networks for file-sharing, everyone from record executives to movie moguls have claimed that piracy is killing their respective industries. But is it really? Those pirated downloads don't necessarily represent actual lost sales. Without a way to download these things for free, they would have simply never been purchased in the first place (for the most part, that is). The same holds true for app sales. Developers should focus on increasing sales among the user base that is paying by making the app worth the money, updating it with new features and marketing it effectively. Mooning over the lost revenue - be it $15 million or $450 million - won't help.


http://www.readwriteweb.com/archives/iphone_app_piracy_reaches_450_million_doubtful.php

Will Google Apps Make The Nexus One Enterprise Ready?

At CES this past week, Google executive Andy Rubin said that the next version of the Nexus One phone will be for the enterprise. It could have a physical keyboard.

Our bet is that Google Apps will be tightly integrated into the Nexus One enterprise phone. Google syncs every Android phone to a Google account. The next step seems logical. Sync Google Apps with the Android.

With Google Apps integrated, a customer could assign employees a Nexus One smartphone that is tied centrally to the account. As described on Ars Technica, each device could have its own Google Voice number. The smartphones could then be distributed to employees. Billing would be centralized and the employees would have a managed suite of applications for email, messaging, calendaring, contacts and more.

In the end, Google may also win simply by offering features that are as available on the Nexus One as on a Blackberry device. A core Google strategy is to develop features that cut across the consumer and enterprise markets. That's apparent in a feature announced today that allows Blackberry users to search email and contacts with a new Google application. You can perform the same function on a Nexus One.

But the Nexus One has a long way to go before it can really compete with the Blackberry or the iPhone.

With that in mind, here are some security features that would make the Nexus One more compelling for the enterprise.

Hardware Encryption

Without hardware encryption, the Nexus One will never meet enterprise security standards. The iPhone and the Blackberry both have this necessary feature.

Remote Data Removal

A lost smartphone is a vulnerable smartphone. The Android does not support the capability to erase data remotely. Like encryption, this is a must-have feature for the enterprise.

Security Settings

The Blackberry lets corporate IT lock down a device. This goes hand in hand with remote data wiping. The Android needs this corporate security capability for it to be enterprise ready.

Application Signing

The iPhone requires application signing. The certificate can be pulled at any time by Apple. This helps protect against rogue applications. Android devices do not require that a trusted authority sign the certificates.

It's Still Early

We know little about what is planned for the Nexus One. But we can't expect it to have huge appeal in the enterprise yet; it's so new to the market, and the OS is still quite nascent in its development. Even with a Google Apps integration, enterprise managers will have to see how the OS and its security features measure up before giving it the green light.


http://www.readwriteweb.com/enterprise/2010/01/ready-for-a-google-apps-phone.php