Monthly Archives: September 2013

App security is really low

Web browsers have for ages shown a small lock icon to tell their users when they are securely connected to a web server.

Apps, especially mobile ones, do not expose this information. It is very difficult to know whether they use proper encryption, or whether they even check the validity of the server certificate (when using protocols such as SSL or TLS). Without such encryption, user credentials (login and password) and the personal data exchanged can easily be snooped.

App makers should always encrypt their communications, validate certificates to make sure they are connected to the expected server, and expose that status in the user interface!
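As an added illustration (this is example code, not from the original post or any app vendor), here is a small audit of a client TLS configuration in Python's `ssl` module: the weak setup many apps ship beside the hardened one, and the "lock" status an app could surface to its user. The function and context names are my own.

```python
import ssl

# Lowest TLS version we accept for an app's back-end connection (assumption for this example).
MIN_TLS = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client-side TLS configuration.

    An empty list means: the server certificate is verified against trusted CAs,
    the hostname is checked against that certificate, and no pre-1.2 TLS is allowed.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < MIN_TLS:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The kind of setup a careless app ships: encrypted, but any server will do."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts self-signed or mismatched certificates
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What the post asks for: verify the certificate chain and the hostname."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = MIN_TLS
    return ctx


def lock_indicator(ctx: ssl.SSLContext) -> str:
    """The browser's small lock, reduced to a string an app could display."""
    return "locked" if not audit_tls_context(ctx) else "unlocked"


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, lock_indicator(ctx), audit_tls_context(ctx))
```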

Mobile Security: Not Really Usable, Not Really Secure

Yesterday I stumbled upon a journalist's opinion piece arguing that the current Yahoo! CEO, Marissa Mayer, is just a twerp when it comes to mobile security. I do not think we should call someone a twerp, even the CEO of an internet company like Yahoo!, just because she does not use a pass-lock on her mobile phone.

Why is mobile phone security important?

It is certainly about money: someone could use your phone/data connection, but you can easily and quickly close this gap (e.g. using Apple's Find My iPhone, or an Android equivalent). The other thing that has value is the personal data within the phone. But this data has value either in numbers (smartphone data stolen from thousands of users would certainly interest spammers and hoaxers, but that is unlikely with a single phone theft), or because you are a high-profile person, or because someone wants to use that data against its rightful owner (blackmail, defamation, etc.).

So yes, security is important for a mobile device.

Security vs. usability

But the usability and efficiency of the security features on mobile are awful! They get in the way of quickly grabbing the phone and performing an action (urgent call, photo, etc.).

Which is why I understand that people do not want to use a pass-code or similar mechanism to access their phone. Most are cumbersome; they get in the way of easily and readily using the phone (that's why I still carry a camera when I want to take pictures!). And their relative security is dubious. The PIN[1] or gesture authentication mechanism can sometimes, with the right tool, be read from the finger traces on the screen, and/or could be brute-forced (I am convinced there are automated ways to do that).

For a few weeks now I have had a smartphone. It is neither too old nor brand new, but it is a good smartphone: a Samsung Galaxy S (1st generation). I have tried several pass-locks: the ubiquitous 4-digit PIN, the swipe gesture, a password, a simple lock, and nothing at all. Clearly, the last two options are the only usable ones! Out of the pseudo-secure ones, only the PIN code seemed not too difficult to use. This is a great disappointment. I do not trust my phone to protect my data to the same extent I trust my computer. And worst of all, it seems that improving this is not on the agenda of most manufacturers/mobile OS providers, unless you count Apple's attempt to improve at least the usability side with fingerprint recognition.

Fingerprint recognition is not a panacea in terms of security. But when properly implemented it is as secure as a PIN lock, and it does not get in the way of using the phone[2]. Furthermore, I am sure this technology will evolve, and we can hope to have, in the near future, good-enough fingerprint-lock technology that surpasses PIN locks in terms of security.


  1. I still do not get why PIN pass-code systems do not randomise the position of the numbers on the screen!?!
  2. This is my humble opinion, not hard facts. Others have expressed their views on fingerprint recognition on mobile phones better than I have.

Finally someone got it right regarding the 64-bit performance increase:

It seems that the bulk of the A7’s performance gains do not come from any advantages inherent to a 64-bit architecture, but rather from the switch from the outdated ARMv7 instruction set to the newly-designed ARMv8. – iFixit iPhone 5s Teardown

64-bit architecture myths

I should start a video series "fun with flags: 64-bit theories", but for now I will stick with this short article. Here is the ironic part:

“There’s no shortage of pundits and self-described experts asserting that Apple’s shift to a 64-bit architecture is either a hoax, a pointless marketing ploy that will deliver no real benefit, or an inevitable shift that everyone will eventually follow anyway at some point, and therefore neither newsworthy nor deserving of any credit.” – for Apple Insider, Daniel Eran Dilger

The journalist then goes on citing several Apple statements from the iOS development guidelines, taking those statements as true because they are aimed at developers. I guess that should be viewed as scientific proof ;-) You can read the full article though; it is not all bad, and better than many others I have recently read on the subject. But up to now, the most accurate comments on the new 64-bit ARM CPU in Apple's iPhone 5s are from Anand. One of those statements is:

“When all apps running on the device are compiled for the 64-bit runtime, iOS never loads the 32-bit versions of those libraries, which means that the system uses less memory and launches apps more quickly,” – Apple

This is slightly marketing speak. A 64-bit app is likely to use more memory than its 32-bit counterpart, as most basic data types have increased in size. But it is true that the 32-bit stack does not need to be loaded. There is an engineering trade-off to make per app: does the extra memory consumed when switching to 64-bit exceed the 32-bit stack footprint? But the author does not get that point and concludes that:

“The company also outlines why it will be beneficial for third party apps to release 64-bit versions of their titles for users, even if those apps don’t in themselves score massive gains from the move to 64-bits: the key result will be lower memory use for the end user.” – for Apple Insider, Daniel Eran Dilger

Lower memory use for the end user when 3rd-party apps release 64-bit versions? That would be astonishing. If all 3rd-party apps were 64-bit then there would be no need for the 32-bit stack, but I guess this stack represents only a fraction of the overall available/used memory. Apple also recognises this drawback of 64-bit systems, as they state later on:

“Because so many fundamental types have increased in size, the 64-bit version of your app uses more memory than the 32-bit version does. (…) Expect to spend more time optimizing the performance of the 64-bit version of your app.” – Apple

But this is something the journalist blatantly ignores.

Note: Moving from 32-bit to 64-bit does not mean you need twice the amount of memory. Not all data types have their size doubled, and apps can be refactored to use less demanding data types.

Then the stunt on the 64-bit memory model (LP64, LLP64 or ILP64) is also a funny one. Really, who cares unless you are a developer who has to handle binary data or who needs to optimise an app for memory usage? Unix decided long ago to go the LP64 way (although I do not think all Unix flavours followed it) after evaluating (performing a trade-off between) several criteria including portability, interoperability and performance. And Windows decided to go the LLP64 way, which is not bad either. As for performance differences between those models, they only affect memory pressure, and depending on the application this can have no impact or some performance hit. In this regard, Microsoft's choice for Windows limits the memory pressure when directly recompiling a 32-bit app for 64-bit.
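To make the data-model discussion and the note above concrete, here is an added Python example (not from the original post) that uses `ctypes` to identify the data model of the machine it runs on and shows why a 64-bit build does not simply double memory use: a record holding a pointer grows with the pointer, while the same record refactored to a 32-bit index keeps its size. The two record layouts are constructed for illustration.

```python
from ctypes import Structure, c_char, c_int, c_int32, c_long, c_longlong, c_void_p, sizeof


def data_model() -> str:
    """Classify the C data model from the sizes of int, long, long long and
    pointers. The names say which types are 64 bits wide: LP64 = long and
    pointer, LLP64 = long long and pointer, ILP64 = int, long and pointer."""
    n_int, n_long, n_ll, n_ptr = (sizeof(t) for t in (c_int, c_long, c_longlong, c_void_p))
    if n_ptr == 4 and n_int == 4 and n_long == 4:
        return "ILP32"
    if n_ptr == 8 and n_int == 4 and n_long == 8:
        return "LP64"    # Unix flavours, Linux, macOS, iOS on arm64
    if n_ptr == 8 and n_int == 4 and n_long == 4 and n_ll == 8:
        return "LLP64"   # 64-bit Windows
    if n_ptr == 8 and n_int == 8 and n_long == 8:
        return "ILP64"
    return "unknown"


class PointerNode(Structure):
    """A record as many apps write it: a tag byte plus a pointer to the next
    record. Under LP64 the pointer is 8 bytes and the tag is padded to 8-byte
    alignment, so the record doubles from 8 to 16 bytes."""
    _fields_ = [("tag", c_char), ("next", c_void_p)]


class IndexNode(Structure):
    """The same record refactored to a 32-bit index into an array instead of
    a raw pointer: 8 bytes whatever the data model."""
    _fields_ = [("tag", c_char), ("next_index", c_int32)]


def record_sizes() -> dict:
    """Sizes in bytes of both layouts and of the basic types that drive them."""
    return {"pointer_record": sizeof(PointerNode), "index_record": sizeof(IndexNode),
            "int": sizeof(c_int), "long": sizeof(c_long), "pointer": sizeof(c_void_p)}


def memory_for(n_records: int) -> tuple:
    """Bytes needed to hold n_records of the pointer layout and of the index layout."""
    s = record_sizes()
    return n_records * s["pointer_record"], n_records * s["index_record"]


if __name__ == "__main__":
    print("data model:", data_model(), record_sizes())
    print("1,000,000 records (pointer layout, index layout):", memory_for(1_000_000))
```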

I am not going to talk about the journalist's speculations on Android's move to 64-bit with its engineering and business challenges. I fully agree that moving to 64-bit has its challenges, and then moving the app ecosystem is another challenge of its own. But I do not think that moving the core of Android, including Dalvik, to 64-bit is as difficult as the author implies, at least from a purely technical standpoint. But like him, this is my gut feeling and I have nothing to base this statement on! Hence, I won't talk about it.

Overall, this journalist, Daniel E. Dilger, is doing a better job than many others before him regarding the 64-bit transition that Apple is trying to make for its mobile ecosystem. But this article is clearly biased towards Apple, and in order to be so, the journalist has taken many shortcuts and misunderstood statements made for developers (not journalists!).

Note: I have loved Apple for many years; I have a MacBook and an iPad (and an iPod lying somewhere). But I have been passionate about Linux since almost its inception, and thus I have an old computer and several VMs running it. I have also had an Android phone recently. The only OS which I cannot stand but am forced to use (only for work) is Windows. So with this context in mind, I guess my opinions above are rather objective.


64-bit chips are too much for a smartphone! Really?

After today's Apple event, the press is in ebullition reporting on it. One journalist at Gigaom has written an article titled "Apple's new 64-bit chip is too much for a smartphone, but great for a MacBook", in which he explicitly states the following:

For chip nerds the idea of 64-bit chip inside a smartphone is overkill. The benefits of a 64-bit chip is that it can take advantage of 4 gigabytes of addressable RAM, but most smartphones are barely hitting 2 or 3 GB of RAM today.

First, let's correct his statement, and then I will tell you why I think a smartphone can benefit from a 64-bit chip.
