Monday 17 November 2014

Construction App Challenge - End of Round 1

By Vladimir Bataev

Yesterday, Nov 17, 23:59 CET was the deadline for submitting ideas for the first European mobile app challenge in construction organized by MobiCloud.

While the submissions are en route to the expert panel that will evaluate them and determine the winner, we can look at where the ideas came from.

Geography


Ideas arrived from 9 countries in total, where the expected Western European participants were joined by their peers in Russia, the US and Singapore.



47 ideas were submitted. After merging duplicates and politely refusing submissions from existing products to keep the competition focused as much as possible on new ideas, we ended up with 37 unique ideas. These ideas were distributed in the following way, with the UK taking responsibility for almost half of all submissions:


Occupation


We aimed the competition at students (and their professors) and then at potential startups. To our surprise, contributors working for existing companies (most often, in the construction industry) were more active than their rivals from academia. 6 ideas came from freelancers and people who did not want to disclose their occupation status.


Activity


We encouraged people to submit more than one idea and we were heard - 5 participants submitted 2 ideas or more.

We know from experience that coming up with good ideas for mobile apps in construction is not easy, and we were amazed by the number of high-quality submissions we received. We expected about 20 good submissions, so we were pleasantly surprised to have received almost twice that number (which means double the work for our experts, but we have already recruited new experts to evaluate all additional submissions).

We would like to thank all the participants for their efforts. We will shortly announce the precise schedule for announcement of the top rated submissions and, of course, the winner, as well as the online webinar, where our experts will discuss the best ideas.


Monday 10 November 2014

MobiCloud ShowCase

On the 30th October MobiCloud was showcased at the COMIT/Fiatech conference which was held at the Crystal in London. This two-day event attracted 150 delegates from all over the world and focused on the use of mobile technology in the construction industry. 


The event was chaired by Phil Jackson of the Institute of Civil Engineers and included speakers such as Richard Lane from the UK Government BIM Taskgroup. More information about the conference, including photographs and all the presentations, can be found on the COMIT website.


MobiCloud had a stand at the event and Martin Wilson presented a brief overview of the MobiCloud project in the morning on the 30th. In the evening after drinks and light refreshments a longer showcase was delivered including a demonstration of the Site Diary application by Otis Burris (Appear). This generated a lot of interest, particularly among delegates from the US.


Vladimir Bataev (EsperantoXL) then described the MobiCloud App Challenge and gave an example of some of the ideas that had already been submitted. This was also well received and led to lively discussion about other potential applications of MobiCloud to the construction industry and the shortcomings of current mobile solutions.

Monday 27 October 2014

The business case for hybrid HTML5 mobile apps

by Martin Wilson, Appear


While the debate about Hybrid versus Native app development is traditionally centered around the performance of hybrid apps versus native apps, at Appear we have identified that this debate is actually rooted in individual developer preferences. We believe it is important that organizations identify the technology stack that can enable developers to be productive in the short-term while still supporting their long term organizational strategies.

We are confident that hybrid apps offer unlimited possibilities for our partners to create best-of-breed user experiences. Existing partner apps built using AppearIQ are a great example and can testify to this. However, some developers have a preference for native technologies. As such, we take a pragmatic view of this and intend, as part of our road map in 2015, to support this preference and provide native developers with a secure and efficient communication stack that would help deliver true enterprise ready solutions. This will also allow organizations to combine native and hybrid apps within a single environment.

Hybrid Apps Business Case Factor #1: Performance of Hybrid vs native apps

Native apps have a slightly quicker response time than hybrid apps. This is a fact. Depending on the app use case, the differences in response time can be undetectable to the user. As an interpreted language, JavaScript (the technology behind hybrid apps) is slower than compiled languages like Objective-C (used for development of Apple native apps). This performance metric (speed) is at the cost of one of the key benefits of the hybrid approach: app portability. Unlike machine-specific code, JavaScript is meant to be compatible with many different platforms. This overarching ambition requires the JavaScript engines to break down and parse the JavaScript code into instructions that can then be executed by the underlying platform. These are additional steps, hence additional computation, etc.
In recent years, JavaScript engines like WebKit (Android and iOS) and Chakra (Windows Phone) have significantly improved speed through optimizations like JIT compilation. Each new OS release significantly improves web performance (i.e. HTML5 support, DOM querying, DOM modification, JavaScript execution, CSS execution, etc.). See Sencha’s recent post on iOS8 improved performance.
In addition, speed has been greatly improved via the continuous improvements in processor performance. For instance, the A8 CPU and GPU used in the iPhone 6 are respectively 25% and 50% faster than the A7 ones in the iPhone 5. This enables huge performance gains for mobile users. These software and hardware developments are continuously narrowing the gap between JavaScript and native speeds.
However, the key question is not whether native code is faster than JavaScript code, but whether users will notice the difference. The performance hit usually comes from access to the local database, manipulation of images, etc. Appear IQ includes a Native bridge that optimizes access to local data stored on the device.
At Appear, we recommend using the right tool for the right job. For true real-time use cases (i.e. gaming, financial transactions, etc.), we would recommend using native technologies. To enable this Appear will offer native code support in 2015. For near real-time use cases, JavaScript has long proven to be a solid alternative. Gartner, the IT analyst, echoes that statement when it anticipates 90% of enterprise apps will be hybrid or web in 2015. Evernote, CatchApp and Appear’s own reference app Site Diary (developed as part of the MobiCloud project), are perfect examples of high performing hybrid apps. And the Financial Times provides a perfect example of a pure mobile website showing what HTML5 can offer.

Hybrid Apps Business Case Factor #2: Optimized communications improves performance

Beyond the language’s execution performance, an app’s performance can be impacted by data access. Access to data, coming from IT backend systems, is dependent on the speed and availability of network access.
Appear IQ offers HTML5 apps via the Appear container an optimized communication stack that abstracts the network connectivity challenges. It ensures that the right data is securely available on the device whenever apps need it. It also guarantees that data created by apps can be queued on the device until it can be synchronized to IT backend systems. Furthermore, Appear IQ leverages push notification services provided by OS vendors like Apple and Google to efficiently trigger data synchronizations whenever required.

Hybrid Apps Business Case Factor #3: Control of the application lifecycle

Hybrid apps put the developer much more in control of when and how their new app updates are released to end users by avoiding as far as possible reliance on public app stores for the approval and release of updates.
The hybrid approach with the Appear IQ platform combines a native layer (i.e. container) and portable HTML5 web apps. Appear typically releases a new container for developers to adapt a couple of times a year. This is to (for example) take advantage of new capabilities provided by Apple or Google. Web apps may be updated on a monthly basis with new features and bug fixes.
Sometimes Apple’s review and approval process can take over a month – and if this is an important new feature that you are waiting to get into the hands of end users for feedback for further improvements you can see the iterative development process could take years – clearly not acceptable in today’s terms. Luckily enough, in 98% of the cases with a hybrid approach only the mobile web apps need to be updated, and as such we bypass App Store approval processes and enable our development partners to remain in full control over their applications.
End users are also untroubled by the updating of the hybrid apps themselves, since they are included in the HTML5 code rather than requiring approval, app download, update and synchronisations.
In other words, with the hybrid approach used by Appear we have a limited exposure to Apple’s approval process while a native approach requires it for every new release.

Hybrid Apps Business Case Factor #4: Cost & time to market – shorter development times

Mobile web development is faster than native iOS development: it is a higher level language, it does not require compilation i.e. a page reload suffices, code can be changed on the fly, in-browser testing is faster than the iOS simulator, etc. Our benchmark indicates that – assuming similar developer skills – the web development process can be 20% faster than native iOS development.
If developing one web-app is faster than developing one iOS app, the cost saving becomes tremendous when comparing with the development of multiple native apps.
In addition, Appear IQ includes a set of ready-made security and communication features which further shorten the development of hybrid apps. Depending on the complexity of the use cases, our benchmark indicates that developers can save up to 50-70% of time when leveraging our authentication and communication capabilities.

Hybrid Apps Business Case Factor #5 : Cost & performance – a high-quality user experience

Apple imposes a way of developing the mobile user experience, and provides a set of UI controls to power them. While these can be extremely powerful, you may identify a user experience that would be even better – but unfortunately that is incompatible with “Apple’s way”. This is what happened when developing the Site Diary application for the construction industry – the timeline feature provides an extremely powerful and intuitive tool for the user, but could not be easily developed using standard iOS controls.
In these cases, with a native approach you may need to develop custom controls or invest in 3rd party ones. Developing custom controls is highly time consuming, and this cost drives up when multiple platforms are involved.
On the other hand, web technologies give you greater flexibility to design and implement your custom user experience – and truly offer the best possible user experience to your customers.

Hybrid Apps Business Case Factor #6 : Cost – supporting multiple OS versions

Major releases of operating systems can change APIs and behaviors, which developers have to account for. Unless updated, the apps may no longer work, or display correctly – significantly impairing the end user experience. Web technologies (incl. JavaScript) on the other hand have been designed to be backwards compatible. For instance, WebKit still supports ECMAScript 3, enabling users to browse a 15 year old website with the latest iPhone 6. The same is not always true for a 3 year old native app.
In addition, with its data access layer, Appear IQ further abstracts and avoids the complexities associated with possible API changes introduced by the OS vendors.

Hybrid Apps Business Case Factor #7 : Cost – Re-use of skills

Web technologies are used in both the mobile and backend components of the AppearIQ platform. Even though the mobile world imposes specific requirements in terms of user experience and performance management, the language is the same when developing back-office applications. On the other hand, in developing native apps Objective-C is only valid on iOS and OSX environments. This requires more developers or enhanced skills in the team to cover the multiple technologies required. With AppearIQ, when creating a new development team, it may be more effective and cost-efficient to invest in web technologies combined with another backend language such as Java, .NET, etc.
AppearIQ is the technology behind the MobiCloud Platform, a cloud-based environment in which to develop hybrid, cross-platform applications that leverage context awareness. For more information about MobiCloud and the current MobiCloud Construction App Challenge please see www.mobicloudproject.eu.

Thursday 16 October 2014

MobiCloud Construction App Challenge

Submit your idea for a mobile application for use in the construction industry and you could win 1,000 in our Construction App Challenge. 


If you go on to enter a team you could help develop the next must-have mobile solution for construction based on the MobiCloud platform.

All ideas submitted will be reviewed by a panel of construction experts who will give feedback and suggestions for improvements. The more notable ideas will feature at the MobiCloud showcase event which is being held at the COMIT & Fiatech IT conference at the Crystal in London on the 31st of October. The idea judged to be the best will be awarded a 1,000 prize.

We will then go on to give teams access to those ideas and provide expert help and assistance in turning them into fully-fledged business concepts using the MobiCloud platform. If any of our construction sponsors are suitably impressed they may even run trials of those solutions on site.

The Construction App Challenge is open to absolutely anybody - individuals, students, established developers or start-ups. For details and information on how to enter please visit our website at www.mobicloudproject.eu

Friday 26 September 2014

CloudWatch concertation meeting visit report

by Vladimir Bataev, EsperantoXL

On Sep 11, 2014 CloudWatch hosted a concertation event at the EC premises in Brussels to collect feedback from experts on the upcoming work programme 2016-2017 (H2020 LEIT ICT WP2016 -2017).

Traditionally, during this day members from various EC-related projects break into committees to discuss pressing subjects in software & services and cloud computing that should be considered in the work programme. The day is completed by joint review and a series of panels.


MobiCloud project was invited to join the closing panel on how the upcoming work programme can support SMEs and startups, and give additional boost to technology innovation in Europe. I sat in the company of Dalibor Baškovč from EuroCloud Slovenia, Luc Hendrickx from UEAPME and Filip Gluszak from GridPocket. The panel was chaired by Patrice Chazerand from DIGITALEUROPE.

My presentation focused on the upcoming construction app challenge organized by MobiCloud: how it opens opportunities for startups and SMEs to validate new product ideas with experts from larger companies and increase chances of success.

Messrs. Baškovč and Hendrickx addressed the panel subject from a different angle: they shared and reviewed the results of a survey wherein a number of startups and SMEs commented on how they use the cloud and how it supports their innovation programmes. An unexpected debate emerged on actual definitions and compositions of a typical SME in Europe, and what needs it might have on security and privacy.

The reaction of the audience was predictable -- many experts firmly believe that software vendors should be further controlled by the government to make sure that breaches are rare and properly punished, and that the burden of enforcing privacy should not be on users.

I challenged this opinion by running a small impromptu poll with the audience. I asked two sets of questions:
  1. How many people are using GMail actively? And how many of them enabled two-step authentication and went to check if their account was compromised during the most recent leak of account passwords?
  2. How many people are using Facebook Messenger on the phone? And how many did review the end user agreement which grants this app unlimited access to camera and microphone?
In both cases, the number of raised hands decreased with each question in the set, highlighting the most important conclusion -- consumer behavior and attitudes to privacy in the cloud have changed. Even the experts who fully understand the risks and possible consequences of breaches are now less strict about sharing their private information or pursuing maximum available security.

Consequently, if the awareness of the privacy risks does not rise among non-expert users, it will become more and more difficult to prevent scandals like the recent celebrity photo hijacking. More importantly, simplifying the effort needed to ensure a good level of cloud privacy and safety for end users is a field abounding with good business opportunities.

Friday 12 September 2014

New app development features now available

By Martin Wilson, Appear

Quicker Setup

For the developers creating an app for the first time it is now much easier, with an automated set-up of the environment and basic “Hello World” application ready to go. This enables users to quickly get to know their way around the MobiCloud platform and how to prototype and test apps quickly. 
This helps with the iterative process involved in developing apps in an agile manner - develop - demo - develop more - demo etc.

Build and demonstrate “data sharing apps”

Developers that don't already have a back end system to integrate with their apps needn't worry – the cloud based IA (Integration Adapter) allows them to create applications where the same data sets can be accessed by different apps, different users and devices. This new feature allows the creation of “diary” apps, “note” apps and other data sharing apps without the complexity of having to create a data back end.
Apps for most simple use cases can now be quickly put together and demonstrated, without needing to implement a full backend IA. This starting point can be adapted and enhanced to create custom integration logic, using the backend integration kit (link to Appear's developer website)
Three illustrations of a ”to do list” app that use the new capabilities are available using any one of three different frameworks (link to actual code samples stored on Github):
Appear is developing more tutorials that will explain how to get the most from the new features in the coming days.

The continually evolving appeariq.com developer site explains in detail the AppearIQ technology behind the MobiCloud project. For the full feature list of what’s new in AppearIQ 8.1.1 click here

Tuesday 26 August 2014

What the Mozilla EUR 25.00 smartphone means for Enterprise Mobility

By Martin Wilson, Appear
Mozilla has just announced a new smartphone costing just twenty-five euros in India. This is an incredible 1%-2% of the price of a ruggedized Windows PDA-type device that is still used in many Enterprise Mobility environments. The device will include up to 4GB memory, Bluetooth / Wi-Fi and dual-SIM, which should be more than enough to support enterprise applications.
The product is one of the first cheap devices running the Firefox OS and aside from bringing the benefits of smartphone technology to consumers it will also likely offer up a whole new range of opportunities for business applications in the Asia region and beyond that until now have been impossible due to the cost of devices.
Current application developers will be looking at the launch with interest – the Indian market is still relatively untapped and potentially huge. Many current smartphone applications may not easily work with the devices. Firstly many of the applications that have been implemented using native Android or iOS SDKs will need to be re-implemented. Secondly – as the devices are intended for markets that currently are dominated by so-called “featurephones” which only offer limited internet accessibility there is the medium term issue of a lack of internet connectivity in the networks to consider.
If the device and the operating system prove popular it will support the ecosystem of HTML5 developers and container-based Enterprise Mobility solutions - such as those enabled by the AppearIQ mobility platform, which is the technology behind MobiCloud.
The ability of applications to work in offline environments (later synchronizing through the platform when connectivity is available) and in a secure container separate from other consumer applications is a key benefit for developers to consider using the platform.

Monday 30 June 2014

Appear Launch IQ 8.1

MobiCloud lead partner Appear Networks just announced the public launch of Appear IQ 8.1 – the latest version of the mobile application enablement technology which is powering the MobiCloud project.


The Mobicloud platform is now open to all developers, ISVs, Integrators and other software development organisations. ISVs (such as Nettropolis who are delivering their MobiCloud project for the public transit market in Germany) have already been using the platform to deliver professional mobility solutions to their customers - extending their existing software platform or building new propositions. 

Appear IQ enables the creation of professional looking, enterprise-grade mobile apps that are easily integrated with existing B2B/B2E software and distributed to end users. 

Appear IQ 8.1 includes a new Mobile SDK that simplifies the development of hybrid containerized HTML5 apps, a new Integration SDK to enable the apps to integrate to IT systems seamlessly without impacting the existing software, Support for PhoneGap / Cordova apps and a new community website with example code fragments, templates and more.

The new community website is designed around the expectations of developers - providing full documentation for the MobiCloud technology.

To learn more and to sign-up for a free user account development teams are invited to check out the new documentation site at appeariq.com.

Monday 23 June 2014

MobiCloud Site Diary Development

By Mark Collier

The first version of the site diary application has been available for a while now with over 70 commercial users trialling the app and the platform, across multiple sites and devices.


We have had great feedback about the look and ease of use of the application and some brilliant suggestions for improvements and additional features. Development on Site Diary has continued and it has grown from what was initially a fairly simple application to something much more sophisticated.

The latest release sees the following upgrades and new features - in some cases made possible by improvements to the platform which we are also continuing to develop.

Use it from a PC

We have added a Back Office Event Creation Page which allows users to input events directly from a PC. This can be preferable to using a mobile device when in the office. It also makes it easier for a whole site to reap the benefits of Site Diary when not all users have access to it via a mobile device. Feedback shows this can be the case where an employer is unable to provide all staff with mobile devices and individuals opt to use their own personal devices to access the system.  


System Resilience

We have made improvements to the login and inactivity logout behaviour, especially on Internet Explorer. This should improve the experience for users of the back-office solution.

Android Container Improvements

Site Diary was initially released on iOS, and the Android version which was recently made available contained some bugs. These were not with the core application, thanks to the hybrid HTML5 development, but with native Android features. The new release addresses issues with screen orientation and improves the data synchronization.

+7 Days Event Retrieval

One indication of the success of the application has been the large number of events that are being recorded per site. This is much higher than originally expected and has led to performance issues on some sites where data rates are low, due to the amount of data being downloaded. This has been addressed by automatically syncing events from the last 7 days only onto the device. Older events can still be retrieved on-demand from the cloud as required.

Global Weather Support

Another sign of success for Site Diary is the number of trial signups from outside of the UK. Consequently the automatic weather reporting feature has been modified to be able to access weather information from anywhere in the world - with the added benefit of improved accuracy within the UK. The ability to select local units (Celsius/Fahrenheit and miles per hour/metres per second) has also been added.

Work on the Site Diary continues and we hope to give you more updates soon. In the meantime you can still try the app for free by signing up on the MobiCloud website.

Friday 6 June 2014

The dream of an agnostic smart device world

By Mark Collier

Given recent news stories rolling around it seems there is an ever increasing demand for device agnostic solutions when it comes to smart devices. As consumers I expect we can all go through our list of devices and count a multitude of things on each device that we wish we could use seamlessly on all of our other devices.

Device agnostic solutions are greener...
Personally I have just upgraded my iPhone and now have the task of ensuring that I carry two charging cables, plus my laptop charger and my work phone charger with me everywhere I go. It’s a good ploy to get me to upgrade my iPad every time I forget one of the cables.

Luckily as far as chargers go, the end is nearly in sight. Back in March the EU overwhelmingly backed a resolution that will make it law for smart phone manufacturers to produce devices with a common charger by 2017, hallelujah! Not only will this make my bag lighter but it is estimated to save around 51,000 tonnes of electronic waste a year. It might also surprise you to know that Apple was one of the original signatories to the agreement with manufacturers back in 2009. Unfortunately it would appear that some aspects of technology still change very slowly.

This brings into question whether other things such as Apps will ever become device agnostic, making life easier for app developers and consumers alike. Wouldn't it be great if you could have one device and know all the Apps out there are at your fingertips? Or will we move closer and closer to a world where you pick your device based on the Apps you want to use? - much like picking a games console because you want to play Metal Gear Solid and Gran Turismo or Halo and Race Pro (easy choice on the racing front).

Postgrad researchers at Columbia University have been trying to overcome the nagging issue of not being able to access flash content on an iOS device or iTunes media on an Android device. The project, named Cider, looked to avoid the usual performance problems associated with virtualization and use a translation to alter iOS instructions to run on an Android device. The video of Cider in action seems to show it working nicely although many of the comments point out some of the flaws around speed and the use of native features.

This does raise the question though; will we ever see a day where Apple and Android work together for the benefit of the consumer? I doubt it, but we may be moving towards a world where at least the consumers don’t have to make a tough decision. For now though it still seems the cleanest, cheapest way to be device agnostic is hybrid development. This means making the most of device agnostic technologies such as HTML5 for App development and only using native code when absolutely necessary - which is the approach that MobiCloud has adopted. Perhaps we should also design a charger...

Tuesday 20 May 2014

Data Protection - Unsafe Harbours

By Jason Scott

With increasing reliance on cloud-based services and the ability for data to be resident anywhere in the world, the EU's approach to personal data protection is under threat. This post considers the history to that approach and some of the issues raised by recent revelations.



A European Perspective

With the rapid increase in electronic processing of data during the 1970s, concerns started being raised within Europe about the proliferation and potential misuse of personal information. Data on individuals was being aggregated, communicated and used for a rapidly expanding number of purposes – such as credit worthiness checks, employment and insurance background checks and a booming industry in direct marketing. For cultural reasons financial and medical information was considered to be highly personal but at the same time was among the most valuable for marketing purposes.

Consequently countries within Europe began enacting protective legislation. The details varied but there was consensus on many of the underlying principles. Individuals should be able to know what personal information was being held about them and why, be able to challenge and correct it and to prevent it from being passed on or used for other purposes without their consent.  

Concerns were not just limited to commercial organisations. Many countries in Europe have an uneasy history with the use of personal information by governments for surveillance and there were worries about the misuse of data regarding political affiliations or activities. In the United Kingdom these concerns led to the Data Protection Act of 1984 – ironically the same year as the title of George Orwell’s dystopian novel in which Big Brother exercises almost total surveillance (and thus control) of the population.  

The EU Data Protection Directive

As the practice of companies out-sourcing their data processing to third-parties became more prevalent, there was also concern about the transfer of personal data to other jurisdictions. Increasingly data was being processed in countries other than the one in which it had been collected and where it might not be subject to the same legal protection.  

In 1995 the European Union ratified the Data Protection Directive which required all member states of the European Economic Area (EEA) to incorporate a number of rules (agreed by consensus) into their own data protection laws – thus establishing a European-wide minimum level of protection. In the UK this took the form of the Data Protection Act of 1998, which came into force in 2000.

There are eight principles which underlie EU data protection. Personal data is defined as any data that can be used to identify a living individual and broadly speaking must be:
  1. fairly and lawfully processed
  2. processed for limited and well defined purposes
  3. adequate, relevant and not excessive
  4. accurate and up to date
  5. not kept for longer than is necessary
  6. processed in line with the rights of individuals
  7. stored securely
  8. not transferred to a country that has inadequate data protection controls
Number 8 in this list led to a big problem. There were many countries in the world that did not meet the EU standard for adequate data protection and one of them was the USA.

EU/US Safe Harbour agreement

The USA was and is a major trading partner for the EU and also provided many of the data processing services that EU companies wanted to use. There was no way that the USA was going to change its legislation to meet European standards, so in the grand tradition of politics a compromise was reached.

The EU and the U.S. Department of Commerce negotiated a Safe Harbour agreement (or “safe harbor” if you are on the other side of the Atlantic). This was a framework by which companies within the USA could be certified as providing sufficient data protection measures to meet EU standards, but without such measures being required by US law. It would then be legal for EU companies to pass personal data to companies in the USA that were on the Safe Harbour List.

The Safe Harbour agreement was not without its detractors. In particular there were concerns that it was a self-regulated system – albeit managed by the Federal Trade Commission (FTC) under the oversight of the U.S. Department of Commerce. There was no system of mandated compliance checks (companies could self-certify) and enforcement would be largely complaint driven. However, after much debate it was finally agreed to by the EU in 2000.

The Patriot Act

A year later the dreadful attack of 9/11 happened and just over a month after that the PATRIOT act was rushed through Congress. This anti-terrorism legislation covered many areas but one of the things it allowed was for the US government to inspect the data held by any US company or wholly owned subsidiary – regardless of the Safe Harbour agreement.


This raised a potential issue. While all European countries have laws that provide for access to personal data for state security purposes, the powers afforded by the PATRIOT act appeared to be broader and to have a lower threshold of “probable cause” than would be permitted in Europe. This meant that personal data held in a Safe Harbour company could potentially be accessed in a way that would be illegal in the EU – effectively subverting the Safe Harbour agreement.
   
However, despite this and its self-certification weakness, the Safe Harbour agreement seemed to work reasonably well. The FTC did indeed take enforcement action against companies or organisations that were found to break the rules and the rapid growth in cloud-based services meant that large volumes of EU personal data were held in the US or by US based companies.

Edward Snowden & the NSA

Then in 2013 a disaffected former employee of the USA’s CIA and contractor for the National Security Agency set the cat among the pigeons. Edward Snowden’s revelations demonstrated that the NSA was carrying out systematic and wide-reaching surveillance activities on a huge scale. While many of the NSA’s activities were clearly legal in the USA, others were questionable and one has since been ruled unconstitutional by a US judge.

In addition to the significant damage done to the USA’s relationship with its allies and partners, the revelations re-focused attention on the Safe Harbour agreement with concerns about the US’s regard (or lack thereof) for EU citizens’ data.


For example, among the many revelations was the fact that the NSA was secretly accessing Yahoo and Google data centres by tapping into undersea cables in order to collect information on hundreds of millions of accounts. Leaked NSA documents mention “bulk access”, “full take” and “high volume” with regard to such interceptions. This kind of dragnet approach to surveillance is highly problematic for the EU – particularly with regard to data protection.

The revelations prompted the European Commission to carry out a review of the Safe Harbour agreement and earlier this year the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee backed a call for its “immediate suspension”.  The EU’s Justice Commissioner, Viviane Reding, threatened to do just that if the US fails to take action to address concerns by the summer of 2014.
“The Commission has made 13 concrete recommendations... Safe Harbour has to be strengthened or it will be suspended.”
Such a suspension would have a big impact on US based cloud service providers, who have already seen a significant decline in business associated with a loss of trust following Snowden’s revelations. However, it would also have serious consequences for the many EU based companies who currently hold personal data in US companies.

Access to Data held in the EU

To make matters worse for EU companies holding data in the cloud, it has become clear that data being held by US companies physically outside of the US is not safe from the PATRIOT act (as had often been assumed). Because the act applies to all US companies or wholly owned subsidiaries it can be used to force an EU based company, such as Microsoft UK or Amazon Ireland, to hand over its data to the US authorities. 

In such cases there may be legal conflicts between US and local legislation, but statements from companies such as Microsoft and Google as well as from the Information Commissioner's Office for the UK, make it clear that EU based US wholly-owned subsidiary companies are vulnerable to the PATRIOT act.

The Safe Harbour agreement in its current form actually increases this vulnerability, since an EU based subsidiary can legally transfer data to its parent company - if that company is registered under Safe Harbour. Once the data is in the US it is entirely within the scope of the PATRIOT act.


Data held outside of the US may also be vulnerable via other means. A US judge recently ruled that Microsoft must provide emails that are held on a server in Ireland. Details of the emails were requested via a US search warrant. Ordinarily such a warrant would not be enforceable outside of the US, but the judge ruled that it should be treated in the same way as a subpoena for documents. Under US law that means it applies regardless of where the documents are held. Microsoft is challenging the ruling.

Consequences

At the moment there is a lot of uncertainty about data protection and the status of personal information held in the cloud. Because the USA is home to the largest cloud storage and service providers it has been the focus of much of the debate - but many of the legal issues and concerns apply equally elsewhere. This includes countries and organisations within the EU itself, such as GCHQ in the UK and the role it has played in the NSA's surveillance activities.

What is almost certain is that there will be changes to EU legislation on data protection at some point and probably changes to the Safe Harbour agreement.  There have been calls to reduce EU dependence on non-EU cloud service providers by developing its own infrastructure and this is likely to continue. It is conceivable that some US companies could partner with companies based in the EU to avoid the "wholly owned subsidiary" aspect of the PATRIOT act. However, doing so might be viewed very negatively by their home markets in the US, so may not be tenable for many of the well-known names.

What is your view?

At MobiCloud we would be very interested to hear whether these issues are currently a concern for companies considering enterprise mobility applications. They may even be seen as an opportunity for European cloud infrastructure providers. For some companies using cloud-based solutions the issues may be almost academic. If you are already in the cloud to stay then do you have other more prosaic or pressing security concerns? Please let us know.





Thursday 8 May 2014

Jailbreaking and BYOD

By Marcin Lukow of Appear Networks


With an increasing acceptance of BYOD (bring your own device) there is growing scope for conflict between personal freedom and corporate responsibility.


According to recent statistics, 23 million mobile devices currently in use are jailbroken and the number of users deciding to use an alternative to Apple’s App Store is constantly growing. Every release of a new Apple device brings up the topic of jailbreaking in the context of security. It is next to impossible not to at least hear about the process, but what exactly is a jailbreak?

In 2007 a group of engineers called the iPhone Dev Team, as a reaction to Apple’s hermetic software ecosystem, released a tool which made it possible to install third-party applications on the first iPhone – i.e. applications not approved by Apple and not bought via the Apple App Store.

The tool took advantage of a security flaw in the iPhone’s operating system (iPhoneOS, renamed iOS with the launch of the iPad) which allowed it to run with far greater rights than it should have been able to (a privilege escalation attack). It then used these rights to break out of a BSD jail – the system the iPhone used to stop applications gaining full control of the device. It was this that gave the name to the process. Other ecosystems use different names for doing the same thing - on Android it is called “rooting”.

Since then Apple has made a constant effort to improve the security of their operating system in order to make jailbreaking impossible. However, hackers have kept pace and new releases of iOS are quickly followed by new versions of jailbreaking tools. It took just 3 months for iOS 7 to get cracked.


For most people Apple’s App Store is a sufficient source of applications. However, some users do not like being limited by Apple’s strict policies on what software can be installed or what preferences can be changed on their mobile phones. There are unofficial applications that mimic the Android home screen, blacklist unwanted phone calls, enable tethering without carrier consent or give access to hidden settings that allow users to customize their iPhone experience far beyond Apple’s intentions.

In 2010, as part of their review of the Digital Millennium Copyright Act, the U.S. Copyright Office introduced an exemption for the jailbreaking of smart phones – essentially making it legal (a corresponding EU directive was published in 1991). This provided users with an additional incentive for unlocking their devices but does legal and fun mean safe?

The probability of a user installing a malicious program from an unverified supplier is much higher than when using the official Apple App Store. Data protection provides a good illustration of the risk. One of the file security modes on the iPhone is to protect the data until the device is unlocked using a PIN code. It would be unfeasible to brute force PINs using the standard login screen because the device gets wiped after a certain number of failed attempts. However, it is possible to programmatically check all 9999 combinations by bypassing the login screen and using a private API (application programming interface). Use of this is prohibited by the Apple App Store rules.

Although there are cases where such applications have been accidentally accepted on the Apple App Store, they are quickly pulled when the concealed functionality is discovered. Users installing apps from outside of the App Store have no such protection.

Another more sophisticated, yet equally viable example is a hidden process running in the background of the device and sending sensitive data to unauthorized third parties. Preventing this might be essential in a BYOD situation where sensitive business data has to be distributed to employees. One possible solution would be to encrypt the data independently of the operating system, but with a jailbroken device it cannot be assumed that the encryption functions have not been replaced with malicious counterfeits or that the encrypted files will not be transferred to a much more powerful computer and decrypted anyway. 

The risk persists even if a jailbroken device itself does not store the data but has access to a corporate network. Using commonly available tools it is possible to turn such devices into "sniffers" to provide hackers with confidential and potentially useful information about the network infrastructure.


Unsurprisingly security is the first and most important point cited by Apple with regard to unauthorized modifications – although one might assume they are also concerned about losing App Store revenue. Jailbreaking tools have been made extremely easy to use and even casual users are just a few clicks away from breaking open their devices. After cracking it is not possible to install official updates without removing the jailbreak, which means that vulnerabilities used to break into the system remain unpatched. Some tools used to crack into the iOS also close the security holes but this is not always the case, leaving the device open to further attacks.

The question arises of whether there is something that can be done to mitigate the risk of jailbreaking in a BYOD scenario. The most obvious defence is to prevent jailbroken devices from accessing sensitive data. There are mobile device management systems (MDMs) that try to detect whether the devices they are managing have been jailbroken or rooted, but they are not 100% accurate. There are even countermeasures that can be applied to a jailbroken device to make it appear legitimate to an MDM (jailbreak jammers).
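
One way to act on this on the server side, as an added example that is not from the original article or from any MDM product: because the jailbreak flag can be wrong or masked, the gate also requires a recent OS version and a fresh check-in, and denies access on any doubt. The record fields, thresholds and sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy values for illustration; not taken from the article.
MIN_OS_VERSION = (7, 1, 0)             # oldest OS release the organisation accepts
MAX_REPORT_AGE = timedelta(hours=24)   # oldest MDM check-in the gate will trust


@dataclass
class DeviceReport:
    """Hypothetical posture record as an MDM server might store it."""
    device_id: str
    os_version: str                      # e.g. "7.0.4"
    jailbreak_detected: Optional[bool]   # None: the agent could not decide
    reported_at: datetime


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.1' or '7.0.4' into a comparable 3-tuple; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    numbers = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (numbers[0], numbers[1], numbers[2])


def access_decision(report: DeviceReport, now: datetime) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any doubt counts against the device (fail closed)."""
    reasons = []
    if report.jailbreak_detected is None:
        reasons.append("jailbreak check inconclusive")
    elif report.jailbreak_detected:
        reasons.append("jailbreak detected")
    # Independent signal: a jailbroken device cannot take official updates without
    # removing the jailbreak, so it tends to fall behind even if it hides the flag.
    try:
        if parse_version(report.os_version) < MIN_OS_VERSION:
            reasons.append("OS older than minimum version")
    except ValueError:
        reasons.append("OS version unreadable")
    age = now - report.reported_at
    if age > MAX_REPORT_AGE or age < timedelta(0):
        reasons.append("posture report stale or from the future")
    return (not reasons, reasons)


# Constructed sample data, not real devices.
NOW = datetime(2014, 5, 8, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    DeviceReport("dev-a", "7.1", False, NOW - timedelta(hours=2)),
    DeviceReport("dev-b", "7.0.4", False, NOW - timedelta(hours=1)),  # clean flag, old OS
    DeviceReport("dev-c", "7.1", None, NOW - timedelta(hours=1)),
    DeviceReport("dev-d", "7.1", False, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.device_id, access_decision(r, NOW))
```

Device dev-b shows the point: its jailbreak flag reads clean, yet it is still refused because it has not taken the update the policy requires.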


A more effective approach, as with many security issues, is to address user behaviour directly. Jailbreaking can be discouraged by raising security awareness among users and pointing out that the risks significantly outweigh the benefits – especially since many of the desired Apps or changes find their way into an official version sooner or later.  It is also important, if possible, to keep up to date with the new versions of the operating systems and install them as soon as they get released. It does not render the devices jailbreak-proof and it can sometimes introduce minor problems, but it definitely makes it more difficult for hackers.




Tuesday 29 April 2014

The Mobilization Hierarchy of Needs

By Martin Wilson of Appear Networks

Abraham Maslow first proposed his theory of human motivation  more than 70 years ago and it is still a popular meme used by colleges and business management today. The original theory proposes 5 levels of human fulfilment that start with basic physiological needs (eating, breathing), progress through social status (friends, respect) and end with self-actualisation (creativity, talent). It is usually depicted as a pyramid with the most basic need at the base. More broadly in business Maslow “re-mixes” are used in many different ways – for example to talk about how work environments can meet the needs of employees or how products can meet the needs of customers.


When faced with implementing a mobile project we can utilise the same approach and consider a Mobilization Hierarchy of Needs. This is a useful exercise whether you are an independent software vendor (ISV) or an organisation looking to develop (or have someone develop for you) a mobile application to add to your armoury. The Mobilization Hierarchy of Needs starts with cost and rises through timing, risk, quality and innovation.

1. COST – The need to limit costs

Most software companies or IT departments will have a budget that is already sized according to existing needs. Extending that budget to include development of a mobile application may be a challenge. Then there are the make or buy questions – whether to buy-in expertise or components of software or implement in-house. This is a delicate balance. Mobilization will take resources away from core business. Which mobile devices will be supported? Developing for multiple platforms can get expensive and then maintaining the resulting apps as those different mobile platforms evolve is even more expensive.

2. RAPID – The need to shorten time to market

A big new challenge to existing established ISVs is the “Mobile First” competitors. These companies have sprung seemingly from nowhere in the past 2-3 years with “mobile” as their focus. Everything they do is around ensuring the mobile experience for their customers is perfect. Users are being seduced by the simple experience of using mobile devices to meet their business needs and if you are an ISV you are probably already being asked when your “mobile app” will be ready. The quicker your mobile app can be delivered the shorter the time to profitability and the greater the chances are that the future of your business is secured.

3. RISK – The need to minimize the risk of failure

Taking on a mobile project involves some risks. Is your team equipped with the right skills? They can learn, but the experience of learning will have a cost which may not be forecast in your project. Will the mobile applications you deliver meet the expectations of your customers? What about the different mobile operating systems? Will your application be cross-platform and work on all the different operating systems? Which platform to choose first? How can you avoid some of the most common mistakes? Mitigating project risks is an important way of increasing the odds of a successful investment in mobile.

4. PRO – The need to deliver a professional solution

In order for your application not to disappoint it will need to meet professional standards – including your customer security requirements, users’ usability expectations, availability and reliability considerations. If this need is not met there is the risk that your established software business could be impacted by the poor reception given by your new mobile user base.

5. “I” – The need for innovation

Ensuring your existing products extend to the mobile realm is an effective way to keep your new “mobile first” competition at bay – they will be focused on building the “shiny” mobile part without their back-end being established. But having a mobile solution will push your proposition into new markets. Being able to use your new found mobile reach to create whole new propositions is an important source of differentiation and will help you stay ahead, and by carefully exploiting new device functionality, form factors and operating system capabilities there will be plenty of scope for meeting the need for innovation.

MobiCloud


The MobiCloud platform uses Appear Networks’ technology to make it easier to address all of these needs. Applications can be rapidly developed at reduced cost by intrinsic cross-platform support and cloud hosting. Risk is reduced by using proven platform capabilities and rapid deployment allows development to be done iteratively (an “innovation discovery process”). The cloud hosted Backend-as-a-Service (MBaaS) model enables the rapid testing and delivery cycles necessary to achieve this.

For more information about MobiCloud and how you can participate, please visit our website and consider joining our partner program.