I don’t recall the first time I heard VMware say they were working on virtualization for phones. I do recall my response then, and it’s the same as today. Actually, my response is even more focused today. It’s a silly idea that nobody will buy. More importantly, it’s completely the wrong approach to solving any security issues with smartphones today.
I’ve been a huge fan of VMware for many, many years (it goes back to when I worked at Microsoft, ironically, before we had acquired the Connectix technology). I still use their Workstation product and use Fusion at home on my Mac. But I think that virtualization has no role in smartphone security – at least not on the phone itself.
VMware isn’t the only company proposing this; there is at least one more I’m aware of, and there will be others. And why not? How hard is it to shim a hypervisor down next to the processor and run two OS images? Can’t be that hard. But it’s nonsensical, inefficient, and user-unfriendly. It’s parlor tricks where real solutions are needed.
The iPhone is where it is in the market because it simply breaks down user experiences into distinct tasks. To use the phone, you use a Phone app. To listen to music, you launch a Music app (iOS cleaved the “iPod app” in two on all platforms as it had been on the iPad). Video, Contacts, Clock… it’s pretty logical. So why on earth would any consumer within an organization want a schizophrenic phone with two places to do everything? Consumers don’t want to dual-boot devices – most haven’t ever done it with a PC or Mac, and most won’t want to do it with a phone, and remember that it’s consumers making purchasing decisions here, usually not the IT org. That’s not likely to change anytime soon.
These VMware approaches only work on Android devices today, since Apple has wisely chosen to tightly control the entire platform, and Microsoft is largely mimicking this behavior, though partnering with ODMs to build their own hardware (it’s unlikely Microsoft would take well to a Windows Phone 7 device that dual-booted with Android or a second instance of WP7 – it’s a crappy user experience).
Instead of trying to consider end-user-hostile approaches that make the device less usable by feigning security, people should be focusing up the stack. iOS doesn’t need this technology. By requiring signing and approval of apps, Apple may be deemed draconian by some, but the alternative is the wild west of the Android Marketplace, where you’re just as likely to find a great game as you are to get shot (okay, metaphorically – but you’re likely to become a crimeware victim).
By focusing on the platform, signing applications, providing hardware encryption, running applications in their own silo with their own data stored there, and enabling strong passcodes, remote wiping and profile management, Apple has prepared a platform that is far more enterprise-ready than many may give them credit for – WP7 is largely mimicking most aspects of this ecosystem for the same reasons (don’t get me wrong, iOS management is far from perfect). With Android, Google has left the platform without strict reins, and unfortunately this causes approaches such as a hypervisor to create work/home personalities to make some modicum of sense, as it provides a layer of security below a platform facing threats on all sides. But organizations who think this makes sense are doing their end-users no productivity favors – and that should always be their penultimate concern.
Look at Amazon – they are following in Apple’s footsteps to create a marketplace of legitimacy for the same reasons. Consumers want (and deserve) to feel safe. But creating two personalities on one phone? Ridiculous. It’s inefficient from a usability and power/processor perspective, and is totally end-user hostile.
Rather than focusing on security at the loader/kernel level, VMware and other vendors would do far better by showing more concern for (and understanding of the dynamics of) the consumer as an IT driver. Focus on the App. Create a platform to make Apps secure and manageable. Stop focusing on the kernel. Stop focusing on “stupid hypervisor tricks”. Virtualization has a huge, invaluable role in the data center, even on developer and IT admin workstations and some consumer desktops. But it makes no sense on smartphones. Virtualization is not a solution for smartphone insecurity. Thinking of the platform holistically and focusing on solving the problems where the actual problems exist in the platform is critical, and will be the only way to build usable, workable solutions that don’t compromise the unique value and user dynamics of today’s smartphones and tablets.