Category Archives: iPhone

Hey kids, let’s go to Dubuque!

Posted on by
Reply

When you travel somewhere, especially somewhere new, somewhere eclectic – do you ever buy your airline ticket, hop on the plane, and eagerly look forward to planning your activities once you arrive?

No. No, you don’t. You plan a trip, buy tickets, get everything lined up long before you go. It’s been my contention for some time that buying a new computing device – smartphone, tablet/slate or other, is just like taking a trip. Also, unlike years ago where when we bought a computer, it was guaranteed to come with Windows and run all the old apps that for some reason we hang on to like hoarders on a TV show, today’s new devices come with a Baskin-Robbins assortment of operating systems – none of which will run Windows applications as-is (and that’s fine, as long as enough other apps are actually available for the device being considered).

With all due respect to the people of Dubuque, I call the act of buying a device without regard to how you’ll actually use it, “taking a trip to Dubuque“. I have been to Dubuque once, briefly while moving cross-country, but I can’t speak with authority as to the activities that avail themselves there (I’m sure there are some fun and interesting things to do). But having come from a similarly small town in Montana with a less catchy name, Dubuque works better as a destination that you’re going to want to plan for before you arrive, or you might be a little bored.

I was a fan of Microsoft’s Tablet PC platform when it first came on the scene – in fact my main computer at Microsoft for almost two years was a Motion Computing “slate” device (not a convertible, though I did order a Motion USB keyboard too). Unfortunately, my experience was that handwriting recognition, though handy, wasn’t perfect – and with my horrible handwriting, resulted in an archived database of my handwriting, not anything searchable or digitally usable. In essence, OneNote and a few drawing applications ( I didn’t have Photoshop, but surely it would be useful as well) were the only real applications that took advantage of the Tablet PC platform. That hasn’t changed much. Today the main reason why you’d buy a Tablet PC running Windows 7 is for pen input, not broad consumer scenarios (Motion Computing, which still makes great hardware has become soley focused on medical and services for exactly this reason). Though Windows 7 actually does have full multi-touch gesture support, most people don’t even know this, as witnessed during a recent webinar we had at work where people asked when Microsoft would introduce a version of Windows with touch support (they already do!) - and few applications make the most of it. I haven’t tried using Microsoft Office 2010 with a touch-focused PC, but I can’t imagine it being a great fit. Office, to date, is written to be driven via  a mouse (or a stylus, acting as a proxy-driven mouse). Touch requires a very different user interface design.

The iPad was successful from day 1 because it took advantage of the entire stable of iPhone applications, and simply doubled their resolution (to varying success), and used that to cantilever into motivating developers to build iPad optimized applications. No Android slate has established anywhere near the same market, most likely because of this aspect – when you get the device, what do you do with it? Sure. You’ll browse the web and check email. What else? How many consumers really want to pay $800+, plus data plans for a device that can just check email and browse the web? That’s not very viable. Today, HP announced new, pretty good looking all-in-one TouchSmart devices. Though one section of that article mentions them being consumer focused, the article ends with a fizzle, stating the systems are “designed with the ‘hospitality, retail, and health care’ industries in mind”. Yes, that’s right. Without a stable of consumer-focused multi-touch applications, devices like this, as great as they may sound at first glance, become just simple all-in-one PC’s for most, and touch-based only when damned into a career within a vertical industry with one or more in-house applications written just for touch, that they’ll run day in and day out until the device is retired.

It’s quite unfortunate how touch hasn’t taken off in Windows. ISVs don’t write apps because there aren’t enough touch-based Windows computers and no way to monetize to the ease and degree the Apple App Store has enabled, and yet people don’t buy touch-based Windows PCs for the same reason they don’t buy 3D TV’s – it’s a trip to Dubuque. Like most consumers, I’m not going to buy a ticket there until we’ve got some clear plans of what we’re going to do on the trip.

Unlimited – for a limited time only

Posted on by
Reply

Know what a loss leader is? It’s something you give a way at or below cost in order to get feet in the door of your store or to get people clicking through to your website.

Enter the word, “unlimited”. Really now. Not many things are actually unlimited. Stars and planets exist for a long time, but unlimited? No. The universe goes on for quite a long distance – as a species, we’ll likely never know the answer to the question of, “is the universe finite or infinite” – so even our universe may not be “unlimited”.

I’ve been known to say, “if something advertises itself as being ‘green’, it probably isn’t”. Not always true, but a good rule of thumb to ensure you always question, “is it really?”

In the past two years, we’ve seen AT&T  move from selling tens of millions of iPhones with unlimited data to a new model with a capped 2GB a month, plus overages. You can’t even get unlimited unless you’re grandfathered in under an old unlimited plan. Bear in mind, 2GB is a LOT of data for most consumers to burn through in 30 days on a phone (even a really smart one), and I have to work really hard to try and bust through the 2GB cap in order to self-validate having the retained unlimited plan.

Verizon? Yeah – they have unlimited for the new iPhone – but that is just to lure people like me away, and will end in time.

I noticed Mozy, the popular online backup utility, ended their unlimited backup plan.

I’ve noticed a growing trend of seeing “unlimited” as a loss leader to get people hooked into a subscription product, only to see the model change at a later date. I’m not necessarily calling this a bait-and-switch, since many companies handle the transition well, grandfathering in the early subscribers who usually led to the services economics no longer making sense, as their demand on the service exceeded the supply that was within plan. But it is troubling to see so many companies throwing out the word “unlimited” as marketing bait only to lure you back in to a constrained model at a later date.

The reality is, unlimited isn’t unlimited – almost every service or product I can think of grows to the point where unlimited is actually available for a limited time only.

App Ideas – Parking finder

Posted on by
Reply

Name: Parking finder

Product: Mobile maps (iPhone, Android, Windows Phone 7, any other mobile device)
Problem: When looking up directions to a destination – why not provide parking resources too?
Proposed solution: You’re looking up directions to a theatre, pub, or some other venue that you want to go to – and almost any mapping software can get you there. But if you’re traveling to any densely populated area, such as downtown in a major city, a theme park, or other major destination – getting you there is only half of the battle. Where do you park?

  1. When looking up directions you should be able to specify include parking as an option, or set it as the default for your mapping product.
  2. Type in the destination.
  3. Click Route
  4. The directions include steps to get you to the destination by offering you nearby parking, which you can select and then be offered walking/bus/transit directions to get to your destination.
  5. Bonus points:
    1. Easy: Include options to categorize available parking by type:
      1. Street|Lot|Garage
      2. Free|Pay
      3. Cash|Credit
    2. Harder: Include pricing information
    3. Hardest: Include availability, and even offer the option to reserve a space using a credit card/Paypal.

Next time you go to a restaurant or concert, and you find parking a challenge, listen to the feedback around you – you’re not alone. I’ve noticed it’s a common thread that people have difficulty finding parking near their destination.

App Ideas – Route builder

Posted on by
Reply

This is the first post in a series I plan, outlining ideas either for modifications to existing products, or a desire for an entirely new product. As a product manager or program manager for almost 10 years, random ideas strike me at a moments notice, but I can’t productize everything I dream up. If I post an idea here, it is public domain.

Name: Route builder
Product: Mobile maps (iPhone, Android, Windows Phone 7, any other mobile device)
Problem: When you need to run three errands, why can you only put in one destination?
Proposed solution: Say you need to go to Target, your Chase bank branch, and a Hallmark store. Sure, if you’re in your home town, or going to stores you always use, it would be limited in use. But when going to stores, parks, or other destinations you dont normally visit or when travelling to other cities, it would be useful.

  1. Click Build Route
  2. Type in each of the destinations. I envision a spot for a single destination, with a + to append additional destinations.
  3. Click Route
  4. Route builder finds the most efficient route to visit all three of those destinations.
  5. Bonus points:
    1. I should be able to tell my mapping app my home address, work address, and add addresses of family members by way of the address book, allowing me to use them as a destination (or if I’m at one of them, the source).
    2. With any route, the user should be able to specify that they want to complete a round trip to their current location. In doing so, the route could be optimized either by the order I need or want to visit them, or by the most efficient route.
    3. I should be able to save a route for access later if I want to.
    4. This could easily be modified to append additional destinations after you’re on your way to destination 1.

As an iPhone owner, I’ve often wished for this functionality in the iPhone’s built in Maps application – and I doubt I’m alone.

iPhone Security

Posted on by
Reply

I like opening with that subject – because it’s two words that Apple seems to never want to see next to each other.

On Slashdot today, an article covered my friends from F-Secure discussing the barriers that are precluding the antivirus industry from making inroads in protecting iPhones from malware.

Indeed, they are correct, you cannot build A/V into the iPhone platform – the API is explicitly designed to forbid that. However, I have to counterpoint. I mentioned in a tweet several days ago:

The constraints keeping security s/w from diving deeper into the iPhone platform are the same ones precluding any need for them.

Yes, you read that right. I’m saying that the iPhone doesn’t need antivirus. Instead, Apple’s bigger problem is the lack of a mature platform management solution for the iPhone. Let me show you why.

When I went to Winternals, we rapidly discovered a giant chasm in security as Mark and I discussed how UAC (LUA at the time) would fall far short of creating a security boundary for Windows Vista (and continues to do so for Windows 7). The chasm is the latency between these steps:

  1. Exploit is identified
  2. Malware is authored and released
  3. Malware spreads
  4. Malware is identified
  5. Malware can be contained

You see, the flaw is that step 4 has to exist at all.

The fundamental flaw is blacklisting. Instead of fighting the good (but intractable) fight trying to identify all of the bad code, whitelisting relies on the premise that only known good, known trusted, code can start at all.

At Winternals, we created Protection Manager to respond to this hole in the security market. The key goals of the product were to only let known trusted code run, and to optionally run it with least privilege. In 2006, Microsoft acquired Winternals and, regrettably, discontinued the Protection Manager product. While Windows 7 features AppLocker, which theoretically applies whitelisting to Software Restriction Policies, I believe AppLocker has some fundamental shortcomings that I’ll discuss in a future post. Some aspects of Protection Manager, most notably the premise that a Digital Signature (code signing) is the best way of authenticating that code is:

  1. From a trusted source and
  2. Not been tampered with since publication

After Winternals, I worked on whitelisting again at CoreTrace, where the Bouncer product evolved to also recognize the importance of Digital Signatures, as one of the sources of Trusted Change. Only known trusted code is allowed to execute first off, and only code with specific properties is allowed to enable new code to be added to the whitelist.

Today, you hear mention all over the Internet of the rickrolling iPhone worm. Many have mimicked the code created on a whim by Ashley Towns, the worm’s creator. But the fundamental issue here isn’t the iPhone’s susceptibility to malware. Nope. Not at all.

You see, all existing worms that have compromised the iPhone rely on the fact that the iPhone must be both jailbroken and it must then have SSH installed, with an unmodified root password. Both qualify as best of breed “worst practices” from a security perspective.

In fact, those of us who haven’t jailbroken our iPhones (not arguing the ethics of that – that’s a separate conversation for another time) were not, and are not, susceptible at all. Why? Because the iPhone infrastructure as defined by Apple utilizes whitelisting. Only applications signed by software vendors that Apple has authorized (and that have signed the code) are ever countersigned by Apple and pushed through the App Store to be downloaded for purchase. Similar, but not as restrictive, constraints exist for Apple’s Enterprise program for application publishing.

To date, I have not seen any published malware that runs on an iPhone that has not been jailbroken or otherwise forced to run unsigned code (see Law #1 in the 10 Immutable Laws of Security. Any hack that does ever do so will rely on somehow compromising the signature infrastructure used for application publishing on the iPhone by Apple.

You may recall my original point – that the problem was the lack of enterprise management software of the iPhone itself. At CoreTrace, we were approached by an organization we were already working with that was realizing the growing number of Macs – and of even more concerning, the number of “rogue” iPhones (phones brought in by employees, and connected to the local wireless network and/or Exchange Server without IT ownership at any level).

The more we dug into it and researched, including the limited analysis necessary of the iPhone API and two fun, but largely circular conversations with Apple in Cupertino, the more we realized that they weren’t asking for, nor could we deliver (at least on non-jailbroken hardware) any form of “Bouncer for iPhone”.

Instead of security, the problem posed to an enterprise admin by the iPhone is that as an organization, you don’t need to control what is running on your iPhones from a “bad code” perspective, rather that the iPhone needs hardcore, Apple provided (and secured) management in order to control how “renegade” the devices themselves are. That means the ability to:

  1. Prevent connectivity of jailbroken hardware to an organization (Exchange, wireless, Bluetooth, or other)
  2. Prevent jailbreaking of connected hardware (or sever connectivity at a hardware level when it occurs)
  3. Explicitly control which Apple or Enterprise published applications can be downloaded or run on connected iPhones (don’t allow games, allow only these 10 applications, etc)
  4. Explicitly control the iPhone’s software image, configuration, and settings (much as Group Policy can do with Microsoft Windows systems) – NOT trying to reverse engineer how images get pushed out in a decentralized way via iTunes itself
  5. Explicitly control how applications can access any PII on the device or in documents (GPS location, email addresses, address book or call history info, etc)
  6. Explicitly control document DRM on the platform as IRM/RMS can do for Microsoft Office and Windows

Today (even following those conversations with Apple), KACE is the only vendor I’m aware of that performs any aspect of this kind of work, besides Apple’s weak Configuration Utility. KACE’s is very comprehensive – but both approaches suffer from the fact that they are after the fact management solutions, not built into the hardware and software of the iPhone itself.

From the time that I was at Microsoft, I kept hearing more and more “security experts” talk about how the impending doomsday was coming for handhelds. It still hasn’t really come. I believe that through their native use of whitelisting, Apple has fended this threat off for the foreseeable future for the iPhone platform. Instead, I believe that the biggest problem facing the iPhone isn’t “potential attackers” – there will be plenty of those – but their chance of success is very low.

Instead, it is the iPhone’s impending success eating into the enterprise market from the bottom up that is the problem. The lack of an enterprise management solution that is built into the deepest aspects of the system will not preclude the iPhone’s success at building up a rogue enterprise following. But it will both leave a bad taste in the mouth of the IT admins fighting the good fight to try and keep their organizations secure, and potentially introduce some bad compliance-related headaches in organizations already struggling to keep/retain compliance, due to the lack of DRM and platform control over the device itself and any information on it.

Apple itself needs to come to terms that the iPhone (and the Mac platform itself, frankly) need proper security and policy management at the lowest levels, or de-emphasize their viability as an enterprise platform on both counts.

Sorry for the length of this post – but this topic has been burning in me for a bit – I needed to get it all down for the record.