Thursday, November 10, 2011

Mobile Talks

I attended two talks this morning related to the mobile space.  The first focused on determining whether your mobile browser is secure, and the second concerned HTML5 and mobile browsers.  I'll summarize them both here.

Is Browsing the Internet on your Mobile Phone Secure?
Chaitrali Amrutkar, Georgia Tech

Chaitrali's research focuses on the security of various mobile browsers.  I was impressed that she covered 90.5% of mobile browsers in the market in her study, in which she evaluated three major areas of security:
  1. User Event routing: Overlapping elements in the browser can be a hazard; the study found that in mobile browsers in general, the event routing is inconsistent, which means that sometimes the user may think they tapped the top-most element on a webpage, but actually a hidden element beneath it was tapped instead.  This opens the browser to potential attacks such as cross-site log-in attacks, which allow an attacker to phish the user and log the user in with the attacker's credentials.  The attacker can then monitor the user's actions on the web.  Vulnerable browsers were Android (both mobile and tablet).
  2. Boundary Control: Here the related attacks were display ballooning and password control.
  3. Navigation: Here the top-level frame navigation policy allows a top-level frame to be navigated by any of its descendants regardless of their origin.  This is by design in all mobile browsers.
The researchers conclude that mobile browsers are not the same as desktop browsers; mobile browsers fail to provide similar security guarantees as their desktop counterparts.  Also, the blind adoption of all widely deployed policies makes all mobile browsers vulnerable.

The Power of HTML5 on Mobile
Matt Kelly, Facebook

Matt gave a very nice talk on HTML5, which he presented as consisting of HTML, JavaScript, and CSS.  HTML5 is a new technology, with several interesting aspects:
  • cache manifest: files can be downloaded and served when the user is offline.  This has efficiency benefits too.
  • local storage
  • canvas: allows pixel by pixel access to the DOM and allows you to create rich apps like games.
Some examples of apps that use these features are Gmail, Facebook, and Words with Friends.

So, why HTML5?

Right now, if you want to share the app experience, you need to have the same experience built for the same device across your friends.
  • you currently need to develop for multiple platforms with multiple languages
  • HTML5 allows ONE codebase and you can deploy to any device
  • Facebook is working on 'Faceweb', a horizontal approach, using HTML5 to build apps that work on any device
Matt described coding a web app as a paradigm shift in that data is thought of as separate from layout.  You can add local storage or hash manifests.  Only loading data minimizes data sent to client over the wire - something I think will be useful going forward given that unlimited data plans are being phased out.  Another interesting thing is that this lets you eliminate zooming, something which is nice for tablets.
