Apps Publishing Security Policy

BSkyB has become the latest high-profile victim of a security blunder which has caused them to suspend all their Sky Android applications from the Google Play app store.

The hackers would appear to have used a combination of phishing and social engineering techniques to compromise a trusted computer and steal corporate login details for third-party sites such as Google and Twitter.

The storefront for Sky’s Android mobile apps was defaced, with the app descriptions changed and screenshots replaced.

Sky Go defaced

To make a bad situation even worse for Sky, one of their official Twitter accounts was also compromised and the hackers used it to draw more attention to their handiwork.

skyhelpteam

Fuelled by the ‘official’ Twitter misinformation, customers were led to believe that the apps had also been tampered with, although this has been subsequently denied by Sky on their Help Forum:

We have temporarily removed our Apps from the Google Play store following a security alert.

All Sky Apps were unaffected and any Sky Android apps previously downloaded by customers are safe to use. There is no need to remove them from your Android device.

As soon as we have restored the apps on Google Play we will post up an update.

In a related security breach, Twitter has locked access to @SkyHelpTeam, which is why we are currently unable to tweet from this account. However, help and info is available via @SkyHelpTeam1Facebook and here on the Sky Help Forum.

The tweet that was made from the @SkyHelpTeam Twitter, in the early hours of Sunday morning, advising customers to uninstall their apps was NOT an official tweet from Sky. Twitter security immediately detected this rogue messaging and locked the account as part of agreed standard security process.

Sky have suffered this humiliation as a result of sloppy security practices. With a robust security policy the damage from this attack could have been limited or prevented entirely.

My recommendations for an apps publishing security policy:

  • Use a dedicated Google account for the Google Play Developer Console, not an account used for other Google services. Do not divulge the email address of this account.
  • Enable 2-Step Verification on your Google account and use Google Authenticator to login. Make sure that you properly sign out of your Google account when you have finished each session.
  • Only use a bookmarked https link to access the Developer Console. Never click on links contained in emails or on other web sites.
  • Tightly limit access to the Developer account. Only permit access to those directly involved with apps publishing, usually just the Apps Manager and their deputy.
  • Wherever possible use a separate private key to sign each application – see the Signing Strategies section of Android Developer Tools. This limits the damage should the private key for an individual app be compromised, since the attacker can then only push updates for that one app.
  • Store your signing keys securely, preferably using a hardware-encrypted USB flash drive (such as an IronKey). Physically store the keys in a locked safe.
  • Use a standalone computer for code signing and never connect it to a network. Treat all networks as untrusted, even your corporate LAN.
  • Have a well rehearsed contingency plan to ensure business continuity if the worst does happen.
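As an added example (not from the original post), a signing-host script that puts the per-app key and offline-signing points above into practice. It assumes the JDK's keytool and the Android build-tools' apksigner are on the PATH; the KEYDIR path and the application ids are placeholders.

```shell
#!/bin/sh
# Added example: one release keystore per app, created and used only on the
# offline signing host. KEYDIR is assumed to be the mounted encrypted drive.
set -eu

KEYDIR="${KEYDIR:-/media/ironkey/android-keys}"

# Map an application id to its own keystore file. A key is never shared
# between apps, so one compromised key cannot be used to update the others.
keystore_for() {
    printf '%s/%s.jks\n' "$KEYDIR" "$1"
}

# Refuse to sign while any interface other than loopback is up (Linux sysfs).
assert_offline() {
    for iface in /sys/class/net/*; do
        [ "$(basename "$iface")" = lo ] && continue
        if [ "$(cat "$iface/operstate" 2>/dev/null)" = up ]; then
            echo "interface $(basename "$iface") is up; refusing to sign" >&2
            return 1
        fi
    done
}

# Create the per-app key. Never overwrites an existing keystore, so a typo
# cannot silently replace a key that released builds already depend on.
gen_app_key() {
    app="$1"; ks="$(keystore_for "$app")"
    if [ -e "$ks" ]; then
        echo "keystore already exists: $ks" >&2
        return 1
    fi
    mkdir -p "$KEYDIR"
    keytool -genkeypair -keystore "$ks" -alias "$app" \
        -keyalg RSA -keysize 4096 -validity 10000 \
        -dname "CN=$app, O=Example Org" >/dev/null   # O= is a placeholder
}

# Sign a release build with that app's key only. apksigner prompts for the
# keystore password; it is never placed on the command line or in the env.
sign_release() {
    app="$1"; unsigned="$2"; out="$3"; ks="$(keystore_for "$app")"
    [ -r "$ks" ] || { echo "no keystore for $app" >&2; return 1; }
    assert_offline
    apksigner sign --ks "$ks" --ks-key-alias "$app" --out "$out" "$unsigned"
    apksigner verify --print-certs "$out"
}

# Usage: gen_app_key com.example.skygo
#        sign_release com.example.skygo app-release-unsigned.apk app-release.apk
```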

Dot BigBang

If you haven’t already heard about new generic Top-Level Domains (or gTLD) then you might be excused for thinking it’s of no interest to you.

Current top-level domain names (TLD) are restricted to the known extensions such as .com, .net and .org. Some additional extensions like .biz and .info were later introduced, but these have not gained widespread adoption for reasons I’ll go into a little later.

For the uninitiated, ICANN (Internet Corporation for Assigned Names and Numbers) is the authority responsible for managing global Internet domain names. They have been under pressure to expand (or in my view deregulate) the domain name registry market and as a result are accepting applications for what they call ‘new’ generic Top-Level Domains (gTLD).

A new gTLD can be pretty much anything. For example, you might want to start up your own Internet registry for farmers, offering domain names with the .farm extension. To achieve this you pay a hefty $185,000 evaluation fee to ICANN, submit your application and eventually you might end up as the official owner of the .farm registry. ICANN estimates that they may issue up to 1,000 of these new gTLD extensions in a year.

The general concept is that since the amount of meaningful names in the popular .com namespace is finite, introducing new gTLDs will expand the pool of available names. The theory being that someone like Apple Farm Co then has a chance of registering a name like apple.farm for their business.

In practice however all that happens is that the owner of the existing .com variant uses their trademark ownership rights to secure ‘their’ name via a sunrise registration period and so most of the names are taken before the registry even opens its doors for public registrations.

The introduction of .biz and .info is a perfect example of this. The .com owner doesn’t want or need a new gTLD variant of their name, but they are compelled to purchase it as a defensive registration. The end result is more spend for no commercial benefit and no appreciable increase in the available name space.

So how will these new gTLDs improve the situation? I’m stumped. Ever since ICANN announced the new gTLD program, I have been trying to think of a compelling use case for them.

Faced with the myriad of confusing and unfamiliar new gTLDs and concerned at the risks of online fraud, end-users will seek refuge in the provenance of .com. All this will do is reinforce the value of the traditional domain name extensions.

.com remains the undisputed domain heavyweight and I don’t see that situation changing any time soon. The only obvious winners in the gTLD game will be ICANN, registrars and consultants out to persuade you to register even more domain names you don’t need.

Embrace the bit-pipe!

Every mobile network operator I’ve ever worked with has been preoccupied with the corporate paranoia that they might one day become “just a bit-pipe”. It’s spoken about in hushed tones like it will be the end of the world if data is the main service they end up delivering to their customers.

To counter the bit-pipe fear, some operators have desperately attempted to expand beyond their core business. They seek to exploit their brands and diversify into other service industries.

O2 has been the greatest exponent of this strategy, as described in this Marketing Week article from March 2012:


O2 is to implement a new business approach designed to champion innovation and which includes a brand campaign that will convey its “Fresh thinking, new possibilities” mindset to consumers.

The new mantra, created by O2’s marketing department, will be underpinned by a refreshed brand strategy, which will move the focus of O2’s marketing away from handsets and tariffs to other areas of its business, such as money, ticketing and charity initiatives.

Sally Cowdry, O2’s marketing and consumer director, says the new way of thinking has been endorsed by the board, so every division must now ensure every business process has “Fresh thinking, new possibilities” at its core.

Presumably this new way of thinking hasn’t gone down all that well since Sally Cowdry has subsequently announced her departure from the O2 business.

With the current obsession for cloud-based services, social networking and on-demand entertainment, being a ‘bit-pipe’ has actually become very important indeed.

When Google invented the Chromebook, they recognised that most people need a laptop computer for web browsing – and that requires Internet connectivity. The same is also true of most smart phones. If you don’t have good network coverage, be it cellular data or WiFi, then there’s not much fun to be had with your shiny device.

So what has become the fuel for all our connected devices? Mobile data connectivity.

Consumers want a reliable mobile network, with bandwidth on tap and good coverage. Provide all of these for a reasonable price and consumers will stay with you. Yes, voice and text revenues are on the decline, but those conventional cash-cow revenue streams are simply being substituted by data consumption.

While some mobile operators diverted investment away from their core network and bet the family silver on non-telecoms service strategies, 3 Mobile bravely took the opposite approach and heavily promoted their ‘big-boned’ Internet credentials. Not long after, Orange & T-Mobile got together and re-invented themselves as the superfast connectivity provider EE.

This unashamed focus on data connectivity is unsurprisingly a hit with data hungry consumers, with recent commercial success going to those who embrace the bit-pipe philosophy!

Time will tell which strategy has proven most sustainable, but with the unpopular O2 Wallet service already due to be obsoleted by the Payments Council’s mobile payments, I know where my money is.

iPhone 5

An industry insider told me that sales of Samsung’s Galaxy S III sky-rocketed the day after Apple’s big reveal of the iPhone 5. Evidently potential customers were holding off their upgrades until they had seen the new product, but what they saw disappointed.

I probably shouldn’t be admitting this, but I have already used the iPhone 5 and I was underwhelmed too. iPhone has become the safe (even boring?) option, something you would confidently give to your Mum and Dad. Apple’s runaway success has become the de facto smartphone, but the commercial imperative not to alienate their mainstream customer base has stifled innovation.

The original popularity of iOS (then iPhone OS) was due to its perfect blend of technology, form and function. Often it wasn’t possible to customise something to your liking, but that was by design and the intention was to keep things deliberately simple.

I look at iOS 6 and wonder where Steve Jobs’ painstaking obsession with simplicity has gone. I never expected CEO Tim Cook to share the same ethos, but since Jobs had apparently described Sir Jonathan Ive as being his “spiritual partner” there was a hope that he would carry forward Jobs’ legacy. It’s likely however that Ive’s control only extends as far as the hardware design, not the operating system, which is the responsibility of Scott Forstall.

Watching the official iPhone 5 promo video, it’s hard not to be impressed by Apple’s manufacturing techniques and the obvious attention that has gone into the hardware design (like crystalline diamond-cut chamfers!), but it doesn’t detract from the hard truth that to the average customer the new iPhone just doesn’t seem all that different.

With each new iPhone Apple usually succeeds in generating enough excitement and desire to persuade existing customers to follow the natural upgrade path, but they also lose some customers to Android – and they rarely return. I don’t know anyone (including myself) who has switched to Android and then gone back to an iPhone. Once you’ve broken away from the closed iPhone ecosystem it feels quite liberating to have the freedom of open services and a wide range of devices.

Conversely with each evolution of the Android platform the gap has been closing and arguably the Android 4.1 ‘Jellybean’ release has leapfrogged iOS by delivering a simple intuitive user interface and powerful features – much like the original iOS.

Samsung are seizing the opportunity to capitalise on the apathy surrounding iPhone 5 with a marketing campaign directly comparing their two flagship products:

Apple fanbois have responded with their own parody advert, but when the best they have to brag about is ‘fits all pockets’ and ‘elastic bounce back’ (the subject of Apple’s recent patent dispute with Samsung), it doesn’t bode well.

It’s certainly not all doom and gloom for Apple. They will of course sell iPhone 5 by the millions, but the shine is starting to fade.

I do have an answer to their predicament. Apple needs another product with which to dazzle and showcase their technical excellence and suppressed innovation.

Dear Tim, how about you add a new model to the iPhone range? Call it the ‘iPhone X’, pack it with enough fancy gizmos and new technology to satisfy the Android crowd and demonstrate what the biggest company in the world can really do.