Fuse Chicken BOBINE

I was recently turned on to a different type of cable for a different type of application. Yesterday I talked about the Kenu 2 in 1 and its virtues, but one thing it gives up in being lightweight is rigidity. That brings us to the Fuse Chicken BOBINE.

The BOBINE is basically a flexible semi-rigid USB to lightning cable that allows you to work on your phone in a semi-upright position. For the most part I don’t think there’s a lot of value in this, except when you’re traveling.

Just as a test, I lay down on the ground and used the BOBINE to semi-connect it to my backpack. I’ve had to use my backpack as a back/headrest in airports on extremely long layovers when there is no open Admiral’s club in sight. I’m not proud of it, but sometimes a business traveler has to do what they have to do – even in a suit. And sometimes that’s lying on the ground with food poisoning and yes, that’s happened to me.

The nice part about the BOBINE is that you don’t have to use your arms to keep it in place and in view while you’re in strange positions – like on your back feeling like your stomach is on strike from the rest of your body. When you have your hands free you can use a Bluetooth keyboard more easily and get more work done, or you can simply watch videos and try to distract yourself from that feeling in your stomach.

Anyway, I think there are far fewer uses for this than other cable management systems because it requires me to remove my case to fit properly, but it’s still an interesting one to have with you on international flights where you might end up having to deal with some extremely odd layovers. A little comfort can go a long way.

And in case you were wondering, it was the oysters that did me in. Of course it was, I can hear you saying.

Kenu 2 In 1

One of the problems I’ve regularly run into as a Smartphone Exec is that I regularly have the wrong cable for the occasion. I either have a microUSB cable or a lightning cable, but often the wrong one at the most inopportune times. On a flight I ran across an advertisement for Kenu Tripline (pronounced “Canoe”) that offers a pleasantly simple solution.

The nice part about it is that it has both cables in one. If I happen to need one to charge my headphones, I have that; if I need the other to charge my phone, I have that. All in a lightweight package. I also happen to like that they have 3′ and 6′ options. Oftentimes I make the mistake of thinking shorter is better, but keep in mind how often you are using shared plugs in conference rooms, where having an extra foot or two of distance is a life-saver.

That’s even more critical when you’re using your mobile phone during a presentation. Often times the plugs are on the floor and 3′ is barely long enough at the best of times. 6′ is just much more comfortable and I find it’s worth the added ounces. And it’s still less weight than two cables that get caught up with one another and misplaced. Reduce and simplify. That’s the mantra, right?

Multi Tenancy

Multi Tenancy is a weird concept on mobile computing. Having two distinct users utilizing the same hardware is commonplace on the desktop. Yet on phones we somehow ignore this very useful attribute of modern operating system design.

Let me give you some examples of how it’s useful. First of all, imagine a parent handing their cell phone to their child and allowing the child to play games without risking something bad happening to the data on the device. Second, imagine handing your phone to somebody at a bar to allow them to watch a video without exposing your device to anything malicious. Lastly, imagine doing a presentation and not having other non-related apps interfering with that presentation on your phone.

With these examples in mind it’s easy to see why the virtues of multi tenancy would be useful on a mobile operating system. Thankfully while this does not exist exactly as described there is a feature on the iPhone that does solve some of these issues. This feature is called “guided access.”

Using Guided Access, the owner of the device can prevent a third party from accessing other apps, or from interacting with parts of the current app by blocking certain areas of the screen. A six-digit PIN of your choosing prevents that person from exiting Guided Access.

It’s a very useful feature that virtually no one uses from what I can tell. But one can see how this could be a nice partial replacement for true multi tenancy. You still can’t have two users on the same device with separate contacts (as an example) or different email accounts that are separate from one another, and so on, but it’s still a very useful feature.

Hat tip to my friend Taylor for alerting me to the feature’s existence.

Mud Puddle Problem

When it comes to security of the apps you use and the device you choose, I think it’s best to consider the Mud Puddle problem. That may not be a term you’ve heard but it’s very important to understanding how threat actors think about your device.

For instance, let’s say you drop your phone in a puddle of mud and it ceases working. You try everything you can to clean it up but it still won’t work. If you can take it to some store and some genius can recover your data off of the device, it has failed the mud puddle problem.

The basic concept is this. If there is a way that a stranger can take your device and resurrect the data out of it, it means an adversary can do it as well. That is why it is always best to ask vendors how your data is secured. Can they recover your information after you’ve deleted it? Can they recover it after your account has been erased? Can they recover it if your device has been crushed in an anvil? If the answer is yes, then probably many people have access to your data whether you or they realize that or not.

It’s something to consider as you consider which products and services to use.

Multitasking on a Smartphone

Multi-tasking on a phone is a very different thing than multi-tasking on a desktop environment. There are some things that are similar and work well. Then there are also quite a few things that need a lot of work or just are currently not possible for a variety of reasons.

Let’s start with the good. You can do things like listen to music while you work. You can take a phone call while you work. You can run several apps at the same time, cutting and pasting between them or having them launch one another. You can download things in the background – like email for instance. Your system can be monitoring dozens of chat clients running with virtually no processing power and still push you a message as it arrives, and on and on.

The bad news is that you can’t do things like you might on a traditional computer – even when running on a full sized monitor through an HDMI dongle. For instance you can’t watch a movie and write an email. Quite often I used to watch a presentation in one window that lasted an hour and work in another, looking over only when I needed to see what the presentation was saying – that’s just not possible on the phone. You can’t have two apps open at the same time for transcribing purposes or for productivity reasons.

The issue comes down to a combination of problems. It’s a mix of screen real-estate, the lack of a mouse and app handles to switch between apps to give focus to the active window, and the memory requirements.

What that means is that if you need to do that you end up context switching between apps far too often. On the iPhone (as an example) this means taking your hands off the keyboard and double clicking the home button to switch contexts between windows. That’s a very slow and annoying context switching operation. Unlike the alt-tab keyboard shortcuts of the world, which context switch very quickly, you’re really stuck doing a slow operation.

So there is a long ways to go to consider it an equivalent operating environment. But it is coming along. Not that many years ago, the iPhone couldn’t even run two apps concurrently. So we’ve come far enough that it’s a useful business tool. I still think Continuum is going to ultimately be the path forward for mobile operating systems though as a result – the phone should be context aware of switching into desktop mode. Memory issues may prevent it, but the screen real-estate and access to a mouse and keyboard are foregone conclusions in the business world. So it’s just a matter of giving the phone a little more memory, making context switching seamless and allowing Bluetooth mouse access. We’re so close I can taste it!

Rules of Thumb for Business Mobile App Development

I’ve spent a lot of time with various types of mobile apps over the years and compiled a list of things to think about when developing a mobile app for business use. If this saves anyone a headache while using your app, that’s a big win. If you want to make your business customers happy, this is the hit-list I’ve come up with:

  1. Make it work functionally. So many apps have drop downs or buttons that don’t do anything at all. It’s mind boggling how these apps make it through the QA process. But if something looks like a button and doesn’t work like one, you’ve created a usability nightmare.
  2. Make it easy to use. A lot of apps have rich functionality buried underneath a complicated/convoluted multi-tier navigational structure, making it difficult to find the options necessary to interact with it in the way the user wants to. There have been a lot of studies showing that the more you make someone click, the less likely they are to find and click that option. So keep the interface clean, simple to use and easy to navigate. Don’t forget to pay attention to your workflows.
  3. Make it stable. I regularly run into unstable apps that crash when you do something like navigate away and then navigate back. That’s a terrible user experience. Your apps should be memory efficient, fault tolerant and if they do crash they should do so in the most graceful way possible.
  4. Make it save work if appropriate to do so. Some apps are safer to use because they save work as you go. Crashes are quite common on mobile, so this is a very useful feature if it’s appropriate to do so.
  5. Make it work with an external keyboard. Things like tab and shift-tab should work as expected – getting you from one form field to the next. If you have to take your hand off the keyboard to use your application you should probably re-think it, unless it is core to the app’s functionality (like a drawing program or something). Business users intuitively feel like touching the phone and interacting with it directly slows them down. Lack of a mouse really hurts app developers, but that’s a separate issue.
  6. Make it work equally well in landscape and portrait. So few apps do this well or even at all. Not even the settings app on iOS does this. Having to switch between the two just to use your app is annoying to say the least. You’re not a special snowflake and there’s almost never a reason to force the user into one mode over the other. Some apps like games need it to be in a certain orientation, fine, and no, I’m not talking about those. But your feature had better be worth it if you’re going to force the user to change the orientation of the device. Don’t play favorites though – just because you envision someone using the device in portrait mode, doesn’t mean that’s how they want to be using it. That’s especially true if they are using an external monitor.
  7. Give your app the same functionality as the browser version of your website. This should be straightforward, but almost no apps get this right. They often have no signup system, no payment system or a bunch of missing features. Why bother building an app if you aren’t allowing your customers to give you money? The worst is when websites force you to download an app and then don’t have the feature on the app. Are you trying to drive the customer away?
  8. Give an option to remove your ads, even if that means payment. It’s the most requested feature of most apps that have ads. Go ahead and do them a favor. Ads are not just annoying, they’re also a huge user of data, and mobile data plans aren’t cheap.
  9. Allow selectable muting and selectable alerts. A lot of the alerts that you think are important a user will disagree with you on. Meanwhile a lot of the things you couldn’t care less about a user will kill for. Making your alerts as selectable and customizable as possible is very helpful. As an example, making alerts specific to certain senders in emails would be very useful because some people have very important things to say, and many people have way too much email to get alerts about every inbound email. Selectable alerts is a winner.
  10. Keep push notifications to emergencies or important notifications only. Basically my rule of thumb when it comes to alerts is silence all of them unless they are warning of something involving a combination of the three I’s: impending, important and irreversible. If your alert is telling me about something I don’t care about you’ve made me that much closer to uninstalling your app or muting it permanently. Don’t waste the user’s time.
  11. Give the option to disable access to the location when not in use. Not only is accessing my location a battery hog and a data hog, it’s also just plain creepy. Ask for only the permissions you need. This should be obvious, but most of the time it appears it’s not. If you really want to be nice to your user, only ask for it when you need it, rather than upfront. That way they can selectively disable it and re-enable it. Not many people are this paranoid, but when they are, this little detail can go a long way.
  12. Use SSL/TLS for everything possible. A lot of apps not only don’t use HTTPS but they don’t even tell the user that they aren’t. So the user has no way to even notice that something nefarious could be happening, unlike a web application in a browser, where the protocol (http or https) is visible in the URI field.
  13. Create layered authentication if the app’s access includes sensitive information. For example banking apps shouldn’t allow users to check details without authenticating each time. The rule of thumb here is that theft of an unlocked phone should not mean complete loss of whatever data the app has access to if you build your app well. This really only applies to sensitive data, but it’s amazing how many apps have sensitive data these days.
  14. If you’ve discontinued the app in favor of another one, alert the user to that fact. I’ve run into a number of situations where the app appears to no longer work, but what really happened is that they stopped supporting that version and created a new version. Without telling the user, you’re really creating a terrible user experience.

These rules of thumb are primarily related to business apps but I can see situations where many of these issues could be useful for any sort of mobile application. Let me know if you think I’ve missed anything.

Lost and Found

Losing your laptop or phone is one of the most devastating things that can happen. Not only is there a loss of whatever data wasn’t backed up, a loss of business continuity as you find and re-build a replacement, but there’s also the potential of loss of critical data. This is actually one area the phone is substantially better – you can carry it with you everywhere. Like I discussed before, you’re far more likely to bring your phone with you to the bathroom than act like a nut-job and bring your laptop. It’s just a fact. Even if you’re extremely good about keeping your laptop bag with you at all times, it’s just far more likely that you’ll be separated from it than from a smart phone.

But I’d be remiss in saying that a smart phone is a perfect solution. It too can and does get separated from your hands. You go through an airport, it’s out of your hands. You want to show someone a video? There it is, in someone’s hands, unlocked. I have even been told I can’t bring my cell phones into a meeting – so there it sits in some basket outside of my direct line of sight. Let’s ignore the threat of malware for this post, because that’s a different threat vector in a number of ways.

So what do you do when your cell phone is stolen to prevent bad things from happening beyond the immediate loss of the hardware? There are some pre-emptive steps you can take and some things you’ll have to do after the fact:

Let’s start with the pre-emptive steps:

  • Keeping your phone locked with a password is the first line of defense. If you can limit it to a number of failures before being wiped, that further increases your safety. If your phone is locked, the data within should be safe barring any other vulnerabilities in the phone. I really recommend a relatively short timeout (e.g. less than 5 minutes) before the screen locks, but not so short (e.g. less than two minutes) that you have to type your password/passphrase often in public, as that creates more opportunities for shoulder surfing the password/passphrase.
  • Disable Wi-Fi on the phone when out in public. You don’t want the phone connecting to a random Wi-Fi network and being man-in-the-middled so that content it sends over the wire is visible. Apple has made a lot of progress here by requiring that apps communicate over HTTPS, but that’s still not 100% rolled out, given that there are many apps that have circumvented this rule.
  • Disable any notifications that are readable on the locked screen, so that information isn’t leaked to whoever has the phone. This often requires a lot of configuration of each app’s notifications.
  • Use a long passcode/passphrase instead of the short 4 digit pins or equivalent, so that brute force is significantly more difficult. I know it’s annoying, especially when you’re in a hurry, but it does provide a significant barrier to someone breaking into the phone once it’s outside of your control.

After the fact:

  • Use any/all services you have to locate the phone. Maybe your friend picked it up for you at the bar. You can attempt to call it as well. At this point it’s probably gone and you can move on to the following. One trick is to allow one of your close friends to always have access to your phone’s location. That’s a lot of trust though, and understandably comes with its own risks.
  • Remote wipe the device if you can.
  • Immediately change all passwords to all of the services you use, and ideally lock that phone out from any APIs it is authorized to use once the phone is deemed lost.
  • Disable VPN accounts, and any SSH keys you use. As an aside I don’t recommend SSH keys as the only line of defense for exactly this reason – if the machine is compromised they have instant access to the remote server. I prefer SSH keys be used to jump to bastion hosts or VPN tunnels, but then passwords be used from that point on, so that even if an attacker does get access to the bastion host, they can’t pivot into the other machines because they lack the password. Passwords are easy to brute force though, so that’s why you use them only after a key is required. It’s a bit like second factor auth in a way.
  • Assume email has been compromised, shut down the accounts immediately. This is one of the most critical steps, because email typically has a lot of passwords, and PII in it. And worse yet, most of the services you use require an email for password reset. Once they have access to email they have access to everything. This means every password needs to be changed that exists in your email, and anywhere you use that password should also be changed.
  • Assume that all apps that have access to your credit cards have been compromised – think things like Uber, and Amazon. Unfortunately this means you need to cancel your credit card immediately.
  • Assume all chat clients that you have logged into have been compromised. iMessage, SMS, Facebook, Instagram, Snapchat, Signal, Twitter, Yahoo!, MSN, IRC, Slack, Hipchat, WeChat, Skype, etc… etc… Only chat clients with ephemeral OTR are reasonably safe because they auto-delete content over time, but even still, the adversary can read recent messages and contact your contacts as you, so you’ll need to disable the account/change passwords, etc if that’s possible.

The nice part though, is that while all that stuff sounds bad, if you follow the very first step, you may have no issues at all to worry about other than replacing the device. So in many ways the primary defense really is the best one – a good password and keeping it locked when it’s out of your sight.
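The split described in the SSH bullet above (a key to reach the bastion, passwords from that point on) can be checked mechanically against each host's sshd_config. This is an added example, not code from the original post; the sample configs, the 10.0.0.5 bastion address and the RevokedKeys path are constructed, and turning public keys off on internal hosts is one reading of the design described.

```python
"""Audit sshd_config text against the two-tier SSH layout described above.
Added example: host roles, the 10.0.0.5 address and paths are constructed."""

# Upstream OpenSSH defaults for the directives checked (sshd_config(5)).
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}

def parse_global(text):
    """Global section as {keyword: value}; parsing stops at the first Match.
    Keywords are case-insensitive, the first value wins, AllowUsers accumulates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "allowusers":
            settings[key] = (settings.get(key, "") + " " + value).strip()
        else:
            settings.setdefault(key, value)
    return settings

def effective(settings, key):
    """Configured value, or the upstream default when the keyword is absent."""
    return settings.get(key, DEFAULTS.get(key, "")).lower()

def audit_bastion(text):
    """Bastion: public key only, and a lost device's key can be revoked."""
    s, findings = parse_global(text), []
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication must be 'yes' on the bastion")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if effective(s, key) != "no":
            findings.append(key + " should be 'no' on the bastion")
    if s.get("revokedkeys", "none").lower() in ("", "none"):
        findings.append("set RevokedKeys so a lost device's key can be refused")
    return findings

def audit_internal(text, bastion_addr):
    """Internal host: password required, logins accepted only from the bastion."""
    s, findings = parse_global(text), []
    if effective(s, "passwordauthentication") != "yes":
        findings.append("PasswordAuthentication should be 'yes' behind the bastion")
    if effective(s, "pubkeyauthentication") != "no":
        findings.append("PubkeyAuthentication should be 'no': a stolen key must not be enough")
    allow = s.get("allowusers", "").split()
    if not allow or not all(p.endswith("@" + bastion_addr) for p in allow):
        findings.append("AllowUsers should be limited to USER@" + bastion_addr)
    return findings

BASTION_WEAK = """\
# constructed sample: password fallback left enabled, no revocation list
PubkeyAuthentication yes
PasswordAuthentication yes
"""

BASTION_HARDENED = """\
# constructed sample; the RevokedKeys path is a placeholder
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
RevokedKeys /etc/ssh/revoked_keys
"""

INTERNAL_HARDENED = """\
# constructed sample; 10.0.0.5 stands in for the bastion's address
PubkeyAuthentication no
PasswordAuthentication yes
AllowUsers *@10.0.0.5
"""

if __name__ == "__main__":
    for name, found in (("weak bastion", audit_bastion(BASTION_WEAK)),
                        ("hardened bastion", audit_bastion(BASTION_HARDENED)),
                        ("internal host", audit_internal(INTERNAL_HARDENED, "10.0.0.5"))):
        print(name, "->", found or "ok")
```

With this layout, disabling the lost phone's key means adding its public key to the RevokedKeys file on the bastion; the internal hosts stay closed to anyone who holds the key but not the password.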

Democratization of Users

I like the fact that mobile phones have helped democratize the Internet. Anyone with a smart phone (which can be extremely inexpensive these days) can do practically all of the same things that can be done on a laptop with a few notable exceptions. It’s no longer only the realm of the elite to have email, or websites, or make their dreams come true, as long as the capital requirements are low enough. Pretty cool actually.

However, I have noticed a number of things that make this dream a bit more difficult than it has to be. Here are some examples:

  • Some companies require you to call in to do certain functions. For example if you want to increase the amount you’re putting into your mortgage, your bank will force you to call in, despite the fact that this is an extremely easy change. They want to add the extra hurdle so people don’t do it as often – it cuts down on the interest they earn. So you don’t just need a smart phone, you also need a data plan or a landline somewhere. Thankfully banks have toll free numbers, but still. It shows that they intentionally treat online users differently than phone users.
  • Many apps do not have the full features of the site. For instance, Shutterstock has a wonderful app that has no functionality at all to allow the user to sign up. This has got to be an oversight, or a roadmap item. Why would you make your users go through more hoops to give you money? Either way, you’re required to use their website.
  • Often times the mobile website has incredibly limited functionality compared to a traditional browser. I even encountered a website today as a matter of fact (not to pick on them too much, but it’s a good example) where Shutterstock’s mobile interface has an out of date SSL/TLS certificate. There’s pretty much no chance this would have happened if it had been their main website – people would complain. So mobile users have little recourse.

When mobile starts being treated as a first-class citizen, it will encourage people to consume more, and therefore it will increase revenue. There have been a number of apps where I would have happily given money if they had only had a functional purchasing flow in the application. This points to a bigger problem of democratization. All users should be treated with the same respect, and be given the same options, regardless of what tools they have. Though I think it’s a big enough investment and a small enough customer base, that most companies will take a long time to get there.

The external pressure of annoyed customers who abandon, and companies like Google who penalize websites that aren’t mobile friendly, do give some hope. But other issues like a disparate ecosystem of phone sizes/shapes/functionality do a lot to undermine the app developer. But we might get there someday. I’m a big fan of democratization, because it puts everyone on equal footing, and gives them the tools they need to be successful with whatever setup they want to use, be it a massive desktop, a portable laptop or an ultraportable smartphone.

Fan Review #1

I got a message from Peter Wilfahrt who is the first person to come forward to tell me they are using their smartphone as their primary work environment, like I have. I think it’s worth hearing it straight from his mouth:

Servus RSnake,

Thanks for inspiring me and others to try living by a smartphone. I challenged myself to use just a smartphone for 30 days even in my office environment.

That’s a bit tricky because as a consultant I’m doing a lot of presentations and on office days writing for strategic papers and advisories, statements and comments for government and enterprises. Besides the normal pen-testing and development work.

Therefore I’m using a lot of “Pages” for writing or better “Mail” with a minority of formatting and sending the info to our communications department to pimp it up for marketing and CI.

For tech work I’m using “Serverauditor” because it’s one of the SSH apps I found that can work with port forwarding and ssh keys.

What I found and what’s a bit challenging is that the iPhone hotspot is not routing through a VPN. Just connections from the phone itself but no tethering.

Keep on your writings, I’m looking forward to some cool tips!

Peter

I think Peter has some great points and I’ll definitely be diving into all of this at some point. With regard to the hotspot, that isn’t something I’ll necessarily ever have to deal with, since I don’t intend to use laptops (maybe other people will, but for me, this is a non-issue). Either way, this is really exciting to see others taking up this rather difficult but fun challenge. The photo of this post is his, and shows his setup, which is almost identical to mine. I’m sensing a theme here, maybe there are just some set-ups that work best, and we’re already getting close to finding them!

Big thanks to Peter for sending this over. If you have similar stories, please share them with me and I’ll post them if they’re interesting.

Workflows

One of the more common complaints I hear about trying to use the phone is that it’s slow. These people don’t necessarily mean processor speed, or refresh speed, or anything related to hardware specs per se, for the most part. I think a lot of people feel that the modern cell phone is useful but slow because the workflow is tedious.

Let’s take the example of editing a Word Document hosted on your computer but saved through Dropbox. Without having to do anything special, it is synced to your local computer. Let’s walk through the two workflows of editing a Word Document. Computer first – and let’s use Windows 10 as an example:

  • Mouse over to your Windows Icon start menu button.
  • Click “File Explorer”
  • Click “Dropbox” and find the file in question
  • Double click the file.
  • Edit the file
  • Save or Save-As if you want to save a new version for revision control instead.

On smart phones, it’s a bit more annoying:

  • Click on the Dropbox icon to launch Dropbox and wait a moment.
  • Find the file.
  • Tap the file and wait for it to download, unless you’ve already selected it to be stored locally.
  • Click the button to edit it.
  • Select Word to open it (there’s no option to remember)
  • Wait for Word to download the file (despite the fact that it might be local to Dropbox) and open the document inside of Word
  • Technically you can edit directly at this point, but Word encourages you to select the button to put it into mobile friendly mode – and they should, because it’s a much easier mode to edit in. The problem is that it’s another step, and it lacks pagination and page count information which can be useful. It’s also got quirks where the cursor goes below the navigation bar at the bottom in landscape mode.
  • At this point you don’t have many options, because auto-save is enabled. Normally I’d say this is a great thing, but if you need to do revision control you don’t really have an option to “save-as”. You’re going to be saving over the original document, unless you took an initial step to make a copy.

I fully realize there are ways around some of this, but ironically, this is one of the best flows that I’ve found. The Dropbox/Word integration workflow is straightforward, the functionality is largely there, and despite the form factor, you can do what you want. I’d even say the functionality nearly mirrors the laptop/desktop environment. But the two workflows are substantially different even in this relatively good use case. It’s worth noting that most workflows are not nearly this nice either, which I’ll talk about in depth later.

As smartphone app developers think through the design, they should do their best to force the fewest clicks possible, and make the design as intuitive and easy to control as possible, because anything other than that is a time-waster and discourages use. If people aren’t going to use the app, the developers have wasted a lot of time building it – they might as well do it correctly, right?