iPhone and Android herald the end of the FUD/certification model ..

I don’t often go to high street electronics shops but recently I did.

In the UK .. shopping at the high street stores (Dixons, Currys and PC World) .. is not the best of experiences. One special factor stands out .. and it is the ‘hard sell’ on ‘after sales service’. The salesperson is VERY keen to sell you some form of ‘Mastercare’ (I think that’s what they call it) – even for the most mundane of items.

Recently, a salesman from 3 (the mobile operator) also called me asking whether I was interested in their ‘Dog got your phone’ scheme ..

Expect more of this .. Much more .. especially with the coming demise of the ‘secure/reliability business model’ on mobile phones.

We are seeing a new trend with both Android and the iPhone.

The ‘security/reliability’ business model seems to be under threat.

Fear, uncertainty and doubt (FUD) has always been a business model – its best-known proponent being old-style IBM.

In our industry, FUD exists in the form of ‘security’ as a business model.

The thinking goes something like this: The mobile device is mass market. It must work 100% in all scenarios in a simple and a predictable way. If it does not, we will replicate the ‘problems’ of the PC. The operators will have to support all these calls for service (and already these costs are too high). So, let us err on the side of caution .. and lock everything down.

The end result is that the market for mobile data services does not exist.

Both the iPhone and Google are taking on the FUD model – and thereby causing a profound change in the ecosystem.

The iPhone’s strategy is to cut down the friction/fat in the value chain by providing a unified ecosystem and serving its customers through fantastic products. Google’s strategy is also to unify the value chain and make it easier for people to use products across the Web and the Mobile Web (Google products, that is!).

To achieve this goal – both iPhone and Google (Android) have to be more open. Specifically, they have to overcome the drawbacks/friction of the software certification model on mobile devices.

The problem is: certification has drifted away from being a virtue (a genuine means to protect consumers) to a vice (a business model which acts as a market inhibitor).

Dennis says at wapreview, in How to define open mobile:

>>>

Packaging an application for deployment should not require any additional licenses, certifications or third party testing. Code signing can be supported to ensure application authenticity and integrity but should not be required for any type of access.

I’m sure there will be a lot of resistance to the open security model that points 3, 4 and 5 define. I expect carriers and software publishers to defend the current Byzantine maze of application signing. Security is very important, especially to users, but the current mobile security model is totally broken and is severely restricting mobile application development and innovation. Users, not carriers and device vendors, should own security. It looks like Google agrees. As I understand it, Android security is completely user driven. All 3rd party applications are treated equally. There are no certificates and no privileged security domains in the Android security model. Applications must declare their intention to use each specific sensitive resource (network, messaging, camera, location, etc.). At install time the user is given the choice of allowing temporarily, allowing permanently or disallowing that application’s access to each protected resource. That is the open way to do security, with all applications treated equally and the user alone deciding which vendors and applications to trust.

<<<

And again, in Why Android matters:

>>>

Imagine if developers of PC applications were required to obtain a costly Microsoft or Apple certification before their applications could save files or connect to the network. Had that sort of restriction been in effect 30 years ago, most of us would still be using typewriters. The current signed security model in mobile, along with the high price and unpredictability of metered data plans, has had a huge negative effect on innovation in mobile services and applications.

The signing model took control of security away from the user and gave it to the carrier; Android puts the user back in control of his own security, something that has worked pretty well on the PC. Sure, there are risks in an open application environment like Android or the PC, but with risk comes reward. The reward with Android will be the availability of an enormous library of ground-breaking software.

<<<

The problems encountered in this scenario are well documented, especially the Java certification issues.

In contrast, Android and also the iPhone take a much more liberal view.

iPhone developers pay $99 a year and apparently get automatic certification of all their apps. (I still need to study the iPhone SDK to understand more.)

And Android’s security model is a prompting model.

Applications must include a manifest stating what sort of potentially dangerous features they want to use, such as making phone calls, and the user is asked about those declared features when the application is installed.
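To make the manifest-plus-prompt model concrete, here is an added example (not code from the post or from the Android project) that parses a constructed AndroidManifest.xml, derives the install-time list a user would be shown, and models the enforcement rule: a capability is usable only if the app declared it and the user allowed it. The permission names are real Android ones; the user-facing labels, the `is_allowed` function and the dialer manifest are simplified assumptions for illustration. Note that Android has since moved the prompt for dangerous permissions from install time to first use at run time, but the declare-then-ask structure is unchanged.

```python
"""Model of Android's manifest-declared permission prompt (added example).

A constructed AndroidManifest.xml is parsed for its <uses-permission>
entries, the install-time prompt is derived from them, and a small
enforcement check shows the two ways access is refused: the capability
was never declared, or the user declined it. The label table and the
enforcement function are simplified assumptions, not Android's own code.
"""
import xml.etree.ElementTree as ET

# Namespace used by the android: attribute prefix in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical dialer application.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dialer">
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Example Dialer" />
</manifest>
"""

# Human-readable descriptions shown to the user (assumed wording; the real
# platform ships its own strings).
LABELS = {
    "android.permission.CALL_PHONE": "directly call phone numbers (may cost you money)",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.INTERNET": "full Internet access",
    "android.permission.CAMERA": "take pictures and videos",
}


def declared_permissions(manifest_xml):
    """Return the permission names an app declares in its manifest."""
    root = ET.fromstring(manifest_xml)
    return [
        el.get("{%s}name" % ANDROID_NS)
        for el in root.findall("uses-permission")
    ]


def install_prompt(manifest_xml):
    """Build the (permission, description) list a user sees at install time."""
    return [
        (perm, LABELS.get(perm, "use an undocumented capability"))
        for perm in declared_permissions(manifest_xml)
    ]


def is_allowed(declared, user_grants, requested):
    """Simplified enforcement rule: access requires both a manifest
    declaration and a user grant. Anything undeclared is refused outright,
    so an app cannot quietly reach a resource it never asked for."""
    if requested not in declared:
        return False
    return bool(user_grants.get(requested, False))


if __name__ == "__main__":
    perms = declared_permissions(MANIFEST)
    print("This application can:")
    for perm, text in install_prompt(MANIFEST):
        print("  -", text, "(%s)" % perm)
    # The user allows calling and Internet but refuses contacts access.
    grants = {
        "android.permission.CALL_PHONE": True,
        "android.permission.INTERNET": True,
        "android.permission.READ_CONTACTS": False,
    }
    for perm in perms + ["android.permission.CAMERA"]:
        print(perm, "->", "allowed" if is_allowed(perms, grants, perm) else "denied")
```

The undeclared camera request is denied without the user ever being asked, which is the property the prompting model relies on: the manifest is the complete list of what the user needs to decide about.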

Another good discussion is HERE.

There are obvious drawbacks – especially in explaining this mechanism to the user – and, to be sure, many elements of the Android and iPhone security models are unknown – for example, we don’t know who signs the applications for Android (yet).

There are also the more traditional arguments about the merits/demerits of open source vs. proprietary software – but these are not the critical issue.

I think the critical issue is this: an open-source environment would provide a good phone experience and reduce the cost of a phone by 10%.

If that is correct, open source is here to stay on mobile devices, and the drive towards more open devices (not just via open source but also in general) heralded by iPhone and Android (and also Nokia) will be irreversible.

So, how will this play out in the future?

I see a majority of open devices but, ironically, also a large number of completely locked-down devices. Dean Bubley had a report with similar insights – I have asked Dean for comments.

The factors leading to closed devices include: a demographic who will always want closed devices, security (protection of minors), and services that depend on the telecoms bearer/QoS model.

I see this as a small set – but existing nonetheless.

What is clear is: the FUD-based certification model which we see today may well be coming to an end. It will be complemented by a more ‘insurance/sales support’ type of model for the majority of phones, which will be completely open. There will always be a market for devices that are fully locked.

Thoughts?