SecurityFocus on mobile devices for the first time?

SecurityFocus Newsletter #485 is, I think, the first issue of the newsletter where mobile devices are listed. Two issues have been reported, one about the iPod Touch and iPhone and the other about the Nokia 6131; both are vulnerable to remote attacks on the browser.

The interest in security on mobile browsers is yet more proof that mobile is about to take over the rest of connected electronics.


4. Nokia 6131 Multiple Vulnerabilities
BugTraq ID: 30716
Remote: Yes
Last Updated: 2009-01-05
Relevant URL: http://www.securityfocus.com/bid/30716
Summary:
Nokia 6131 is prone to multiple vulnerabilities.

The device is affected by URI-spoofing and denial-of-service issues.

Remote attackers may spoof the source URI of a site to direct users to a malicious location and trigger crashes in an affected device.


23. Apple iPhone and iPod Touch Prior to Version 2.0 Multiple Remote Vulnerabilities
BugTraq ID: 30186
Remote: Yes
Last Updated: 2009-01-05
Relevant URL: http://www.securityfocus.com/bid/30186
Summary:
Apple iPhone and iPod touch are prone to multiple remote vulnerabilities:

1. A vulnerability that may allow users to spoof websites.
2. An information-disclosure vulnerability.
3. A buffer-overflow vulnerability.
4. Two memory-corruption vulnerabilities.

Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible.

These issues affect iPhone 1.0 through 1.1.4 and iPod touch 1.1 through 1.1.4.

WebKit the official mobile browser?

Initially Nokia announced the decision to use the WebKit browser in their S60 series mobile devices, and they called it S60 Browser (running on the S60WebKit). That was already a landmark, I think.

Apple of course boosted the users of WebKit and Safari by releasing the Windows version of Safari and then Safari on the iPhone.

Google followed, announcing WebKit in Android and now with Chrome.

MOTOMAGX is a Linux platform by Motorola. They use it for some of their PDAs. The other day I received their newsletter, which among other things mentioned widgets for MOTOMAGX, and guess what? The official browser is WebKit.

A lot of big companies are jumping on the WebKit bandwagon, but I think my original question still stands: Will Apple share ownership of the WebKit? It’ll be especially interesting to see how Google will contribute and try to take control of the platform, as now they have a lot of interest in making sure it goes in the right direction. So far it looks like Nokia did not have much voice in the project, at least from what I see.

More open questions:

  • Where does this leave Opera (Mini)? Will there still be space for them?
  • What about Mozilla’s Fennec mobile browser? If you want to know my opinion, they might be late to the party.
  • What about other browsers like Skyfire and Teashark?

Flash, Flash Lite, SVG and Java

Flash is a huge success on the web. It’s been like that for a long time now.

SVG is a recommendation (read standard) by the W3C that should address some of the functionalities of Flash.

While Flash Lite has been very successful in Japan for many years (and I think simply because DoCoMo decided it would be the default on all devices), it has struggled in the rest of the world.

In the last couple of years Nokia, Sony Ericsson and other top vendors have more or less quietly implemented SVG Tiny (a subset of SVG for mobile devices). From my perspective it seemed like SVG would take over Flash (Lite) in the mobile space, but it looks like Adobe is moving to make sure this does not happen.

A few news items that I’ve read in the last couple of weeks, all within just a few days:

Has Nokia run out of names?

Nokia always named their mobile devices with numbers. Most of the time 4 numbers, sometimes 3. In the last few years they also started using letters such as N and E.

Many have tried to find some reasoning behind the numbers, but no real rule was ever found (at least that I know of). Anyway, it looks like Nokia might have run out of numbers. Today, while checking on Forum Nokia I noticed a device that was advertised as new, but did not sound so, to me. A little research on the Forum itself shows that the “new” device is the 3120 classic, but there’s also an older 3120! So why is the new one called “classic”? Shouldn’t it be called “new” or something?

Well, for all of us (OK, I’m the only one) trying to remember all model names, it’s going to be harder now.

PLUG: luckily you’ll find both in DeviceAtlas (Nokia 3120 classic and Nokia 3120).

Nokia N-Gage?

In the last few days the N-Gage has come back into the news.

Surely the N-Gage is an interesting platform, if only because it allows for multiplayer gaming while on the move. What better transport if not GSM and UMTS? PSP and the DS are nowhere near that, so Nokia should be ahead of the competition; unfortunately the platform is not as good and the games are lacking. Not a small problem if Nokia wants the N-Gage to be successful.

According to M:Metrics, in February:
+ 48.4 million people played a mobile game
+ 20.2 million played a game they previously downloaded
+ 7.6 million downloaded a new game

These numbers are all up from the same period last year (February 2007), when:
+ 45.2 million played a mobile game
+ 18.5 million played a game they had previously downloaded
+ 6.8 million downloaded a new game.

Among Nokia owners, in February, 20.1 percent (5.9 million people) played a mobile game, against a market average of 21.4 percent. Other Nokia stats:

+ 6.2 percent of Nokia owners played a game they had previously downloaded (versus 8.9 percent market average)
+ 2.7 percent downloaded a new game (versus 3.4 percent market average)

“Nokia is currently underperforming in the games market today primarily due to the fact that the US market is flooded with low-end, free Nokia phones that came with carrier contracts,” said Mark Donovan, senior analyst, M:Metrics. “Today, N-Series devices are still quite expensive and are not widely distributed in carrier channels, resulting in low market adoption. However, among those toting high-end Nokia devices on the Symbian operating system, 30.8 percent played a mobile game, indicating that mobile gaming is a popular activity on these phones.”

Will Apple share ownership of the WebKit?

The Android SDK has been released. There are videos that explain how the platform works and that the browser is based on WebKit. This was a bit of a surprise for me; I think I was not even considering that Google could go for something that is not Mozilla/Firefox.

Anyway, I think this is great news and means that WebKit will keep growing and more sites will work on my Mac. Actually most sites already work, but sometimes I have to fire up Firefox or Camino, especially for AJAX-intensive sites.

Anyway, today, during Future of Mobile, I asked Dan Appelquist (another happy Mac user) if he thought Apple would let any other company take control of the core of the browser. My feeling, so far, is that Nokia is using the engine, but more in their own separate silo and not with Apple… And I have to admit this feeling is not because I think Nokia is evil and does not want to share, but actually because Apple wants to have full control over the browser and does not care to get changes and updates from Nokia!
Dan, on the other hand, thought that Apple would have to let go of a little bit of control over it so that Google and Nokia would get some space in the project.

Well, it looks like he knows what he’s talking about, see this post on Surfin’ Safari about Android committing changes to SVN.

Now I’m even happier.

First impressions about Nokia MOSH

I had just posted about Nokia MOSH, and it’s a restricted beta; luckily I already got my password to access it. I created an account and uploaded my first content. I was really testing the site in parallel on my Mac and on my mobile phone.

My very first impression is that it’s an interesting new social site. It has all the common features such as uploading a photo, inviting a friend and exchanging messages. The first question that comes to my mind is “So what’s new?”. Not very much I’d say, if you don’t consider that it’s made for mobile devices first and ALSO features a web interface. The main concept here is to be able to upload content from your mobile device. This is nice and probably Nokia’s commitment is promising, but I don’t see it as SO different from what Flickr Mobile has been offering for a while or even ShoZu.

But the very first question that came to my mind even before completing the registration was how they would recognize devices. The e-mail clearly stated that they will do their best to support all devices. Well, look at the image below and think…

I believe they are using WURFL. Not very hard to guess since it’s free and very well supported by many developers, but at the same time you might expect a different approach from Nokia. Are they using WURFL as-is? Did they patch and optimize the Nokia devices? Are they going to give back to the community?
How can I say it’s WURFL? If you look at the screenshot you can see a few things that hinted at this to me, such as “Research in Motion Ltd” instead of “RIM” or “Blackberry”, which are much better known names than the complete company name. Another thing is the duplicated “Vitelcom” and “VITELCOM for Telefonica Movistar”; I remember adding those values and wondering if they should be merged or not. Then there are a few brands that you would not expect to be able to pick from a list of devices, such as “W3C”, “WAPUniverse” and “WinWAP Technologies” (the first one is obviously not a device manufacturer and the other two are companies selling browsing software). Also, if you look at the list of Sony Ericsson devices, you can see the “W810”, “W810i” and “W810c”, but the “W810” does not exist; it’s a virtual device that we defined in WURFL, and the different localized versions (i for Europe, c for China and a for Americas) inherit from it most of their capabilities, if not all.

Going back to the service, I liked that once I completed the registration it suggested pointing the browser of my mobile device to mosh.nokia.mobi. Accessing the site via your desktop browser provides the very same interface… Since they have a version optimized for desktop PCs, it would be good to be automatically redirected to the other version OR have a link. Nokia, if you are reading, I suggest you use is_wireless_device from WURFL.

One bug that I already found was that when trying to upload from the mobile, I could specify the tags. There was no mention of how to do it, so I used commas as on blogger.com, but this did not work, so the upload was not successful. Since I was using Opera, I could not pick a file from the filesystem, but I had to use the camera, so I had to take another picture and, even worse, some, but not all, of the information I had provided was lost, such as the tags (of course) and the content title. This one needs to be fixed.

Questions still open are:

  • Is the site able to recognize the device while browsing and let me know which content will be appropriate? Using Opera Mini it did not seem to pick it up correctly (but the pages looked very good).
  • How will they be able to keep out pirated content? I have uploaded one image and it is now waiting for approval, but still I can’t imagine people at Nokia testing all the applications on any possible device.

Nokia suggests WURFL for device recognition

Nokia recently (May 29, 2007) released Version 1.0 of a document describing the guidelines to develop Mobile Web sites specific to their devices, of course. The document is specifically aimed at developers and authors who want to target the most recent and advanced mobile browsers, based on Apple’s WebKit. The document is called “Nokia Web Browser Design Guide” and you can download it for free (after registering) from Forum Nokia.

It is good to see another big company, shortly after Ericsson, suggesting WURFL.

Open-Source as in “work for free”?

It seems like I really can’t sleep tonight. Too many thoughts rambling in my mind and sleeping is probably the last thing I can do. I will try to tire myself until I fall asleep on this chair writing something here on the blog as I haven’t been really good at writing in the last few weeks.

Coming back to the subject of this post, a few weeks ago I was browsing and for some reason I stumbled upon Ari Jaaksi’s Blog, a Nokia guy who follows the development of the N800 among other things. Specifically I read about the development on the N800, and Ari gave his Status Report regarding the available software. What strikes me is that the N800 is already on the market (and so was at the time of the article) and Nokia is asking people to do some open-source development to add software and features that were present in the N770, but that Nokia could not make work for the N800 in time for the launch.
I am a big supporter of how Nokia helps developers and I think they are the best in the mobile space, but honestly, this really seems to me like asking the open-source community to take over some development that Nokia could not or did not want to do.

I don’t think this is fair to the developers that will eventually do the work (if any). They are effectively working for free to give some more profit to Nokia. It’s an open call from Nokia to ask for free support.
It is one thing to develop software and open your API (and maybe eventually make some money out of this, as Google does); it is another thing to ask someone to do the work you did not want to do and also expect it to be free.