Mobile World Congress – Biggest story out of the bag already?

#MWC10 – I could have sworn we’ve been here before 😉

Mobile World Congress T minus 1 and I already feel like I’ve had too many Long Island Iced Teas. I woke up to lots of leaks about Mozilla’s Boot-to-Gecko (B2G) project. It looks like they’re teaming up with LG and a lot of others to launch a web-runtime-based phone. I have already seen a lot of cynical comment, to the extent that a lot of people are saying it is dead on arrival. I’m not so sure. It is clear there is a market for low-end devices with front-ends for SMS-based services in emerging countries (Smart in the Philippines have already launched a phone with this in mind). HTML5 implementations have matured to the point where they are ready for mobile devices too, and a lot of work has gone on in industry over the years to head in this direction.

Mobile web coverage is rubbish

The biggest issue that I see is the continuing assumption that mobile web / cloud access is ubiquitous. This kind of wrong-headed thinking is sadly typical of projects which live on Silicon Roundabout in London or in the valley with great 3G or WiFi connections. This simply isn’t the case for the vast majority of users in the world. Even in the UK, rural network coverage is horrific. Attention to caching and offline browsing has been lacking.

Don’t ignore the security concerns

I worked on this exact subject for quite a while. My biggest concern, however, is the way in which a lot of the people involved in these projects pay complete lip service to security and privacy. If you look at the B2G wiki, there is not one single mention of security in the FAQs.

What Mozilla are doing is connecting the web to the physical features of the device. Want access to the user’s entire phonebook or location from a web application? Yep, that’s right, you can have it. Authorisation is difficult (as Android permissions have shown) and history shows that both users and system developers end up going for the least common denominator when it comes to security and privacy options – they take the one that is the easiest and requires the least intervention (which in the user’s case is pretty much setting everything to no protection).

The W3C Device APIs working group have spent years wrangling with these issues and haven’t come up with a meaningful answer. Lots of people will remember me regularly telling the group that they needed to take security seriously. The EU webinos project is continuing to work on it and is thankfully taking a better approach (based on its origins, OMTP BONDI).

My hope is that more focus on B2G’s security will ensure that mobile users are not exposed to the high number of web application security issues out there.