Applications Are People Too<br />
Application Anthropomorphization <br> Application Anthropology <br> Technical Tribal Knowledge<br />
AppsRpeople2<br />
<br />
August 21, 2020<br />
<p> This blog is no longer maintained - please visit https://www.qi-fense.com/blog</p>
Welcome to my INDEX<br />
Posted July 10, 2019; updated August 15, 2019<br />
<div class="MsoNormal">
I realized that I have completely neglected my private blog (this one) in favor of corporate, LinkedIn, and the occasional guest blog – but I still
point readers here from time-to-time – so until I resume publishing posts here first, here’s an index into a cross-section of
my “other” blog posts…<o:p></o:p><br />
<br />
August 14, 2019 <a href="https://www.linkedin.com/pulse/application-risk-landscape-invisibility-sebastian-holst/" target="_blank">Application Risk Landscape (In)Visibility</a><br />
<br />
July 23, 2019 <span style="background-color: white; color: #303030; font-family: "Helvetica Neue", Arial, sans-serif; text-align: center;"><a href="https://secureflo.net/blog/ciso-23-nycrr-500/" target="_blank">Has your CISO signed off on your 23 NYCRR 500 development practices?</a></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
June 25, 2019 <a href="https://www.preemptive.com/blog/article/1122-are-xamarin-android-app-users-at-risk/90-dotfuscator">Are
Xamarin.Android app users at risk?</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
June 19, 2019 <a href="https://www.preemptive.com/blog/article/1121-changes-are-coming-for-us-copyright-should-developers-even-care/106-risk-management">Changes
are coming for US Copyright – Should Developers Even Care?</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
March 5, 2019 <a href="https://www.preemptive.com/blog/article/1099-supplier-and-supply-chain-risk-fuels-application-shielding-innovation/111-press-releases">Supplier
and Supply Chain Risk Fuels Application Shielding Innovation</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
October 10, 2018 <a href="https://www.preemptive.com/blog/article/1066-rogue-apps-facilitating-theft-from-developers-and-consumers/106-risk-management">Rogue
Apps: Facilitating Theft from Developers and Consumers</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
September 12, 2018 <a href="https://www.preemptive.com/blog/article/1058-multi-year-developer-survey-reveals-evolving-practices-and-foreshadows-further-change/91-dotfuscator-ce">Multi-Year
Developer Survey Reveals Evolving Practices and Foreshadows Further Change</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
July 30, 2018 <a href="https://www.preemptive.com/blog/article/1046-latest-nist-publications-reinforce-the-importance-of-application-hardening-in-securing-data/106-risk-management">Latest
NIST Publications Reinforce the Importance of Application Hardening in Securing
Data</a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
February 8, 2018 <a href="https://www.preemptive.com/blog/article/980-an-app-hardening-use-case-filling-the-pci-prescription-for-preventing-privilege-escalation-in-mobile-apps/106-risk-management">An
app hardening use case: Filling the PCI prescription for preventing privilege
escalation in mobile apps</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
January 5, 2018 <a href="https://www.preemptive.com/blog/article/978-encryption-s-unfortunate-unavoidable-and-unfix-able-gap-and-how-to-fill-it/106-risk-management">Encryption’s
unfortunate, unavoidable, and unfix-able gap - and how to fill it</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
October 19, 2017 <a href="https://www.mobilize.net/blog/preemptive_security">Guest blog:
(.NET) App Security - What every dev needs to know</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
September 27, 2017 <span style="mso-bidi-font-weight: bold;"><a href="https://www.linkedin.com/pulse/gdpr-application-development-question-asked-answered-sebastian-holst/">GDPR
and Application Development: My question to the EDCC - asked and answered</a><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;"><br /></span></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">September 20, 2017 <a href="https://www.linkedin.com/pulse/gdpr-dtsa-etc-app-dev-law-sebastian-holst/">GDPR,
DTSA, ETC: App Dev and the law</a><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;"><br /></span></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">September 1, 2017 <a href="https://www.linkedin.com/pulse/still-my-beating-heart-sebastian-holst/">Be
still my beating Heart</a><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
August 16, 2017 <a href="https://www.preemptive.com/blog/article/954-gdpr-liability-software-development-and-the-new-law/106-risk-management">GDPR
liability: software development and the new law</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
August 13, 2017 <a href="https://www.preemptive.com/blog/article/953-app-dev-the-gdpr-three-tenets-for-effective-compliance/106-risk-management">App
dev & the GDPR: three tenets for effective compliance</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
June 26, 2017 <a href="https://www.preemptive.com/blog/article/927-the-six-degrees-of-application-risk/90-dotfuscator">The
Six Degrees of Application Risk</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
May 8, 2017 <a href="https://www.preemptive.com/blog/article/920-like-magicians-hackers-do-not-reveal-their-tricks-but-we-will/90-dotfuscator">Like
magicians, hackers do not reveal their tricks – but we will</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
April 24, 2017 <span style="mso-bidi-font-weight: bold;"><a href="https://www.linkedin.com/pulse/software-pirates-protect-booty-version-2-pun-still-intended-holst/">Software
Pirates protect their booty Version 2 (pun still intended)</a></span></div>
<br />
The Six Degrees of Application Risk<br />
Posted October 2, 2017<br />
Originally posted on June 26, 2017 https://www.preemptive.com/blog/article/927-the-six-degrees-of-application-risk/90-dotfuscator<br />
<br />
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Cyber-attacks, evolving privacy and intellectual property legislation, and ever-increasing regulatory obligations are now simply “the new normal” – and the implications for development organizations are unavoidable; application risk management principles must be incorporated into every phase of the development lifecycle.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Organizations want to work smart – not be naïve – or paranoid. Application risk management is about getting this balance right. How much security is enough? Are you even protecting the right things?</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
The six degrees of application risk offer a basic framework to engage application stakeholders in a productive dialogue – whether they are risk or security professionals, developers, management, or even end users.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
With these concepts, organizations will be in a strong position to take advantage of the following risk management hacks (an unfortunate turn of phrase perhaps) that reduce the cost, effort, complexity, and time required to get your development on the right track.</div>
<img src="https://cdn-preemptive-com.s3.amazonaws.com/images/web/blog/six-degrees-1.png" style="background-color: white; border: 0px; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; max-width: 100%; vertical-align: middle; width: 665px;" /><span style="background-color: white; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px;"></span><br />
<h3 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 18px; font-weight: normal; line-height: 25.2px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Six Degrees of Application Risk</h3>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
The following commonly used (and related) terms provide a minimal framework to communicate application risk concepts and priorities.</div>
<ol style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px; margin-top: 0px;">
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Gaps</strong> are (mostly) well-understood behaviors and characteristics of an application, its runtime environment, and/or the people that interact with the application. As an example, .NET and Java applications (managed applications) are especially easy to reverse-engineer. This isn’t an oversight or an accident that will be corrected in the “next release.” Managed code, by design, includes significantly more information at runtime than its C++ or other native language counterparts – making it easier to reverse-engineer.</li>
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Vulnerabilities</strong> are the subset of Gaps that, if exploited, can result in some sort of damage or harm. If, for example, an application was published as an open source project – one would not expect that reverse engineering an instance of that application would do any harm. After all, as an open source project, the source code would be published alongside the executable. In this case, the Gap (reverse engineering) would NOT qualify as a Vulnerability.</li>
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Materiality</strong> is the subjective (but not arbitrary) assessment of how likely a vulnerability is to be exploited, combined with the severity of that exploitation. The likelihood of a climate-changing impact of a meteor hitting earth in the next 3 years is significantly lower than the likelihood of an electrical fire in your home. This distinction outweighs the fact that a meteor impact will obviously do far more harm than a single home fire. This is why we, as individuals, invest time and money preventing, detecting, and impeding electrical fires while taking no preemptive steps to mitigate the risks of a meteor collision.</li>
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Priority</strong> ranking of vulnerabilities helps to ensure that our limited resources are most effectively allocated. Vulnerabilities are not all created equal and, therefore, do not justify the same degree of risk mitigation investment. Life insurance is important – but medical insurance typically is seen as “more material” justifying greater investments.</li>
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Appetite</strong> for risk is another subjective (but not arbitrary) measure. Appetite is synonymous with tolerance. Organizations cannot eliminate risk – but each organization must identify those vulnerabilities whose combined likelihood and impact are simply unacceptable. Some sort of action is required to reduce (not eliminate) those risks to bring them to within tolerable levels. Health insurance does not reduce the likelihood of a health-related incident – it reduces some of the harm that stems from an incident when it occurs. While many individuals have both life and health insurance, there are many who feel that they can tolerate living without life insurance but cannot tolerate losing health insurance.</li>
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Material risks</strong> are those vulnerabilities whose risk profiles are intolerably high. Material risks are, by definition, any vulnerability that merits some level of investment to bring its likelihood and/or its impact down to within tolerable levels. Ideally, once all risk management controls are in place, there are no “intolerable risks” looming.</li>
</ol>
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Applying the Six Degrees of Application Risk</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Extending these concepts into the development process, at a high level, translates into the following activities:</div>
<ul style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px; margin-top: 0px; padding-left: 20px;">
<li style="box-sizing: border-box;">Inventory relevant “gaps” across your development and production environments</li>
<li style="box-sizing: border-box;">Identify the vulnerabilities within the collection of gaps</li>
<li style="box-sizing: border-box;">Assess and prioritize according to your organization’s notions of materiality</li>
<li style="box-sizing: border-box;">Agree on a consistent definition of your organization’s tolerance for these vulnerabilities (appetite)</li>
<li style="box-sizing: border-box;">Identify the vulnerabilities that present a material risk</li>
<li style="box-sizing: border-box;">Select and implement controls to mitigate these risks</li>
<li style="box-sizing: border-box;">Measure, assess, and correct on an ongoing (periodic) basis</li>
</ul>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Simple, right?</div>
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Effective Application Risk Management Hacks</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Incorporating any new process or technology into a mature development process is, in and of itself, a risky and potentially expensive proposition.</div>
<blockquote style="background-color: white; border-bottom-color: rgb(31, 73, 125); border-left: 5px solid rgb(31, 73, 125); border-right-color: rgb(31, 73, 125); border-top-color: rgb(31, 73, 125); box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 17.5px; margin: 0px 0px 20px; padding: 10px 20px;">
The threat of increasing development complexity or cost, or compromising application quality or user experience is often motivation enough to maintain the status quo.</blockquote>
<h3 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 18px; font-weight: normal; line-height: 25.2px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Avoid unnecessary waste and risk – follow-the-leaders</h3>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
There is an old saying in risk management that “you don’t have to be the fastest running from the bear – you just don’t want to be the slowest.” Hackers mostly attack targets of opportunity and regulators and the courts typically look for “reasonable” and “appropriate” controls. It is often much more efficient to benchmark and adapt the practices of your peers rather than develop your own risk management and security practices from the ground-up. There are many sources from which to choose.</div>
<ul style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px; margin-top: 0px; padding-left: 20px;">
<li style="box-sizing: border-box;">Benchmark your practices against your organization’s</li>
<ul style="box-sizing: border-box; margin-bottom: 0px; margin-top: 0px; padding-left: 20px;">
<li style="box-sizing: border-box;">peers (similar organizations)</li>
<li style="box-sizing: border-box;">customers (their risks are often, by extension, your risks)</li>
<li style="box-sizing: border-box;">suppliers (they are experts in their specialty and/or may pose a risk if they do not live up to your appetite for risk)</li>
</ul>
<li style="box-sizing: border-box;">Embrace well-understood and common practices</li>
<ul style="box-sizing: border-box; margin-bottom: 0px; margin-top: 0px; padding-left: 20px;">
<li style="box-sizing: border-box;">Adopt an accepted standard or open risk management framework</li>
<li style="box-sizing: border-box;">Monitor regulatory and legislative developments</li>
<li style="box-sizing: border-box;">Track relevant breaches and exploits and the aftermath</li>
</ul>
</ul>
<img src="https://cdn-preemptive-com.s3.amazonaws.com/images/web/blog/six-degrees-2.png" style="background-color: white; border: 0px; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; max-width: 100%; vertical-align: middle; width: 783px;" usemap="#AnthemDataBreach" /><br />
<br />
2nd Sneak Peek: 84% of dev teams fail to secure in-app IP from debugger hacks - and that's not the half of it!<br />
Posted October 2, 2017<br />
Originally posted on October 7, 2016 https://www.preemptive.com/blog/article/893-2nd-sneak-peek-84-of-dev-teams-fail-to-secure-in-app-ip-from-debugger-hacks-and-that-s-not-the-half-of-it/90-dotfuscator<br />
<br />
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
In the first "peek" into our soon to be published application risk management survey results, we shared that 58% of the respondents reported making ongoing development investments specifically to manage “application risk.” See <a href="https://www.preemptive.com/blog/article/892-managing-application-vulnerabilities-an-early-peek-into-improved-controls-for-your-code-and-data/90-dotfuscator" style="background: transparent; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;">Managing Application Vulnerabilities (an early peek into improved controls for your code and data)</a></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Digging into the survey numbers, respondents divided their “application risk” into six subcategories and in the following proportions:</div>
<table class="table table-striped" style="background-color: white; border-collapse: collapse; border-spacing: 0px; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 20px; max-width: 100%; width: 783px;"><tbody style="box-sizing: border-box;">
<tr style="box-sizing: border-box;"><th style="background-color: #f9f9f9; border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; text-align: left; vertical-align: middle;">Risk Subcategories</th><th style="background-color: #f9f9f9; border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; text-align: left; vertical-align: middle;">% of respondents reporting app risk</th></tr>
<tr style="box-sizing: border-box;"><td style="border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">Intellectual property (IP) theft from code analysis (via reverse engineering)</td><td style="border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">38%</td></tr>
<tr style="box-sizing: border-box;"><td style="background-color: #f9f9f9; border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">Data loss and (non-application) trade secret theft</td><td style="background-color: #f9f9f9; border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">37%</td></tr>
<tr style="box-sizing: border-box;"><td style="border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">IP theft through app abuse (elevated privilege, unauthorized data access, etc.)</td><td style="border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">36%</td></tr>
<tr style="box-sizing: border-box;"><td style="background-color: #f9f9f9; border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">Operational disruption (malware, DDoS, etc.)</td><td style="background-color: #f9f9f9; border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">32%</td></tr>
<tr style="box-sizing: border-box;"><td style="border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">Regulatory and other compliance violations (privacy, financial, quality, audit, etc.)</td><td style="border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">26%</td></tr>
<tr style="box-sizing: border-box;"><td style="background-color: #f9f9f9; border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">Financial theft</td><td style="background-color: #f9f9f9; border-top: 1px solid rgb(237, 237, 237); box-sizing: border-box; line-height: 1.42857; padding: 15px; vertical-align: middle;">18%</td></tr>
</tbody></table>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
It’s important to keep in mind that the risks enumerated above are NOT synonymous with technical vulnerabilities; there are multiple paths that a bad actor can take (for example) to “misappropriate” IP and trade secrets – multiple technical vulnerabilities to exploit – and multiple non-technical vulnerabilities too of course (social engineering, armed robbery, etc.).</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
The table above shows that, while financial theft is surely among the most significant risks most any business faces, only 18% of the development teams in our survey work on applications where attacks against their applications in particular might reasonably lead to financial theft.</div>
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Production debugger use for hacking and tampering left unchecked</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
The survey showed that, while development teams were invested in mitigating these six application risk categories, a majority of development teams did not have effective controls to prevent one specific technical vulnerability: <em style="box-sizing: border-box;">the unauthorized use of a debugger against applications running in production</em>.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
In fact, <em style="box-sizing: border-box;">in every risk category</em>, the majority of development teams:</div>
<ul style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px; margin-top: 0px; padding-left: 20px;">
<li style="box-sizing: border-box;">Recognized that this kind of debugger attack IS a material threat, AND</li>
<li style="box-sizing: border-box;">Acknowledged that they DO NOT have adequate controls in place to mitigate this threat.</li>
</ul>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
For illustration, let's dig deeper into one of the six risk categories to see how this pattern plays out.</div>
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Digging deeper: IP theft from code</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
The chart below shows that 84% of respondents who identified IP theft from their code as a material risk also identified production debugger hacking as a significant and <strong style="box-sizing: border-box;">Unprotected</strong> technical vulnerability.</div>
<img class="img-responsive" src="https://cdn-preemptive-com.s3.amazonaws.com/images/web/blog/survey2.png" style="background-color: white; border: 0px; box-sizing: border-box; color: #484848; display: block; font-family: Lato, Arial, sans-serif; font-size: 14px; height: auto; max-width: 100%; vertical-align: middle; width: 783px;" /><br />
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Risks are like potato chips; you can never have just one</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Unmanaged technical vulnerabilities are never a good thing, but this gets exponentially worse if a single vulnerability increases risk across <em style="box-sizing: border-box;">multiple risk categories</em> rather than just one. …and, according to our survey respondents, failing to prevent production debugger hacking most definitely falls squarely into this category.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
To further raise the stakes for development teams, our survey clearly showed a strong correlation across risk categories. In other words, once an application has the potential to pose one kind of risk, it is extremely likely that it will pose a risk across multiple categories – thus increasing the potential damage of unchecked technical vulnerabilities like production debugger hacking.</div>
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Digging (even) deeper: IP theft from code risk as a leading indicator for additional application risks</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
According to our respondents, apps that have IP inside code that needs protecting are much more likely to pose additional risks as well.</div>
<img class="img-responsive" src="https://cdn-preemptive-com.s3.amazonaws.com/images/web/blog/survey21.png" style="background-color: white; border: 0px; box-sizing: border-box; color: #484848; display: block; font-family: Lato, Arial, sans-serif; font-size: 14px; height: auto; max-width: 100%; vertical-align: middle; width: 783px;" /><br />
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
What's the takeaway from the illustration above?</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
If you're protecting IP inside your app - <strong style="box-sizing: border-box;">you're over 11 times more likely than other development groups to ALSO have IP at risk from app attacks even though that IP lives outside of your app</strong>. ...and <em style="box-sizing: border-box;">you're roughly 2X more likely to face risks across the remaining four application risk categories...</em></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Also, if you've got un-managed technical vulnerabilities - to the extent that these vulnerabilities may factor into multiple risk categories, <em style="box-sizing: border-box;">the danger each vulnerability poses is likely to be many times greater than you suspect</em>.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
If you’re interested in getting the final numbers (<em style="box-sizing: border-box;">and an even deeper dive into both the risks and controls to effectively mitigate these risks</em>), I expect to be publishing results in the next 1-2 weeks <a href="https://www.preemptive.com/anti-debug-top-5" style="background: transparent; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;">HERE</a> (there's already a link to a related white paper on this page for download too so check that out now if you like).</div>
Trade Secrets and Software: don’t give one up for the other<br />
By AppsRpeople2, published 2017-10-02. Originally posted on August 5, 2016: https://www.preemptive.com/blog/article/867-trade-secrets-and-software-don-t-give-one-up-for-the-other/90-dotfuscator<br />
<br />
<div class="TzArticleDescription" style="box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; padding-bottom: 15px;">
<div style="box-sizing: border-box; margin-bottom: 10px;">
The true value of trade secrets – as with any class of intellectual property – is directly proportional to the owner’s ability to enforce their rights through criminal and civil actions.</div>
<div style="box-sizing: border-box; margin-bottom: 10px;">
For the first time, under the recently enacted <a href="https://www.congress.gov/bill/114th-congress/senate-bill/1890/text" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;" target="_blank">Defend Trade Secrets Act</a>, a company can pursue claims for trade secret theft in a US federal court and seek remedies such as a seizure order to recover stolen secrets, compensation for damages, and potentially punitive fines as well. This puts trade secret protection on par with the protection afforded other forms of intellectual property, i.e., patents, copyrights, and trademarks.</div>
<div style="box-sizing: border-box; margin-bottom: 10px;">
However, to take full advantage of these remedies, companies must identify trade secrets in advance and implement reasonable secrecy measures to protect them.</div>
<div style="box-sizing: border-box; margin-bottom: 10px;">
Applying these general rules to application development and operations requires a specialized legal strategy further buttressed by “technical foresight,” e.g. an enhanced DevOps process.</div>
<div style="box-sizing: border-box; margin-bottom: 10px;">
The following videos offer application stakeholders:</div>
<ul style="box-sizing: border-box; margin-bottom: 10px; margin-top: 0px; padding-left: 20px;">
<li style="box-sizing: border-box;">An overview of the legal requirements to successfully protect their rights in a court of law (<a href="https://youtu.be/zW9zSmpa6HE" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;" target="_blank">Winning a Theft of Trade Secrets Action</a> - 5 minutes),</li>
<li style="box-sizing: border-box;">A dual-pronged methodology that combines legal strategies with technical foresight to meet those requirements (<a href="https://youtu.be/Il6no7YFArU" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;" target="_blank">Protecting Trade Secrets through Legal Strategy & Technical Foresight</a> - 9 minutes), and</li>
<li style="box-sizing: border-box;">Technology to effectively meet these regulatory obligations while also materially improving application and data security (<a href="https://youtu.be/Y1SkH2tSy6Q" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;" target="_blank">Android Application Risk Management and Protection: Before, During, and After the Hack</a> - 10 minutes).</li>
</ul>
<div style="box-sizing: border-box; margin-bottom: 10px;">
For a general framework on how to manage application risk and value, see <a href="https://youtu.be/IDeutLISdvg" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;" target="_blank">Application Risk Management in a nutshell</a> - 8 minutes.</div>
</div>
Defend Trade Secrets Act codifies “open season” on app reverse engineering<br />
By AppsRpeople2, published 2017-10-02. Originally posted May 13, 2016: https://www.preemptive.com/blog/article/851-obama-signs-trade-secret-legislation-codifying-an-open-season-on-app-reverse-engineering/91-dotfuscator-ce<br />
<br />
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Code obfuscation and the doctrine of “contributory negligence”</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
On May 11, 2016, President Obama signed the <a href="http://www.usatoday.com/story/news/politics/2016/05/11/obama-signs-trade-secrets-bill-allowing-companies-sue/84244258/" style="background: transparent; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;">Defend Trade Secrets Act of 2016</a>.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Enjoying unprecedented bipartisan support (Senate 87-0 and the House 410-2), this bill expands trade secret protection across the US and substantially increases penalties for criminal misconduct – and what could go wrong with that?</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
After all, according to the Commission on the Theft of American Intellectual Property, <strong style="box-sizing: border-box;">the theft of trade secrets costs the economy more than $300 billion a year.</strong> …and, thanks in large part to technology, trade secrets have never been easier to move, to copy, and to steal. In fact, in its 5-year strategic plan, the FBI labeled trade secrets as “one of the country's most vulnerable economic assets” precisely because they are so transportable.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
…and nothing in today’s world is more mobile than application software.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
If you were to assume that this bill has been custom-tailored to protect the trade secrets embedded in application software - you would be in good company.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
In her <a href="http://www.huffingtonpost.com/michelle-k-lee/protecting-americas-secre_b_9904770.html" style="background: transparent; box-sizing: border-box; color: #2a5db0; margin: 0px; padding: 0px; text-decoration-line: none; transition: background-color 0.2s linear, color 0.2s linear;" target="_blank">most recent blog post</a> praising the Defend Trade Secrets Act, Michelle K. Lee, Under Secretary of Commerce for Intellectual Property and the current USPTO Director writes, "No matter the industry, whether telecommunications or biotechnology, traditional or advanced manufacturing or <strong style="box-sizing: border-box;">software</strong>, trade secrets are an essential driver of innovation and need to be afforded proper protections.” … “Trade secret owners now also have the same access to federal courts long enjoyed by the holders of other types of IP.”</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
...but do we really? Do software developers really now "enjoy the same access to federal courts?" Sort of – maybe – OK – maybe not.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
I’ll be writing a lot about this topic in the coming weeks and months, but, for now, let’s just drop to the bottom line. Without special care, <strong style="box-sizing: border-box;">application owners have been stripped of every protection granted under the Defend Trade Secrets Act (DTSA)</strong>.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Let me explain. The DTSA applies exclusively to VALUABLE information that is both SECRET and has been STOLEN (the legal term is “acquired through Improper Means”).</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<strong style="box-sizing: border-box;">Developer ALERT:</strong> The DTSA explicitly EXCLUDES reverse engineering as an improper means. The DTSA states that Improper Means DOES NOT include “<u style="box-sizing: border-box;">reverse engineering</u>, independent derivation, or <u style="box-sizing: border-box;">any other lawful means of acquisition</u>.”</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Is this an oversight? Did the legal staff of the Senate Judiciary Committee (who authored this bill) accidentally use this overloaded development term?</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<strong style="box-sizing: border-box;">The answer is an unequivocal no</strong> – the exclusion of reverse engineered software is intentional and by design.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
I recently found myself in a briefing on Capitol Hill with senior legal counsel inside the Senate Judiciary Committee (the agenda was encryption that day – not trade secrets) – but I asked this question directly – “Did the committee intentionally include language that would exempt any intellectual property that could be accessed via reverse engineering of applications?” He did not hesitate – in fact, to be honest, he was emphatic. “Yes” he said, “if I can see your IP with a reverse engineering tool – it’s mine.”</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
OUCH – is this the end of days? Is every algorithm and process embedded in your software officially free for the taking?</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Thankfully – no – it’s not nearly that dire.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
First – whether or not your IP is covered under this law – obfuscating .NET, Android, Java, or iOS apps makes reverse engineering much harder. Code obfuscation will prevent your IP from being lifted through reverse engineering – or at least reduce the number of times that happens.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<strong style="box-sizing: border-box;">The real question is whether application obfuscation can be used to extend the protections of the DTSA to include application software in a court of law.</strong></div>
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
“Reasonable Efforts” and “The Doctrine of Contributory Negligence”</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
How do you ensure employees don’t publicize your textual and image-based trade secrets (and exempt these from protection as well)?</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
You make sure employees know that they are secret through clear markings, communication, and education – and you secure relevant documents with physical and electronic locks. These are called “affirmative steps” that demonstrate concrete efforts to preserve confidentiality.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Failure to make these kinds of reasonable efforts leads to The Doctrine of Contributory Negligence.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
This “doctrine” captures conduct that falls below the standard to which one should conform for one’s own protection. When you fall below this standard, courts will often treat your information as public – and, to the extent you rise above that standard – courts are typically more willing to accept both the secret nature and the value of the IP in question.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Unfortunately, applications are not documents - and so standard “electronic and physical locks” do not apply.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
However, code obfuscation does apply here. Obfuscation <em style="box-sizing: border-box;">is</em> a well-understood, widely used, and recognized practice to prevent reverse engineering. Code obfuscation does not guarantee absolute secrecy – but it is unquestionably recognized as a “reasonable step” to preserve secrecy – it’s a lock on a front door that sends an unmistakable message to anyone who approaches – if I’m obfuscated – keep out.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<em style="box-sizing: border-box;">Will development organizations who fail to include basic code obfuscation fall prey to the ominous sounding “Doctrine of Contributory Negligence?”</em></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<em style="box-sizing: border-box;">Can application obfuscation send a clear enough message to the courts to bring back trade secret theft protection under the newly minted Defend Trade Secrets Act?</em></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
These and other pressing Intellectual Property questions will be answered in upcoming episodes of “As the IP World Turns” (or, more realistically, my next blog post).</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
In the meantime, don’t forget to take reasonable precautions to protect any potential software trade secrets from reverse engineering.</div>
Reconciling GooglePlay's security recommendations with Xamarin deployment<br />
By AppsRpeople2, published 2017-10-02. Originally posted February 25, 2016: https://www.preemptive.com/blog/article/837-reconciling-googleplay-s-security-recommendations-with-xamarin-deployment/90-dotfuscator<br />
<br />
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<strong style="box-sizing: border-box;">An app control that both Microsoft and Google can get behind? What about Xamarin?</strong></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
First - Congratulations Xamarin (and Microsoft) - as someone who has used Xamarin personally and worked with the people professionally, I see this as a win-win-win (for Xamarin, Microsoft, and, last but not least, developers!).</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
To the topic at hand... One might argue that the phrase "GooglePlay security recommendations" is a contradiction in terms or even oxymoronic - but I take a different view. If (EVEN) Google recommends a security practice to protect your apps - then it must REALLY be a basic requirement - one that should not be ignored.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
I'm talking about basic obfuscation to prevent reverse engineering and tampering.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Here's an excerpt from Android's developer documentation:</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
"To ensure the security of your application, particularly for a paid application that uses licensing and/or custom constraints and protections, it's very important to obfuscate your application code." ...and they go on to write "The use of ProGuard or a similar program to obfuscate your code is strongly recommended for all applications that use Google Play Licensing." (I did NOT add the emphasis)</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
For those unfamiliar with ProGuard - it's a free/open source obfuscator - quite a good one really for the money ;) - but seriously - it's kind of an analog to Dotfuscator Community Edition included with Visual Studio (also for free). The point being that both Google and Microsoft have long recognized that basic controls to prevent reverse engineering need to be ubiquitously available to every developer (no one is suggesting all apps be obfuscated).</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
...but what about Xamarin apps targeting Android or iOS? ...not so much. ProGuard cannot obfuscate Xamarin apps - nor can any of the other native Java/Android obfuscators (including PreEmptive's own DashO). ...But (good news) Dotfuscator Professional can. ...But (bad news) it's not free. Still, if you're serious about this topic, you'd probably want something other than the "free version" on either platform. Here's a link to a PreEmptive blog post on how to protect your Xamarin apps with Dotfuscator (both iOS and Android): Xamarin Applications and Dotfuscator.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Question: Given the Microsoft Xamarin acquisition, should we (PreEmptive/Microsoft) consider extending Dotfuscator CE (the free one) to provide comparable protection to Android and iOS apps generated by Xamarin as we do for .NET apps today (and since 2003)?</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Let me know your thoughts - I really do want to hear from Xamarin developers (and the app owners that employ them :).</div>
GET THIS DEVELOPMENT QUESTION WRONG – AND YOU MAY WELL BE AT RISK.<br />
By AppsRpeople2, published 2017-10-02. Originally posted November 19, 2015: <div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="box-sizing: border-box; font-size: 14px;"><span style="color: #484848; font-family: Lato, Arial, sans-serif;"><b>https://www.preemptive.com/blog/article/827-get-this-development-question-wrong-and-you-may-well-be-at-risk/91-dotfuscator-ce</b></span></span></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<strong style="box-sizing: border-box;">Question:</strong> True or False, Seat belts are to Driver Safety as Obfuscation is to Application Risk Management</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
The correct answer is <strong style="box-sizing: border-box;">FALSE!</strong></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
The equivalence fails because a seat belt is a device and obfuscation is a control. Why might you (or the application stakeholders) be in danger? First, read through the key descriptors of these two controls.</div>
<img class="img-responsive" src="https://cdn-preemptive-com.s3.amazonaws.com/images/web/blog/risk2.png" style="background-color: white; border: 0px; box-sizing: border-box; color: #484848; display: block; font-family: Lato, Arial, sans-serif; font-size: 14px; height: auto; max-width: 100%; vertical-align: middle; width: 761px;" /><br />
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<em style="box-sizing: border-box;">Table 1: contrasting application risk management with driver safety risk management.</em></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
To pursue application development opportunities as aggressively as possible (but not so aggressively as to create unnecessary risk), organizations must also manage application threats and risks through a mix of proactive, detective and responsive <em style="box-sizing: border-box;">controls;</em> controls that are, in an ideal scenario, supported by strong analytics and based on strategic objectives, risk appetite and capacity.</div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
If your organization has not settled on objectives, organizational risk tolerance, and what levels of investment you’re prepared to make to achieve these objectives, you can’t possibly have an effective risk management program.</div>
<h2 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 20px; font-weight: normal; line-height: 28px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Effective application risk management</h2>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Consistency and efficiency require sustained investments in the following:</div>
<h3 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 18px; font-weight: normal; line-height: 25.2px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Implement an effective feature set aligned with control categories (proactive, detective, and responsive).</h3>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Effective risk management supports all three control “dimensions.”</div>
<img class="img-responsive" src="https://cdn-preemptive-com.s3.amazonaws.com/images/web/blog/risk3.png" style="background-color: white; border: 0px; box-sizing: border-box; color: #484848; display: block; font-family: Lato, Arial, sans-serif; font-size: 14px; height: auto; max-width: 100%; vertical-align: middle; width: 783px;" /><br />
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
<em style="box-sizing: border-box;">Table 2: Mapping of application hardening features to three categories of control.</em></div>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
This is not an exhaustive list of techniques and technologies to secure applications; and feature “bake-offs” are always suspect. However, if you don’t assess your risk (which has nothing to do with how easy it is to exploit an application vulnerability), you won’t know if a normal 3-point seat belt is sufficient (for a mainstream car) or if you need a child seat or the 5-point harness required by NASCAR.</div>
<h3 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 18px; font-weight: normal; line-height: 25.2px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Quality</h3>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Application hardening is “the last step” before digital signing and application distribution, so any quality issues that arise at this stage can have a catastrophic impact on deployment and production application service levels.</div>
<h3 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 18px; font-weight: normal; line-height: 25.2px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Timeliness</h3>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Three factors drive release cycles for PreEmptive Solutions application protection and risk management products; <em style="box-sizing: border-box;">the latter two are unique to the larger security and risk management category.</em></div>
<ol style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px; margin-top: 0px;">
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">New product features and accrued bug fixes:</strong> this is typically the sole driving force for new software product releases.</li>
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Updates to OS, runtime, and specialized runtime frameworks:</strong> delayed support for new formats and semantics would delay developer support for those platforms or force poor risk management practices on the platforms that likely need protection most of all.</li>
<li style="box-sizing: border-box;"><strong style="box-sizing: border-box;">Emergence of new threats and malicious patterns and practices:</strong> as with anti-virus software, bad actors are constantly searching for ways to circumvent security controls. Without consistent tracking of this activity and timely updates to react to these developments, application security technology can quickly be rendered obsolete.</li>
</ol>
<h3 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 18px; font-weight: normal; line-height: 25.2px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Low friction</h3>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
In order to be effective and consistently applied, the configuration and implementation of proactive, detective, and corrective controls cannot require excessive time or expertise. Specific areas where PreEmptive Solutions invests to reduce development and operational friction include:</div>
<ul style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px; margin-top: 0px; padding-left: 20px;">
<li style="box-sizing: border-box;">Automated detection and protection of common programming frameworks, e.g. WPF, Universal Applications, Spring, etc.</li>
<li style="box-sizing: border-box;">Custom rule definition language to maximize protection across complex programming patterns at scale.</li>
<li style="box-sizing: border-box;">Specialized utilities to simplify debugging of hardened applications.</li>
<li style="box-sizing: border-box;">Automated deployment: support for build farms, dynamically constructed virtual machines, command line integration, MSBuild, Ant, etc. come standard with PreEmptive Solutions’ professional SKUs.</li>
<li style="box-sizing: border-box;">Cross-assembly hardening to extend protection strategies across distributed components and for components built in different locations and at different times.</li>
<li style="box-sizing: border-box;">Support for patch and incremental hardening to minimize and simplify updates to hardened application components.</li>
</ul>
<h3 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 18px; font-weight: normal; line-height: 25.2px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Responsive support</h3>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Should critical issues arise, live support can prove to be the difference between applications shipping on time or suffering last-minute and unplanned delays.</div>
<h3 style="background-color: white; box-sizing: border-box; color: #222222; font-family: "PT Sans", sans-serif; font-size: 18px; font-weight: normal; line-height: 25.2px; margin-bottom: 10px; margin-top: 20px; padding: 0px 0px 10px; position: relative;">
Vendor viability</h3>
<div style="background-color: white; box-sizing: border-box; color: #484848; font-family: Lato, Arial, sans-serif; font-size: 14px; margin-bottom: 10px;">
Applications can live in production for years – and with extended application lifecycles comes the requirement to secure these applications across evolving threat patterns, runtime environments, and compliance obligations.</div>
EU's highest court throws out privacy framework for US companies: small businesses suffer (posted 2015-10-09)
<h2 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: rgba(0, 0, 0, 0.85098); font-family: 'Helvetica Neue'; font-size: 24px; font-stretch: inherit; font-weight: 400; line-height: 1.16667; margin: 5px 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Three ways that small tech businesses are just like every other small business – <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">except when we’re not</em></strong></h2>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Here’s the issue: small tech companies have all of the awesome characteristics of small businesses in the broadest sense (they’re job creators, innovators, revenue makers…) <strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">but</strong> they often find themselves having to navigate complex regulatory and compliance issues that have historically been reserved for (large) multi-national corporations – all while building their businesses on technology that’s evolving way faster than the regulations that govern them. <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">(As a footnote here, let me throw in a commercial plug for <a href="http://actonline.org/" rel="nofollow" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">ACT</a> – a trade association focused on exactly these issues).</em></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Tuesday's nullification of the Safe Harbor framework (a system that streamlined the transfer of EU user data to US businesses), in what everyone pretty much agrees was a consequence of the NSA spying scandals, is a perfect example. In this case, we see how small tech businesses can get caught in the middle of a p^%*ing match between the EU and the US federal govt. …and I don’t care what side of the aisle you’re on – <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">everyone loves small business growth and innovation right?</em> Here’s a great bipartisan issue that our lawmakers should be able to address – don’t you think?</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtjA1KUWAn9LKJF7prMTYP8Bti_lgUNHzCf-AIwb0RWgwuMBD85v_IVz07O0Uz9ihVZR2qdk1BNLe5AuZRGwY5opbmyp4wO1qcyRDl6d80OVim6mbYVKcGdIF5GkByTa8hE9jjAAr1jwE/s1600/safeharborgraph.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtjA1KUWAn9LKJF7prMTYP8Bti_lgUNHzCf-AIwb0RWgwuMBD85v_IVz07O0Uz9ihVZR2qdk1BNLe5AuZRGwY5opbmyp4wO1qcyRDl6d80OVim6mbYVKcGdIF5GkByTa8hE9jjAAr1jwE/s640/safeharborgraph.png" width="640" /></a></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: rgba(0, 0, 0, 0.85098); font-family: inherit; font-size: 20px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Three ways that small tech businesses are just like every other small business – <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">except when we’re not</em></strong></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">One:</em></strong><em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> Like every small business, we can’t afford to have a permanent team of lawyers on our payroll</em> …<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">but</strong> small tech businesses can go international overnight - having to navigate across international jurisdictions.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
The Safe Harbor system eliminated a raft of complexity and potentially 1000’s of hours of legal work required to manage EU user data – making it feasible for small tech businesses to do business inside the EU.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Small businesses simply cannot be expected to navigate a maze of international privacy obligations</em> – each with their own rules – and penalties. Without the Safe Harbor system (or something to replace it), previously open markets will soon be out of reach.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Two:</em></strong><em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> Like every small business, we often rely on 3rd party service providers for professional services (legal, payroll, HR, etc.)</em> …<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">but</strong> small tech businesses also rely upon 3rd party providers for services rendered <strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">inside</strong> their apps (versus inside their offices) <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">while those apps are being used by their clients</em>; for example, payment processing and <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">application analytics</em>.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
This distributed notion of computing introduces multiple layers of business entities at the very sensitive point where the application is being used in production – exponentially expanding the legal and compliance problems (each service provider must also have their own agreements within each country/jurisdiction).</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">This is now more than just unmanageably large and expensive – it’s potentially unsolvable.</em> Small businesses deal with lots of unknowns (security vulnerabilities, for example), but this new wrinkle will almost certainly have a chilling effect – either on how we serve EU markets AND/OR how we rely on 3rd party service providers (a core development pattern that, if abandoned, would make US dev firms less competitive).</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Three:</em></strong><em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> Like every small business, small tech companies cannot change direction with the swipe of a pen the way laws and regulations can come and go.</em></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">While the Safe Harbor framework was instantaneously nullified with one verdict, applications that were compliant moments before are now potentially in jeopardy</em> – and they’re still running and still sending data – whether the app owner likes it or not.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Bottom line, this is a regulatory and governance issue and we need governments to work out……</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Everyone loves small businesses right? We need…</div>
<ul style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: rgba(0, 0, 0, 0.701961); font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 27px; margin: 0px 0px 15px; outline: 0px; padding: 0px 0px 0px 35px; vertical-align: baseline;">
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: 32px; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;">To know what’s expected of us</li>
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: 32px; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;">Agreement on what compliance looks like</li>
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: 32px; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;">Visibility into enforcement and penalty parameters</li>
</ul>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Then, we can do what we know how to do – make smart technical and business development investments.</div>
<h1 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #737679; font-family: 'Helvetica Neue'; font-size: 32px; font-stretch: inherit; font-weight: 400; line-height: 1.25; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;">
Other material</h1>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Here are three more links:</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Two days ago, when the Safe Harbor ruling first came down, I posted an explanation of how (<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Link 1</strong>) <a href="http://www.preemptive.com/pa" rel="nofollow" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">PreEmptive Analytics</a> can re-direct application usage data to support the kind of seismic shifts in architecture that might follow (<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Link </strong><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: 
inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">2</strong>) <a href="https://www.linkedin.com/pulse/how-todays-safe-harbor-ruling-impact-users-analytics-services-holst" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">here</a>.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
That same evening, I was put in touch with Elizabeth Dwoskin, a WSJ reporter who was writing a piece on the impact that this sudden move would have on small businesses – my conversations with her are actually what prompted this post (WSJ has already posted her <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">well-written</em> article, (<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Link </strong><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">3</strong>) <a href="http://www.wsj.com/articles/small-firms-worry-as-big-data-pact-dies-1444256220" rel="nofollow" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">Small Firms Worry, as Big-Data Pact Dies</a>).</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
You might ask, if her article is so well-written (which it is), why would I have anything to add? She was looking for a “man-on-the-street” (dev-in-the-trenches) perspective on this one particular news item, BUT, the Safe Harbor ambush is just one example of the larger issues I hope I was able to outline here.</div>
October 9, 2015 <b>How will today's Safe Harbor ruling impact users of multi-tenant application analytics services?</b><br />
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Earlier today, the Safe Harbor system was overturned (see <a href="http://www.beneschlaw.com/EU--US-Safe-Harbor-Ruled-Invalid-10-06-2015/" rel="nofollow" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #8c68cb; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">Europe-U.S. data transfer deal used by thousands of firms is ruled invalid</a>). </div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
The legal, operational, and risk implications are huge for companies that have, up until today, relied on this legal system (either directly or through third parties that relied on Safe Harbor) to meet the EU's privacy obligations. </div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">What are the implications for application analytics solutions</em> (homegrown or commercially offered)? It's not clear at this moment in time, but one thing is for sure - it is a lot harder to turn off an application, re-architect a multi-tier system, or force an upgrade than it is to simply sign a revised privacy agreement. </div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span class="underline" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; text-decoration: underline; vertical-align: baseline;">Multi-national companies that continue to transfer and process personal data from European citizens</span> without implementing an alternative contractual solution or receiving the authorization from a data protection authority <span class="underline" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; text-decoration: underline; vertical-align: baseline;">are at risk for legal action, monetary fines, or a prohibition on data transfers from the EU to US. </span></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
If this transfer of data is embedded inside an application/system's architecture, then a wholesale development/re-architecture plan may be required. Of course, re-architecting systems to keep data local within a country or region may simply be impossible (efficiency, cost effectiveness, ...) UNLESS the system is, itself, built to provide that kind of flexibility already. </div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
Happily, PreEmptive Analytics is. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifT-KUG7xmbsaIjknq2xaAUP40wBFubwUpz4Z2zzMHdZbYEqvD_w0rkK2Rx9_Hd0nVCzxFPbHjiSAAaoV7WM9bb9zT7-U5EW6ISOD_OWIAfcOQCPAxk3vOPwVXcZk8o2iz5vbBnKaD_Rk/s1600/safe+harbor+graphic2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifT-KUG7xmbsaIjknq2xaAUP40wBFubwUpz4Z2zzMHdZbYEqvD_w0rkK2Rx9_Hd0nVCzxFPbHjiSAAaoV7WM9bb9zT7-U5EW6ISOD_OWIAfcOQCPAxk3vOPwVXcZk8o2iz5vbBnKaD_Rk/s640/safe+harbor+graphic2.png" width="640" /></a></div>
<ul style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: rgba(0, 0, 0, 0.701961); font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 27px; margin: 0px 0px 15px; outline: 0px; padding: 0px 0px 0px 35px; vertical-align: baseline;">
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: 32px; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;"><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">PreEmptive Analytics endpoints</strong> (in addition to on-prem of course) can live inside any Microsoft Azure VM. Clients with very specific requirements as to where their actual VMs are being hosted would always be able to meet those requirements with us. …And what about when a client gets even more specific (country borders for example) or when they want to support multiple jurisdictions with one app? (This leads to the second point…)</li>
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: 32px; margin: 0px 0px 15px; outline: 0px; padding: 0px; vertical-align: baseline;"><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">PreEmptive Analytics instrumentation</strong> supports runtime/dynamic selection of target endpoints. While this would take a little bit of custom code on the developer’s part – our instrumentation would allow an application – at runtime – to determine where it should send its telemetry (perhaps a service that is called at startup that has a lookup table – if the app is running in Germany – send it to …, if it’s in China, send it to …, if it’s in the US…). This would allow an app developer with an international user base to support conflicting privacy and governance obligations with one application.</li>
</ul>
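The runtime lookup described in the second point, as an added example (not PreEmptive code and not its instrumentation API). It treats the startup lookup table as untrusted input and disables telemetry rather than falling back to a default region; the country policy, the host names under the reserved .example TLD and both sample tables are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed residency policy, compiled into the app: for each user country
# (ISO 3166-1 alpha-2), the hosts where that user's telemetry may land.
# Host names are placeholders under the reserved .example TLD.
RESIDENCY_POLICY = {
    "DE": {"de.telemetry.example"},
    "FR": {"eu.telemetry.example", "de.telemetry.example"},
    "CN": {"cn.telemetry.example"},
    "US": {"us.telemetry.example"},
}

# Constructed lookup table, standing in for what a startup service returns.
GOOD_TABLE = {
    "DE": "https://de.telemetry.example/ingest",
    "FR": "https://eu.telemetry.example/ingest",
    "CN": "https://cn.telemetry.example/ingest",
    "US": "https://us.telemetry.example/ingest",
}
# The same table after a misconfiguration (or tampering) that points German
# users at the US collector.
BAD_TABLE = dict(GOOD_TABLE, DE="https://us.telemetry.example/ingest")


@dataclass(frozen=True)
class Route:
    endpoint: Optional[str]  # None: send no telemetry for this session
    reason: str


def resolve_endpoint(country: Optional[str], lookup: Mapping[str, object]) -> Route:
    """Choose the telemetry endpoint for `country` from a startup lookup table.

    Every answer from `lookup` is checked against RESIDENCY_POLICY. Anything
    unexpected returns endpoint=None, so data never leaves for a region the
    policy does not allow.
    """
    code = (country or "").strip().upper()
    allowed_hosts = RESIDENCY_POLICY.get(code)
    if allowed_hosts is None:
        return Route(None, "no residency policy for country %r" % code)

    url = lookup.get(code)
    if not isinstance(url, str) or not url:
        return Route(None, "lookup table has no usable entry for %s" % code)

    try:
        parts = urlsplit(url)
    except ValueError:
        return Route(None, "malformed endpoint URL for %s" % code)
    if parts.scheme != "https":
        return Route(None, "endpoint for %s is not https" % code)

    # hostname is the real network target even if the URL carries userinfo
    # such as https://de.telemetry.example@other.host/
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return Route(None, "host %r is outside the allowed region for %s" % (host, code))
    return Route(url, "ok")


if __name__ == "__main__":
    for label, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        for cc in ("DE", "US", "BR"):
            print(label, cc, resolve_endpoint(cc, table))
```

The caller hands `Route.endpoint` to whatever instrumentation library it uses, and skips collection for the session when it is `None`.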
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; color: #232629; font-family: Georgia, serif; font-size: 18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
It may turn out that keeping German application analytics data in Germany is as important to US companies now as it is to German companies. One thing's for sure - the cadence and road map for application analytics cannot be tied to the cadence and road map of any one application - the two have to live side-by-side - but independently.</div>
September 1, 2015 <b>When it comes to application risk management, you can't do it alone.</b><br />
I’m often asked to estimate how many developers are required to obfuscate and harden their applications against reverse engineering and tampering – and when they say “required,” what they usually mean is what is the bare minimum number of developers that need to be licensed to use our software.<br />
<br />
Of course it's important to get the number of licensed users just right (if the count is too high, you're wasting money - but, if it's too low, you're either not going to be efficient or effective - or worse still - you're forced to violate the license agreement to do your job).<br />
<br />
Yet, as important as this question seems, it's not the first question that needs answering.<br />
<br />
Staffing to <i>effectively </i>manage application risk is not the same as counting the number of concurrent users required to run our (or any) software at a given point in time.<br />
<br />
Consider this:<br />
<br />
<i>How many people are required to run our application hardening products on a given build of an application? </i><b>Actually, none at all: </b>both <a href="http://www.preemptive.com/products/dotfuscator/overview" target="_blank">Dotfuscator for .NET</a> and <a href="http://www.preemptive.com/products/dasho/overview" target="_blank">DashO for Java</a> can be fully integrated into your automated build and (continuous) deployment processes.<br />
<br />
<i>However, how many people does it take to effectively <u>protect your application assets against reverse engineering and tampering</u>? </i><span style="color: red;"><b>The answer can be no less than two.</b></span> Here’s why…<br />
<br />
<ul>
<li>Application risk management is made up of one (or more) controls (<i>processes not programs</i>). These controls must first be defined, then implemented, then applied consistently, and, lastly, monitored to ensure effective use.</li>
<li>Application hardening (obfuscation and tamper defense injection) is just such a control – a control that is embedded into a larger DevOps framework – and a control that is often the final step in a deployment process (followed only by digital signing).</li>
</ul>
<br />
<br />
Now, in order to be truly effective, application hardening cannot create more risk than it avoids – <i>the cure cannot be worse than the disease.</i><br />
<br />
What risks can come from a poorly managed application hardening control (process)?<br />
<br />
If an application hardening task <i>fails and goes undetected</i>,<br />
<br />
<ul>
<li>the application may be distributed <i>unprotected </i>into production and <b>the risks of reverse engineering and tampering go entirely unmanaged,</b> or </li>
<li>the application may be shipped in a damaged state causing <b>runtime failures in production.</b></li>
</ul>
<br />
<br />
If an application hardening task <i>failure <u>is </u>detected</i>, but the root cause cannot be quickly fixed, then the application can't be shipped; <b>deadlines are missed and the software can't be used.</b><br />
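A gate that could sit between the hardening step and digital signing to surface the failure cases listed above, as an added example (not PreEmptive tooling, and it calls no Dotfuscator or DashO interface). It assumes the artifact stores identifiers as plain bytes; the file names, the identifier list and the stand-in smoke test are constructed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_hardened(original: Path, hardened: Path,
                   must_be_renamed: Iterable[str],
                   smoke_test: Callable[[Path], bool]) -> List[str]:
    """Return findings for one build; an empty list means it may go on to signing."""
    if not hardened.is_file() or hardened.stat().st_size == 0:
        return ["hardened artifact is missing or empty"]

    findings = []
    # Failure mode 1: the hardening task was skipped or failed silently and
    # the pipeline passed the input through unchanged.
    if sha256(original) == sha256(hardened):
        findings.append("output is byte-identical to input: hardening did not run")

    # Identifiers the team expects to be renamed must not survive in the output.
    data = hardened.read_bytes()
    for name in must_be_renamed:
        if name.encode("utf-8") in data:
            findings.append("identifier still present in output: " + name)

    # Failure mode 2: the artifact was damaged by the hardening step.
    if not smoke_test(hardened):
        findings.append("smoke test failed on hardened artifact")
    return findings


def run_constructed_demo() -> Dict[str, List[str]]:
    """Run the gate over four constructed builds in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        original = d / "app.bin"
        original.write_bytes(b"\x00HDR LicenseValidator.CheckKey \x00code")

        good = d / "app.hardened.bin"
        good.write_bytes(b"\x00HDR a.b \x00code+tamper-check")
        skipped = d / "app.skipped.bin"
        skipped.write_bytes(original.read_bytes())
        damaged = d / "app.damaged.bin"
        damaged.write_bytes(b"\x00HD")

        names = ["LicenseValidator"]

        # Stand-in smoke test: a real pipeline would launch the hardened build
        # and exercise it; here a valid header is enough.
        def smoke(path: Path) -> bool:
            return path.read_bytes().startswith(b"\x00HDR")

        return {
            "good": check_hardened(original, good, names, smoke),
            "skipped": check_hardened(original, skipped, names, smoke),
            "damaged": check_hardened(original, damaged, names, smoke),
            "missing": check_hardened(original, d / "absent.bin", names, smoke),
        }


if __name__ == "__main__":
    for build, findings in run_constructed_demo().items():
        print(build, "->", findings or "ok to sign")
```

A non-empty result blocks the release, which is exactly the moment the second trained person has to be reachable.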
<br />
<i>So, what’s the minimum number of people required to protect an application against reverse engineering and tampering?</i><br />
<br />
You’ll need (at least) one person to define and implement the application hardening control.<br />
<br />
…and you’ll need one person to manage the hardening control (monitor each time the application is hardened, detect any build issues, and resolve any issues should they arise in a timely fashion).<br />
<br />
Could one individual design, implement and manage an application hardening control? Yes, one person can do all three tasks for sure.<br />
<br />
<b>However</b>, if the software being protected is released with any frequency or with any urgency, one individual cannot guarantee that he/she will be available to manage that control on every given day at every given time – they simply must have a backup – a "co-pilot."<br />
<br />
No organization should implement an application hardening control that’s dependent on one individual – there must be at least two individuals trained (and authorized) to run, administer, and configure your application hardening software and processes. The penalty for unexpected shipping delays and/or shipping damaged code or releasing an unprotected application asset into “the wild” is typically so severe that even though the likelihood of such an event occurring on any given day may seem remote - it cannot be rationalized.<br />
<br />
This is nothing new in risk management – every commercial plane flies with a co-pilot for this very reason – and airline manufacturers do not build planes without a co-pilot’s seat. It would be cheaper to build and fly planes that only accommodate one pilot – and it wouldn’t be an issue for most flights – but <i>to ignore the risk that having a single pilot brings would be more than irresponsible – it would be unethical.</i><br />
<br />
<i>Are there other reasons for additional people and processes to be included? </i>Of course – but these are tied to development methodologies, architecture, testing and audit requirements of the development organization, etc. These are not universal practices.<br />
<br />
If reverse engineering and/or application tampering pose Intellectual Property, privacy, compliance, piracy, or other material risks, they need to be managed accordingly - as a resilient and well-defined process. Or, in a word, when it comes to application risk management, you can't do it alone.<br />
<div>
<br /></div>
<div>
<a href="https://youtu.be/LVb5x-fpFpA" target="_blank">Why are people who need people the luckiest people in the world? Because they have a backup to protect their applications against unplanned delays, reverse engineering and tampering!</a><br />
<br />
<br /></div>
June 23, 2015 <b>6 signs that you may be overdue for a mobile application risk review</b><br />
Every organization must ultimately make its own assessment as to the level of risk it is willing to tolerate – and mobile application risk is no exception to this rule.<br />
<br />
Yet, given the rapidly changing mobile landscape (inside and outside of every enterprise), organizations need to plan on regular assessments of their mobile risk management policies – especially as their mobile applications grow in importance and complexity.<br />
<div>
<br /></div>
<div>
Here are 6 indicators that you may be overdue for a mobile application risk assessment.<br />
<div>
<ol>
<li>Earlier PC/on-premises equivalents ARE hardened and/or monitored. <i>Perhaps these risks need to be managed on mobile devices too – or, conversely, the risks no longer need to be managed at all.</i></li>
<li>Enterprise mobile apps are distributed through public app marketplaces like Google Play or iTunes. <i>Using public marketplaces exposes apps to potentially hostile users and can be used as a platform to distribute counterfeit versions of those very same apps.</i></li>
<li>Mobile apps are run within a BYOD infrastructure alongside apps and services outside of corporate control. <i>Access to a device via third-party software can lead to a variety of malicious scenarios that include other apps (yours) installed on the same device.</i></li>
<li>Mobile apps embed (or directly access) proprietary business logic. <i>Reverse engineering is a straightforward exploit. Protect against IP theft while clearly signaling an expectation of ownership and control – which is often important during a penalty phase of a criminal and/or civil trial.</i></li>
<li>Mobile apps access (or have access to) personally identifiable information (or other data governed by regulatory or compliance mandates). <i>Understanding how services are called and data is managed within an app can readily expose potential vulnerabilities and unlock otherwise secure access to high-value services.</i></li>
<li>Mobile apps play a material role in generating or managing revenue or other financial assets. <i>High value assets or processes are a natural target for bad actors. Piracy, theft, and sabotage begin by targeting “weak links” in a revenue chain. An app is often the first target.</i></li>
</ol>
Want to know more about how PreEmptive Solutions can help reduce IP theft, data loss, privacy violations, software piracy, and other risks uniquely tied to the rise of enterprise mobile computing? </div>
<div>
<br /></div>
<div>
Visit <a href="http://www.preemptive.com/">www.preemptive.com</a> - or contact me here - I'd welcome the contact.<br />
<br />
In the meantime, here’s an infographic identifying leading risk categories stemming from increased reliance on mobile applications. The vulnerabilities (potential gaps) call out specific tactics often employed by bad actors; the Controls identify corresponding practices to mitigate these risks.<br />
<br />
The bottom half of the infographic maps the capabilities of PreEmptive Solutions Mobile Application Risk Portfolio across platforms and runtimes and up to the risk categories themselves.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi38ZdpLFL7UwP9KUpWJ7mcedrNuSFTdWkVQgr7aMEVVtStKUDv86Y75xAF0yEKnEtq9rl0XaFCMClC1DXAvnmOuVBfpQ43QjeVA4ROqhnLUm1XD8dDe9PcQiaGJR9DHmtMERNgvIbvKWM/s1600/blog+mobile+table.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi38ZdpLFL7UwP9KUpWJ7mcedrNuSFTdWkVQgr7aMEVVtStKUDv86Y75xAF0yEKnEtq9rl0XaFCMClC1DXAvnmOuVBfpQ43QjeVA4ROqhnLUm1XD8dDe9PcQiaGJR9DHmtMERNgvIbvKWM/s640/blog+mobile+table.png" width="640" /></a></div>
For more information on PreEmptive Solutions Enterprise Mobile Application Risk product portfolio, check out: <a href="http://apps-are-people-too.blogspot.com/2015/06/preemptive-solutions-mobile-application.html" target="_blank">PreEmptive Solutions’ mobile application risk management portfolio: four releases in four weeks.</a></div>
June 19, 2015 <b>ISV App Analytics: 3 patterns to improve quality, sales, and your roadmap</b><br />
Application analytics are playing an increasingly important role in DevOps and Application Lifecycle Management more broadly – but ISV-specific use cases for application analytics have not gotten as much attention. ISV use cases – and by extension, the analytics patterns employed to support them – are unique. Three patterns described here are Beta, Trial, and Production builds. Clients and/or prospects using these “product versions” come with different expectations and hold different kinds of value to the ISV – and, as such – each instance of what is essentially the same application should be instrumented differently.<br />
<h2>
The case for injection</h2>
Typically, application instrumentation is implemented via APIs inside the application itself. While this approach offers the greatest control, any change requires a new branch or version of the app itself. With injection – the process of embedding instrumentation post-compile – the advantage is that you are able to introduce wholly different instrumentation patterns without having to rebuild or branch an application's code base.<br />
<br />
The following illustration highlights the differences in instrumentation patterns across product versions – patterns that we, at PreEmptive, use inside our own products.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKHXaAV0xksBZpZu4KygOxveyvOmHMf_Jwgsi_8cLvoFicgHMP36ohphZdEmcXNRiZR1KveD9eiQqF8Rh9dG52SUJwicx44MIre0oP6qUCkBPhfMvk4WtV_8G_enH5QsmZGuQC_EGNV8Y/s1600/isv+blog+1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKHXaAV0xksBZpZu4KygOxveyvOmHMf_Jwgsi_8cLvoFicgHMP36ohphZdEmcXNRiZR1KveD9eiQqF8Rh9dG52SUJwicx44MIre0oP6qUCkBPhfMvk4WtV_8G_enH5QsmZGuQC_EGNV8Y/s640/isv+blog+1.jpg" width="640" /></a></div>
<br />
<br />
<h3>
Beta and/or Preview</h3>
<ul>
<li>Measure new key feature discovery and usage </li>
<li>Track every exception that occurs throughout the beta cycle </li>
<li>Measure impact and satisfaction of new use cases (value versus usage) </li>
<li>*PreEmptive also injects “Shelf Life” – custom deactivation behaviors triggered by the end of the beta cycle </li>
</ul>
<br /><h3>
Trial</h3>
<ul>
<li>License key allowing for tracking individual user activity in the context of the organization they represent (the prospective client) - this is CONNECTED to CRM records after the telemetry is delivered</li>
<li>Performance and quality metrics that are likely to influence outcome of a successful evaluation through better timed and more effective support calls </li>
<li>Feature usage that suggests user-specific requirements – again, increasing the likelihood of a successful evaluation </li>
<li>* PreEmptive injects “Shelf Life” logic to automatically end evaluations (or extend them) based upon sales cycle </li>
</ul>
<h3>
Production</h3>
<ul>
<li>Enforce organization’s opt-in policy to ensure privacy and compliance. NO personally identifying information (PII) is collected in the case of PreEmptive’s production instrumentation. </li>
<li>Feature usage, default setting, and runtime stack information to influence development roadmap and improve proactive support. </li>
<li>Exception and performance metrics to improve service levels. </li>
<li>* PreEmptive injects Shelf Life functionality to enforce annual subscription usage. </li>
</ul>
<br />The stakeholders and their requirements are often not well understood at the start of a development project (and often change over time). Specifically, sales and line of business management may not know their requirements until the product is closer to release – or after the release when there's greater insight into the sales process. A development team could not use an analytics API even if they had wanted to. …and this is one very strong case for using analytics injection over traditional APIs.<h2>
PreEmptive Solutions ISV application analytics examples</h2>
Here are recent screen grabs of Dotfuscator CE usage (preview release) inside Visual Studio 2015.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnZeDcWytYcWJg1bidnIlhL01e-IvqwgQhIk4h8IrnL5uuD26AjhTziVQctLWHtFDvjsMvo42O9bWDtOHjwO8PMjiCOwnUnAx7LL42mPb3_0Y8d1rmnTC1qtZxv96gSo9QQjZ-AKvSx-A/s1600/isv+blog+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnZeDcWytYcWJg1bidnIlhL01e-IvqwgQhIk4h8IrnL5uuD26AjhTziVQctLWHtFDvjsMvo42O9bWDtOHjwO8PMjiCOwnUnAx7LL42mPb3_0Y8d1rmnTC1qtZxv96gSo9QQjZ-AKvSx-A/s640/isv+blog+2.jpg" width="640" /></a></div>
Here is a similar collection of analytics Key Performance Indicators (KPIs) – this time focusing on current user evaluations.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhghwqnMQsez1AQ4KjmbETYz5Gr03WvyIycAP1V9-Z1xg9r98QUl6jK8tfnce-E8eNFCwZtc3sJecRbXwJxkTVyGVNP_ncEqjlWV5PjyGtCGub-R4aivZK4JWQN2-L6AdeqgwhSoOI4qDg/s1600/isv+blog+3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhghwqnMQsez1AQ4KjmbETYz5Gr03WvyIycAP1V9-Z1xg9r98QUl6jK8tfnce-E8eNFCwZtc3sJecRbXwJxkTVyGVNP_ncEqjlWV5PjyGtCGub-R4aivZK4JWQN2-L6AdeqgwhSoOI4qDg/s640/isv+blog+3.jpg" width="640" /></a></div>
<br />
<br />
<div>
…and lastly, here are a set of representative KPIs tracking production usage of DashO for Java.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRR2rAebH0HNGA2vfiIQN-Uhg3guec4GMHj3LJgO6hFH_IlWfwaJ7rE3A5APONnEqjt8H-VN3w0fZvWkXT55QTr2g6-0k0DFyRkbII0qXyU1aW88QmLQFJ3lx9RKiz1JL9HOcWxQdNDww/s1600/isv+blog+4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRR2rAebH0HNGA2vfiIQN-Uhg3guec4GMHj3LJgO6hFH_IlWfwaJ7rE3A5APONnEqjt8H-VN3w0fZvWkXT55QTr2g6-0k0DFyRkbII0qXyU1aW88QmLQFJ3lx9RKiz1JL9HOcWxQdNDww/s640/isv+blog+4.jpg" width="640" /></a></div>
<div>
<br /></div>
If you’re building software for sale – and you’d like to streamline your preview releases, shorten your sales cycles and increase your win rates – and better align your product roadmap with what your existing clients are actually doing – then application analytics should be a part of your business – and – most likely – injection as a means of instrumentation is for you as well.<br />
<br />
April 15, 2015 <b>Five tenets for innovation and sustained competitive advantage through application development</b><br />
I'm privileged to spend most of my working days in front of smart people doing interesting work across a wide spectrum of industries - and in the spirit of "ideas don't have to be original - they just have to be good(c)" (the copyright is my attempt at humor RE other people's good ideas versus my silly aphorism) - anyhow, back to my central point - mobile, cloud, the rise of big data, etc. are all contributing to a sense that business (and the business of IT) is entering an entirely new phase fueled by technology, globalization, etc... and with this scale of change comes confusion ...but in spite of all this background noise, I'm witnessing many of our smartest customers and partners converge on the following five tenets - tenets that I know are serving some of the smartest people in the coolest organizations extremely well - cheers.<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .25in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;">
<b><br /></b></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .25in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;">
<b>1.</b> <b>Organizations must innovate or be rendered obsolete.</b></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b>Challenge</b>: Applications now serve as a hub of innovation and a primary means of differentiation – across every industry and facet of our modern economy.</div>
<div class="MsoNormal" style="margin-bottom: 6.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b><i>Response</i></b><i>: Innovative organizations use applications to uniquely engage with their markets and to streamline their operations.</i></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .25in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;">
<b>2.</b> <b>Genuine innovation is a continuous process – to be scaled and sustained.</b></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b>Challenge</b>: Development/IT must internalize evolving business models and emerging technologies while sustaining ongoing IT operations and managing increasingly complex regulatory and compliance obligations.</div>
<div class="MsoNormal" style="margin-bottom: 6.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b><i>Response</i></b><i>: Leading IT organizations imagine and deliver high-value applications through agile feedback-driven development practices and accelerated development cycles that place a premium on superior software quality and exceptional user experiences.</i></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .25in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;">
<b>3.</b> <b>Modern applications bring modern risks.</b></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b>Challenge</b>: In order to sustain competitive advantage through application innovation, organizations must effectively secure and harden their application asset portfolios against the risks of revenue loss, Intellectual Property theft, denial of service attacks, privacy breaches, and regulatory and compliance violations.</div>
<div class="MsoNormal" style="margin-bottom: 6.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b><i>Response</i></b><i>: Successful organizations ensure that security, privacy, and monitoring requirements are captured and managed throughout the application lifecycle from design through deployment and deprecation – as reflected in appropriate investments and upgrades in processes and technologies.</i></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .25in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;">
<b>4.</b> <b>Every organization is a hybrid organization – every IT project starts in the middle.</b></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b>Challenge</b>: Organizations must balance the requirement to innovate with the requirement to operate competitively with existing IT assets.</div>
<div class="MsoNormal" style="margin-bottom: 6.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b><i>Response</i></b><i>: Mature organizations do not hard-wire development, security, analytics, or DevOps practices to one technology generation or another. The result is materially lower levels of technical debt and the capacity to confidently embrace new and innovative technologies and the business opportunities they represent.</i></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .25in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;">
<b>5.</b> <b>Enterprise IT requirements cannot be satisfied with consumer technologies – shared mobile platforms and BYOD policies do not alter this tenet.</b></div>
<div class="MsoNormal" style="margin-bottom: 3.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b>Challenge</b>: Enterprise security, compliance, and integration requirements cannot (and will not) be satisfied by mobile/web development and analytics platforms designed for consumer-focused, standalone app development (and the business models they support).</div>
<div class="MsoNormal" style="margin-bottom: 6.0pt; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level2 lfo1; tab-stops: .5in; text-indent: -.25in;">
• <b><i>Response</i></b><i>: Mature IT organizations drive mobile app innovation without compromising core enterprise ALM, analytics, or governance standards by extending proven practices and enterprise-focused platforms and technologies.</i></div>
AppsRpeople2http://www.blogger.com/profile/08529547238174325669noreply@blogger.com0tag:blogger.com,1999:blog-6690916271713809138.post-55882819078153810552015-04-07T14:19:00.002-04:002015-04-07T15:47:40.004-04:00Darwin and Application Analytics<h2>
<span style="font-size: large;">Survival of the fittest</span></h2>
Technological evolution is more than a figure of speech. <br />
<br />
Survival, i.e. adoption (technology proliferation and usage), favors the species (technology) that adapts most effectively to environmental changes and most successfully competes for the limited resources required for day-to-day sustenance. In other words, the technology that is most agile wins in this winner-take-all Darwinian world.<br />
<br />
You might think you know where I’m headed – that I’m going to position application analytics and PreEmptive Analytics in particular as being best able to ensure the agility and resilience applications need to survive – and while that’s true – that’s not the theme of today’s post.<br />
<div>
<br />
<h2>
<span style="font-size: large;"> A rose by any other name… and applications are (like) people too!</span></h2>
Today’s theme is on properly classifying application analytics (and PreEmptive Analytics in particular) among all of the other related (and in some cases, competing) technologies – are they fish or fowl? Animal, vegetable, or mineral? Before you can decide if application analytics is valuable – you have to first identify what it is and how it fits into your existing ecosystem – food chain - biosphere.<br />
<br />
In biology, all life forms are organized into a hierarchy (taxonomy) of seven levels (ranks) where each level is a super set of the levels below. Here, alongside people and roses, is a proposed “taxonomic hierarchy” for application analytics.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMgYrJ5lre3KiF1Zdzr1O5sdz3Lo9ny6kvVnJPOuXuUotvaDDkWL6zXDDwX-o3kHcfyTvo-qh5dpV3JYwcOsCGEBMneHgukr7JcFmu0DJt-qkQMQM8AlDrA9okDyS1xZfjWL24EalnOUY/s1600/taxonomy.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMgYrJ5lre3KiF1Zdzr1O5sdz3Lo9ny6kvVnJPOuXuUotvaDDkWL6zXDDwX-o3kHcfyTvo-qh5dpV3JYwcOsCGEBMneHgukr7JcFmu0DJt-qkQMQM8AlDrA9okDyS1xZfjWL24EalnOUY/s1600/taxonomy.png" height="328" width="640" /></a></div>
<h2>
<span style="font-size: large;">What’s the point here? </span></h2>
<br />
What does this tell us about the species “PreEmptive Analyticus”? The hierarchy (precedence of the levels) and their respective traits are what ultimately give each species its identity. ...and this holds true for application analytics (and PreEmptive Analytics in particular) too.<br />
<br />
<b>Commercial </b>Class software is supported by a viable vendor (PreEmptive Solutions in this case) committed to ensuring the technology’s lasting Survival (with resources and a roadmap to address evolving requirements). <br />
<br />
<i>Homegrown solutions are like mules – great for short term workloads, but they’re infertile with no new generations to come or capacity to evolve. </i><br />
<br />
<b>Analytics</b> is the next most significant rank (Order) – PreEmptive Analytics shares a common core of functionality (behavior) with every other commercial analytics solution out there today (and into the future). <br />
<br />
HOWEVER, while common functionality may be shared, it is not interchangeable. <br />
<br />
<i>Hominids are characterized as Primates with “relatively flat faces” and “three dimensional vision” – both humans and chimpanzees obviously qualify, but no one would confuse the face of a human for that of a chimpanzee. Each species uniquely adapts these common traits to compete and to thrive in its own way. </i><br />
<br />
The <b>Family </b>(analytics focused more specifically on software data) and the <b>Genus </b>(specifically software data emitted from/by applications) each translate into increasingly unique and distinct capabilities – each of which, in turn, drive adoption. <br />
<br />
<i>In other words, in order to qualify as a Species in its own right, PreEmptive Analytics must have functionality driving its own proliferation and usage (adoption) distinct from other species e.g. profilers, performance monitors, website monitoring solutions, etc. while also establishing market share (successfully competing). </i></div>
<div>
<i><br /></i>
<br />
<h2>
<span style="font-size: large;">How do you know if you've found a genuine new species?</span></h2>
<br />
According to biologists and zoologists alike, the basic guidelines are pretty simple: you need a description of the species, a name, and some specimens. <br />
<br />
In this spirit, I offer the following description of PreEmptive Analytics – for a sampling of “specimens” (case studies and references) - contact me and I’m more than happy to oblige…<br />
<br />
<i>The definition enumerates distinguishing traits and the "taxonomic ranking" that each occupies - so this is not your typical functional outline or marketecture diagram.</i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjInRcL-gTQLOwT0qTjn5UrWb1cNXTDRVgiFTNFaRUaewYwAOkImdxihq0XnVqtZrtayqzpNsra7NGSRNTaTD_NqxcsztNo-SCY94-kBNp9qmdS_oDR869_gIckeUxw6yDKRaCec6Cn3t0/s1600/species.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjInRcL-gTQLOwT0qTjn5UrWb1cNXTDRVgiFTNFaRUaewYwAOkImdxihq0XnVqtZrtayqzpNsra7NGSRNTaTD_NqxcsztNo-SCY94-kBNp9qmdS_oDR869_gIckeUxw6yDKRaCec6Cn3t0/s1600/species.png" height="322" width="640" /></a></div>
CAUTION – keep in mind that common capabilities can be shared across species, but they are not interchangeable - each trait is described in terms of its general function, how it's been specialized for PreEmptive Analytics, and how/why it's adaptable to our changing world (and therefore more likely to succeed!) - <i>I’m not going to say who’s the monkey in my analytics analogy here, but I do want to caution against bringing a chimp to do a (wo)man’s job. </i><br />
<br />
<div>
<h2>
<span style="font-size: large;">PreEmptive Analytics </span></h2>
<h3>
<span style="font-size: large;">Core Analytics functionality</span></h3>
<b>Specialized:</b> The <i>ingestion, data management, analytics computations, and the visualization </i>capabilities include “out of the box” support for application analytics specific scenarios including information on usage, users, feature usage patterns, exceptions, and runtime environment demographics. <br />
<br />
<b>Adaptable:</b> In addition to these canned analytics features, extensibility points (adaptability) ensure that whatever unique analytics metrics are most relevant to each application stakeholder (product owner, architect, development manager, etc.) can also be supported. </div>
<div>
<br />
<h3>
Software Data (Family traits) </h3>
<br />
<i>Incident Detection: </i>PreEmptive Analytics (for TFS) analyzes patterns of application exceptions to identify production incidents and to automatically schedule work items (tasks). <br />
<br />
<i>Data transport: </i>The PreEmptive Analytics Data Hub routes and distributes incoming telemetry to one or more analytics endpoints for analysis and publication. <br />
<br />
<b>Specialized: </b>“Out of the box” support for common exception patterns, automatic offline-caching and common hybrid network scenarios are all built-in. <br />
<br />
<b>Adaptable: </b>User-defined exception patterns and support for on-premises deployments, isolated networks, and high volume deployments are all supported. </div>
<div>
<br />
<h3>
<span style="font-size: large;">Application Data (Genus traits) </span></h3>
<i>Application instrumentation</i> (collecting session, feature, exception, and custom data): PreEmptive Analytics APIs plus Dotfuscator and DashO (for injection of instrumentation without coding) support the full spectrum of PC, web, mobile, back-end, and cloud runtimes, languages, and application types. <br />
<br />
<i>Application quality</i> (ensuring that data collection and transmission does not compromise application quality, performance, scale…): PreEmptive Analytics runtime libraries (regardless of the form of instrumentation used) are built to “always be on” and to run without impacting the service level of the applications being monitored. <br />
<br />
<i>Runtime data emission and governance</i> (opt-in policy enforcement, offline-caching, encryption on the wire…): The combination of the runtime libraries and the development patterns supported with the instrumentation tools ensure that security, privacy and compliance obligations are met. <br />
<br />
<b>Specialized: </b>the instrumentation patterns support every scale of organization from the entrepreneurial to the highly regulated and secure. <br />
<br />
<b>Adaptable: </b>Application-specific data collection, opt-in policy enforcement, and data emission is efficiently and transparently configurable supporting every class of application deployment from consumer to financial, to manufacturing, and beyond… </div>
<div>
<br />
<h3>
<span style="font-size: large;">PreEmptive Analytics (Species traits) </span></h3>
<br />
Every organization must continuously pursue differentiation in order to remain relevant (to Survive). In a time when almost all business that organizations do is digitized and runs on software, <u>custom applications are essential in providing this differentiation. </u><br />
<br />
<b>Specialized:</b> PreEmptive Analytics has integrated and adapted all of these traits (from instrumentation to incident detection) to focus on connecting application usage and adoption to the business imperatives that fund/justify their development. As such, PreEmptive Analytics is built for the non-technical business manager, application owners, and product managers as well as development managers and architects. <br />
<br />
<b>Adaptable: </b>Deployment, privacy, performance, and specialized data requirements are supported across industries, geographies, and architectures, providing a unified analytics view on every application for the complete spectrum of application stakeholders.<br />
<br />
<i><span style="color: #274e13;">So what are you waiting for? Put down your brontosaurus burger and move your development out of the stone age.</span></i></div>
AppsRpeople2http://www.blogger.com/profile/08529547238174325669noreply@blogger.com0tag:blogger.com,1999:blog-6690916271713809138.post-10040902499291685832015-03-23T12:14:00.000-04:002015-03-23T14:01:01.611-04:00Application Analytics: measure twice, code once
Microsoft recently announced the availability of <a href="https://www.visualstudio.com/en-us/news/vs2015-vs.aspx">Visual Studio 2015 CTP 6</a> – included with all of the awesome capabilities and updates was the debut of Dotfuscator Community Edition (CE) 2015. …and, in addition to updates to user functionality (protection and analytics instrumentation capabilities), this is the first version of Dotfuscator CE to include its own analytics (we’re using PreEmptive Analytics to anonymously measure basic adoption, usage, and user preferences). Here are some preliminary results… (and these could all be yours too of course using the very same capabilities from PreEmptive Analytics!)<br />
<div class="separator" style="clear: both;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0obcnIA4SgGcy3eBh6ruonKeAXe42BrWXxNsTyvQnWjNzEpbhSsymiZU55EsupMxDsBbHukwPDvPVIUfD9Zt330Vp9iFYN06t5lS3_bgigGR8L89RAOsaoeqPPD-mzn2yMLYchta-Zf8/s1600/CE+blog+2015+1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0obcnIA4SgGcy3eBh6ruonKeAXe42BrWXxNsTyvQnWjNzEpbhSsymiZU55EsupMxDsBbHukwPDvPVIUfD9Zt330Vp9iFYN06t5lS3_bgigGR8L89RAOsaoeqPPD-mzn2yMLYchta-Zf8/s1600/CE+blog+2015+1.png" height="323" width="640" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Users by day comparing new and returning users shows extremely low returning users – this indicates that users are validating that the functionality is present, but not actually using the technology as part of a build process – this makes sense given that this is the first month of a preview release – users are validating the IDE – not building real products on that IDE.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbYJ7nQ0hYohD7r9hpq5-3K5X1hnoG5ZFM5RA3Kvj1C4ERS_t_VouQHW0RN7ZvXZiAWodUrNqCoWwXLJOpD0ey4Wfs-S_G6h6y3KoT44fwlfNWuf3c70cgoUVcmsqFNl-VhjxwolzV-SE/s1600/CE+blog+2015+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbYJ7nQ0hYohD7r9hpq5-3K5X1hnoG5ZFM5RA3Kvj1C4ERS_t_VouQHW0RN7ZvXZiAWodUrNqCoWwXLJOpD0ey4Wfs-S_G6h6y3KoT44fwlfNWuf3c70cgoUVcmsqFNl-VhjxwolzV-SE/s1600/CE+blog+2015+2.png" height="348" width="640" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
Feature usage and user preferences are all readily available, including what % of users are opting in (of course an opt-in policy exists and is enforced), what runtimes they care about (including things like Silverlight and ClickOnce and Windows Phone…), the split between those who care about protection and/or analytics, and the timing of critical activities that can impact DevOps. <br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiECTYHTSn8f_H8vxTz1AOGuWo7ptLwacqPYRiGJk375B7J4HI4uZJtA2k8zWbN-S4aYwUim_9Ijan5p5p5ZQ_qt2LO7p3Rc-wNd_SpK5Bkl3on_WWEg-I0Ofi1fKYPrjOLGjlea7Vc_qM/s1600/CE+blog+2015+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiECTYHTSn8f_H8vxTz1AOGuWo7ptLwacqPYRiGJk375B7J4HI4uZJtA2k8zWbN-S4aYwUim_9Ijan5p5p5ZQ_qt2LO7p3Rc-wNd_SpK5Bkl3on_WWEg-I0Ofi1fKYPrjOLGjlea7Vc_qM/s1600/CE+blog+2015+3.png" height="248" width="640" /></a></div>
<div>
<br /></div>
<br />
<br />
Broad geolocation validates international interest and highlights unexpected synergies (or issues) that may be tied to localized issues (language, training, regulation, accessibility, etc.) <br />
<br />
This is an example of the most general, aggregated, and generic usage collection - of course the same analytics plumbing can be used to capture all flavors of exception, user behavior, etc. - but this is ALWAYS determined by your own design goals, and the telemetry is ALWAYS under your control and governance - from "cradle to grave." <br />
<br />
<b>BOTTOM LINE:</b> the faster you can iterate – the better your chances for a successful, agile, application launch – building a feedback driven, continuous ALM/DevOps organization cries out for effective, secure, and ubiquitous application analytics – how is your organization solving for this requirement?AppsRpeople2http://www.blogger.com/profile/08529547238174325669noreply@blogger.com0tag:blogger.com,1999:blog-6690916271713809138.post-18455140142739638362014-11-05T15:56:00.001-05:002014-11-05T15:56:22.319-05:00Application protection – why bother? <h3>
(…and, no, this is not a rhetorical question)</h3>
Why should a developer (or parent organization) bother to protect their applications? Given what PreEmptive Solutions does, you might think I’m being snarky and rhetorical – but, I assure you, I am not. The only way to answer such a question is to first know what it is you need protection from. <br /><br />If you’re tempted to answer with something like “to protect against reverse engineering or tampering,” that is not a meaningful answer – your answer needs to consider what bad things happen if/when those things happen. Are you looking to prevent piracy? Intellectual property theft? AGAIN – not good enough – the real answer is going to have to be tied to lost revenue, operational disruption resulting in financial or other damage, etc. Unless you can answer this question – it is impossible to appropriately prioritize your response to these risks. <br /><br />If you think I’m being pedantic or too academic, then (and forgive me for saying this) you are not the person who should be making these kinds of decisions. If, on the other hand, you’re not sure how to answer these kinds of questions – but you understand (even if only in an intuitive way) the distinction between managing risks (damage) versus preventing events that can increase risk – then I hope the following distillation of how to approach managing the unique risks that stem from developing in .NET and/or Java (managed code) will be of value. <br /><br /><b>First point to consider:</b> managed code is easy to reverse engineer and modify by design – and there are plenty of legitimate scenarios where this is a good thing.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifqo9wBA9cwagpV5te1p-UIUqgYrdxFnuHLbaoLydq-xykV4Wv_bYWEHIZxXfPgXOrEjTkE3j01fK6_t8oxtTNdvlHqJJuvbR_uJBGWkZjOtBltNQvSz_ZqFUDAVDJtOAA3J3ZlPZ7eQ8/s1600/graph1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifqo9wBA9cwagpV5te1p-UIUqgYrdxFnuHLbaoLydq-xykV4Wv_bYWEHIZxXfPgXOrEjTkE3j01fK6_t8oxtTNdvlHqJJuvbR_uJBGWkZjOtBltNQvSz_ZqFUDAVDJtOAA3J3ZlPZ7eQ8/s1600/graph1.png" /></a></div>
<br />Your senior management needs to understand that reverse engineering and executable manipulation are well-understood and widely practiced. Therefore, if this common practice poses any material risks to your organization, they are compelled to take steps to mitigate those risks – of course, if this basic characteristic of managed code does not pose a material risk – no additional steps are needed (nor should they be recommended). <br /><br /><b>Second point to consider: </b>reverse engineering tools don’t commit crimes – criminals do; but criminals have found many ways to commit crimes with reverse engineering (and other categories of) tools.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTBa5spB3LVbBigyqDzXYSq4obYy2RaGaom6IjP3saq_p-PjFQmEshMkxHubijBH_l-qMtMwyvJNgfYdL7izXTDA12ZTnx2qWrM1NZD8kC7vsAqVblFlnAmlCoIYc3_zNc-lbyRA9AhYw/s1600/graph2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTBa5spB3LVbBigyqDzXYSq4obYy2RaGaom6IjP3saq_p-PjFQmEshMkxHubijBH_l-qMtMwyvJNgfYdL7izXTDA12ZTnx2qWrM1NZD8kC7vsAqVblFlnAmlCoIYc3_zNc-lbyRA9AhYw/s1600/graph2.png" /></a></div>
<div>
<br /><br />In order to be able to recommend an appropriate strategy, a complete list of threats is required – simply knowing that IP theft is ONE threat is not sufficient – if the circulation of counterfeit applications poses an incremental threat – you need to capture this too. <br /><br /><b>Third point to consider: </b>Which of the incident types above are relevant to your specific needs? How important are they? How can you objectively answer these kinds of questions?</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6ud91Vkd3agoUK6FfJ8Bs84kizZ45gEKFqrBHlgYJoS7ZNOZDLuNgwVjdD1V7OSrbjnIn4gFdLjr-DEdVbgA3lShy6Y3Xn_pNP8njcSl4b7E8FcJtdIv7KBkHaj8jI90H6Wnq9ZK0-Gs/s1600/graph3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6ud91Vkd3agoUK6FfJ8Bs84kizZ45gEKFqrBHlgYJoS7ZNOZDLuNgwVjdD1V7OSrbjnIn4gFdLjr-DEdVbgA3lShy6Y3Xn_pNP8njcSl4b7E8FcJtdIv7KBkHaj8jI90H6Wnq9ZK0-Gs/s1600/graph3.png" /></a></div>
<div>
Risk management is a mature discipline with well-defined frameworks for capturing and describing risk categories; DO NOT REINVENT THE WHEEL. How significant (material) a given risk may be is defined entirely by the relative impact on well-understood risk categories. The ones listed above are commonly associated with application reverse engineering and tampering - but these are not universal nor is the list exhaustive. <br /><br /><b>Fourth point to consider:</b> How much risk is too much? How much risk is acceptable (what is your tolerance for risk)? …and what options are available to manage (control) these various categories of risk to keep them within your organization’s “appetite for risk?”</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOta2R9D0BAVmuykqj1UBLjo5FJEXj0EH5vsX5lduxQu-Wzy2Di3HcHm6KZpVHZCwfkmopUaMK4YruZ0HZC7lbf00iHrnSfPDeNyw8xXI_QdduniFuygvwqx3XIGFCsn_KVNM3FaYXlMw/s1600/graph4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOta2R9D0BAVmuykqj1UBLjo5FJEXj0EH5vsX5lduxQu-Wzy2Di3HcHm6KZpVHZCwfkmopUaMK4YruZ0HZC7lbf00iHrnSfPDeNyw8xXI_QdduniFuygvwqx3XIGFCsn_KVNM3FaYXlMw/s1600/graph4.png" /></a></div>
<div>
Tolerance (or appetite) for risk is NOT a technical topic – nor are the underlying risks. For example, an Android app developed by 4 developers as a side project may only be used by a small percentage of your clients to do relatively inconsequential tasks – the developers may even be external consultants – so the app itself has no real IP, generates no revenue, and is hardly visible to your customer base (let alone to your investors). On the other hand, if a counterfeit version of that app results in client loss of data, reputation damage in public markets, and regulatory penalties – the trivial nature of that Android app really won’t have mattered. <br /><br />In other words, even if the technical scope of an application may be narrow, the risk – and therefore the stakeholders – can often be far reaching. <br /><br />Risk management decisions must be made by risk management professionals – not developers (you wouldn't want risk managers doing code reviews would you?).</div>
<br /><b>Fifth point to consider: </b>what controls are available specifically to help manage/control the risks that stem from managed code development?<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLGgyQtFqoX_2pP7bns-XJxHVIdwd2VWJU8Vy5JisElG_45aVEt5j6xS-DfgLn3UgVdEYPfIKssVy2jdTDzZdmNo6zS9n1dOkgBJZoBJxkkB-YSA6IuCLMGLQ4UZRfv3Nun9da8AnxmPM/s1600/graph5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLGgyQtFqoX_2pP7bns-XJxHVIdwd2VWJU8Vy5JisElG_45aVEt5j6xS-DfgLn3UgVdEYPfIKssVy2jdTDzZdmNo6zS9n1dOkgBJZoBJxkkB-YSA6IuCLMGLQ4UZRfv3Nun9da8AnxmPM/s1600/graph5.png" /></a></div>
Obfuscation is a portfolio of transformations that can be applied in any number of permutations – each with its own protective role and its own side effects. <br /><br />Tamper detection and defense as well as regular feature and exception monitoring also have their own flavors and configurations. <br /><br />Machine attacks, human attacks, attacks whose goal is to generate compilable code versus those designed to modify specific behaviors while leaving others intact all call for different combinations of obfuscation, tamper defense, and analytics. <br /><br />The goal is to apply the minimum levels of protection and monitoring required to bring identified risk levels down to an acceptable (tolerable) level. Any protection beyond that level is “overkill.” Anything less is wasted effort. …and this is why mapping all activity to a complete list of risks is an essential first step.<br /><br /><b>Sixth point to consider: </b>the cure (control) cannot be worse than the disease (the underlying risk). In other words, the obfuscation and tamper defense solutions cannot be more disruptive than the risks these technologies are designed to manage.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDNzQOnfAOP925VArRn1jbbz5ZHOD1sXzMRiq_aV4ZaX4TjSomBaym_H4AtcnnxTupp04W0WspKN1ju5slZbwi2miZenLZEOHZOrRI0hxK4JlLVYKCbWGbfHfk16L2AGk6V6D8PsBsgtQ/s1600/graph6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDNzQOnfAOP925VArRn1jbbz5ZHOD1sXzMRiq_aV4ZaX4TjSomBaym_H4AtcnnxTupp04W0WspKN1ju5slZbwi2miZenLZEOHZOrRI0hxK4JlLVYKCbWGbfHfk16L2AGk6V6D8PsBsgtQ/s1600/graph6.png" /></a></div>
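The fifth and sixth points above, worked as an added example (not from the original post): find the cheapest set of controls that brings every listed risk within tolerance without exceeding a side-effect budget. The risk scores, tolerances, control names and reduction factors are constructed, and the multiplicative scoring model is an assumption.

```python
from itertools import combinations

# Constructed register: scores and tolerances are set by the risk owners.
RISKS = {
    "counterfeit_app": {"score": 20, "tolerance": 6},
    "ip_theft": {"score": 12, "tolerance": 6},
    "piracy": {"score": 4, "tolerance": 6},  # already tolerable: needs no control
}

# Constructed controls. "reduces" maps a risk to the fraction of it that remains
# (assumed to multiply when controls are combined). "side_effect" stands for the
# incremental risk the control itself adds (configuration, debugging, privacy).
CONTROLS = {
    "renaming": {"cost": 1, "side_effect": 1, "reduces": {"ip_theft": 0.6}},
    "control_flow": {"cost": 2, "side_effect": 2,
                     "reduces": {"ip_theft": 0.5, "counterfeit_app": 0.8}},
    "tamper_defense": {"cost": 3, "side_effect": 3,
                       "reduces": {"counterfeit_app": 0.4}},
    "tamper_reporting": {"cost": 2, "side_effect": 2,
                         "reduces": {"counterfeit_app": 0.6}},
}


def residual(risks, controls, chosen):
    """Risk score left for each risk once the chosen controls are applied."""
    left = {}
    for name, risk in risks.items():
        score = risk["score"]
        for control in chosen:
            score *= controls[control]["reduces"].get(name, 1.0)
        left[name] = score
    return left


def minimal_controls(risks, controls, side_effect_budget):
    """Cheapest control set that meets every tolerance within the budget.

    Returns None when no combination qualifies, i.e. the cure would be worse
    than the disease and the decision goes back to the risk owners.
    """
    best = None
    names = sorted(controls)
    for size in range(len(names) + 1):
        for chosen in combinations(names, size):
            side = sum(controls[c]["side_effect"] for c in chosen)
            if side > side_effect_budget:
                continue  # the control set is more disruptive than allowed
            left = residual(risks, controls, chosen)
            if any(left[n] > risks[n]["tolerance"] for n in risks):
                continue  # anything less than tolerable is wasted effort
            cost = sum(controls[c]["cost"] for c in chosen)
            if best is None or cost < best["cost"]:
                best = {"controls": chosen, "cost": cost,
                        "side_effect": side, "residual": left}
    return best


if __name__ == "__main__":
    print(minimal_controls(RISKS, CONTROLS, side_effect_budget=7))
    print(minimal_controls(RISKS, CONTROLS, side_effect_budget=5))
```
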
<br />Focusing on the incremental risks that obfuscation, tamper defense, and analytics can themselves introduce, the following questions are often important to consider (this is a representative subset – not a complete list): <br /><ul>
<li>Complexity of configuration </li>
<li>Flexibility to support build scenarios across distributed development teams, build farms, etc. </li>
<li>Debugging, patch scenarios, extending protection schemes across distinct components </li>
<li>Marketplace, installation, and other distribution patterns </li>
<li>Support for different OS and runtime frameworks </li>
<li>Digital signing, runtime IL standards compliance, and watermarking workflows </li>
<li>Mobile packaging (or other device specific requirements) </li>
<li>For analytics there are additional issues around privacy, connectivity, bandwidth, performance, etc. </li>
<li>For commercial products, vendor viability (will they be there for you in 3 years) and support levels (dedicated trained team? Response times?) </li>
</ul>
<br />So why bother? <br /><b>Only</b> if you have well-defined risks that are unacceptably high (operational, compliance, …) <br /><b>AND</b> the control (technology + process + policy) reduces the risk to acceptable levels <br /><b>WITHOUT</b> unacceptable incremental risk or expense.
AppsRpeople2 http://www.blogger.com/profile/08529547238174325669 noreply@blogger.com 0
tag:blogger.com,1999:blog-6690916271713809138.post-3249976728734558910 2014-04-22T13:20:00.000-04:00 2014-04-22T13:20:28.954-04:00
Cross Platform Application Analytics: Adding meat to pabulum
<h4>
Could I have chosen a title with less meaning and greater hype? I seriously doubt it.</h4>
<div>
<br /></div>
<div>
We have all heard that you can gauge how important a thing or concept is to a community by the number of names and terms used to describe that thing (the cliche is Eskimos and ice) - and I propose a corollary: you can gauge how poorly a community understands a thing or concept by how heavily it overloads multiple meanings onto a single name or term. ...and "analytics," "platform," and even "application" all fall into this latter category. </div>
What kind of analytics and for whom? What is a “platform?” And what does crossing one of these (or between them) even mean? <br /><br />In this post, I'm going to take a stab at narrowing the meaning behind these terms just long enough to share some "tribal knowledge" on what effectively monitoring and measuring applications can mean - especially as the very notion of what an application can and should be is evolving even as we deploy the ones we've just built.<br /><br /><b>Application Analytics: </b>If you care about application design and the development, test, and deployment practices that drive adoption – and if you have a stake in both the health of your applications in production and their resulting impact – then you’ll also care about the brand of application analytics that we’ll be focusing on here.<br /><br /><b>Cross Platform:</b> If your idea of “an application” is holistic and encompasses every executable your users touch (across devices and over time) AND includes the distributed services that process transactions, publish content, and connect users to one another (as opposed to the myopic perspective of treating each of these components as standalone) – then you already understand what “a platform” really means and why, to be effective, application analytics must provide a single view across (and throughout) your application platform. <div>
<br /><h2>
<span style="font-size: large;">PreEmptive Analytics</span></h2>
At PreEmptive, we’d like to think that we've fully internalized this worldview where applications are defined less by any one instance of an executable or script and more meaningfully treated as a collection of components that, when taken together, address one or more business or organizational needs. …and this perspective has translated directly into PreEmptive Analytics’ feature set.<br /><br />Because PreEmptive Analytics instrumentation runs inside a production application (as any application analytics instrumentation must), we find it helpful to divide our feature set into two buckets; <br /><br /><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1BQCKnZp_QDqJ0TY_1Ip3QrVqn-GG_ICY9PA_RPneqKTFwc7ZvXldnaa_cJeE987LN6mspawd_oylFg3q_s_ou8pi4LyekvD1blbocJvE-OH-Z4T3pxCvxgg9BYdGY4TfXBts6AHaCQw/s1600/blog+requiredesire.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1BQCKnZp_QDqJ0TY_1Ip3QrVqn-GG_ICY9PA_RPneqKTFwc7ZvXldnaa_cJeE987LN6mspawd_oylFg3q_s_ou8pi4LyekvD1blbocJvE-OH-Z4T3pxCvxgg9BYdGY4TfXBts6AHaCQw/s1600/blog+requiredesire.png" height="171" width="320" /></a></div>
<div>
<ol>
<li><b>Desired, </b>e.g. those that bring value to our users like feature tracking and </li>
<li><b>Required, </b>e.g. those features that, if they do not behave, damage the very applications they are designed to measure.</li>
</ol>
</div>
</div>
<h3>
How do you decide for yourself what’s desired versus required for your organization? </h3>
<br />The list of “desired features” can literally be endless – and a missing “desired feature” can often be overlooked and forgiven because the user can be compensated with some other awesome feature that still makes implementing PreEmptive Analytics worthwhile. On the other hand, miss ANY SINGLE “required feature,” and the project is dead in the water – Violate privacy? Negatively impact performance or quality? Complicate application deployment? Generate regulatory, audit, or security risk? Any one of these issues is a deal breaker.<div>
<br /><h2>
<span style="font-size: large;">PreEmptive Analytics “required” cross platform feature set </span></h2>
<br />Here’s a sampling of the kinds of features that our users often rely upon to hit their “required” cross platform feature set: <br /><br /><b>Platform, runtime, and marketplace coverage:</b> <i>will PreEmptive Analytics instrumentation support client, middle-tier, and server-side components? </i><br /><br />PreEmptive Analytics instruments: <br /><br /><ul>
<li>All .NET flavors (including 2.0 through WinRT and WP), C++, JavaScript, Java (including 8), iOS, and Android (plus special support for Xamarin generating native mobile apps across WP, iOS, & Android). </li>
<li>Further, our instrumentation passes Apple, Microsoft, Amazon, and Google marketplace acceptance criteria. </li>
</ul>
<br /><b>Network connectivity and resilience: </b><i>will PreEmptive Analytics be able to capture, cache, and transport runtime telemetry across and between my users’ and our own networks? </i><br /><br />PreEmptive instrumentation provides: <br /><br /><ul>
<li>Automatic offline caching inside your application across all mobile, PC, cloud, and server components (with the exception of JavaScript). Special logic accommodates mobile platforms and their unique performance and storage capabilities. After automatically storing data when your application is offline, it will automatically stream the telemetry up once connectivity is reestablished. </li>
</ul>
<br />PreEmptive Analytics endpoints can provide: <br /><br /><ul>
<li>Longer-term data management for networks that are completely isolated from outside networks allowing you to arrange for alternative data access or transport while respecting privacy, security, and other network-related constraints. </li>
</ul>
<br /><b>Privacy and security at runtime and over time: </b><i>will PreEmptive Analytics provide the flexibility to enforce your current and evolving security and privacy obligations? </i><br /><br />PreEmptive Analytics instrumentation <br /><br /><ul>
<li>Only collects and transmits data that has been explicitly requested by development. There is no unintended “over communication” or monitoring. </li>
<li>When data is transmitted, telemetry is encrypted over the wire. </li>
<li>Includes an extensible Opt-in switch that can be controlled by end users or through web-service calls allowing your organization to adjust and accommodate shifting opt-in and privacy policies without having to re-instrument and redeploy your applications. </li>
</ul>
<br />PreEmptive Analytics endpoints can: <br /><br /><ul>
<li>Reside and be managed entirely under your control – either on-premises or inside a virtual machine hosted in a cloud under your direct control. </li>
<li>They can be reconfigured, relocated, and dynamically targeted by your applications – even after your applications have been deployed. </li>
</ul>
<br /><b>Performance and bandwidth: </b><i>will PreEmptive Analytics instrumentation impact my application’s performance from my users’ experience or across the network? </i><br /><br />PreEmptive instrumentation: <br /><br /><ul>
<li>Runs inside your applications’ process space in a low priority thread – never competing for system resources. </li>
<li>Utilizes an asynchronous queue to further optimize and minimize the collection and transmission of telemetry once captured inside your application. </li>
<li>Has “safety valve” logic that will automatically begin throwing away data packets and ultimately shut itself down when system resources are deemed to be too scarce – helping to ensure that your users’ experiences are never impacted. </li>
<li>Employs OS and device-specific flavors of all of the above ensuring that – even with injection post-compile – every possible step is taken to ensure that PreEmptive Analytics’ system and network footprint remains negligible. </li>
</ul>
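An added sketch of the in-app behaviours listed above (opt-in switch, asynchronous queue, offline caching, safety valve). It is not PreEmptive Analytics code, and every class, method and parameter name is hypothetical; the transport and the connectivity check are passed in as callables, and the cache is held in memory rather than on disk.

```python
import queue
import threading
import time


class TelemetryClient:
    """Illustrative in-process telemetry pipeline; every name is hypothetical."""

    def __init__(self, send, is_online, max_queue=100, max_cache=500, drop_limit=50):
        self._send = send            # callable(event); raises if delivery fails
        self._is_online = is_online  # callable() -> bool
        self._queue = queue.Queue(maxsize=max_queue)  # hand-off from app threads
        self._cache = []             # offline cache, touched only by the worker
        self._max_cache = max_cache
        self._drop_limit = drop_limit
        self._lock = threading.Lock()
        self.opted_in = False        # nothing is collected until the user opts in
        self.dropped = 0
        self.shut_down = False

    def set_opt_in(self, value):
        """Runtime switch: flipped by the end user or by a policy service."""
        self.opted_in = bool(value)

    def track(self, name, **fields):
        """Called on application threads: never blocks, never raises."""
        if self.shut_down or not self.opted_in:
            return False
        try:
            # Only the fields the developer passed in are recorded.
            self._queue.put_nowait({"event": name, **fields})
            return True
        except queue.Full:
            self._drop()
            return False

    def _drop(self):
        """Safety valve: discard the event; after too many drops, stop entirely."""
        with self._lock:
            self.dropped += 1
            if self.dropped >= self._drop_limit:
                self.shut_down = True

    def _drain_queue(self):
        events = []
        while True:
            try:
                events.append(self._queue.get_nowait())
            except queue.Empty:
                return events

    def flush_once(self):
        """One worker pass. Returns the number of events delivered."""
        if self.shut_down:
            return 0
        events = self._drain_queue()
        if not self.opted_in:
            self._cache.clear()      # consent withdrawn: discard unsent data
            return 0
        for event in events:
            if len(self._cache) < self._max_cache:
                self._cache.append(event)
            else:
                self._drop()
        sent = 0
        while self._cache and not self.shut_down and self._is_online():
            try:
                self._send(self._cache[0])
            except Exception:
                break                # keep it cached and retry on the next pass
            self._cache.pop(0)
            sent += 1
        return sent

    def pending(self):
        return self._queue.qsize() + len(self._cache)

    def start(self, interval=1.0):
        """Run flush_once on a daemon thread (Python threads have no priority)."""
        def loop():
            while not self.shut_down:
                self.flush_once()
                time.sleep(interval)
        worker = threading.Thread(target=loop, daemon=True, name="telemetry")
        worker.start()
        return worker


if __name__ == "__main__":
    delivered, link = [], {"up": False}  # constructed transport and link state
    client = TelemetryClient(delivered.append, lambda: link["up"],
                             max_queue=3, drop_limit=4)
    client.set_opt_in(True)
    for i in range(5):
        client.track("feature_used", feature=f"f{i}")
    print("offline pass sent", client.flush_once(), "pending", client.pending())
    link["up"] = True
    print("online pass sent", client.flush_once(), "dropped", client.dropped)
```
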
<br /><i>What about the PreEmptive Analytics “desired” cross platform feature set? </i>(The features that make analytics worth doing) As I’ve already said, this list is literally an endless one – if I were to list only the categories (let alone the features in each category), this would make an already long post into a very, very long post. So, the desired feature discussion will have to come later… </div>
<div>
<br /><h2>
<span style="font-size: large;">What’s the bottom Line for “Cross Platform Application Analytics?” </span></h2>
<br /><b>Be consistent –</b> make sure your application analytics technology and practice are aligned with your definition of what an application actually is – and this is especially true when evaluating “cross-platform” architectures and semantics. A mismatch here will likely wipe out any chance of a lasting analytics solution, increase the cost of application analytics over time, and add to your technical debt. <br /><br /><b>Separate “needs” from “wants” – </b>take every action possible to ensure that your application analytics implementation does no harm to the applications being measured and monitored either directly (performance, quality, …) or indirectly (security, reputation, compliance). <br /><br />Want to put us through our paces? Visit <a href="http://www.preemptive.com/pa">www.preemptive.com/pa</a> and request an eval... <div>
<br /></div>
<div>
<br /></div>
</div>
AppsRpeople2 http://www.blogger.com/profile/08529547238174325669 noreply@blogger.com 0
tag:blogger.com,1999:blog-6690916271713809138.post-1056363178023199180 2013-11-07T14:34:00.002-05:00 2013-11-07T14:40:58.566-05:00
What can Jay-Z teach us about application analytics?
<h3>
If you want to move your audience, then a whole lot actually…</h3>
<br />
The gold standard for analytics is “actionable insight;” how much smarter, faster, or more efficient do we become when the right people get the right information in the right format at the right time? <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQc7NXYIsSbLTha1KSP3_q4E_VUbTprplyIr3ktKkfERn_t64gVDHmaS9vvmxUd8JXrlhN6oWB3l2EFt4n84wIofE9gTByAAq3-N3CCUIRgJmXNq2qqoK2InJUrGAQ0_V2jtRaP1jFYQY/s1600/music+and+analytics+blog2.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQc7NXYIsSbLTha1KSP3_q4E_VUbTprplyIr3ktKkfERn_t64gVDHmaS9vvmxUd8JXrlhN6oWB3l2EFt4n84wIofE9gTByAAq3-N3CCUIRgJmXNq2qqoK2InJUrGAQ0_V2jtRaP1jFYQY/s200/music+and+analytics+blog2.jpg" width="200" /></a></div>
<br />
General purpose analytics solutions are typically built to ingest anything and everything. “Adapters” translate data sources into a common (proprietary) analytics framework – and then the slicing and dicing begins! While obviously flexible, this approach only works if users have a safe and reliable means to collect (and deliver) raw data into their systems; <i><b>with application analytics, this is rarely the case. </b></i><br />
<br />
Recording applications “in the wild” is not an easy or simple task. In addition to the functional requirements to capture the right kinds of runtime telemetry, application instrumentation must meet a host of performance, privacy, quality, and security requirements as well – requirements that vary wildly by industry, use case, and target audience. …and, the demand for high fidelity application analytics has never been greater; you can thank the adoption of feedback-driven development practices coupled with the operational complexity of mobile and cloud computing plus the ever-evolving concerns around privacy and security for that. <br />
<br />
So what’s a development team to do? Well, it turns out that there’s nothing new about having to record complex real-world events and then package them up to inspire and move audiences – media moguls and hit makers have been doing it all along! <br />
<br />
Developers, if you know you should be including analytics inside your application development process, I recommend that you take a page from the recording industry – it turns out they know a little something about the complexities of capturing user behavior across heterogeneous devices and in diverse settings (the only big difference is that they call their users <i>“musicians”</i>). <br />
<br />
I've taken the liberty of condensing a post from a site dedicated to teaching the art and business of audio production and mapping it to the patterns and practices of effective application analytics implementation. You can see the original post at <a href="http://www.bedroom-recording.com/recording-process.html">the recording process</a> if you want to check my work. <br />
<br />
The infographic below maps each step in "the recording process" to its app analytics analog. I've underlined key points in the original post and added my own take-away.<br />
<br />
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtvfOdQsBzv7Tnb03xJoh5Eki_6sFXin9VYxcZ8vmNnXZwf0FGa-FiKK5tbJxxGg9Bij3O2IythKO-nRew6o3PKYTbWcokTAhAq1TRu0z1YLWTq7giRovGpe_eMZCjMUQQbBbD7MpUseY/s1600/music+and+analytics+blog1a.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtvfOdQsBzv7Tnb03xJoh5Eki_6sFXin9VYxcZ8vmNnXZwf0FGa-FiKK5tbJxxGg9Bij3O2IythKO-nRew6o3PKYTbWcokTAhAq1TRu0z1YLWTq7giRovGpe_eMZCjMUQQbBbD7MpUseY/s640/music+and+analytics+blog1a.png" width="640" /></a></div>
<br />
<br />
People will tell you that new technology changes everything – for me, this is just one more concrete example proving just the opposite.</div>
AppsRpeople2 http://www.blogger.com/profile/08529547238174325669 noreply@blogger.com 0
tag:blogger.com,1999:blog-6690916271713809138.post-3039591393207107592 2013-09-16T10:38:00.004-04:00 2013-09-16T10:38:59.422-04:00
Mobile development takes root; application analytics go mainstream<br />
We’ve just finished up another survey tapping ~8,000 developers; mostly (although definitely not exclusively) of the .NET variety – and I think there’s little room for doubt; the rise of mobile and modern apps is having a profound impact on the way developers work and the tools they use.<br />
<br />
<h2>
<span style="font-size: large;">What a difference a year makes</span></h2>
We did a similar survey in September 2012 (<a href="http://apps-are-people-too.blogspot.com/2012/10/who-cares-about-application-analytics.html" target="_blank">Who cares about application analytics? Lots of people for lots of reasons</a>) and, even then, the interest in analytics was obvious – <i>but interest had not yet translated into action. </i><br />
<br />
In September 2012, we reported that 77% of developers and their management had identified “insight into production application usage” as influential, important or essential to their work, and 71% identified “near real-time notification of unhandled, caught, and/or thrown exceptions” in the same way.<br />
<br />
…BUT, at the same time, only 30% indicated that they were doing any kind of analytics in practice (exception reporting, feature tracking, etc.).<br />
<blockquote class="tr_bq">
<span style="font-size: x-large;">“More people believe that the world is flat than doubt the positive role of application analytics on development.”</span></blockquote>
Today, that 77% and 71% of developers who “got the value of analytics” is now a solid 100% and 99.5% respectively (for those that don’t do surveys, you have to appreciate that a 100% opinion is virtually impossible to find – you’d have a hard time getting a 100% consensus on the shape of the planet (round or flat) or even the role that aliens play in picking Super Bowl winners (are they pro AFC or pro NFC?)).<br />
<br />
Even more impressive is the rise of actual use of analytics. The 30% of development teams that claimed to use some sort of analytics has, in just one year, ballooned to 62%.<br />
<br />
<h2>
<span style="font-size: large;">The rise of mobile development</span></h2>
Mobile devices have unique capabilities (accelerometer, augmented reality, gyroscope, camera/scanner, gesture recognition, GPS and navigation…) that drive unique development requirements which, in turn, spawn new development patterns and practices – and one of the most notable (in my opinion anyway) is the expectation that some form of application analytics always be included.<br />
<br />
<i>This is worth saying again; in traditional PC apps, adding analytics is the exception, not the rule – in mobile apps, the situation is reversed; embedding analytics is the norm. </i><br />
<br />
This is the other major shift in our year-over-year survey results. In 2012, only 25% of the development teams reported that they were developing mobile apps (iOS, Android, …) – in 2013, that number has more than doubled to 56%. <i>Is it a coincidence that the rise of analytics use is proportionate to the rise in mobile development?</i><br />
<br />
<h2>
<span style="font-size: large;">Analytics go mainstream</span></h2>
For analytics to “go mainstream,” mobile analytics development patterns need to be applied (and adapted) beyond narrow consumer-centric scenarios (as lucrative as those scenarios may be) to include line-of-business and “enterprise” apps (with all of the attendant infrastructure, IT governance, and data integration requirements that this implies). …and we’re seeing evidence of this too.<br />
<br />
94% of respondents are building mobile apps targeting consumers, BUT 40% are also deploying apps “used by employees” to “support a larger business,” e.g. enterprise apps!<br />
<br />
65% of enterprise mobile app dev teams (essentially the same percentage as their consumer-centric counterparts) also report using (some form) of analytics.<br />
<br />
<h2>
<span style="font-size: large;">Analytics: one size fits all?</span></h2>
Of course not – the specialization of application analytics technologies is another inevitable outcome of all of this change – and developers are on the front-lines trying to figure all of this out.<br />
<br />
The following chart lists the analytics technologies our respondents have reported using – Google’s (and to a lesser degree, Flurry’s) prominence should come as no surprise. …but what’s the deal with the homegrown category?<br />
<br />
Developers "doing it themselves" would strongly suggest that the reigning champions of consumer-centered mobile analytics are failing to meet a growing set of analytics requirements.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilaIXvVqzaLENFXkIDH6gOq6fUUBEe9eBx_Rqh0mJOZMa3ib4d6ECAR52y7_i9Kvrq1m49Nx1lo7MMl1zKjJtXmi2UVSMwEonX2Z5ZDvgr-Rjw6Hqk4uo6uswbwweNQsYM5AwXgOiaPe8/s1600/MA+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="329" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilaIXvVqzaLENFXkIDH6gOq6fUUBEe9eBx_Rqh0mJOZMa3ib4d6ECAR52y7_i9Kvrq1m49Nx1lo7MMl1zKjJtXmi2UVSMwEonX2Z5ZDvgr-Rjw6Hqk4uo6uswbwweNQsYM5AwXgOiaPe8/s640/MA+1.png" width="640" /></a></div>
<div>
<div>
<i>Is it a coincidence that the homegrown and PreEmptive analytics adoption rates map </i><i>so closely to</i><i> the enterprise mobile app market share listed above? (40%)</i></div>
<div>
<i><br /></i></div>
<h2>
<span style="font-size: large;">These tools, they are a-changing</span></h2>
<div>
Analytics is not the only development tool category undergoing change and reinvention. When asked to enter specialized mobile development tools, responses included both “the familiar” and “the brand new.” (Note, this was not a multiple-choice question – this was an open text box where anything – or nothing – could be entered)</div>
<div>
<br /></div>
<div>
<b>The familiar: </b>Visual Studio was cited as a “specialized toolset” by 24.6% of those listing at least one specialized mobile app development tool – of the 49 unique tools that were cited, this was the #1 response – and should give the Visual Studio product team some satisfaction as they are clearly establishing Visual Studio as something more than just a .NET-centric dev environment.</div>
<div>
<br /></div>
<div>
<b>The brand new:</b> <a href="http://xamarin.com/" target="_blank">Xamarin</a>, the cross platform mobile app development platform, was the most common new – and/or truly mobile-specific – toolset (they released a major refresh of their solution in 2013). Xamarin was cited by 9.5% of those listing at least one specialized mobile app development tool. </div>
<div>
<br /></div>
<div>
<i>(Are you using Xamarin? Contact me if you’d like to learn more about our soon to be released analytics integration with Xamarin – or visit the PreEmptive website if you’re reading this during or after Q4/2013)</i></div>
<div>
<br /></div>
<div>
The complete list of tools mentioned at least once includes:</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxZM4te4-WJ2gppnutXUzk67qbkWWJp67HR7Jn7u6UhCXUQBjxlYdz4r0ZnDi2REwGBNm6Xj9bju7GtUt_DY3m6FPcAw9pYLZTBapvIianhtlKHUuDNlZ2iZ1t-lQen6YiJcX0HcsXkbE/s1600/ma2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxZM4te4-WJ2gppnutXUzk67qbkWWJp67HR7Jn7u6UhCXUQBjxlYdz4r0ZnDi2REwGBNm6Xj9bju7GtUt_DY3m6FPcAw9pYLZTBapvIianhtlKHUuDNlZ2iZ1t-lQen6YiJcX0HcsXkbE/s640/ma2.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<i>While Visual Studio was cited most often, relative newcomer, Xamarin, is already making its mark</i>.</div>
<div>
<br /></div>
<div>
<h2>
<span style="font-size: large;">Game over? Are you kidding!? We haven’t even figured out the rules yet…</span></h2>
<div>
Have development organizations figured out how they’re going to tackle current and future mobile development requirements? (<i>That, my friends, is what we call a rhetorical question</i>)</div>
<div>
<br /></div>
<div>
The rise and assimilation of mobile devices is far, far from over and, sadly, I would suggest that picking new tools and expanding technical skillsets is the least of a development organization’s worries – grappling with entirely new sets of operational, legal, social, security, and privacy obligations (that are themselves changing and often inconsistent) poses (in my view) the most serious risk (a.k.a. opportunity) for today’s development shop. </div>
<div>
<br /></div>
<div>
…and those that lack a sense of urgency around these issues, that take the posture of waiting until these issues come to them, are in for a world of hurt.</div>
<div>
<br /></div>
<div>
For example, </div>
<div>
<br /></div>
<div>
Personally Identifiable Information (PII)</div>
<div>
<ul>
<li>15% of respondents that collect personally identifiable information (PII) do not offer their users a way to opt-out </li>
<li>18% that collect PII do not offer a link to their privacy policy (there was only a 6% overlap between these two groups) </li>
</ul>
</div>
<div>
<br /></div>
<div>
To know that you’re collecting PII and to not provide these mechanisms is a serious omission (both from a development and an operations perspective) – <u>and this is the easy stuff! </u><i>This question also presumes that developers are using the most up-to-date and appropriate PII definition – a stretch to be sure.</i></div>
<div>
<br /></div>
<h2>
<span style="font-size: large;">Regulatory and Compliance</span></h2>
<div>
For those that indicated that their apps have “regulatory or compliance requirements” (29.9% of respondents) – their obligations are, by their very nature, more complex, ambiguous, and fluid.</div>
<div>
<ul>
<li>36.6% of respondents whose apps are subject to compliance and/or regulatory oversight do not offer their users a way to opt-out </li>
<li>16.7% of respondents whose apps are subject to compliance and/or regulatory oversight do not offer a link to their privacy policy.</li>
</ul>
</div>
<div>
<br /></div>
<div>
…and what about collecting application usage information?</div>
<div>
<ul>
<li>41.7% of respondents whose apps are subject to compliance and/or regulatory oversight use Google Analytics or Flurry – analytics providers whose business model is predicated on harvesting and monetizing usage telemetry! </li>
</ul>
<div>
<br /></div>
<i>Have these development organizations reconciled their regulatory obligations with Google’s and Flurry’s usage terms or privacy policies? </i></div>
<div>
<i><br /></i></div>
<h2>
<span style="font-size: large;">In confusion, there’s opportunity</span></h2>
<div>
…and I think everyone can agree – mobile application development is full of <i><u>opportunity</u></i>.</div>
</div>
<div>
<br /></div>
AppsRpeople2 http://www.blogger.com/profile/08529547238174325669 noreply@blogger.com 1
tag:blogger.com,1999:blog-6690916271713809138.post-1804855190602801503 2013-09-10T17:23:00.000-04:00 2013-09-10T21:01:54.278-04:00
(Zinfandel + BBQ = $$$) - I told you so<br />
Back in February of 2011, I posted <a href="http://apps-are-people-too.blogspot.com/2011/02/riddle-me-this-where-can-french.html" target="_blank">Riddle me this! Where can French, Italians, and Germans all agree?</a> focusing on how a collection of early Windows Phone developers were leveraging analytics; the 10 apps included games, media apps, and a foodie app that paired food and wine by <a href="http://www.vinomatch.com/index.html" target="_blank">VinoMatch</a>. In this last example, our analytics tracked user behaviors (which foods users chose) and which wines they selected during the pairing.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1B6n5UskrqDOX6Nb16DJWBx4qI3Nug4hGB0II8ApPCxoisPqZKVjFsIR5k6iD527ISl4tpbwbcZursLNt15y7BSULmRkyKGrSx8nCqKZVyDADdpLfOboqY-PAZVELtGzdpDDXbRYFj7U/s1600/zyn1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1B6n5UskrqDOX6Nb16DJWBx4qI3Nug4hGB0II8ApPCxoisPqZKVjFsIR5k6iD527ISl4tpbwbcZursLNt15y7BSULmRkyKGrSx8nCqKZVyDADdpLfOboqY-PAZVELtGzdpDDXbRYFj7U/s320/zyn1.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><i>Analysis of food selection by users' nationality showing Italians' special interest in BBQ</i></b></div>
<br />
I was surprised to learn a) Italian interest in pairing wine with BBQ and b) the implied potential to market Zinfandel to Italians as an American wine for BBQ (because Zinfandel was bred from a cheap table-variety Italian grape, Italians have typically been a hard sell).<br />
<br />
So… imagine my surprise now in 2013, as I see a series of targeted marketing campaigns with exactly this message (from multiple wineries). I wonder how many hundreds of thousands of dollars in market research these guys spent when all they had to do was instrument an app?!<br />
<span style="color: red; font-size: x-large;">Cin Cin!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8Oq9gdNT08aPQCZH2aSmkObRR0wA4hEez86pTutLVrw_HF_-IavWP5ma3fVQ5bDniZVp6xT-DglrvrL_JbzR5KXybXwZP5Y3zZlNidym3-_AChQP-4Mts9L24FXtiri-AdKx2vhJANZY/s1600/zyn2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8Oq9gdNT08aPQCZH2aSmkObRR0wA4hEez86pTutLVrw_HF_-IavWP5ma3fVQ5bDniZVp6xT-DglrvrL_JbzR5KXybXwZP5Y3zZlNidym3-_AChQP-4Mts9L24FXtiri-AdKx2vhJANZY/s640/zyn2.png" width="640" /></a></div>
<div>
<br /></div>
<h1>
Your phone can be a very scary place</h1>
Published 2013-09-09; updated 2013-09-10<br />
<br />
Mobile apps are changing our social, cultural, and economic landscapes – and, with the many opportunities and perks that these changes promise, comes an equally impressive collection of risks and potential exploits.<br />
<br />
This post is probably way overdue – it’s an update (supplement really) to an article I wrote for The ISSA Journal on <a href="http://www.preemptive.com/images/stories/white_papers/Risks_Unique_to_Java_and_NET_ISSA1109.pdf" target="_blank">Assessing and Managing Security Risks Unique to Java and .NET</a> way back in ’09. The article laid out reverse engineering and tampering risks stemming from the use of managed code (Java and .NET). The technical issues were really secondary – what needed to be emphasized was the importance of having a consistent and rational framework to assess the materiality (relative danger) of those risks (piracy, IP theft, data engineering…).<br />
<br />
In other words, the simple fact that it’s easy to reverse engineer and tamper with a piece of managed code does not automatically lead to a conclusion that a development team should make any moves to prevent that from happening. The degree of danger (risk) should be the only motivation (justification) to invest in preventative or detective measures; and, by implication, risk mitigation investments should be in proportion to those risks (low risk, low investment).<br />
<br />
Here’s a graphic I used in ’09 to show the progression from managed apps (.NET and Java) to the risks that stem naturally from their use.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQj6o_ygtT0yr-9Cpm6ow24JooYylbIVtUg6NMT5hm2ImAfFviYyfbACLEdYO4O_aT6hPeG0fS9wrKl74L6n-xHegPADwDcNcMDdJ0TVMiYkMLUgD2EReAD0MCruXsKW1R0znPd3vglEs/s1600/and1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQj6o_ygtT0yr-9Cpm6ow24JooYylbIVtUg6NMT5hm2ImAfFviYyfbACLEdYO4O_aT6hPeG0fS9wrKl74L6n-xHegPADwDcNcMDdJ0TVMiYkMLUgD2EReAD0MCruXsKW1R0znPd3vglEs/s400/and1.png" width="400" /></a></div>
<div>
<b><i>Risks stemming from the use of Java and .NET circa 2009</i></b></div>
<div>
<br /></div>
<div>
<h2>
Managed code risks in the mobile world</h2>
<div>
Of course, managed code is also playing a central role in the rise of mobile computing as well as the ubiquitous “app marketplace,” e.g. Android and, to a lesser degree, Windows Phone and WindowsRT – and, as one might predict, these apps are introducing their own unique cross-section of potential risks and exploits. </div>
</div>
<div>
<br /></div>
<div>
Here is an updated “hierarchy of risks” for today’s mobile world:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRrKCSD_hDhXaOmhdzsyZqdHHRX-ZstqudWw2qFUMA4lsSzcN0AE6hV70T7dDAAvr_mW5A07xFiG_Kv4mhF888ilofvix0Qha2a6ZYBCHHDuG9Vg1NaQ4aIQLOOiTEON22Cvw7OUNg-1A/s1600/and2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRrKCSD_hDhXaOmhdzsyZqdHHRX-ZstqudWw2qFUMA4lsSzcN0AE6hV70T7dDAAvr_mW5A07xFiG_Kv4mhF888ilofvix0Qha2a6ZYBCHHDuG9Vg1NaQ4aIQLOOiTEON22Cvw7OUNg-1A/s400/and2.png" width="400" /></a></div>
<div>
<div>
<b><i>Risks stemming from the use of Java and .NET in today’s mobile world</i></b></div>
<div>
<br /></div>
<div>
The graphic above highlights risks that have either evolved or emerged within the mobile ecosystem – and these are probably best illustrated with real world incidents and trends (also highlighted below):</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU1ES1Fh1niYChkDup0QlLlLcsC7AGcOr9A7e5JWL3QBpFpJqD8ZQD1IWerT3j9QRkfaYqlQYOh38XJfgOYEj35d-341ztazQiMc0q6w6Qx-dh2IhZ0C9W7I8FFuzLCpwZZbN5Z_fE0Zs/s1600/and3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU1ES1Fh1niYChkDup0QlLlLcsC7AGcOr9A7e5JWL3QBpFpJqD8ZQD1IWerT3j9QRkfaYqlQYOh38XJfgOYEj35d-341ztazQiMc0q6w6Qx-dh2IhZ0C9W7I8FFuzLCpwZZbN5Z_fE0Zs/s200/and3.png" width="200" /></a></div>
<div>
<br /></div>
<div>
<div>
Earlier this year, a mobile development company <a href="http://www.android-app-development.ie/blog/2013/03/06/inserting-keylogger-code-in-android-swiftkey-using-apktool/" target="_blank">documented how to turn one of the most popular paid Android apps (SwiftKey Keyboard) into a keylogger</a> (something that captures everything you do and sends it somewhere else). </div>
<div>
<br /></div>
<div>
This little example illustrates all of the risks listed above:</div>
<div>
<ul>
<li><b>IP theft</b> (this is a paid app that can now be side loaded for free)</li>
<li><b>Content theft</b> (branding, documentation, etc. are stolen)</li>
<li><b>Counterfeiting</b> (it is not a REAL SwiftKey instance – it’s a fake – more than a cracked instance)</li>
<li><b>Service theft</b> (if the SwiftKey app makes any web service calls that the true developers must pay for, then these users are driving up cloud expenses – and if any of these users write in for support, then human resources are being burned here too)</li>
<li><b>Data loss and privacy violations</b> (obviously there is no “opt-in” to the keylogging and the passwords, etc. that are sent are clearly private data)</li>
<li><b>Piracy</b> (users should be paying the licensing fee normally charged)</li>
<li><b>Malware </b>(the keylogging is the malware in this case)</li>
</ul>
</div>
<div>
In this scenario, the “victim” would have needed to go looking for “free versions” of the app away from the sanctioned marketplace – but that’s not always the case.</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPI5S_g-2k7Q2Wx0N_vAxM9ndhjq70TykkNST4dBpabo7_kG8nRxpgTzAPmcoESds7oXFlM3p__Mn-4xgnBfm_bFyqxZDREFvjcWmMm1hP308FT4wCnApDmjkcykBT52YqvRfUXdOju0o/s1600/and4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPI5S_g-2k7Q2Wx0N_vAxM9ndhjq70TykkNST4dBpabo7_kG8nRxpgTzAPmcoESds7oXFlM3p__Mn-4xgnBfm_bFyqxZDREFvjcWmMm1hP308FT4wCnApDmjkcykBT52YqvRfUXdOju0o/s200/and4.png" width="200" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<div>
Symantec recently reported finding counterfeit apps inside the Amazon Appstore (and Amazon has one of the most rigorous curating and analysis check-in processes). I, myself, have had my content stripped and look-alike apps published across marketplaces too (see my earlier posts <a href="http://apps-are-people-too.blogspot.com/2012/01/hoisted-by-my-own-petard-or-why-my-app_09.html" target="_blank">Hoisted by my own petard: or why my app is number two (for now)</a> and <a href="http://apps-are-people-too.blogspot.com/2012/05/ryan-is-lying-well-actually-stealing.html" target="_blank">Ryan is Lying – well, actually stealing, cheating and lying - again</a>). </div>
<div>
<br /></div>
<div>
Now these anecdotes are all too real, and sadly, they are also by no means unique. Trend Micro found that 1 in every 10 Android apps is malicious and that 22% of apps inappropriately leaked user data – that is crazy!</div>
<div>
<br /></div>
<div>
For a good overview of Android threats, check out this free paper by Trend Micro, <a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-3q-2012-security-roundup-android-under-siege-popularity-comes-at-a-price.pdf" target="_blank">Android Under Siege: Popularity Comes at a Price</a>.</div>
<div>
<br /></div>
<h2>
To obfuscate (or not)?</h2>
<div>
As I’ve already written – you shouldn’t do anything simply to make reverse engineering and tampering more difficult – you should only take action if the associated risks are significant enough to you and said “steps” would reduce those risks to an acceptable level (your “appetite for risk”). </div>
<div>
<br /></div>
<div>
…but, seriously, who cares what I think? What do the owners of these platforms have to say?</div>
<div>
<br /></div>
<div>
<b>Android</b> “highly recommends” obfuscating all code and emphasizes this in a number of specific areas such as: “<a href="http://developer.android.com/google/play/billing/billing_best_practices.html" target="_blank">At a minimum, we recommend that you run an obfuscation tool</a>” when developing billing logic. …and, they go so far as to include an open source obfuscator, <a href="http://developer.android.com/tools/help/proguard.html" target="_blank">ProGuard</a> – where again, Android “highly recommends” that all Android apps be obfuscated.</div>
<div>
<br /></div>
<div>
<b>Microsoft</b> also recommends that all modern apps be obfuscated (see <a href="http://download.microsoft.com/download/5/8/8/588D2A2D-9AE6-4383-B081-F6BDD4445761/Windows%20Phone%20Marketplace%20Anti-Piracy%20Model.docx" target="_blank">Windows Phone policy</a>) and they also offer a “community edition” obfuscator (our own Dotfuscator CE) as a part of Visual Studio. </div>
<div>
<br /></div>
<h2>
Tamper detection, exception monitoring, and usage profiling</h2>
<div>
Obfuscation “prevents” reverse engineering and tampering; but it does not actively detect when attackers are successful (and, with enough skill and time – all attackers can eventually succeed). Nor would obfuscation defend against attacks or include a notification mechanism – that’s what tamper defense, exception monitoring, and usage profiling do. If you care enough to prevent an attack, chances are you care enough to detect when one is underway or has succeeded. </div>
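<div>
The distinction above between preventing tampering and detecting it, shown as an added Python example (not from the original post and not PreEmptive's implementation): it compares a copy of an app against digests recorded from the release build and reports what changed. The package name, file names and archive contents are constructed placeholders.</div>

```python
import hashlib
import io
import zipfile

# JAR-style signature files live under META-INF/ and change whenever an
# archive is re-signed, so they are tracked separately from app content.
SIGNATURE_DIR = "META-INF/"


def build_apk(entries):
    """Build an in-memory ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        for name, data in entries.items():
            apk.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """Map each file in the archive to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_to_release(release_digests, candidate_bytes):
    """Report how a candidate archive differs from the recorded release digests."""
    candidate = entry_digests(candidate_bytes)
    report = {"modified": [], "added": [], "removed": [], "resigned": False}
    for name in sorted(set(release_digests) | set(candidate)):
        old, new = release_digests.get(name), candidate.get(name)
        if old == new:
            continue
        if name.startswith(SIGNATURE_DIR):
            report["resigned"] = True      # signer changed, content judged below
        elif old is None:
            report["added"].append(name)
        elif new is None:
            report["removed"].append(name)
        else:
            report["modified"].append(name)
    return report


def verdict(report):
    """Collapse a report into the one-word result a monitoring pipeline would alert on."""
    if report["modified"] or report["added"] or report["removed"]:
        return "tampered"
    if report["resigned"]:
        return "resigned"
    return "match"


# Constructed sample archives: placeholder bytes, not real app content.
RELEASE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.yoga'/>",
    "classes.dex": b"release bytecode placeholder",
    "res/raw/help.txt": b"help text",
    "META-INF/CERT.RSA": b"publisher signature placeholder",
}
RELEASE_DIGESTS = entry_digests(build_apk(RELEASE_ENTRIES))

# Same content, signed by a different party.
RESIGNED = build_apk({**RELEASE_ENTRIES,
                      "META-INF/CERT.RSA": b"other signer placeholder"})

# Repackaged copy: bytecode changed, a file added, and re-signed.
REPACKAGED = build_apk({
    **RELEASE_ENTRIES,
    "classes.dex": b"altered bytecode placeholder",
    "assets/extra.bin": b"added file placeholder",
    "META-INF/CERT.RSA": b"other signer placeholder",
})

if __name__ == "__main__":
    samples = (("release", build_apk(RELEASE_ENTRIES)),
               ("resigned", RESIGNED),
               ("repackaged", REPACKAGED))
    for label, apk in samples:
        result = compare_to_release(RELEASE_DIGESTS, apk)
        print(label, verdict(result), result)
```

<div>
Entry digests cover file contents only; an in-app check would additionally compare the signing certificate at runtime and send the result to the monitoring service.</div>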
<h2>
Application Hardening Options (<span style="font-size: small;"><i>representative – not exhaustive</i></span>)</h2>
<div>
If you decide that you do agree with Android’s and Microsoft’s recommendation to obfuscate – then you have to decide which technology is most appropriate to meet your needs – again, a completely subjective process to be sure, but hopefully, the following table can serve as a comparative reference.</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMg1HtO0EH0sLaHe_8aKSZYvjPw2_TuO-JEhUU2j0JChnG9NKMamCleffHlq3vnBBfpSpYci25m8sKNW4oH36Qtc8T3wa24WQikhn0gMmKet91ei6crEMCU2tZmqki1TsX9jhHM2sgYQk/s1600/and5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMg1HtO0EH0sLaHe_8aKSZYvjPw2_TuO-JEhUU2j0JChnG9NKMamCleffHlq3vnBBfpSpYci25m8sKNW4oH36Qtc8T3wa24WQikhn0gMmKet91ei6crEMCU2tZmqki1TsX9jhHM2sgYQk/s640/and5.png" width="490" /></a></div>
<div>
<br /></div>
<div>
<a href="http://www.preemptive.com/" target="_blank">Learn more about how PreEmptive Solutions can both secure and monitor your mobile applications.</a> </div>
<div>
<br /></div>
<h1>
Mobile Analytics: like playing horseshoes or bocce ball? (When close is “good enough”)</h1>
Published 2013-06-13<br />
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
A recent post on Flurry’s “industry insight” blog caught my eye. The post, <a href="http://blog.flurry.com/bid/97860/The-iOS-and-Android-Two-Horse-Race-A-Deeper-Look-into-Market-Share" target="_blank">The iOS and Android Two-Horse Race: A Deeper Look into Market Share</a>, called out the fact that iOS app users spend more time inside applications than their Android counterparts and then posited three potential underlying causes (condensed here – visit their post for the full narrative):</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
</div>
<ul>
<li>One was that the two dominant operating systems have tended to attract different types of users (<i>we’ll get back to this shortly – this is close</i>).</li>
<li>A second possible reason was that the fragmented nature of the Android ecosystem creates greater obstacles to app development and therefore limits availability of app content (suggesting app quality is the driving force).</li>
<li>The third possible explanation offered by Flurry was that iOS device owners use apps so developers create apps for iOS users and that in turn generates positive experiences, word-of-mouth, and further increases in app use (combining the two reasons above I suppose).</li>
</ul>
<br />
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
What struck me in this post was that, while there’s no disputing Flurry’s observation about “time spent in apps” across platforms, the lack of precision within the “<a href="http://www.flurry.com/big-data.html" target="_blank">2.8 billion app sessions</a>” they track every day made genuine root cause analysis virtually impossible – and led to, in my view, an erroneous conclusion (or, more precisely, a false set of options where the real mechanics were all but invisible). </div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
Back in January, I published the blog post <a href="http://apps-are-people-too.blogspot.com/2013/01/marketplaces-matter-and-ive-got.html" target="_blank">Marketplaces Matter and I’ve got the analytics to prove it</a> where I compared two versions of one of my apps, Yoga-pedia, published through Google Play and Amazon marketplaces. What’s noteworthy here is that the apps are genuinely identical – functionality, UX, everything – …and yet, <u>the total time spent inside the app distributed through the Amazon marketplace was 40% higher than from Google Play. </u>Pivoting the ratio, total time spent inside the app sourced from Google Play was 72% of the time spent inside the (identical) app sourced from Amazon. </div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
Now, if I’m interpreting Flurry’s graph in the above blog for January 2013 properly (when my earlier stats were generated), it shows a nearly identical ratio (the total time in “Android apps” was ~75-80% of total time in iOS). So what does that suggest?</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
</div>
<ol>
<li>iOS users and Android users clearly use different marketplaces – but marketplace source is not something tracked.</li>
<li>iOS apps themselves are of course always different from Android apps (I have an iOS version of Yoga-pedia that is close to my Android flavors – but even these are different). This is a major variable that Flurry analytics cannot separate out – they are looking at the roll-up of all iOS apps and comparing them to all Android apps. </li>
<li>Treating all Android apps as a single data set (which includes multiple marketplaces) – further obscures what may be one of the key drivers of user behavior – the marketplace community.</li>
</ol>
<br />
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
So – going back to the first hypothesis, that Android attracts a different class of user than does iOS, I think that is as close as they could come given the kind of data available – the real answer is most likely that the Apple marketplace attracts a different kind of user than does Google Play (and the mix of Amazon Android app users is probably not significant enough to move the big needle).</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
…And so that begs my original question – is this kind of imprecise (but still accurate) intelligence “good enough” (like horseshoes, bocce ball, and nuclear war)? If this was as far as true application analytics could take me – then maybe… </div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
BUT, once I had identified the potential role that marketplaces can have – I was able to drill down even deeper to identify the other marketplace deltas that were (at least to me) extremely valuable, including:</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
</div>
<ul>
<li>Amazon click through rate (CTR) was 164% higher than the Google Play CTR </li>
<li>Google Play Ad Delivery Failure rate (ADFR) was 199% higher than the Amazon ADFR </li>
<li>Amazon user upgrade rate was 54% higher than the Google Play upgrade rate (from free to paid app version).</li>
</ul>
<br />
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
So, in my case, owning my own data and having an instrumentation and analytics platform able to capture data points specific to my needs (precision) turns out to be very important indeed.</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
So why would anyone use technology like Flurry’s? LOTS OF REASONS relating to ad revenue and all of the other monetization services they offer app developers (that’s why they’re in business) – and that, I guess, is the big point. Services and technologies like Flurry’s are built for app monetization – and to the extent that some analytics are an important ingredient in their recipe – you can bet that they’ll nail it – but to do more would be over-engineering at best and, more likely, pose a material risk to their entire business model.</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
For advertising across huge inventories of mobile apps, analytics <i>should </i>be a bit like playing horseshoes – knowing that I can expect iOS to generally perform better than Android is useful. </div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
On the other hand, as a development organization, if I really want to fine tune my app and optimize for adoption, specific behaviors, and operational/development ROI – I need an application analytics solution built with that use case in mind – not only are alternative analytics solutions missing key capabilities, there are solid business reasons that say those alternative technologies should actively avoid adding those very capabilities for all time.</div>
<h1>
The link between privacy and analytics gets stronger still: FTC moves to establish policy and best practices in today’s mobile “Wild West”</h1>
Published 2013-02-02<br />
<br />
As federal and state regulatory agencies become increasingly assertive in defining and enforcing app user rights, application analytics (like <a href="http://www.preemptive.com/pa">PreEmptive Analytics</a>) that embed opt-in policy enforcement and limit data access and ownership are becoming increasingly strategic (and essential) to development organizations.<br /><br />
Today, in a strong move to protect American privacy, the Federal Trade Commission published the report <a href="http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf">Mobile Privacy Disclosures: Building Trust Through Transparency</a> (PDF). For those that don’t want to read the entire report, check out the coverage in the NY Times: <a href="http://www.nytimes.com/2013/02/02/technology/ftc-suggests-do-not-track-feature-for-mobile-software-and-apps.html?hpw&_r=0">F.T.C. Suggests Privacy Guidelines for Mobile Apps</a> for a nice overview (not sure how long that link will be live though). <br /><br />
The takeaway from my perspective is this – while app marketplaces like Apple and Google and advertising services like Flurry continue to fall under increasing scrutiny, <i>the app developer is no longer flying under the radar or going to be given a pass for not understanding the rapidly emerging policies, recommended practices and general principles. </i><br /><br />
From the referenced NY Times article above… <br /><br />
“We’ve been looking at privacy issues for decades,” said Jon Leibowitz, the F.T.C. chairman. 
“But this is necessary because so much commerce is moving to mobile, and many of the rules and practices in the mobile space are sort of like the Wild West.” <br /><br />and...<br /><br /><u>The F.T.C. also has its sights on thousands of small businesses</u> that create apps that smartphone users can download for a specific service. The introduction of the iPhone created a sort of gold rush among start-ups to create apps featuring games, music, maps and consumer services like shopping and social networking. <br /><br />“This says if you’re outside the recommended behavior, you’re at a higher risk of enforcement action,” said Mary Ellen Callahan, a partner at Jenner & Block and former chief privacy officer for the Department of Homeland Security. <br /><br />Even before this report, “the F.T.C. has not been meek,” said Lisa J. Sotto, managing partner of Hunton & Williams in New York. “They have brought a number of enforcement actions,” she said. “Those in the mobile ecosystem know they’re in the regulators’ sights.” <br /><br /><b>…but do app developers really know? </b><br /><br />In an earlier post of mine, <a href="http://apps-are-people-too.blogspot.com/2013/01/coppaesthetics-form-follows-function.html">COPPAesthetics: form follows function yet again</a>, I lay out in more detail both the privacy concepts that the FTC are developing and the technical and functional capabilities (and business models) that distinguish application analytics from the other analytics categories out there. 
These features include opt-in policy enforcement (for both regular usage and exception handling), encryption on the wire, greater control of data collection and more… <br /><br />COPPA is a much more formal set of requirements to protect children with severe sentencing guidelines and a growing set of precedents where app developers are being fined with increasing regularity <br /><br />– BUT there is little doubt that the FTC is not limiting itself to children’s rights – in its latest report, the FTC recommends that:<div>
<br /> “App developers should provide just-in-time disclosures and obtain affirmative express consent when collecting sensitive information outside the platform’s API, such as financial, health, or children’s data or sharing sensitive data with third parties.” (Page 29 of the report) <br /><br />If you’re building mobile apps or services that support mobile apps and have been “getting by” using marketplace and marketing analytics services to get user and app usage feedback – be very careful – expect these services to become more and more restrictive – (even dropping apps that appear to be too risky). They will (rightly so) limit their data collection to fall within (and probably well within) regulatory constraints leaving developers to operate their apps “in the dark.” (or assume the risk of non-compliance) <br /><br />Again from the NY Times article: “Morgan Reed, executive director of the <a href="http://actonline.org/">Association for Competitive Technology</a>, a trade group representing app developers, said that the organization generally supported the commission’s report but that it had some concerns about what he called “unintended consequences.” If app stores are worried about their own liability over whether they have adequately checked the privacy protections of a mobile app they sell, they might err on the side of caution and not screen for privacy at all, he said.” <br /><br />App developers are welcome to collect runtime data necessary to operate (and improve) their applications (see my COPPA post for more clarity here) – collecting data usually only becomes an issue when that data is shared or used for other purposes or by other parties – and that is at the heart of application analytics and what distinguishes it from its peers. </div>
<div>
<br /></div>
<div>
<b>Application analytics is all about improving application quality, ensuring operational excellence and delivering a superlative user experience – there is no ulterior motive or agenda. </b><br /> </div>
<h1>
Marketplaces Matter and I’ve got the analytics to prove it</h1>
Published 2013-01-31<br />
<h2>
Background</h2>
As I've covered many times in earlier posts, I've used <a href="http://www.preemptive.com/pa" target="_blank">PreEmptive Analytics</a> to instrument a family of mobile yoga apps from <a href="http://www.themobileyogi.com/" target="_blank">TheMobileYogi</a>. These apps are deployed across iOS, Android and Windows. The yoga apps are packaged in a variety of ways. Two apps – Yoga-pedia (free) and A Pose for That (premium) – are direct-to-consumer using a “freemium” model that includes embedded ads inside Yoga-pedia. There is also a white-labeled app platform that can quickly generate a “re-skinned” app personalized for yoga studios, retailers and other “wellness-centered” businesses. And with all of these combined, I’m happy to report that we've passed the 110K download mark and are still growing by the thousands each week.<div>
<br /><h2>
The Issue at Hand</h2>
<div>
One adoption/monetization “variable” that is rarely measured in a clean way is the impact/influence that an app’s marketplace can have on the success of the app itself. This is in large part a practical issue – it’s not easy to compare, for example, Apple’s App Store with Google Play because the apps themselves are often quite distinct from one another – and so isolating the marketplace influence from the apps themselves can be tricky. However, with Android, we publish identical apps through two very different marketplaces: Amazon’s Android App Store and Google’s Google Play marketplace. By focusing on apps that are identical in every way BUT the API calls to the respective marketplaces, we can start to drill into the direct and indirect consequences of marketplace selection. </div>
<br /><b>Android makes up roughly 51% of TheMobileYogi downloads.</b><div>
<br /></div>
<img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg99FzIOE8dgDe0cxBhaoYUguV01yPOkeE82JApmq_pTEsna7Y-r_00T_QBTfqr8pwkg5sRyrXn1KeXIptatMMqKDfejn17e3mKDNOnDPnUzc4rpMnFN5p4Y3tIYXKCDMEZ8qZxwkWWUCE/s1600/marketplaceBlogGraph1.jpg" width="640" /><div>
<i>Android downloads combine both Amazon and Google Play adoption.</i></div>
<h2>
<br />Android Downloads of Yoga-pedia</h2>
As of January 29, 2012, the total downloads of Yoga-pedia were:<br />
<ul>
<li>21,109 Amazon (36% of the total) </li>
<li>36,981 Google Play (64% of the total) or said another way, </li>
</ul>
<b>Google Play downloads were 75% greater than from Amazon. </b><br /><br />…But downloads only tell a very small part of the story. What are users doing AFTER they download the app? How often do they use the app, for how long, and what exactly are they doing when they are inside?</div>
<div>
<br /><h2>
Yoga-pedia Sessions</h2>
Using PreEmptive Analytics Runtime Intelligence, we see that there are in fact striking differences between the Google Play user population and the Amazon user population.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfVaPe4ZQuXzJHsU82KzX6UGTibGgw_bjKN3qqm0ew0nlg_pB0B3E_8FUw_a8uKw5MPGcfMTzmKoFWSsPabiAo6MFNPpoc6_ySg0gSlloHGVmMcthXpXusFVZNsDrw4B5NBb3PJ0nnOz8/s1600/marketplaceBlogGraph2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfVaPe4ZQuXzJHsU82KzX6UGTibGgw_bjKN3qqm0ew0nlg_pB0B3E_8FUw_a8uKw5MPGcfMTzmKoFWSsPabiAo6MFNPpoc6_ySg0gSlloHGVmMcthXpXusFVZNsDrw4B5NBb3PJ0nnOz8/s1600/marketplaceBlogGraph2.jpg" /></a></div>
<br />One glaring difference is the total number of users in each community.<br /><br /><b>The total number of unique users from Google Play is 208% higher than that of Amazon. </b><br /><br />If we were to stop here, I think our conclusion would be obvious – Google Play delivers more downloads and more unique users than Amazon – and that has to make it a clear winner, right? (Note, there has been no difference in marketing, advertising, etc. between the two marketplaces – specifically, we have done none). <br /><br /><i>…but if we were to stop here, we would be making a very big mistake!</i><br /><br /><h2>
How much time is spent inside the app? </h2>
Another glaring difference that our analytics reveal is the difference between the average session length of our users – Amazon users tend to stay inside the app almost 3 times longer! <br /><br />So – if we multiply the total number of sessions by the average session length, we can calculate how many hours were spent inside Yoga-pedia. <br /><ul>
<li>Amazon: (41,937 sessions) X (13.88 minutes per session) = 9,701 hours </li>
<li>Google Play: (75,346 sessions) X (5.5 minutes per session) = 6,907 hours </li>
</ul>
<b>Total time spent inside the app distributed through the Amazon marketplace is 40% higher than from Google Play. </b></div>
<div>
<b><br /></b>If I am trying to maximize ad impressions, establish a brand or hold my user’s attention toward some other objective, Amazon now looks significantly more attractive to me than Google Play.</div>
<div>
<br /><h2>
User behavior</h2>
<div>
Since Amazon users spend so much more time inside Yoga-pedia – how is their behavior different and how does that translate into measurable value? </div>
</div>
<div>
<br /><h3>
Returning users</h3>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpC5DZ07JofylqIC_Tykqag-xKEvJtyuKLaLcfGUwjPHzockhfig5AeXDtb1p0w1WLiETtpJzUAHzWkqV70Fy0RXUv3rQb1a7B0RuA4CyGiFEwY_7POjYANs-knt33MWM9PaO1PS0Pdjs/s1600/marketplaceBlogGraph3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpC5DZ07JofylqIC_Tykqag-xKEvJtyuKLaLcfGUwjPHzockhfig5AeXDtb1p0w1WLiETtpJzUAHzWkqV70Fy0RXUv3rQb1a7B0RuA4CyGiFEwY_7POjYANs-knt33MWM9PaO1PS0Pdjs/s1600/marketplaceBlogGraph3.jpg" height="236" width="640" /></a></div>
<div>
<br /></div>
<br />Returning users (in red) form the majority of the Amazon session activity – Google Play users are less likely to use the app multiple times – they are “tire kickers” for the most part. Returning users are roughly equivalent across the two marketplaces even though there are many more Google Play users overall.<br /><br />Returning users are loyal and a lasting “relationship” can be established – whether you’re selling something, hoping to influence their behavior, or tap their expertise – recurring users are always “premium.” </div>
<div>
<br /><h3>
Ad Click Through Rate (CTR)</h3>
<div>
<br /></div>
Moving to a more concrete metric – we can compare total impressions, Ad Click Through Rates (CTR) as well as Ad Server Errors – for this analysis, we’re just looking at 30 days. Note: in both cases, the apps use AdMob. <div>
<br /></div>
<div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTable15Grid5DarkAccent1" style="border-collapse: collapse; border: none; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr style="height: 15.75pt; mso-yfti-firstrow: yes; mso-yfti-irow: -1; mso-yfti-lastfirstrow: yes;">
<td nowrap="" style="background: #5B9BD5; border-right: none; border: solid white 1.0pt; height: 15.75pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="156"></td>
<td nowrap="" style="background: #5B9BD5; border-bottom: solid white 1.0pt; border-left: none; border-right: none; border-top: solid white 1.0pt; height: 15.75pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-bottom-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.0in;" valign="top" width="96">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Google
Play<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #5B9BD5; border-left: none; border: solid white 1.0pt; height: 15.75pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-right-alt: solid white .5pt; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Amazon<o:p></o:p></span></b></div>
</td>
</tr>
<tr style="height: 13.9pt; mso-yfti-irow: 0;">
<td style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 13.9pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="156">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Ad
Impressions<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 13.9pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.0in;" valign="top" width="96">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
53,462</div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 13.9pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
36,625</div>
</td>
</tr>
<tr style="height: 17.5pt; mso-yfti-irow: 1;">
<td style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 17.5pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="156">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Ad
Delivery Failure<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #DEEAF6; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 17.5pt; mso-background-themecolor: accent1; mso-background-themetint: 51; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.0in;" valign="top" width="96">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
1,853</div>
</td>
<td nowrap="" style="background: #DEEAF6; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 17.5pt; mso-background-themecolor: accent1; mso-background-themetint: 51; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
425</div>
</td>
</tr>
<tr style="height: 17.5pt; mso-yfti-irow: 2;">
<td style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 17.5pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="156">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Ad
Failure Rate<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 17.5pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.0in;" valign="top" width="96">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
3.47%</div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 17.5pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
1.16%</div>
</td>
</tr>
<tr style="height: 15.75pt; mso-yfti-irow: 3;">
<td style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 15.75pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="156">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Click
Through Count<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #DEEAF6; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.75pt; mso-background-themecolor: accent1; mso-background-themetint: 51; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.0in;" valign="top" width="96">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
325</div>
</td>
<td nowrap="" style="background: #DEEAF6; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.75pt; mso-background-themecolor: accent1; mso-background-themetint: 51; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
603</div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 4; mso-yfti-lastrow: yes;">
<td nowrap="" style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 15.0pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="156">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">CTR<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.0pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.0in;" valign="top" width="96">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
0.63%</div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.0pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
1.67%</div>
</td>
</tr>
</tbody></table>
</div>
<div>
<br /></div>
<b>Amazon CTR is 164% higher than the Google Play CTR </b><br /><br /><div>
<span style="color: red;"><b>Google Play Ad Delivery Failure Rate (ADFR) is 199% higher than the Amazon ADFR </b></span><br /><br />Now, it’s not really possible to isolate WHY these differences exist – but we can make some educated guesses. For CTR percentages – are Amazon users simply more conditioned or likely to buy stuff as compared to the typical Google Play user? <br /><br />For ADFR percentages, we’re using the same ad service API, so the ad service itself is not to blame. Are the devices being used by Google Play users (as a total population) of lower quality or are they connecting through networks that are not as reliable? <br /><br />Regardless, that kind of conversion delta is nothing to ignore.</div>
<h3>
Upgrades </h3>
<div>
<br /></div>
As I've already mentioned, in addition to pushing ads, Yoga-pedia is one half of a freemium model where we hope to get these users to upgrade to our commercial version, A Pose for That. <br /><br />With PreEmptive Analytics, I’ve instrumented the app to track the feature that takes a user back to their respective marketplace (positioned on the app upgrade page). The ratio of unique users (not sessions) to upgrade clicks tells another important story; how likely is an Amazon user versus a Google Play user to upgrade to our paid app?</div>
<div>
<br /><div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTable15Grid5DarkAccent1" style="border-collapse: collapse; border: none; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr style="height: 15.25pt; mso-yfti-firstrow: yes; mso-yfti-irow: -1; mso-yfti-lastfirstrow: yes;">
<td nowrap="" style="background: #5B9BD5; border-right: none; border: solid white 1.0pt; height: 15.25pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 130.25pt;" valign="top" width="174"></td>
<td nowrap="" style="background: #5B9BD5; border-bottom: solid white 1.0pt; border-left: none; border-right: none; border-top: solid white 1.0pt; height: 15.25pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-bottom-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 99.0pt;" valign="top" width="132">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Google
Play<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #5B9BD5; border-left: none; border: solid white 1.0pt; height: 15.25pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-right-alt: solid white .5pt; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Amazon<o:p></o:p></span></b></div>
</td>
</tr>
<tr style="height: 16.15pt; mso-yfti-irow: 0;">
<td style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 16.15pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 130.25pt;" valign="top" width="174">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Upgrade
Marketplace<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 16.15pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 99.0pt;" valign="top" width="132">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
3,253</div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 16.15pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
1,620</div>
</td>
</tr>
<tr style="height: 17.5pt; mso-yfti-irow: 1;">
<td style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 17.5pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 130.25pt;" valign="top" width="174">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Unique
Users<o:p></o:p></span></b></div>
</td>
<td style="background: #DEEAF6; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 17.5pt; mso-background-themecolor: accent1; mso-background-themetint: 51; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 99.0pt;" valign="top" width="132">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
35,312</div>
</td>
<td style="background: #DEEAF6; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 17.5pt; mso-background-themecolor: accent1; mso-background-themetint: 51; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
11,447</div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 2; mso-yfti-lastrow: yes;">
<td nowrap="" style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 15.0pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 130.25pt;" valign="top" width="174">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Conversion
Rate<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.0pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 99.0pt;" valign="top" width="132">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
9.21%</div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.0pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 94.5pt;" valign="top" width="126">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
14.15%</div>
</td>
</tr>
</tbody></table>
</div>
<div>
<br /></div>
<b>Amazon user conversion rate is 54% higher than the Google Play conversion rate. </b><br />
<h3>
User behavior within my app</h3>
<div>
<br /></div>
Yoga-pedia offers its users two locations where a user can click to upgrade; in a “tell me more” about the premium app page and at the end of an “Intro” to the current Yoga-pedia app.<br />
<br />
By looking at the split of where users are more likely to “convert,” we can learn something important about the app’s design in general AND the differences between user patterns across marketplaces in particular. As a proportion, Amazon users are more likely to convert from the Intro page than their Google Play counterparts. The Intro page is “deeper” in the app (harder to find) and so this difference in usage pattern may imply a more thorough reading of embedded pages by Amazon users (and this would be supported by the much longer session times).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8ChfqqFZSs_vZM9xyR_iV2e-e0dzoABij-rKamf93tXlaEGV96bBIvvy2GwfwM7-GODPsUq2A5yMHbMH84D0siXjj5Ls2xn6mFvPkWQWyul5bQwLQWhsbh291nQTvguP6VYvJj_bu2Zc/s1600/marketplaceBlogGraph4.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8ChfqqFZSs_vZM9xyR_iV2e-e0dzoABij-rKamf93tXlaEGV96bBIvvy2GwfwM7-GODPsUq2A5yMHbMH84D0siXjj5Ls2xn6mFvPkWQWyul5bQwLQWhsbh291nQTvguP6VYvJj_bu2Zc/s1600/marketplaceBlogGraph4.jpg" height="236" width="640" /></a></div>
<br /><h2>
Exceptions </h2>
Exceptions not only interrupt a user’s experience (with all of the bad things that flow from that), they are also a material expense (support, development, etc.). Given that we are talking about two virtually identical apps – would we expect one version to be more unstable (and therefore expensive) than the other?</div>
<div>
<br /></div>
<div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTable15Grid5DarkAccent1" style="border-collapse: collapse; border: none; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr style="height: 15.0pt; mso-yfti-firstrow: yes; mso-yfti-irow: -1; mso-yfti-lastfirstrow: yes;">
<td nowrap="" style="background: #5B9BD5; border-right: none; border: solid white 1.0pt; height: 15.0pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 125.75pt;" valign="top" width="168"></td>
<td nowrap="" style="background: #5B9BD5; border-bottom: solid white 1.0pt; border-left: none; border-right: none; border-top: solid white 1.0pt; height: 15.0pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-bottom-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 58.5pt;" valign="top" width="78">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Amazon<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #5B9BD5; border-left: none; border: solid white 1.0pt; height: 15.0pt; mso-background-themecolor: accent1; mso-border-bottom-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-right-alt: solid white .5pt; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.25in;" valign="top" width="120">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Google
Play<o:p></o:p></span></b></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 0;">
<td nowrap="" style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 15.0pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 125.75pt;" valign="top" width="168">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Sessions<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.0pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 58.5pt;" valign="top" width="78">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
41,937</div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.0pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.25in;" valign="top" width="120">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
75,346</div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 1;">
<td nowrap="" style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 15.0pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 125.75pt;" valign="top" width="168">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Errors<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #DEEAF6; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.0pt; mso-background-themecolor: accent1; mso-background-themetint: 51; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 58.5pt;" valign="top" width="78">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
1,523</div>
</td>
<td nowrap="" style="background: #DEEAF6; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 15.0pt; mso-background-themecolor: accent1; mso-background-themetint: 51; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.25in;" valign="top" width="120">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
3,150</div>
</td>
</tr>
<tr style="height: 18.85pt; mso-yfti-irow: 2; mso-yfti-lastrow: yes;">
<td style="background: #5B9BD5; border-top: none; border: solid white 1.0pt; height: 18.85pt; mso-background-themecolor: accent1; mso-border-alt: solid white .5pt; mso-border-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 125.75pt;" valign="top" width="168">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: white; mso-themecolor: background1;">Errors
per session<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 18.85pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 58.5pt;" valign="top" width="78">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
3.63%</div>
</td>
<td nowrap="" style="background: #BDD6EE; border-bottom: solid white 1.0pt; border-left: none; border-right: solid white 1.0pt; border-top: none; height: 18.85pt; mso-background-themecolor: accent1; mso-background-themetint: 102; mso-border-alt: solid white .5pt; mso-border-bottom-themecolor: background1; mso-border-left-alt: solid white .5pt; mso-border-left-themecolor: background1; mso-border-right-themecolor: background1; mso-border-themecolor: background1; mso-border-top-alt: solid white .5pt; mso-border-top-themecolor: background1; padding: 0in 5.4pt 0in 5.4pt; width: 1.25in;" valign="top" width="120">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
4.18%</div>
</td>
</tr>
</tbody></table>
<br /><br />Whether or not we expected it, <b>the Google Play version of Yoga-pedia has an error rate per session that is 15% higher than its Amazon equivalent. </b><br /><br />Again – the analytics at this level can’t tell us why – but we can still make an educated guess regarding the differences in phone type and network stability of the two populations. </div>
<div>
<br /></div>
<h3>
Detail </h3>
<div>
<br />Of course, if you want to drill down into the specific exceptions (and examine stack traces, device types, carriers, etc.), all of that is available through analytics as well. <br /><br />Here are exception details for the error rates described above. Anyone want to help me debug these?</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkvJqrqVLmLKKOtgBaaJlsR47bHseQGDTyrz_9vrifLJHSMsf6DnqR2dKERvUqqGfytN5ig6W4iM9OInr4KmN2rJytCoWCgD9PIgRUrt3lfoMoF-Txmto6_rLGAW5iwIITYbDkz2o4mf0/s1600/marketplaceBlogGraph5.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkvJqrqVLmLKKOtgBaaJlsR47bHseQGDTyrz_9vrifLJHSMsf6DnqR2dKERvUqqGfytN5ig6W4iM9OInr4KmN2rJytCoWCgD9PIgRUrt3lfoMoF-Txmto6_rLGAW5iwIITYbDkz2o4mf0/s1600/marketplaceBlogGraph5.jpg" height="270" width="400" /></a></div>
<h2>
<br />Do marketplaces matter? Of course they do. </h2>
Of course, different apps will yield different results – but I don’t think that there can be any question that each marketplace comes with its own unique bundle of user experience, service level, and general appeal – and that, taken together, these attract their own distinct constituencies (communities) with their own behaviors, likes, dislikes and demographics.<br />
<br />App developers who choose to ignore the market, commerce and security characteristics that come with each marketplace will do so at their peril – the differences are real, they should influence your design and marketing requirements, and they will undoubtedly impact your bottom line and your chances of delivering a truly successful app.