As many of our readers know, I am a major proponent of mobile-friendly web design and browsing. Very few browsers in the mobile world are powerful enough to support modern w3c technologies (IE, NetFront, Opera & OpenWave) however they are good enough to do some basic browsing and even have SSL support. But especially in the case of IE (which is used a lot with PocketPCs & WinCE), Microsoft is still bundling a variant of IE 4.0.1 with WinCE. And we all know how insecure 4.0.1 is…The fault is not Microsoft’s though. The fault is solely the company’s that sells the devices. You see, the same rules do not apply in the embedded world as they do in the desktop world. The company that wrote the OS does not have to release updates to faulty software to end users. Its responsibility is solely towards the integrator companies, not end users. If the integrator company (e.g. PalmOne, HP, Dell, SONY, Sharp etc) do not ask for updates, the OS company does not have to provide any. That’s how the embedded eco-system works.
More over, an update would have to target many different PDAs and their revisions, which is not practical, as these integrators usually tweak the OS defaults creating small incompatibilities very often. So, if a security update was to take place, it would have to target a gazillion different models. This is very common on PocketPCs and Palm devices (the differences between Clies and Palms are quite big under the hood). And no, the Zaurus is not any better in this respect either: the Familliar Linux distribution still uses Dillo & Konqueror 2.x, versions that haven’t been updated for quite some time while the official Sharp ROM uses Opera and Netfront which are also not updated regularly and in fact, they never had security updates specific to their PDA model.
And even if there is a way to update PDA browsers, it’s almost out of the question for phone browsers. Their ROM would have to be flashed and that costs money as it must be done by a carrier’s outlet as these devices are even more customized than PDAs are. Very rarely we see phones that can be flashed via USB at home.
The only browsers that are on the advantage here are Opera for smaprtphones (not for Zaurus) and NetFront for PocketPCs (not for Clie or Zaurus) and other third party browsers (e.g. AvantGo, Xiino, Minimo, Blazer) that do not get installed by the integrator, but they were installed manually by the user. These versions don’t have the integrator’s specific changes in them, they are more generic, and so the danger of breaking default settings when upgrading them is much smaller.
Problem is, neither of these third party browsers actually release security updates. NetFront releases barely one version per year and Opera is not much better in this respect either. And when they release updates, it’s mostly about bug fixes or new features. There are almost no security updates to be seen in their changelogs. And I refuse to believe that these browsers don’t have security gotchas. They all do.
The whole mobile browsing reality has not been taken seriously by companies yet. This is a huge problem. They think “oh, who’s gonna view a bank account with Pocket IE?” and yet there are many people who do and they might already be victims of URL spoofing.
I have said it many times and I will have to say it again: if you think that your desktop might be insecure, you have seen nothing yet. Mobile devices and especially mobile browsing is many times more insecure than your desktop. At least on the desktop you get regular updates or you can change your browser or operating system. In the mobile world you can’t do jack about it.
I thought you said mobile computing is dying.
No, pure PDAs are dying. But phones and smartphones-PDA hybrids are thriving.
Besides, there are 10 million pure-PDA users out there. Even if their market is transformed to phone-PDAs these days, these people still use these devices. Companies should take resposibility on these products they released and offer upgrades for at least a 2 year life cycle.
Microsoft is still bundling IE 5.0x with these OSes. And we all know how unsecure 5.0.x is.
In many cases it is impractical to update these devices for many technical reasons.
However, that’s part of the point with Microsoft and why they’re interested in this market. Microsoft always put slightly crap technology into initial products (and let’s face it, they have done with Windows Mobile), especially within markets that they don’t yet dominate, to give people no option but to upgrade everything later on when they do dominate it (or at least have greater market share). This makes way for new releases of products (Windows Mobile) that they are actually serious about and they feel that they’ve eventually got right.
Yep, a lot of the problem with updating mobile devices now is the differentiation that providers do with them. It’s almost the same as the Linux desktop distribution world at the moment. One option would be standardisation, and that would suit Microsoft down to the ground. Unfortunately, it’s not palatable for everyone else.
Companies should take resposibility on these products they released and offer upgrades for at least a 2 year life cycle.
Funny you should mention resposibility . The upgrade is to throw the device away and get a new one. That’s something that’s been practised in the PC industry, and is taken on to another level with mobile devices.
>In many cases it is impractical to update these devices for many technical reasons.
Yep, that’s what the article says too.
But it’s not just Microsoft to blame or its OEMs. My SonyEricson phone keeps crashing and there were never updates released for it. It seems that these gadget devices are usually released in one-go and then they never work on updates. Like a single-use toilet paper.
>The upgrade is to throw the device away and get a new one
This does NOT guarantee that security holes are fixed. It simply guarantees (possibly) a newer version of the browser. But that doesn’t mean the browser in question that’s bundled was EVER tested properly for security holes.
>That’s something that’s been practised in the PC industry
This is not true. We are not talking about faulty hardware here, we are talking about security holes. And any major desktop OS provides security updates. And that’s what I want for mobile browsers/OSes too.
And yes, the way to go would be to standardize and not create custom versions of mobile OSes that break from model to model. Standardization is important to be able to rollout effectively fixes.
I remember similar thing on the pc when the internet was on the rise 10 years ago. There were many versions of Netscape and IE back then (probably mostly just co-branded), and some versions were incompatible with some sites, and plugins, etc.
It’s going to be a mess for a while, until companies decide that it is beneficial for them to adhere to some set of standards standards.
Who wants to browse the web on a tiny display and have to scroll 19 times just to view the entire page??? NOT ME!
I browse OSAlert with my SonyEricson regularly and it’s pretty usable at 128×160 (check the link in the story for proof).
I am sure that users who own smartphones with bigger screens are in an even better situation than I am. Mobile browsing is possible, if done right.
i am very happy with Webviewer. It is small,fast and I can visit all my favorites websites without any problem. Netfront is awesome too but big. Opera is nice too but if there is a problem with the proxy server, forget it.
i love my n-gage qd.
-2501
I kind of find mobile browsing handy. On my SX1 I get to check stocks and sports scores on my yahoo, get the latest from /. and, of course, OS News looks great on mobile Opera. As screens get better (think PSP) and speeds get faster (at least 3G) we’ll see these become very real devices.
What browser is this? Is this Symbian’s native browser that comes with the n-gage? Can you tell me if osnews renders ok with it, with no ads and with no vertical sidebar? Thx!
check this out….you can try it first if you want. i hope you like it.
http://shop.my-symbian.com/PlatformProductDetail.jsp?siteId=695&jav…
or go to http://www.reqwireless.com/webviewer.html
-2501
Ah, yes, now I understand. You meant the Reqwireless WebViewer, which is java-based. Do you like that browser? I find it underwelming personally… I used its emulator in the past, osnews works fine with it, but the browser is not very capable. Try the emulator here:
http://www.reqwireless.com/demo-webviewer.html
i visit osnews.com everyday and it renders osnews.com just perfect. it doesn’t come with the n-gage but you can buy it at
my-symbian.com , handango.com or reqwireless.com . this version is for the S60 series and it is just 51k!
-2501
> I visit osnews.com everyday and it renders osnews.com just perfect
Thanks, yes. I have added mobile support for it about 8 months ago or so. The emulator doesn’t look good, I hope the phone version looks more appealing.
i don’t have too much memory left so this one works perfect. make sure you select the option “Enable images”. i think it renders images better than Netfront. The only bad thing about it is that you can’t download files to your cell phone.
-2501
yeah…also pocket ie can only do auth basic (clear text) in response to a 401 challenge. This means ssl must be used. Major bummer for me (don’t want to do ssl for an embedded web server I developed)
Like a single-use toilet paper.
Er… do you know of any other kind?
This does not move me as much as other OSAlert. I don’t own a PDA for self-protection. I’m sure I’d lose the thing or forget it somewhere and then some dushbag gets his mits on my personal data. That’s not happening.
For the same reason I have a cell phone that allows me to make a phone call and send these annoying little text messages. I don’t need it for anything else. I don’t want it for anything else.
The more of your life you store on these gizmos, the more you’re afraid someone is going to run off with it. And, if you’re in the spotlight and known for depending on that kind of technology, you’re going to be a natural target for people who are very interested in the contents of your PDA-ish type device. I know Paris Hilton having her phone hacked brings a smile to the face of the people reading these pages. But there will be people who will have data actually worth stealing on their PDAs.
How many laptops, PDAs and cell phones are lost/forgotten/stolen every year? How much information is on these devices that you really can’t stand other people messing around with?
I’m not having a PDA. I’m not important enough to be an interesting target [not by a long stretch] but somebody might think I am and the net result is I lost my PDA. Not worth it.
Eugenia, when visiting osnews with opera on my sx1(series60) there is no “view all comments” link, is it normal?
Yes, this is normal. Offline-browser users (e.g. AvantGo, Plucker) have asked to take this out so when they configure their fetchers to download two level of osnews pages they don’t have to download huge duplicated pages that in some cases even drive them out of drive space. Some had even asked me to take out the printer-friendly version but I had to say “no” on this one, as it’s used a lot by mobile browsers that can’t do tables well (e.g. AU).
Also, many mobile browsers crash or stop downloading after 32 or 64KBs of data, and so we have to be carerful to not serve big pages like the “view all comments” which in some cases are extremely large.
This is not true. We are not talking about faulty hardware here, we are talking about security holes. And any major desktop OS provides security updates. And that’s what I want for mobile browsers/OSes too.
Unfortunately it is true. Updates are provided in the PC world because they’re much easier to do, and they’re just demanded. However, through various means Microsoft and Intel have grown rich from subtly forcing people to jack it all in and get a new computer at regular intervals.
In the mobile world, they want to take that on to another level.
> Microsoft and Intel have grown rich from subtly forcing people to jack it all in and get a new computer at regular intervals.
I had my previous PC for 5 years, I am not one of these people that buy PCs for no good reason. I bought my new PC just 2 weeks ago, and I intend to keep it for at least 4-5 more years.
there is another web browser for the S60 series called
Doris….check it out!
http://www.handango.com/PlatformProductDetail.jsp?siteId=1&platform…
-2501
Yup. OSAlert already supports Doris too. We have support for 70 mobile browsers.
Curious, Windows Mobile OS is not binary compatible with typical Win32 executables, right? Moreover, does IE4.0 on Mobiles support ActiveX and such? Has there been security breaches in the past? Don’t mean to ask these questions as a troll. Ultimately, you’re right. Security is something that we should always keep in the back of our minds these days. I’m just wondering where we are in the overall scheme of things and how much risk we are taking on today.