Whose mobile is it?
Yesterday I read two articles talking about applications allowing remote modifications of a mobile phone, i.e. software and/or firmware installations.
The first one came from Nokia at JavaOne and will result in JSR232 as a new standard. This will allow operators and helpdesks to access phone information, update the firmware or load modules needed for applications, like a missing video codec. Siemens is planning to do similar stuff using SyncML.
The second one is Handango’s InHand: “Handango InHand is an intelligent, device-resident download client. Using Handango InHand, operators and OEMs can increase download revenues by delivering an on-device, fully-managed and branded customer experience on any Java-enabled mobile phone.”
I can understand the need for this kind of application, and I have no doubts that this may actually help people resolve problems with software on their phones. If used to check or set settings like GPRS profiles, email profiles and such, it could also make using enhanced features easier. The average user of a mobile phone today has no idea how to do that. Go ask your mother if she knows her GPRS APN.
BUT: from a security standpoint, there are lots of open questions. Obviously, access to such functionality must be limited to authorised parties, and be under the complete control of the user. But how can your provider or phone manufacturer be authenticated? How can you authenticate yourself to all these services? Surely typing in a passcode won’t be enough. This question gets more complicated when you talk about DRM and other similar topics.
There have been multiple attempts (see Radicchio) to set standards for mobile digital identities, but up to now the operators, who are the ones managing the users’ identities anyway, can’t be bothered. From an end user’s standpoint, Nokia’s ventures in the Liberty Alliance Project are a good start.
The desire to access mobiles remotely is in the best interest of operators and software vendors alike. Being able to control this access is an imperative for end users. Bridging this gap with a decent identity infrastructure is a path where both sides can win. But it looks like we’re doing step 2 before step 1 again, unfortunately.