Cloud first, mobile last.
That’s about how you can sum up Microsoft’s earnings for the last quarter. Microsoft’s cloud revenue is on a steady trajectory up—$4.4 billion in the last year—as it rolls out Office 365 and Azure services to its core customers. Azure is probably the most potent weapon in Microsoft’s current arsenal, and will be the backbone of almost everything it does going forward.
Mobile is a different story. Microsoft officially completed the acquisition of Nokia in the quarter on April 25. The hardware division of Microsoft, which includes the new Nokia division, added $1.99 billion in revenue to Microsoft’s coffers, while posting $692 billion in operating income losses.
“Our results reflect our customers’ long-term commitments to our products and services, and strong execution by our field teams. We are thrilled with the tremendous momentum of our cloud offerings with Office 365 and Azure both growing over 100% again,” Microsoft chief operating officer Kevin Turner said in the earnings release.
The Productivity Company
CEO Satya Nadella has shifted Microsoft's focus in the past week or two. Its latest iteration makes it a “platform and productivity” company with Azure at the center.
“I’m proud that our aggressive move to the cloud is paying off—our commercial cloud revenue doubled again this year to a $4.4 billion annual run rate,” Nadella said in the earnings release.
Microsoft is in a bitter fight with major rivals like Apple, Google and Amazon over the Holy Grail of technology: devices, developers and cloud. The company is excelling in the cloud area, growing Azure and Windows 365 to become the core of its future. Meanwhile, it continues to show minimal growth in the area of devices, especially smartphones.
Compare the headlines for the earnings results (“Microsoft Cloud Growth Drives Strong Fourth-Quarter Results”) to last week’s announcement of layoffs that cut 12,500 people from its recently acquired smartphone manufacturing business in Nokia.
Whenever Nadella talks about the current technological landscape in which Microsoft competes, he always says “mobile first, cloud first.” Yet the cloud and productivity tools like Office 365 will always come first at Microsoft. Increasingly, devices are something that Microsoft essentially has to write off on its balance sheet, like the $692 in operating expenses for Nokia in the last quarter or the $900 million hit that Microsoft took for extra Surface RT inventory last year.
Even Microsoft's bread and butter wasn't delivering. Windows-licensing revenue grew 3% in the quarter, with 11% growth for Windows Pro. Windows is not a loss for Microsoft at this point, but it's sure not close to growing the way the company's cloud and productivity services are.
Lead image by Owen Thomas for ReadWrite
Security researcher Jonathan Zdziarski started a firestorm over the weekend when he presented findings that Apple has—apparently deliberately—created undocumented "backdoors" in its iOS operating system that third parties could use to siphon personal data from iPhones and iPads under certain circumstances without notice, much less consent of the user.
Apple, meanwhile, has taken issue with Zdziarski's analysis, although its response—such as it is—falls short of a complete denial.
It's a complicated issue, so here's a quick FAQ to help you sort through it all.
Should I panic?
No. In a blog post summarizing his work, Zdziarski includes this helpful note: "DON'T PANIC."
The backdoors he describes aren't the sort of thing your average cybercriminal can easily exploit. There's no evidence that they've been used for identity theft or any sort of related criminal attack on iPhone or iPad data. At least so far, that is.
On the other hand, if you think the NSA or regular law enforcement might be tracking you, then Zdziarski might have described some of the backdoors by which their agents could be delving into your digital life.
Beyond that, they're an intriguing mystery—one that Apple has yet to explain.
Hold on a moment. What's a backdoor?
Like the word suggests, a backdoor is a simple or unguarded route into an otherwise secure system. Think Matthew Broderick's character in War Games sussing out a way to access WOPR by guessing a backdoor password specific to the system's creator (his dead son's name—a classically terrible password, by the way).
How would the NSA (or whoever) make use of these backdoors?
Zdziarski, a forensics expert and one-time iOS jailbreaker who's written several books about iPhone development, described three iOS services that appear to have an unusual degree of access to raw and potentially sensitive data gathered by or stored on the phone. These services are also apparently designed to collect that information, package it and dump it out upon request, either via USB or wirelessly over Wi-Fi.
These features are undocumented, meaning that they're not described by Apple in the sort of detail it normally provides to third-party developers who might make use of them. According to Zdziarski, however, they are installed and active on roughly 600 million iOS devices. They provide no indication that they're operating, and there's no way for users to turn them off.
Perhaps most ominous, these services can send out unencrypted information even if users have chosen to encrypt the data they back up through iTunes. Zdziarski calls this behavior "bypassing backup encryption" and considers it deceptive at best.
That all sounds pretty panic-worthy. Isn't it?
Turns out there's a catch. These services only work when an iPhone or iPad is "paired" to a trusted device, such as the computer you run iTunes on. (Bluetooth pairing with, say, a set of headphones doesn't count.) That greatly limits the ability of any attacker to exploit these services and rifle through your iPhone.
It is, however, possible to spoof that pairing. Every pairing generates a set of cryptographic keys and certificates designed to identify trusted devices to one another—and on the iPhone side, those keys and certificates are never deleted unless the user does a full restore or a factory reset on the device. Prior to iOS 7—the version used by most iPhones—pairing happened automatically without any user intervention. (iOS 7 now requires the user to approve pairing with a "trusted" device.)
As Zdziarski put it in a March 2014 technical journal article describing his findings: "[E]very desktop that a phone has been plugged into (especially prior to iOS 7) is given a skeleton key to the phone." And that skeleton key is transportable, because a sufficiently motivated attacker can copy pairing keys and certificates from one computer to another.
Who would go to all the trouble of tracking down those keys and copying them?
Well, the police might, if they thought you were involved with organized crime. So might the NSA, the FBI or a number of other intelligence agencies. And of course some of these outfits could also create seemingly innocuous "paired" devices such as an alarm clock or charging station that would run malicious code once connected to your phone.
As noted above, though, it's not the sort of thing your average Belarusan hacker is likely to use to take over your phone any time soon.
OK, tell me more about these undocumented services. What are they and what do they do?
In a presentation he made at the Hope X hacker conference in New York this past weekend, Zdziarski focused on three particular services known by the technical names com.apple.pcapd, com.apple.mobile.file_relay and com.apple.mobile.house_arrest. (You can see the slides from Zdziarski's talk—all 58 of them—here.)
The pcapd service starts what security professionals call a "packet sniffer" on an iOS device—basically, software that records all data traffic to and from your iPhone. It's installed by default on all iOS devices, and operates whether a phone is in "developer mode" or not, suggesting that it's not a developer-specific feature. And it gives the user no warning when it's activated.
"This means anyone with a pairing record can connect to a target device via USB or Wi-Fi and listen in on the target’s network traffic," Zdziarski wrote in his March paper.
The file_relay service, according to Zdziarski, exists to vacuum up large volumes of raw data from particular sources on an iPhone and then to dump it out in unencrypted form. Several years back, file_relay appeared fairly innocuous. In iPhoneOS 2.0 (an early predecessor to iOS), it was only able to access six data sources, including "Apple Support," "network," and "CrashReporter."
By iOS 7, however, file_relay's reach had expanded to include 44 data sources, many of which specifically address the owner's personal information. These include the address book, accounts, GPS logs, maps of the phone's entire file system, a collection of all words typed into the phone, photos, notes, calendar files, call history, voicemail and other records of personal activity that have been cached in temporary files.
Small wonder Zdziarski calls file_relay "the biggest forensic trove of intelligence on a device's owner" and a "key 'backdoor' service" that provides a significant amount of data that "would only be relevant to law enforcement or spying agencies."
The third service, house_arrest, originally allowed iTunes to copy documents to and from third-party apps. Now, however, house_arrest has access to a much broader array of app-related data, including photos, databases, screenshots and temporary "cached" information.
Couldn't these services have legitimate functions?
Maybe, although it's difficult to understand why they'd have such apparently untrammeled access to so much information. That's a pretty major security failing under any circumstance.
Zdziarski also runs through a number of possible explanations—that they might be used in iTunes or Xcode (Apple's iOS app-development environment), or in developer debugging, or by Apple support, or in Apple engineering debugging—and shoots each one down in turn.
It's very difficult to construct an explanation for legitimate, non-surveillance uses of services that aren't documented, that bypass backup encryption, that have access to otherwise inaccessible user data and that give the user no notification that they're accessing and dumping out information. Oh, and whose code Apple has maintained and updated across several versions of iOS.
Given Apple's historical issues with lack of cooperation and infighting between technical teams, it's also conceivable that these services grew without much direction at all, almost by accident, as engineers struggled to solve other technical problems without writing a whole bunch of new code. Call this the it-ain't-pretty-but-it-works explanation.
Is it plausible? Your guess is as good as mine. And it's still a major security fail.
What does Apple have to say about all this?
In classic fashion, not very much. Apple didn't get back to me when I emailed it for comment, although I'll keep trying.
Apparently, however, it did email a statement to Tim Bradshaw, a reporter for the Financial Times, who tweeted it:
The statement, of course, is rife with ambiguity. Is Apple referring specifically to pcapd, file_relay and house_arrest here, or just issuing a general statement about its diagnostic functions?
And it fails to address most of Zdziarski's basic questions. If these services are diagnostic functions, why aren't they documented? Why do they operate even if users haven't agreed to send diagnostic information to Apple? Why can't users deny their consent to having information taken off their devices this way? Why can't users turn these services off?
It is certainly interesting that Apple feels compelled to deny that it has even "worked with any government agency from any country" to engineer backdoors into its products or services. Especially since Zdziarski hadn't accused them of such.
Does Zdziarski have thoughts about Apple's statement?
Does he ever. In a new blog post Monday night, he summed up his reaction this way:
I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user.
I also contacted Zdziarski for comment, but haven't heard back.
If you're a LinkedIn member, this might mean more advertising for you.
The San Francisco-based firm provides advertising tools for businesses, and already worked with LinkedIn to place ads on the site for its customers.
According to a post by LinkedIn executive David Thacker, one of the company's fastest-growing ad products is sponsored updates, or posts companies pay to show you when you log into the site. With the Bizo acquisition, users might see more ads like this, in part because LinkedIn will be using Bizo’s services and salespeople to sell more ads.
Other products, like Sponsored InMail, might also see a boost, given Bizo's experience with targeted email marketing. Currently LinkedIn allows advertisers to purchase access to your inbox, but users only see a maximum of one sponsored email every 60 days. To date, I haven’t received one, but with LinkedIn amping up its marketing and advertising efforts, it might only be a matter of time.
Lead photo by Link Humans on Flickr; LinkedIn + Bizo image via LinkedIn
The Platform is a regular column by mobile editor Dan Rowinski. Ubiquitous computing, ambient intelligence and pervasive networks are changing the way humans interact with everything.
The middle class of mobile app developers is completely non-existent.
According to a research survey from market research firm VisionMobile, there are 2.9 million app developers in the world who have built about two million apps. Most of those app developers are making next to nothing in revenue while the very top of the market make nearly all the profits. Essentially, the app economy has become a mirror of Wall Street.
According to the survey: “The revenue distribution is so heavily skewed towards the top that just 1.6% of developers make multiples of the other 98.4% combined.”
About 47% of app developers make next to nothing. Nearly a quarter (24%) of app developers who are interested in making money from their apps are making nothing at all. About another quarter (23%) make less than $100 a month from each of their apps. Android is more heavily affected by this trend, with 49% of app developers making $100 or less a month compared to 35% for iOS.
As you can see, only 6% of Android developers and 11% of iOS developers make more than $25,000 per month, numbers that make it extremely hard to build a real, sustainable business with mobile apps.
If we chop off the top and the bottom of the market, that leaves a “middle class," which is extremely poor, struggling to make any kind of money. About 22% of developers earn between $100 and $1000 a month off their mobile apps. The higher end of that scale isn’t bad for hobby developers, but professional app makers can’t get by on that. VisionMobile draws an “app poverty line” at apps that make less than $500 a month, leaving 69% of all app developers in this category.
That leaves a very thin middle class that makes between $1,000 and $10,000 a month per app. To put that in perspective, the American middle class at large earns between $40,000 and $95,000 annually (with the “middle-middle” making $35,000 and $53,000 per year).
So what happened to all the riches in the app economy? The fact is that the money dried up a long time ago and only the top of the food chain makes any real money. The developer middle class is small and struggling while two-thirds of developers trying to make money off their apps may just look towards other ways to employ their skills.
VisionMobile concludes:
More than 50% of app businesses are not sustainable at current revenue levels, even if we exclude the part-time developers that don’t need to make any money to continue. A massive 60-70% may not be sustainable long term, since developers with in-demand skills will move on to more promising opportunities.
The Balloon Effect
The death of the developer middle class should come as no surprise to industry watchers. The app economy has mirrored the rest of the mobile industry of the last several years.
The first comers to the industry carved out names for themselves and benefited from the unexpected popularity of the smartphone (led by Apple’s iPhone and the App Store). Copycats and entrepreneurs raced to get in on the riches, creating a bloated app store filled with poor and mediocre apps to fill just about every product category you could think of. This pushed out quality (but limited) market apps. The revenue consolidates at the top of the market.
App store inventories continue to grow, one poor app after another. This will lead to the eventual realignment of the developer pool, building mobile apps as they struggle to find revenue or venture money to grow their businesses. In the past, I have called this the balloon effect. We've seen it in smartphone manufacturing (where middle tier players like HTC get pushed out as Samsung and Apple dominate) and developer services where companies struggle to compete against each other and industry heavyweights. Eventually, these companies are either bought or merge. (StackMob and Parse were acquired, PlayHaven and Kontagent merged to become Upsight.)
The app economy is one of the foundational elements of the mobile industry, so the balloon effects take longer to manifest but the impact is much broader on the developer community.
The Sparrow In The Coal Mine
Developer David Barnard offers a cautionary tale about an app called Sparrow.
We’ve all read stories about and been enthralled by the idea of App Store millionaires. As the story goes… individual app developers are making money hand over fist in the App Store! And if you can just come up with a great app idea, you’ll be a millionaire in no time!
Sparrow was an app built by a three-person team which became five people after a venture capital seed round. It started as a paid app in the Mac App Store and then the iOS App Store, with plans for a Windows app on the way. Sparrow debuted well and had a couple popularity spikes with new releases and media coverage. But Sparrow was not long for the world. It could not sustain the popularity needed to make enough revenue for its team to make the riches its efforts may have deserved. Eventually Sparrow sold to Google—a quality outcome. But most developers will never see the same type of popularity spikes, venture capital investment or exit to a huge company experienced by Sparrow.
If a well-received, well-made and popular app like Sparrow could not hack it in the mobile app business, the average indie developer has little chance to make a dent without stumbling upon a mega hit, a la Flappy Bird (developed by a lone programmer in Vietnam). The kicker is that Sparrow’s tale … is from 2012.
Two years later, the opportunities for apps like Sparrow have more or less dried up as thousands of apps have filled its category, making it harder for app publishers to stand out from the crowd. For every Instagram success story, there are thousands of apps that make little to no money and have no prospect of success in the near future.
Barnard summed it up well, diagnosing the prognosis of the app developer middle class in 2012.
Given the incredible progress and innovation we’ve seen in mobile apps over the past few years, I’m not sure we’re any worse off at a macro-economic level, but things have definitely changed and Sparrow is the proverbial canary in the coal mine. The age of selling software to users at a fixed, one-time price is coming to an end. It’s just not sustainable at the absurdly low prices users have come to expect. Sure, independent developers may scrap it out one app at a time, and some may even do quite well and be the exception to the rule, but I don’t think Sparrow would have sold-out if the team—and their investors—believed they could build a substantially profitable company on their own. The gold rush is well and truly over.
Top image courtesy of Flickr user Bennet.