December 3rd, 2012

A Break in the Clouds

A recent study by researchers at North Carolina State University and the University of Oregon describes a threat scenario that allows attackers to exploit cloud-based resources for malicious purposes like cracking passwords or launching denial-of-service attacks. The study has gotten a lot of attention, including articles in reputable sources like Dark Reading, Ars Technica and Network World.

In order to optimize the performance of mobile apps or browsers, some computation-heavy functions have been offloaded to cloud-based resources, which in turn access backend resources and Web pages. This creates a middle ground in the cloud that is exploited in the attack, which the authors call “Browser Map Reduce (BMR)”. In reading the paper, it’s clear that this is a legitimate threat. The authors actually carried it out using free resources, although they limited the scope in order not to be abusive.

Aside from curiosity about the mechanics of the vulnerability, the obvious question is this: How can we mitigate this threat? Here are a few perspectives, along with a mitigation for each.

Apps – This “cloud offload” architecture has arisen because of the processing limitations of mobile devices. When a backend resource is requested by a mobile user, it makes sense to have the data returned in the most consumable format, in order to optimize user experience. Whenever possible, instead of doing this through “browser offload”, data should be returned as JSON objects. This API approach is a proven method that works for mobile devices and is not subject to the BMR threat.

Cloud Services – This threat should not be viewed as a dismissal of the “cloud offload” approach. Cloud-based resources are necessary for handling caching, data indexing and other key functions in the mobile paradigm. However, it serves as a warning that these dedicated cloud-based resources cannot be considered part of a walled garden that includes the associated mobile app. The resource’s entry point must be protected against attackers. Layer 7’s SecureSpan Mobile Access Gateway is an ideal choice for this access control, as it uses identity-based measures to ensure that only requests from legitimate sources are serviced.

Web-Based Resources – Although the backend Web resource was not exploited in this scenario, the study is a reminder that the topology of the mobile Web is changing and increasing in complexity. Direct, point-to-point app-to-API connections cannot be assumed, so inbound API calls cannot be implicitly trusted. API access must be controlled and the SecureSpan API Proxy is a leading solution for this purpose.
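One way to enforce the entry-point protection described above, as an added example that is neither Layer 7's code nor the paper's: each mobile app carries an identity and signs its offload request, and the offload tier only fetches backends on an allowlist, so an unauthenticated caller cannot turn it into free compute. The app ids, secrets, hosts and 300-second skew window are constructed values.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

# Constructed sample identity store: per-app shared secrets the gateway knows.
APP_SECRETS = {"mobile-app-v2": b"constructed-secret-key"}
# Backend hosts the offload tier may fetch on behalf of an app (constructed).
ALLOWED_BACKENDS = {"api.example.com", "cdn.example.com"}
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign_request(app_id, timestamp, target_url, secret):
    """Client side: HMAC-SHA256 over app id, timestamp and requested backend URL."""
    msg = f"{app_id}\n{timestamp}\n{target_url}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize_offload(app_id, timestamp, target_url, signature, now=None):
    """Gateway side: return (allowed, reason) for an offload request.

    Rejects unknown app identities, stale or forged signatures and targets
    outside the backend allowlist before any fetch or rendering happens.
    """
    now = time.time() if now is None else now
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return False, "unknown app identity"
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    expected = sign_request(app_id, timestamp, target_url, secret)
    # Constant-time comparison so signature checking does not leak by timing.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    host = urlparse(target_url).hostname
    if host not in ALLOWED_BACKENDS:
        return False, "target not in backend allowlist"
    return True, "ok"
```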

To sum up, this is a legitimate threat but not a reason to abandon the use of cloud-based resources for mobile app optimization. Be aware of the threats, employ the mitigations and then you can continue to enjoy the exciting growth of the mobile Web.

November 15th, 2012

Optimizing Cloud-Driven Mobile Apps – Tech Talk Featuring Alex Gaber

I’m excited to welcome back our API Evangelist Alex Gaber to do his second Tech Talk. Back by popular demand, Alex will take your questions on Optimizing Cloud-Driven Mobile Apps. Alex is a dynamic speaker who knows the app economy inside and out, has built several of his own mobile apps and regularly hosts hackathons all over the globe.

Building cloud- and API-driven mobile apps introduces complex challenges around syncing, caching and securing data. So, connect live with Layer 7 on Tuesday November 20, at 9am Pacific Time, when Alex will be answering your questions about how to address these challenges. Alex will also provide insight into a range of related best practices, including techniques for building cross-platform applications in HTML 5.

Click here to get the full event details and a reminder in your calendar. On the day of the event, join the event at layer7.com/live and tweet questions to #layer7live.


November 8th, 2012

APIs in Apps: Considerations for UX & App Performance Optimization

When a mobile app is dependent upon APIs, many new challenges are introduced to the developer. To provide the best possible user experience (UX), a mobile app should be snappy and responsive. Often though, in the reality of cell phone networks that are bottlenecked and over capacity, a dependence on a fast data connection can lead to a UX nightmare.

Tomorrow (that’s Friday November 9) at 10:30am, I’ll be discussing the challenges of mobile app UX at QCon in San Francisco. In a presentation called “HTML5 Cross-Platform Mobile Apps Integrating APIs”, I’ll be outlining significant challenges around API-driven mobile apps, as well as mistakes developers commonly make, and suggesting best practices for addressing them.

I hope you can make it, if you’re at the show. Also, be sure to visit Layer 7 at booth #11.

October 25th, 2012

The iPad Mini is for Cars

Category Apps, Mobile Access

On Tuesday, Apple launched the iPad mini. Apple events in the fall of 2012 may no longer command the social anticipation they did just a few years ago but they remain flash points for technology reporting. This release brought on more than its share of speculation that the mini is simply an overdue acknowledgement that Amazon got something right with Kindle and that Apple has quietly slipped into following mode. Some pundits have seized on the angle that Apple’s new tablet appeared to contradict Steve Jobs’ famous trashing of the 7″ form factor. But in all of the hullabaloo, one observation seems to be missing: that a tablet of this size is tailor-made for inclusion into the dashboard of your car.

Nothing dates a car like its electronics. And nothing is more tragic than the user experience of pretty much every single in-car navigation and music system. The luxury car segment can do Corinthian leather and wood grain appointments like no industry on earth. They can build a magnificent driving machine that powers through rain and snow like it was a sunny day in LA. But ask them to do a screen-based app and you get something that looks like it was designed on a TRS-80.

I didn’t renew the trial SiriusXM in my 4Runner because I couldn’t stand its programming compared with what I could stream from my iPhone using Bluetooth. Every time I rent a car, I use my phone-based Navigon app over any provided GPS because my app is just better. I’m hooked on Waze, despite how few people use it up here in Vancouver (you should sign up — the more people who use it, the better the traffic data is). The apps on my phone are always up-to-date and I replace the hardware every couple of years for the latest model (which is good enough for me; after all, it’s only a phone).

All cars need is a standard, lockable frame where you can plug in the device of your choice, plus a standardized connector. Then let free market competition and innovation prevail over apps. Tomorrow’s gear heads aren’t going to be like the hot rodders of my Dad’s generation or the tuner kids of a decade ago. They are going to be geeks with apps using APIs.

That’s what the iPad mini is for.

(It’s interesting to note that the wifi-only mini does not have GPS but the cellular version does…)

October 22nd, 2012

Layer 7 Sends Lightning Bolts on the AT&T Hackathon Circuit

Layer 7 recently partnered with the folks at AT&T, to be a frequent sponsor on their hackathon circuit. AT&T hackathons provide a launching pad for developers to come solve big problems, learn about APIs, get inspired, win prizes and possibly launch new products. Take a look at the Layer 7 site for information on upcoming hackathons and join us if you can! In the meantime, here’s an overview of some recent AT&T events we participated in.

Mobile App Hackathon, Denver, CO (August 17-18). Layer 7 brought payment APIs that gave developers tools for integrating payments into apps and we were onsite providing technical support for iOS, Android and HTML5. Layer 7 also provided Apple TVs as prizes for the team that achieved the best technical integration of our customer API. The winning app was Open Perks, designed to make redeeming digital coupons and loyalty rewards easier.

Social Good Mobile App Hackathon, New York, NY (September 25-26). Apps built over the course of this weekend aimed to solve major social issues – for example, by alerting people when blood donation banks need their certain blood type or by improving support systems for alcoholics. We were there to offer onsite technical assistance and help teams with user experience/user interface design as well as general prototyping best practices.

Hack Across the Pond Mobile App Hackathon, London, UK (October 5-7). This hackathon – produced in partnership with the MIT Sloan Business Club and the UK Trade & Investment Agency – aimed to bring together developers in Boston and London. Utilizing simulcast video streaming, developers worked together on projects at both sites. We were onsite in London, providing organizational and technical assistance.

New York City Mayor Bloomberg’s Truancy Task Force & NYC Digital Hackathon, New York, NY (Oct 12-13). Onsite at AT&T’s downtown NYC office, we were again honored to be included in a prestigious group of sponsors. We gave a presentation on How APIs are Changing the World and it was a pleasure to work with and provide technical support to members of New York’s thriving, innovative developer community.