I want virtualisation on my iPhone, and I want it NOW

You're holding the next virtual battleground in the palm of your hand

Analysis By turning computers into software, virtualisation can increase security and free us from underlying complex hardware. Systems can be deployed in moments, and we're offered much better efficiency and flexibility.

Which are all really good things, albeit things commonly associated with PCs and servers. But virtualisation would be just as good on smartphones. So where’s our virtual mobile? And what will it look like when it turns up?

ARM has had virtualisation extensions since ARMv7, but the ARM-powered world is nothing like the realm of x86. For a very large part of that latter market, x86 means more than just a processor architecture: there is a great deal of platform standardisation based on the mutant monster offspring of the original IBM PC.

Such a broad, well-documented set of standards makes it very possible for an x86 hypervisor to host any x86-compatible guest operating system or virtualised application efficiently.

Unfortunately, there’s no such common hardware underpinning for ARM systems.

SoC it to 'em, that's part of ARM's charm

At the hardware level, different ARM platforms, even those running common operating systems, present wildly differing selections of chips, memory maps, and peripheral configurations. ARM defines the instruction set and a few basic bits and pieces, but the individual manufacturers of countless system-on-chips (SoCs) ultimately decide where all the magic control switches are hidden on their silicon.

There’s some consolidation going on, as industry economics push engineers into using truly all-in-one SoC designs such as Samsung’s Exynos series - and some SoC architects like keeping things the same across generations, as that reduces the amount of time needed to develop the software that runs on the things.

But that doesn't mean you can download a virtualisation app for your phone that can easily boot a generic "ARM-compatible" OS on top of the operating system installed on the handset.

A stock x86-64 Linux, Windows or BSD will painlessly start up in your choice of x86 hypervisor, be it VirtualBox, KVM and so on. But you won't be able to do the same on your mobile: you won't be able to find a generic ARM version of those OSes that'll Just Work™ in a generic ARM hypervisor app – because no one can decide on a common, generic platform*.

Which is not to say that there isn’t room for multiple kernels on today's ARM-driven smartphones. ARM, the company, has been pushing its TrustZone concept as the preferred way it packages virtualisation. In short, it allows a secure OS to run separately from the operating system the user fiddles with.

In practice, this puts security-conscious tasks like crypto, payment systems and anti-piracy controls in their own hardware-protected virtual Trusted Execution Environments or TEEs, from whence they can communicate safely with the main OS. Third parties like Trustonic have taken this and built development platforms for TEEs and the chunks of trusted code they run - rather cutely called trustlets.

A Galaxy S3 Android phone ... that's running Microsoft DRM

But, as ARM told The Register, “the successful virtualization solution should be invisible to the consumer”. Indeed, the first mass-market phone to use this system was the Samsung Galaxy S3, which runs a secure microkernel called Mobicore and a handful of trustlets handling stuff like Microsoft’s PlayReady DRM (yes, your Android phone has Microsoft DRM in it). And it’s most certainly invisible to the consumer - if not to security researchers.

For many useful and important tasks, like giving your IT manager his own secure playpen on your phone to run buttoned-down corporate things, this gives control freaks the warm fuzzies when trying to ride herd on BYOD. The rest of us, conditioned by long experience, know that ‘trust’ in the context of hiding things from users generally means that genuine trust is thin on the ground - you’re not trusted to follow the rules, and you can’t trust the rules won’t change.

Virtualisation in the PC world means more freedom, not less: you want to run multiple operating systems, you want to make applications work where they weren’t intended, you want to move and multiply, backup and transfer, no matter what.

And this is coming, despite the general "look away, nothing to see" approach of much of the ARM virtualisation movement to date. It has to. With ARM and friends really very keen to see the architecture move into the data centre and cloud infrastructures - the biggest hive of virtual activity on the planet - a solid, bare-metal approach to proper full-fat virtualisation can’t come soon enough.

The big guns are already up and running. KVM and Xen have code to play with, if you’ve got the right development system or, at a push, the right Chromebook.

Things are more complicated on handsets. Both Samsung and VMware have dual persona systems, Knox and Horizon Workspace, that look a bit like virtualisation but are software-managed work and play environments that don't rely on full-blown hypervisor control. Samsung is also working with Red Bend, a mobile software management company whose TRUE product is a bare-metal, hypervisor-based dual persona system; that, however, is not part of Knox.

Missing from all of the above is Apple, which is really not happy with people messing about below the bonnet of iOS. With iOS 7, it introduced per-app security settings for things like compulsory VPN access, remote configuration and so on, effectively wrapping sensitive corporate apps in something approaching a virtual environment. But it’s not any closer to a dual persona approach, and nowhere near bare metal. APIs or nothing is the Apple creed. It dare not go the full monty: Android can’t get there fast enough.

ARM itself will talk about bare-metal hypervisors running multiple operating systems, but only for its recently announced ARMv8-R design. That’s aimed at the embedded world of cars, industrial control and smart things in general - but as ARM itself points out, even lightweight OSes of the sort it envisions running on the ARMv8-R can be pretty functional GUI-based Linux/Android derivatives: the borders between classic embedded systems blinking lights and running motors and the sort of smarts in a modern phone are increasingly fuzzy. That there will be a lot more ARM virtualization across all its platforms is not in doubt.

There’s a major split coming in mobile virtualisation. The techniques, code and capabilities to do full-on hypervisors on Android phones and tablets are moving into reality, a movement that can only be accelerated by the promise that such a move could smooth out Android fragmentation, increase security without compromising openness, and open up such transgressive horizons as running iOS apps - even iOS itself - alongside Android on the same hardware.

Under no conceivable alignment of the planets will this happen in the Apple ecosystem, where we’ll get what we’re given when Apple wants to give it. Apple’s certainly got a plan in mind, given the way iOS 7 has evolved its enterprise chops, but any argument about the better approach between the two platforms must, perforce, be religious, at least until things mature.

What is unarguable, though, is that after years of convergence, some genuine differential capabilities will appear again between the two platforms.

God help us all. ®


* Yes, you can install, for example, Qemu on your Android mobe, emulate a Versatile dev kit, and run a flavour of Debian GNU/Linux on it, or run Microsoft Windows on an emulated x86 platform. But that's awkward, you won't find that on iOS, and it doesn't address the lack of a standardised ARM hardware system – something that's enraged Linux kernel supremo Linus Torvalds - sub-ed
