Building &

Managing

Mobile

Solutions A Whitepaper

Mfuse Limited

Copyright © October 2012, Mfuse Limited Page 1

Contents Executive Summary ...................................................................................................................... 2 The Challenges in Effectively Developing and Managing Mobile Solutions .................... 3 1. Performance ........................................................................................................ 4 2. Security ................................................................................................................ 5 3. High Traffic Levels ............................................................................................. 6 4. Handset & OS Variety ....................................................................................... 7 5. Complex Back-Office Systems ......................................................................... 7 6. Internationalisation, Localisation & Personalisation. .................................. 8 7. Mission-Critical Services. .................................................................................. 8 8. Cost-Efficiency. ................................................................................................... 9 The Mfuse Approach.................................................................................................................. 10 Design, Development & Testing ............................................................................. 10 Security ......................................................................................................................... 10 Scalability ..................................................................................................................... 11 The Mfuse Platform ................................................................................................... 11 Conclusion .................................................................................................................... 12

Copyright © October 2012, Mfuse Limited Page 2

Executive Summary The mobile application industry has evolved at a breath-taking pace in the past decade. Protocols and platforms designed for low-capability handsets on low-bandwidth networks (Java ME, WAP, WML, etc.) were made obsolete by rapid advances in devices, operator networks and software platforms. Today’s mobile technologies include mobile-optimised websites and web-apps built with HTML5, OS-specific native application platforms and, in the middle, a variety of hybrid platforms that aim towards the ‘write-once access-anywhere’ ideal. Whichever technology is chosen, rich, powerful, engaging sites and apps are not only possible now, but are considered the norm. Whilst the options and possibilities have grown, the challenges for businesses and system architects remain much as they have always been. Namely how to capitalise on this potential in a secure, scalable, cost-effective manner whilst maintaining an edge over the competition and providing users with the experience and functionality they expect. Mfuse was originally established in 2002 to fill a gap in the market and to provide clients not just with mobile applications that go beyond the norm, but also with the highest levels of scalability, security, transaction management, back-office and API integration, and service management that are demanded by leading enterprise and B2C businesses. Since then, Mfuse has grown with the industry. It has seen the coming and going of technologies such as WAP, Java ME and, through continuous investment in R&D, user experience and via close-collaboration with its clients, has remained on the cutting edge of the mobile and tablet application space. As a result, the Mfuse Mobile Application Development Platform (MADP) that is used by our teams internally has developed with our business to where it is today - providing enterprise-level services and device-aware rendering across the spectrum of mobile and tablet devices that are found in both developed and developing territories. In this whitepaper we examine the challenges in more detail and also discuss the approach taken by the Mfuse offering and its Mobile Application Development Platform to tackle them.

Copyright © October 2012, Mfuse Limited Page 3

The Challenges in Effectively Developing and Managing Mobile

Solutions Mfuse specialises in both mobile application development and also in understanding the broader requirements for the development and management of enterprise-level and large-scale B2C systems. The issues that need to be overcome are familiar to anyone with experience designing, building or managing systems of this scale - regardless of the type of device used to access them: 1. Performance: Providing users with the performance they expect from their site or app. 2. Security: Providing users with the security they deserve. 3. High-Traffic Levels: Scaling systems to cope with high levels of concurrent traffic, both as the norm and during extreme peaks around significant events. 4. Handset & OS Variety: Giving users with the most capable devices the best possible experience, whilst still supporting those with less able devices (or lower bandwidth networks at that point in time). 5. Complex Back Office Systems: Integrating with complex (and often remote) back-office systems in a transactional and performant manner. 6. Internationalisation, Localisation and Personalisation: Efficient support for internationalisation, localisation, personalisation, etc. 7. Mission-critical Services: Hosting and managing high-volume mission-critical services. 8. Cost-Efficiency: How to do all of the above in a cost-effective manner. Whilst these are all typical problems in the development and management of any large-scale system, those systems that support users with primarily mobile or tablet devices have specialised requirements (and solutions) in all of these areas. The lessons that Mfuse has learnt, the Mobile Application Development Platform (MADP) that it has built and evolved, and the processes it has put in place in the last decade put Mfuse in a unique position to be able to understand and effectively solve these issues.

Copyright © October 2012, Mfuse Limited Page 4

1. Providing users with the performance they expect from their site or app. Today’s users expect fast loading times, responsive applications and dynamic information at their fingertips. This can be difficult to achieve at the best of times, once outside the controlled conditions of a campus or enterprise. On high-latency, low-bandwidth mobile networks it becomes a true challenge, especially if users are contending for bandwidth in a congested cell (e.g. at a concert or football match). All areas of the architecture require attention in order to achieve the speeds necessary to give users the performance they are accustomed to. Applications must be efficient, communication protocols must be light and highly optimised and data must be manipulated and cached at numerous points to ensure it is as close as possible to the users, whilst balancing this with the need to always keep it current and accurate. The applications Mfuse typically builds for its clients need to solve all these problems two-fold, i.e. in terms of (i) the server application, the application running on the user’s device and the communications between the two, and (ii) the server application and the manner in which it communicates with clients’ back-office systems and third-party feeds. To meet the challenges of application execution on a user’s device, it is critical to understand the wide range of capabilities that are out there. Application logic and richness of functionality must be tailored to the device in question with full support for the latest smartphones and a graceful degradation in functionality as the capabilities decrease. Expecting an app (or mobile-optimised website) that doesn’t tailor itself in this manner to equally please an iPhone 5 user, the user of a two-year old HTC and the user of a four year old BlackBerry is unrealistic. Data transmission between the application and user’s device must be kept to an absolute minimum and be heavily optimised in order to achieve satisfactory performance across a mobile network. Assets should be cached where supported by the handset, though the caching support declared by the OS manufacturer is not always stable or complete, which

Copyright © October 2012, Mfuse Limited Page 5

can result in obsolete imagery and even logic (e.g. JavaScript) being cached beyond its use-by-date and potentially causing incompatibilities with the server application. Different devices provide varying levels of support for both HTTP Header-based caching and HTML5 Local Storage-based caching and a strategy that caters for both methods (and the varying levels of compatibility across Operating Systems within each method) is required for an optimised approach covering all users. Highly dynamic or volatile data needs handling more carefully and is best cached where there is more control, including in the server application, in the network appliances and perhaps in the client application (e.g. natively or using HTML5 Local Storage). The same rules apply when integrating with other feeds for data, e.g. third-party news and content, live video-streams, etc. Data and content often requires careful aggregation and manipulation before it is consumed, especially where the APIs from which it is sourced are not designed with the specific needs of the application in mind and therefore often bear little if any resemblance to the application’s use cases. 2. Providing users with the security they deserve. Thankfully, all of today’s major platforms support standard secured communication protocols, such as HTTPS, and the days of designing custom protocols to work around the deficiencies of, say, Java ME certificate management are behind us. Nevertheless, data communication is just one aspect of security that needs to be addressed. Security must be treated as a first-class requirement right the way through the development and hosting/management processes and throughout the entire architecture. System access must be locked down and audited, firewalls must be correctly configured (and regularly exercised through penetration testing), patch management must be well disciplined, multiple levels of physical security must be in place in the datacentre; these and many related aspects of security are givens in today’s modern multiuser systems. Equally, as the exponential growth in ecommerce has driven online payments to the forefront of security officers’ concerns, the relevant organisations have come together and formed new processes and standards that must be adhered to (e.g. the PCI DSS1) by any sizable business expecting to be able to responsibly manage card payments. Security is something we must all be concerned about and treat seriously throughout the entire architecture and all business processes. 1 See https://www.pcisecuritystandards.org

Copyright © October 2012, Mfuse Limited Page 6

3. Scaling systems to cope with high levels of concurrent traffic, both as the norm and during extreme peaks around significant events. Mfuse has seen mobile progress from a niche channel with relatively little traffic, to becoming a dominant force that is driving technical and social change and gaining board-level attention with even our biggest clients. Given the on-going increase in online activity and that mobile Internet usage will soon overtake non-mobile access2, the need to scale efficiently is paramount. Mfuse now sees mobile traffic levels breaking previous records on an almost weekly basis and approaching 25%-30% of all digital access within our clients. In addition, we see huge spikes in traffic (with record numbers of user sessions and transactions) around live events, recent examples in the sporting world being Grand National 2012 3 and the European Football Championships4. Coping with these demands requires:

• Technical expertise when designing and building solutions, e.g. around the additional complexities of secure, high-volume session management and distributed multi-tier data caching. Whilst these are often solved through the use of third-party technologies built for these purposes, they rarely work out-of-the-box for high-volume situations and never take the specifics of mobile environments into account. • Creativity and agility when hosting and managing these services. Mfuse has long understood the need to build support for all these issues and more into its MADP and has continuously updated and enhanced it over the years to keep it current and best-of-breed. The Technical Services team is second to none when it comes to understanding how to cater for high-load situations for the clients that ask us to host and manage their mobile services. It also has a wealth of experience going beyond the usual online service management (in itself not to be underestimated) and into the subtle differences found with users that access the service via mobile cell gateways and operator networks – rendering, for example, some of the more usual load-balancing techniques ineffective. 2 This has been widely predicted for a number of years to happen around 2013/14 (e.g. see http://www.gartner.com/it/page.jsp?id=1278413) and the trend towards this is certainly being borne out by our clients. 3 See http://en.wikipedia.org/wiki/Grand_National 4 See http://en.wikipedia.org/wiki/Euro_2012

Copyright © October 2012, Mfuse Limited Page 7

4. Giving users with the most capable devices the best possible experience, whilst still supporting those with less able devices (or lower bandwidth networks at that

point in time). While cross-browser incompatibilities have made this a concern for web designers since the early days of the WWW, it has greater significance in the mobile domain where the overall variation in capabilities is much larger, not just amongst smartphones, but also across feature phones - for those wishing to have a broader reach across demographics or territories. Most of Mfuse’s clients require applications that support not just the latest version of Apple iOS and Android and that take advantage of their full capabilities, but also provide a gracefully degrading service right down to feature phones that don’t even have dynamic functionality capability (e.g. JavaScript support). For these reasons, the mobile ‘channel’ needs to be considered as multiple channels with each divided into sub-channels providing a grouping across similar device families and a product offering that spans them all. Beyond this (and also driving the routing between channels and sub-channels), an intimate knowledge of the device making a request is required, including details of handset, operating system and version, screen-size and various capabilities including ability to support JavaScript, CSS 3 / WebKit extensions and so on. In a similar vein, there is little point trying to serve a data-rich and highly-dynamic, bandwidth-intensive service to a smartphone user with a poor signal reception or in a high-contention area, as the chances of it reaching the device or performing well are remote. Hence, it is important to recognise such scenarios and gracefully downgrade (automatically and/or at the user’s request) through the service quality levels. Enabling this switching is critical (as is, of course, providing multiple QoS levels in the first place). 5. Integrating with complex (and often remote) back-office systems in a

transactional and performant manner. In many respects, this has little to do specifically with mobile, although it is worth pointing out that the skills required to build mobile applications are often very different to those for building complex back-end systems, especially those that integrate tightly into others, so it is key to ensure you (or your supplier) have capabilities in both areas if integration requirements are anticipated. One particular area in which we have learnt that mobile affects this is where integrating into back-office APIs built for other purposes or channels. A common requirement is to

Copyright © October 2012, Mfuse Limited Page 8

integrate with an API designed to support an existing website. A mobile product’s design and user journeys will be very different to those of a traditional website or desktop application, due to the differences in screen size and interaction conventions. A single page on a website often translates into a number of smaller broken-down pages in a mobile application. Conversely, it is not uncommon to find a single page in a mobile application aggregating information and interaction that might be found spread across a number of pages in a traditional website, in order to reduce the number of clicks (and server interactions across a mobile network) to achieve some given goal. The result is often that APIs that serve websites perfectly well are far from ideal when looked at from the perspective of a mobile product and rarely have operations that map neatly to the application’s use cases. Hence, particular skills and experience are beneficial to be able to aggregate and cache effectively in order to decouple the mobile product from the back-office API. Support for this within the chosen MADP is invaluable.

6. Efficient support for internationalisation, localisation, personalisation, etc. Again, these are not necessarily issues that are specific to mobile, but they certainly have an added emphasis when dealing with a mobile product and the possibilities they bring, for example through location-awareness. Again, support within the MADP for such concerns is essential. 7. Hosting and managing high-volume mission-critical services. This subject overlaps everything that has been discussed above. For a high-volume system to be hosted and managed effectively, it needs to have been designed with security, scalability and ease of configuration and internationalisation in mind from the start. However, it also requires a deep understanding of the underlying infrastructure requirements and the specifics of the mobile space. In high-profile transactional sites, we

Copyright © October 2012, Mfuse Limited Page 9

find DDOS attacks are common, outages at independent nodes in a network path between a distributed application and back-office occur more often than we would like (and never at a civilised time of day), patch and configuration management require high levels of discipline and a constant increase in demand and throughput a fact of life. Some of these require no knowledge of mobile. Others would have left Mfuse floundering were it not for a highly skilled team and a far-reaching knowledge of the mobile space. 8. How to do all of the above in a cost-effective manner. There is, of course, no silver bullet! Building and managing Internet-scale mobile services for enterprise or B2C consumption requires skill and experience across a wide range of disciplines. Many MADPs are now available to help with the building of such services and Mfuse indeed has its own that it has honed over many years. However, the selection and use of a MADP will not in itself bring success; skill and experience in the field and disciplines related to mobile development are crucial. Mfuse has a solid track record in solving these problems and the approach taken is discussed in the following section.

Copyright © October 2012, Mfuse Limited Page 10

The Mfuse Approach The Mfuse approach consists of a thoroughly modern development methodology, a MADP developed and refined over a decade to support our applications and a philosophy that puts the client’s needs at the forefront and utilises a wealth of mobile expertise to fulfil them. Design, Development and Testing Mfuse takes a modern approach to development and tailors its processes to clients’ specific needs wherever necessary. Product Definition and User Experience workshops usually kick the process off, followed by rapid prototyping and plenty of opportunity for early feedback. We have a strong team of business analysts, user experience and design experts with a wealth of mobile experience that are committed to producing the best applications available. Development itself uses agile methodologies that are tailored to our specific requirements, though we can accommodate particular clients’ needs, e.g. working collaboratively with a strictly Scrum methodology with one of our clients. Again, prototyping is used heavily, alongside Test Driven Development5 practises and iterative development, always with the aim of delivering often and getting early feedback. Our QA team are engaged from the start and Continuous Integration and Delivery 6 techniques are applied throughout. We place great emphasis on testability and rigorous quality control is paramount. We are a software development company at heart and all these things matter to us. We develop systems as we feel they should be developed and believe that sound practises and modern processes are critical in the delivery of today’s software solutions, mobile or not. Security The security of our clients and their end users is at the heart of everything we do. Our early adoption of PCI is an illustration of this; around 2004/2005 the major credit card 5 See http://en.wikipedia.org/wiki/Test-driven_development 6 See http://en.wikipedia.org/wiki/Continuous_integration and http://en.wikipedia.org/wiki/Continuous_delivery

Copyright © October 2012, Mfuse Limited Page 11

companies aligned their individual security and fraud prevention programmes and released the PCI DSS1. Mfuse has been committed to PCI since the beginning and it, along with all aspects of data- and physical-security, underpins all our systems and processes. Scalability Due in part to our expertise and also our cost-effectiveness, most of our clients ask us to host and manage their mobile and tablet services for them, including the very large that have significant hosting capability of their own. These have been long-term arrangements and continue to be so and this is testament to our abilities to provide secure and scalable services for serious, large-scale B2C sites and web-apps. We employ a redundant and highly dynamic virtualised environment that enables us to respond quickly both to failure modes and user demands and we anticipate moving further into Cloud-based environments, for those clients that would be compatible, in 2013. The Mfuse Platform Mfuse’s Mobile Application Development Platform started life as a small collection of tools and utility classes and, over the following decade, has evolved into a full-fledged and mature platform that solves all of the problems we encounter when developing large scale mobile solutions. This provides the foundations for everything we do, whilst continually evolving to support the changes in mobile and server-side technologies and incorporating best-of-breed open frameworks.

Copyright © October 2012, Mfuse Limited Page 12

Conclusion There are a number of approaches that can be taken to overcome the challenges presented when developing large, enterprise or B2C mobile applications and websites. The approach that Mfuse takes has been honed, tried and tested over the last decade and enables us to provide our clients with industry-leading applications. While many of the challenges will in principle be familiar to developers, architects and IT managers outside of the mobile space, the specifics of the mobile space and the solutions it requires can pose problems - especially around the areas of pan-handset support. It is ironic that whilst everybody has long predicted convergence of mobile technologies, the reality is continued divergence, especially when you get into the detail. We expect this trend to continue for some time before the industry standardises across OSs and platforms. In the meantime, the need for specialist solutions to specialist needs within the mobile industry will persist. Mfuse are more than happy to discuss these problems and their solutions in further detail. Please do contact us for more information: Mfuse Limited www: www.mfuse.com 3rd Floor, Mitre House tel: +44 (0)20 7154 2070 177 Regent Street email: info@mfuse.com London W1B 4JN