What is the value of a smart card OS?

The big news of the week in the mobile world is that Nokia is buying Symbian and open sourcing it. One of the reaction papers that I read claims that this deal reveals the true value of a mobile operating system, which of course is null, zip, zero. If this is true, it is not good news for companies who sell operating systems and related middleware and components.

Of course, the message is not that simple. If the operating system has no value according to the authors, it does not mean that the entire mobile software stack has no value:

Furthermore, in my opinion, the rise of application execution environments (AEEs) like Java, Flash (Adobe), Dalvik (Google) and Silverlight (Microsoft) will be where much of the future application development takes place, as opposed to natively at the OS level. This rips further value from the OS since, as long as the handset supports a popular AEE, the actual core OS becomes irrelevant.

That statement is a bit more optimistic for system software vendors. The part that lost its value is the part that should not be exposed. From my point of view, this is quite right: distributing native code is a bad idea, as it removes any possibility of actually verifying the code, running it in a sandbox, and otherwise ensuring that it does not harm other applications on the device. Some people go even further by predicting that widget frameworks will be the big winners in the end (by adding yet another layer of control over applications).

Now, let’s move to smart cards. What is the value of a smart card OS? I would like it not to be zero, because this would be bad news for smart card software vendors, and also for traditional card manufacturers. There are at least two arguments in favor of that approach:

  • Smart card software remains quite monolithic, and the operating system is hard to separate from the application environment. This has been true for Java Card 2, and it should remain true for Java Card 3. This does not mean that it isn’t possible to define a Hardware Abstraction Layer (HAL) for a specific card software component; it just means that it is not possible today to build a smart card software stack simply by putting together COTS components.
  • Smart card software is hard to completely open source, because of the strong security requirements, and the need to resist attacks by an organized hacker community. Smart card software developers have always been very secretive about their software, and the various countermeasures developed by vendors have a value.

I like to believe in these arguments, but I am not sure that I do. Security features are good for building a reputation, but they are really hard to monetize. They may help you win a contract, but it will be hard to ask a premium price for security features. As for the monolithic software, the argument does not really stand either: if a vendor were to propose an off-the-shelf application environment with highly desirable features and a well-defined HAL, it would most likely reduce the value of whatever lies between the chip and the HAL to something close to 0.

So yes, smart cards are like mobile devices. There is no value in the operating system. The real value is in the services, and a part of this value can be associated with the application execution environments that help service providers write valuable services efficiently and securely.

2 Comments

  • lexdabear wrote:

    Wow, this article made me think.
    On the one hand I can follow your arguments, on the other hand I see successfully commercialized mobile device OSs like Brew, Symbian and Windows Mobile. I don’t like that this software is not free, but you can make money with it.
    If the real value is in the services, then Android is the right direction.
    Regarding the statement “countermeasures developed by vendors have a value” I am not so sure about, as any secretive security measures we deemed to fail ..

  • It seems that Symbian never made any money (or at least, I read that it never made enough money to cover its costs), and Windows Mobile is quite likely to be losing money, at least for now.

    So, from your three examples, we are left with Brew. We may add the iPhone software, even though Apple’s costs are quite opaque. Still, I would not count on mobile operating systems to make money.

    And about the smart card countermeasures, they actually have a value, even if you can’t monetize them directly. By raising the costs of entering the market (and getting their security certified), some vendors may actually succeed in keeping the cheapest options at bay, and this may allow them to sell at better prices.

    Still, I would like to remind that I am not saying that operating systems have no value. They do, but it is hard to market. Google and Nokia can make money with Android and Symbian, but they will have to do more than just selling system software: they will need to build an ecosystem around their systems; if it thrives, there is an opportunity to get the value out of the operating system.
