The potential impact of Spectre on mobile performance and security

Much has been written about the Meltdown and Spectre vulnerabilities in contemporary CPUs in the first days of 2018. This is a hardware issue that can be mitigated via software patches, but this comes at the cost of a significant reduction in performance for many CPU-bound workloads.

The Meltdown vulnerability was discovered in x86 architecture processors, which are mostly used in servers, workstations and laptops. These are all devices that spend (most of) their time connected to electric outlets, but mobile devices are also affected. Here ARM CPUs are the norm and x86 is a curiosity.

Some results show degraded performance when running web applications after Meltdown patches, Reddit and Epic Games being examples. This increases the cost of hosting large web properties, but with horizontal scaling this can be solved. The same goes for workstations and to a large extent laptops.

With mobile devices using Android and iOS, the reduction in performance is potentially more significant than in the server room. The battery life in smartphones has hovered around the single day mark ever since the release of the iPhone in 2007. Apparently raw capacity remains a limiting factor for battery life.

A majority of web usage is now done using mobile devices. With billions of active devices in use around the globe, the performance reduction in computing leads to more sluggish experiences for a very large audience. The parsing of megabytes of JavaScript on page load was already a concern before these vulnerabilities, but this is further amplified by Spectre patches.

Mobile devices already use techniques to conserve power on network and CPU usage. If initial claims reporting significant impacts on iOS performance after the Spectre patch in 11.2.2 are true, then this can be a significant setback for mobile devices’ battery life. This affects all use, reducing standby as well.

Not applying software updates to preserve performance is not an option, as users are performing sensitive activities like banking on their smartphones. Worse battery life is a small price to pay for the security provided by the patches. Millions of smartphones and tablets will never receive updates.

Perhaps clever engineering can mitigate possible performance reductions over time, but security will remain a concern. Because of its sheer size, the mobile market is an interesting target for malicious parties. It remains to be seen how the mobile industry will be impacted by the CPU vulnerabilities, both in terms of battery life and security.

-- Jani Tarvainen, 10/01/2018