Eclipse survey finds Linux dominance, apparent endemic security apathy

The Eclipse Foundation has published its third annual IoT Developer Survey, charting the popularity of languages and operating systems among IoT developers and projects, and this year’s results are good news for Linux and Canonical. However, for security aficionados, the survey makes for grim reading, and while Thread and LPWAN are both seeing growth, a key takeaway is the distance between GE’s Predix and the big-three IoT cloud platforms.

The report notes that there is a more diverse set of industries represented by the respondents, with Industrial Automation, Smart Cities, and Energy Management seeing significant growth compared to the year before. IoT platform/middleware was the most popular are, with 41.6% of the vote, followed by Home Automation on 41.1%, and Industrial Automation on 36.4%.

As for key concerns, security is still the main worry for developers, dipping 0.7% compared to 2016, to 46.7%. Notably, Interoperability has fallen substantially since 2016, falling from 29.4% to 24.4% – which Eclipse suggests could be a sign that work on standards and middleware has lessened this concern. Continuing the trend of dips, both Connectivity and Hardware Integration, the other two chief concerns, fell by around 1%, to 21.4% and 19.3% respectively.

The next focus for the Eclipse survey was IoT the choice of security-related tech. The results are not encouraging for overall IoT security. Communication Security was the highest response, with just 48.3% of responses, followed by Data Encryption on 43.2%. JSON or Similar Web Token was in third with 34.4%, followed by Public Key Infrastructure on 27.2%, and OAuth and OpenID in fifth-place with 24.3%.

Sixth went to Over the Air (OTA) Updates, on just 18.5%, and the seventh most prevalent response was that no security technology was being used – at 16.4% of the replies. That’s somewhat staggering, and is hopefully indicative of the lack of priority that security takes in developer projects – something that is hopefully heavily corrected before they become live deployments.

As for hardware-based security, the results appear worse, although the proportion of software-only developers in the survey isn’t clear and could well be skewing the results. Either way, Secure Boot was used by 11.4%, Hardware Security Modules by 10.6%, Trusted Platform Modules (TPM) by 10%. Combined with the poor apparent OTA usage, these answers don’t bode well for the number of secure devices in the field.

For developers focused on constrained devices, the most popular programming language was C, which held 56.4% of the vote, followed by C++ with 38.3%, and Java with 21.2%. Python (20.8%) sat in fourth place, with Assembler (20.8%) just behind. Once outside the top-five, the remainder hold much smaller shares, and include JavaScript (10.3%), Node.js (8.5%), Lua (7.1%), C# (5.7%), PHP (3%), Ruby (2%), R (1.8%), Go (1.8%), and Swift (1.4%). Other totaled 3.4%.

For the more powerful IoT gateways, C is far less dominant, with the top-four standing as Java (40.8%), C (30.4%), Python (29.9%), and C++ (28.1%), with Node.js in fifth-place on 17.3% and JavaScript behind it at 16.7%.

Moving up the stack and into IoT cloud solutions, Java sits in pole-position with 46.3%, followed by JavaScript (33.6%), Node.js (26.3%), and Python (26.2%). PHP took fifth-place on 16.4%, with C++ behind it with 11.6%, and then C# on 10.5%. Notably, R rose to eighth-place with 8.4% – a promising sign for the increasingly popular language.

As for the device operating systems, the Raspberry Pi’s Raspbian took first-place, with 45.5% of developers saying they used the OS in their IoT solutions. That’s a surprisingly high figure, and perhaps indicative of the early-stage scale of IoT projects that might shift over time as projects move away from the popular developer system.

Ubuntu took second-place with 44%, followed by Android in third with 21.8%, and Yocto in fourth on 14.1%. Fifth-place went to the Other section, with 12.4%, followed by non-Linux with 9.2%. Next was OpenWrt or equivalent on 9%, and uClinux took eighth-place with 3.8%. Huawei’s LiteOS accounted for just 1.7% of the responses, with Tizen behind on 1.5%, and Ostro Linux rounding out the responses with 1.1%.

Linux is used on 44.1% of constrained devices, according to the survey, which places No OS / Bare Metal in second with 27.6%, with FreeRTOS and Kontiki apparently experiencing growth. For gateways, Linux accounts for some 66.9% of devices, with Windows in second-place on 20.5% – a big jump for Microsoft’s OS, according to Eclipse.

Higher up the stack again, in the IoT Cloud Platforms, Amazon’s AWS is still the leader, with 42.7% of the respondents saying they used it. Next was Microsoft’s Azure on 26.7%, followed by Google’s Cloud Platform on 20.4%.Fourth-place belonged to Private/On-Premise clouds, with 18.4% of replies, and IBM’s Bluemix was in fifth. Eclipse notes that the Private/On-Premise has plummeted, after scoring 34.9% in 2016, potentially as a sign that the IoT Cloud Platforms are now sufficiently mature to encourage developer adoption.

While the top-three will be accustomed to occupying those top spots, IBM can take some consolation in what looks like a competitive share. GE and its Predix platform, meanwhile, sits in last place on just 5.7%, which doesn’t bode well for a system that GE has been working on for quite a while now. Notably, Don’t Know scored 11.9% and Other hit 9.1%, with None on 13.2%. Red Hat’s Open Shift accounted for 7.9%.

The final question concerned connectivity protocols at the edge, and while TCP/IP, WiFi, and Ethernet have always been the top-three responses, Bluetooth, LPWAN, and 6LoWPAN have all posted significant growth in the 2017 survey.

In last-place was Thread, the Google/Nest-backed mesh protocol for smart home devices, which grew from 1.8% in 2015, to 4.8% the next year, and now to 6.4%. UPnP has remained pretty consistent, at around 8%, but 6LoWPAN has jumped from 12.9% in 2015, to 16.2% in 2016, and now up to 21.4%.

For longer-range protocols, the LPWAN segment (no breakdown, but containing LoRa, Sigfox, and LTE-M) rose from 17.3% in 2016 to 22.4% in this year’s results, and cellular (again, no breakdown) declined slightly. Thread doesn’t appear to have cannibalized ZigBee interest, and while 2016 was a dip, ZigBee has returned to its 2015 level of interest – above Serial, LPWAN, 6LoWPAN, UPnP, and Thread.