Along with the unveiling of prototype handsets using Google?s Android mobile application development platform at the Mobile World Congress in Barcelona, came the promise — one more time– of write once, run anywhere.

And while write once, run many gives application developers a maximum market for their applications, industry experts have their doubts that Android or any other mobile solution can fulfill the promise.

Bob Egan, chief analyst with the Tower Group, points out that differentiation often takes place at the hardware level, such as optimizing battery management or display characteristics.

Anthony Meadow, principal at Bear River Associates, a leading mobile development company said the ability to achieve write once, run many depends on how the hardware and software developers do their respective work, the problem being that everyone wants to be different. “How can a hardware manufacturer differentiate their product from everybody else’s and at the same time be compatible with the standards they want to set?” he said

Making it even harder to achieve standardization is the plain fact that handset manufacturers are not standing still. New features are constantly being added. Offering music downloads, pictures, and video is practically old school. Now, handset manufacturers and the carriers are talking about new security features like embedded security credentials for a boarding pass or entry to a company, or loading loyalty cards.

“When you start thinking of taking handsets to the next level, there is a whole new set of complexities,” said Egan.

So while a cross platform mobile SDK would be welcomed by developers, especially Google, which needs to put its services on as many devices as possible in order to grow, the hardware subtleties are the things that come up to bite people, adds Egan.

Meadow at Bear River admits that if Google had a tough certification program, it would be possible to get much closer to the write once, run anywhere prize.

Google certainly has a great deal of clout in many parts of the high tech industry, but is it powerful enough to make demands on the telecommunications industry as well? Both Microsoft and Palm tried that before with very stringent certification processes for their platform. But it never really worked. “They couldn’t keep everybody in line,” said Meadow. “It was a lot more pain and trouble to get J2ME apps running on different cell phones.”

While the Open Handset Alliance [OHA] — founded by Google — is touted as the way to get many companies on board, in fact there are only four handset manufacturers who are members: HTC, LG, Motorola, and Samsung.

Tower Group’s Egan says he hasn’t seen anything out of the OHA to indicate it’s doing anything different than what has been done in the past.?

Meadow doesn’t put much faith in the clout of the OHA either. “People join everything that comes along. It is an exercise in PR to be seen as supporting this and being associated with Google,” he said.

So while a write once, run many platform is the holy grail for developers, if you look at what happened with J2ME on smartphones, there were inherent limitations in how it was implemented as a platform, and for many developers it was a lot more pain and trouble to get J2ME applications running on different cell phones than it was worth.

While both Egan and Meadow are withholding final judgment, they both say they haven’t seen enough that is different — despite that fact that this is Linux-based rather than Java — to make them feel any more positive about Android’s future success.

Developers can add another mobile open-application development platform to the mix, this time from AOL.

AOL announced on Monday that in the middle of the year it hopes to release a platform that developers can use to create applications that can run on any mobile phone. The platform will be open, so that developers can improve it as they like, said Jai Jaisimha, vice president of mobile product and technology development at AOL.

The AOL Open Mobile Platform is based on technology that AOL acquired from a company called Airmedia last year. It requires an application on the mobile phone. The program, which is so small it's comparable in size to an average graphic, works in conjunction with back-end servers that take care of converting the application to the format the device requires.

Currently, developers who want to write applications for mobile devices face a daunting task because they must customize their application for the various popular phone operating systems. "So what this platform does is eliminate the need to learn all those different platforms because you can use a device agnostic markup language," said Jaisimha. The platform uses an XML-based markup language.

Even phones that run the same operating system often have different requirements, however. The phone application from AOL already works on more than 150 handsets, and since the application is open, developers will be able to tweak it to work on any additional handsets, Jaisimha said.

Developers will be able to use AOL services as part of their applications, but they don't have to. They also have the option to use AOL's advertising platform as a way to earn revenue from their programs.

AOL's idea has benefits over some other platforms. For example, developers who write applications in the Symbian environment or who plan to write Android applications are limited to phones running those operating systems.

But AOL isn't alone in its approach. Java Micro Edition, which runs on the majority of phones, was designed to allow developers to create Java applications that run on many phones. However, Java applications still often must also be tweaked for particular handsets. Plus, phone manufacturers must license JME from Sun if they intend to alter the program at all, which most do.

AOL also faces competition in Yahoo, which recently released documentation that lets developers build mobile widgets. That means AOL will compete with it for developer attention.

In addition, AOL faces the hurdle of distributing the handset application, a notable challenge because mobile users are typically disinclined to download anything onto their phones. Because the client is so small, developers can build it into their applications, so end-users could download the client along with the application, Jaisimha said. "But we also certainly hope and expect that carriers and device manufacturers will integrate the platform into devices," he said.

AOL is now entering into talks with developers who want to begin working on the platform immediately. It will otherwise keep developers up-to-date on the availability of the platform on its developer site .

A new survey by IAG Consulting finds that among two-thirds of companies polled, it is "improbable" that an IT project will be considered an overall success due to inadequately or improperly gathered business requirements.

Fifty percent of these companies' projects could be termed "runaways," marked by at least two of these three factors: Taking more than 180 percent of estimated time to be completed, going over 160 percent of the established budget, and delivering less than 70 percent of the desired capabilities.

The other 32 percent of the companies surveyed enjoy a "probable" chance of success for IT project, according to the study, which surveyed more than 100 midsized and Fortune 1000 companies in North America.

"The numbers here came back far, far bigger than we ever expected," said Keith Ellis, vice president of IAG, which is based in the U.S. and Canada. The independent company focuses on business requirements analysis.

"One big reason that really stands out for me is that people tend to look at requirements as a document, not as a process. If you do that, you're going to fail," Ellis said. "Here's one of those cases where the means is as or more important as the end."

Good requirements analysis can ensure a project's scale is minimized, but not at the expense of meeting a business' needs, according to the study. Another hallmark sees changes to requirements occurring infrequently, because the proper level of consensus has already been reached.

The study weighed development projects, which cost at least $250,000 and involved "significant new functionality," as opposed to matters like maintenance or a rollout of new client machines. The projects consisted of either internally developed software or application implementations. Their average scope was $3 million, according to IAG.

The damage was worst when non-IT business analysts were in charge of the requirements. Those projects came in at nearly double their budgets and took more than 245 percent of their allotted time, according to IAG.

When IT workers managed the requirements analysis, the results were only slightly better, with budget overruns at 163 percent and time at 172 percent.

The best results came when business and IT worked together on defining requirements. There, budgets ran an average of 143 percent and time, 159 percent.

The study suggested many companies are working on an ad-hoc basis. More than half "did not have professional, trained staff dedicated to the function of getting requirements, and the vast majority view the process of getting requirements to be inefficient," the report states.

Companies should form a "center of excellence" for business-requirements gathering managed by both IT and business employees, the study concluded.

IAG conducted the study with the help of analyst Michael O'Neil and Info-Tech Research Group over the past several months, Ellis said.

Attackers continue to use well-worn techniques, such as SQL injection, to exploit holes in popular Web applications but have also moved on to other targets, including government sites, and newer exploit methods, such as cross-site request forgery, according to the latest report filed by the Web Applications Security Consortium.

The nonprofit industry group released the findings of its annual Hacking Incidents Database report this week, and despite the fact that cyber-criminals are still capable of using familiar means like SQL injection to victimize e-commerce sites and other transactional systems, a growing number of assailants are broadening their efforts and capabilities and going after new sets of targets, the research contends.

Based on WASC’s in-depth investigations into roughly 80 individual attacks carried out during calendar 2007, the group concludes that data theft remains the primary goal of most incidents, representing 42 percent of all the events.

Surprisingly, site defacement — thought to be a dying art in the world of profit-driven hacking — actually still accounted for 23 percent of the attacks covered in the report, followed by exploits aimed at planting malware on sites at roughly 15 percent.

And while the lion’s share of the incidents studied by the group revolved around the attempted theft of sensitive data that could be sold on the underground market or used to carry out fraud, the phishing threats of years past are increasingly becoming outnumbered by attacks that utilize malware code hidden on legitimate Web applications to victimize unsuspecting end-users, the group said.

Of all the threats studied by WASC in its report, 67 percent were designed specifically to derive some form of profit — pointing to continued growth in the professionalism of those responsible for the attacks, researchers said.

“One of the biggest issues is that so much of this activity is being delivered directly though legitimate Web sites that are being hacked,” said Ryan Barnett, a project leader at WASC who also serves as director of application security training at applications firewall vendor Breach Security, which sponsored the 2008 report.

“It used to be that as long as users didn’t go to certain Web sites they’d be safe, but obviously, that’s changing,” he said. “SQL injection still works surprisingly well, so we’re seeing plenty of those across the board, but you do also begin to see more use of things like cross-site request forgery, to which even greater numbers of sites might be vulnerable.”

SQL injection, which attempts to use security vulnerabilities occurring in the database layer of applications to compromise them, still remains a weak point in some widely-used Web systems, in particular e-commerce sites, a reality that the researcher views as surprising based on the well-established history of the technique. However, CSRF threats, which attempt to hijack authenticated Web sessions to carry out their ploys, are becoming more common, while still far less frequent than SQL injections, according to the expert. Indeed, CSRF threats accounted for only 2 percent of the incidents tracked by WASC for the 2007 report, while SQL injections represented 20 percent, the most popular format for exploit.

Unintentional information disclosure, which involves sites that emanate such detailed authentication failures that hackers may use them to find a way in, was the second most popular format for attackers to break into applications at 15 percent, followed by cross-site scripting exploits, which use malware planted on legitimate sites to subvert end-users’ machines, at 12 percent of the incidents.

In terms of the types of organizations being assailed by the attacks tracked by WASC, the group found that government agencies actually represented the largest group of targets.

Perhaps because financial services companies and retailers have improved their applications defenses, hackers have moved on to the government set as well as educational institutions, the report contends.

Some 29 percent of the incidents covered in the report targeted government agencies, followed by education at 15 percent, and retailers and media outlets tied at 12 percent.

In addition to attempts to steal data, WASC contends that government agencies may also be getting hacked by parties looking to embarrass or disable the organizations’ sites based on ideological goals. Because government agencies are forced to report more of their security incidents publicly, hackers may merely be trying to force the organizations to admit that they have been exploited in public, the researchers said.

Microsoft said its $44.6 billion offer to purchase Yahoo is "fair" and hinted that it may pursue a hostile takeover of the Internet company, according to a statement Microsoft made Monday in response to Yahoo's formal rejection of its buyout offer.

In a statement, Microsoft said it's "unfortunate" that Yahoo "has not embraced" its proposal to combine the two companies, and the rejection of the offer "does not change our belief in the strategic and financial merits of our proposal."

The company also hinted that it may take the offer directly to Yahoo's shareholders, a move that could result in a hostile takeover.

"As we have said previously, Microsoft reserves the right to pursue all necessary steps to ensure that Yahoo's shareholders are provided with the opportunity to realize the value inherent in our proposal," Microsoft said in its statement.

Earlier Monday, Yahoo formally rejected Microsoft's bid to acquire the company in a half-stock/half-cash purchase, saying it undervalued Yahoo.

On Feb. 1, Microsoft offered to pay $31 per share for half of Yahoo's outstanding shares in cash — about $22.3 billion — and 0.9509 of a Microsoft share for the other half. Microsoft's half-cash/half-stock offer to Yahoo was valued at about $44.6 billion at the time it was made; Yahoo's share price was $19.18 at the time.

However, since then Microsoft's stock has gone down while Yahoo's has risen, making the deal, under its current terms, worth less than when it was originally offered. This led to speculation that Yahoo might look for other suitors; the company is reportedly looking for about $40 per share. Yahoo's share price closed at $29.87 Monday; Microsoft's closed at $28.21.

Some have speculated that Microsoft would raise its offer to the company to about $35 per share — about midway between its original offer and Yahoo's target price — but in its statement on Monday, the company seemed adamant about keeping the offer as it stands.

"We are offering shareholders superior value and the opportunity to participate in the upside of the combined company," Microsoft said. "Based on conversations with stakeholders of both companies, we are confident that moving forward promptly to consummate a transaction is in the best interests of all parties."

Microsoft's offer to purchase Yahoo is an attempt to join forces and improve both companies' positions against Google in online advertising and services. However, many questioned both the logistical complexity and cultural differences involved in combining the companies, and there are fears that it will thwart rather than help their efforts to compete with Google.

Yahoo is reportedly in talks with both AOL and Google to try to avoid being acquired by Microsoft. Analysts said Monday that Yahoo's initial rejection of the offer is more of an attempt to elicit a higher bid — either from Microsoft or another company. If none comes, the company might decide in the future to accept Microsoft's offer as it stands, they said.