Password Managers Relieve Password Headaches

Passwords Are a Hassle

I’ll be the first to admit I can’t remember all my passwords. Most of us can’t, so we pick a few passwords that are easy to remember and then use them with multiple sites. This results in two immediate problems. First, passwords that are easy to remember are typically also easy to guess. Second, a compromised password is a risk to every site where it has been reused. A password manager can help with both of these problems since it can generate a secure and unique password for each site, but only requires that you remember a single password to unlock the database. While it is possible to create passwords that are secure and memorable, it is more difficult to do this with the significant number of passwords we frequently use in modern life. I detailed some additional problems with passwords in the previous articles Your NYE Resolution—Pick Better Passwords and Data Evaporation and the Security of Recycled Accounts. I find that a password manager with solid browser integration is well worth the initial setup time and expense.

While there are many good options, my password manager of choice is 1Password from AgileBits, which is available for Mac OS X, Windows, iPhone, iPad, and iPod Touch. I consider it an indispensable tool and I use it daily both on my desktop and my phone. 1Password integrates with many popular browsers, which makes logging into web sites faster and more convenient. The application allows me to easily switch between multiple browsers and multiple devices without worrying about which browser I might have saved a particular password in.

When I first looked at 1Password in 2006, I thought there was no way I would be willing to pay for it since all modern browsers ship with password management functionality. Shortly after I started testing the application I found it so convenient that I changed my mind and purchased it. Nearly six years and many major upgrades later, I have no regrets. I have nearly eight hundred logins saved in 1Password. Even though I regularly clean out duplicates and entries for dead services, this is still a ridiculous number of accounts. Look at it this way: I test services so you don’t have to.

We All Forget Passwords

A 2007 paper A Large-Scale Study Of Web Password Habits of more than half a million users found that about 1.5% of all Yahoo! users forgot their password each month. Yahoo Mail alone has more than 200 million accounts, so this is a significant number. The authors found that the “average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day.”

Complicated Passwords and Compact Keyboards Don’t Mix

The current crop of smartphones ship with highly capable browsers, but entering lengthy passwords on a phone keyboard is even more error prone and frustrating than on the desktop. Here again, a password manager can reduce the complexity of entering many different password strings on a mobile device. The application allows you to create a password optimized for a mobile keyboard, and possibly simplified, that protects your longer, more complex passwords and notes. This is of course a security tradeoff.

Mobile Safari on the iPhone and iPad does not permit plugins, so the 1Password application on iOS devices embeds a browser that is able to offer the automatic login feature. I prefer the default browser, but unfortunately there is no option for direct integration. The 1Password bookmarklet makes it relatively quick to look up an entry in the database and then copy and paste long passwords, which is far easier than trying to type them in by hand.

Other Advantages of 1Password

I regularly use multiple browsers. I also frequently delete my cookies and browser settings when I test services. This would typically cause a nightmare of needing to re-authenticate to each web site where I deleted the cookies. Since all of my login information is stored in 1Password rather than the browser, I don’t have to care about which browser I am currently using or even if my cookies still exist.

Since 1Password is also a general form filler, it can cope with login forms that have partial entries or multiple stages. For example, many services require that users re-enter their password to access account management features even if they are already logged in. This prevents another person who simply walks up to your unattended computer from viewing or making changes to billing information, email forwarding, and passwords. In most cases, 1Password is able to treat these re-authentication sign in forms exactly like a standard sign in form.

Some sign in forms are multi-stage, where the login process is split across several forms. For example, many online banks use multi-stage sign in forms. In the first stage, the user enters a username and their browser must acquire a cookie from the bank. If the user does not already have a cookie from a previous session, the user must enter a second authentication factor, such as responding to a text message with a unique code or entering the code from a hardware token. Next, on a second form on a separate page, the user enters a password.

In cases where 1Password is confused by multiple stage forms, the workaround for this type of site is to simply make two separately named entries in 1Password. For example, the first entry would contain the username and the second entry would contain the password. The user must go through the full sign in process the first time, completing the two-factor authentication process to receive a cookie from the bank, and create a 1Password entry for each step in the form. Each subsequent login to the bank will be treated like all other sites and can be automated with the auto-login and auto-submit features.

Here is a small laundry list of other features I regularly use and appreciate about 1Password.

  • General form saving support. 1Password can save and replay many kinds of web forms, which is a useful feature if you find yourself filling out the same information over and over again.
  • Support for “identities” where the application stores commonly used bits of information such as name, email, phone number and can populate this information into many types of forms with little effort.
  • Basic anti-phishing protection since by default 1Password will only post usernames, passwords, and other forms back to the same domain name as the original.
  • The application can generate random passwords with several different templates that will satisfy most password requirements.
  • In addition to usernames, passwords, forms and identities, 1Password also supports encrypted notes.
  • The Mac OS X desktop application will sync over the local wired network and WiFi to iOS devices.
  • 1Password will sync with Dropbox for all desktop and mobile applications, including Windows and Android.

Limitations of 1Password

There are several important limitations with 1Password. The application cannot handle login forms built with Adobe Flash. Previous generations of 1Password supported login forms with HTTP basic authentication; however, the new plugin architecture for Safari and Chrome does not offer support for HTTP basic authentication. AgileBits says it is working on a solution for Firefox.

The features of the Windows version of 1Password are not quite yet on par with the Mac version; for example, it only supports 32-bit Internet Explorer, 32-bit Firefox, Chrome, and Safari. That said, this covers most browsers that users need.

Pricing

1Password for Mac and 1Password for Windows cost $49.99. 1Password Pro, available for iPhone, iPad, and iPod touch, is $14.95.

1Password Bookmarklet Gone Missing

If you are a frequent 1Password user, particularly on iOS devices, you may have noticed that AgileBits discontinued support for the 1Password bookmarklet, which was the best option for integrating with Mobile Safari rather than the integrated browser in the application. Fortunately, Kevin Yank and * have produced a working 1Password bookmarklet. I have reproduced it here:

javascript:window.location='onepassword://'+window.location.href.substring(window.location.href.indexOf('//')+2)

You should follow me on Twitter.

How and Why to Sniff Smartphone Network Traffic

Smartphone Network Connection Monitoring

Tools for monitoring and modifying connections between web browsers and web servers are essential for debugging, testing, optimizing performance, and assessing vulnerabilities of web-based applications and native applications. Developers, security professionals, and anyone with an interest in gaining insight into the lower levels of web traffic commonly use these tools.

There are many mature options for monitoring connections from desktop machines. Unfortunately, there are fewer tools to monitor connections on smartphones, and these tools often require more complex configurations, as the monitoring software must run on a separate device. In this article, I present an overview of tools and methods for monitoring network connections on smartphones, including devices based on Apple’s iOS (iPhone, iPod Touch, iPad), Google’s Android OS, BlackBerry OS, and Symbian. This article focuses on inspecting HTTP and HTTPS traffic, although many of the tools and techniques described work equally well to analyze other protocols.

This article is the first part in a series. The articles in the series include:

  • An overview of the tools and techniques for monitoring smartphone network connections
  • Pros, cons, and limitations for monitoring smartphone network connections
  • Network monitoring for security analysis and self-defense

Why Monitoring is Useful

Potential use cases for monitoring HTTP and HTTPS traffic–the two primary protocols of the Web:

  • Inspecting network traffic often simplifies debugging AJAX XMLHttpRequest requests, compressed content encoding, and cookies.
  • Network connection details such as number of HTTP requests, DNS lookups, cache hits are also valuable for optimizing web application performance.
  • In addition to monitoring, many tools allow modifying requests and responses to simulate valid and invalid user input when testing applications for vulnerabilities.
  • Network monitoring is an effective way to verify that a smartphone application securely handles user authentication and identify any inappropriate transmission of personally identifiable information such as unique identifiers and location.
  • Inspecting and modifying network traffic is essential for security analysis, for example when searching for Cross Site Scripting (XSS), SQL injection, and path traversal vulnerabilities.

Types of Monitoring Tools

Common network monitoring tools come in four major varieties: browser-based development tools, general purpose packet sniffers and network protocol analyzers, specialized HTTP/HTTPS sniffers, and specialized web proxies for debugging and security analysis.

Each type of tool has advantages and disadvantages, but there is no requirement to use a single type, and combinations of tools may offer more power and flexibility. This list is in no way comprehensive; there are many specialized and hybrid tools for monitoring connections.

Two LiveCD Linux distributions contain a large number of tools optimized for penetration testing, a subset of which is useful for network connection monitoring. BackTrack Linux is a very well-regarded distribution. AppSecLive, the OWASP Live CD Project–soon to be known as the OWASP Web Testing Environment (WTE)–is another respected collection.

The Top 100 Network Security Tools list from SecTools.org provides a larger list.

Configurations for Monitoring

I’ll talk more about the constraints and pros and cons for each option in the second piece of this article, but briefly here are several potential configurations for monitoring.

  • Simulators allow the simplest configurations where the simulator and the monitoring software run on the same machine and share a common network interface.
  • Web proxies are a convenient option, as all modern browsers support them and they only require a small change in the browser settings rather than a change in the network configuration.
  • Ad-hoc networks combined with internet connection sharing are one method to gain access to traffic. If the network monitoring host is located between the mobile device and the internet, it will typically require two network interfaces, usually one wired and one wireless.
  • Network hubs are one method to work around the problems with common switched network configurations.

Limitations for Monitoring

There are significant constraints for monitoring network connections. I’m specifically talking about WiFi-based traffic and not cellular traffic. Monitoring cellular traffic is substantially more complicated and requires specialized equipment. In nearly every case, all important web-related traffic will travel over WiFi if the cellular data connection is disabled on the device.

Limited software is one constraint. For example, there is currently no way to run Webkit Web Inspector, Firebug or LiveHTTPHeaders directly on a smartphone. Limited networking options add another constraint as well as added complexity to the monitoring configuration. Typically, smartphones must communicate over wireless connections rather than wired connections, which eliminates some options for monitoring network traffic. Most modern network hardware is switched, which further limits the ability to access the traffic, even when an access point is plugged into a wired network. Additionally, wireless access points protected by WPA/WPA2 encryption employ per-user keys, so the difficulties in sniffing are similar to those on switched networks.

Finally, monitoring connections encrypted with SSL/TLS also requires more complex configurations. The most straightforward option involves adding a new Certificate Authority to the trusted list in the browser. This effectively creates a man-in-the-middle attack for the browser that allows decryption of the HTTPS traffic. The browser will produce a series of warning messages, but it will be possible to view the encrypted traffic.

Why Pinboard is My Favorite Bookmarking Service

Pinboard is a bookmarking service that allows you to easily save, tag, annotate, share, and archive bookmarks independent of your browser. Pinboard describes itself as “antisocial bookmarking,” which highlights its capabilities as a private and personal archiving tool compared to the social features offered by Yahoo’s Delicious service. I find Pinboard a simple, fast, and reliable way for me to save bookmarks and archive web pages for future reference. I have been happily using the service for nearly five months (Update: a year) and recommend it highly.

Pinboard has become a part of my everyday online reading experience, as I use it to archive both a bookmark and the full text of any article I found interesting or that I plan to read later. My primary use of Pinboard is as a personal archive rather than a public bookmark sharing service, and I prefer it to Yahoo’s Delicious bookmarking service, although Pinboard has fewer options for sharing and tag management. For example, it does not support the Delicious style of aggregating multiple tags in tag bundles or the ability to share a bookmark with a specific user.

To start using the service, simply drag one of the Pinboard bookmarklets into your browser bookmark bar. The first style of bookmarklet opens either a new page or a popup window that allows you to edit the URL, title, description, tags, and optionally mark the bookmark as private or “to read”. I use the second style of bookmarklet, which Pinboard calls “read later.” This bookmarklet saves the page, automatically marks it as read later, and returns you to the place on the page where you left off without opening a new window or a popup. The “to read” status allows you to quickly build up a reading list without interrupting your workflow.

You can aggregate links posted to multiple services by configuring Pinboard to watch for links in your Twitter posts, Twitter favorites, or pages saved to Instapaper, Read It Later, Delicious, and Google Reader. You can easily save links from a BlackBerry or iPhone using a private email address from Pinboard. I find the ability to centralize my bookmarks from multiple services very convenient. Pinboard automatically expands any shortened links and stores the original URL. Full text search on Pinboard includes the title, description, tags, and notes, but not the text contained in the pages themselves. Pinboard also allows you to narrow the results of queries by public vs. private status, starred status, and the source, e.g. Twitter.

Pinboard offers a single paid add-on that will archive the entire page, HTML, CSS, and images for each bookmark you save. You can then view the snapshot of the page, even if the original disappears. The cost for this is $25 a year minus your original sign-up price. Pinboard recently introduced a feature where all users can download an offline copy of the last 25 URLs saved. The developer says that he plans to eventually allow users to download their entire archive.

Pinboard offers multiple ways to import and export data, including a format compatible with Delicious. Pinboard offers both public and private RSS feeds of bookmark data, including tag-based feeds. The Pinboard API is compatible with the Delicious API. This means that any application that uses the Delicious API should work with Pinboard by simply changing the URL of the API endpoint. Unfortunately, most bookmarking applications do not allow end users to change the API endpoint URL and few directly support Pinboard. On the Mac, both the Delibar ($18) and Pukka ($17) desktop applications support Pinboard. The best solution for mobile devices is to use the mobile web version of Pinboard. Update: The Delibar touch application for the iPhone and iPad ($1.99) works with both Pinboard and Delicious. I recommend it.

Overall, Pinboard is an excellent option for storing and archiving bookmarks and I recommend it highly. The service is not free. Currently the price to join is $6.38 (Update: $7.41) and the cost increases by a fraction of a cent for each new user. I like this pricing model as it is inexpensive and allows the developer to support the service without ads and without taking external funding. This leaves the service with a smaller but more active user base and, more importantly, almost no spam. Recent Pinboard releases have improved bulk editing capabilities, but it is not currently possible to add or remove tags on a set of items returned from a search of your own bookmarks. Hopefully, the developers will eventually add this feature, as it would make it possible to quickly and easily organize large numbers of uncategorized bookmarks. Update: The developers added this functionality. Tag management is now far more flexible.

If the idea of social bookmarking seems foreign or the benefits do not seem clear, I highly recommend taking three minutes to watch the short and entertaining animated video Social Bookmarking in Plain English by Common Craft. What is Antisocial Bookmarking? is a nice post on the Pinboard blog by Maciej Ceglowski, the founder of Pinboard, explaining his reasons for creating the service.

* This article originally appeared as Why Pinboard.in Is My Favorite Bookmarking Service in my Messaging News “On Message Column.”

Update 2010-12-16 Mentioned feature additions, Delibar touch support, and price update.


iPhone Screenshot and Photo Smart Album Hack

I take a lot of screenshots when I research products, both on the desktop and on the iPhone, so having some way to automate organizing my collection is important. The problem is that screenshot images taken with the iPhone have no EXIF metadata. This means there is no straightforward way to produce a list of all your screenshots.

After a little bit of experimentation, I found a workable but not ideal solution. You can use the lack of EXIF metadata as the conditions to group all the images. Screenshots are saved as PNG files on the original iPhone and the iPhone 3GS (the two models I had access to) and have no EXIF records. The only other metadata fields available are filename, file size, and the modified and imported dates. The PNG extension in the filename is the one existing feature you can search for; all others have to be unknown. I selected two features, aperture and ISO, even though one would work, in the hope that this would reduce any false positives.

A Smart Folder recipe for iPhone Screenshots

  • Match all of the following conditions
  • Aperture is Unknown
  • ISO is Unknown
  • Filename contains PNG

(Image: iPhone Screenshot 3 Item Smart Folder.png)

Photos taken on the iPhone are saved as JPEGs and contain EXIF metadata. The iPhone 3GS embeds many more fields than the original iPhone. The easiest feature to select is “Camera Model.” The field type must be “is” or “is not”; there is no option for “contains”, so you will have to specify each phone separately.

A Smart Folder recipe for iPhone Pictures

  • Match any of the following conditions
  • Camera Model is Apple iPhone
  • Camera Model is Apple iPhone 3GS

(Image: iPhone Pictures Smart Folder.png)

Searching for Screenshots from the command line

All iPhone screenshot images have a width of 320 pixels and a height of 480 pixels, in portrait or landscape. It is possible to search for these files using the Spotlight command line tool mdfind and integrate them into other scripts. There are many other options for searching for images with the full Spotlight syntax, and it is possible to execute these as Raw Queries in the Finder or use a Spotlight front end such as HoudahSpot, but that is a topic for another post.

mdfind -onlyin "$HOME/Pictures" \
  'kMDItemKind == "Portable Network Graphics image" &&
   kMDItemPixelHeight == 480 && kMDItemPixelWidth == 320'
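The same dimension test can be made without Spotlight by reading the PNG header directly, which makes the screenshot search portable to any platform. This is an added example and not code from the original post; it accepts both 320×480 and 480×320 (the landscape case the text mentions, which the query above does not match), and the sample PNG bytes are constructed inline rather than read from disk.

```javascript
// Added example: classify files as iPhone screenshots from the PNG IHDR chunk
// (the first chunk of every PNG), which carries the pixel width and height.
// No files are read; sample headers are constructed by makePngHeader() below.

const PNG_SIGNATURE = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];

// Return { width, height } from the IHDR chunk, or null if the bytes are not a PNG.
function pngDimensions(bytes) {
  // Signature (8) + IHDR length (4) + type (4) + width (4) + height (4) = 24 bytes minimum.
  if (bytes.length < 24) return null;
  for (let i = 0; i < 8; i++) {
    if (bytes[i] !== PNG_SIGNATURE[i]) return null;
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  // Bytes 8..11 hold the chunk data length, always 13 for IHDR; 12..15 hold the type.
  if (view.getUint32(8) !== 13) return null;
  const type = String.fromCharCode(bytes[12], bytes[13], bytes[14], bytes[15]);
  if (type !== "IHDR") return null;
  // PNG integers are big-endian, which is DataView's default.
  return { width: view.getUint32(16), height: view.getUint32(20) };
}

// Original iPhone and iPhone 3GS screenshots are 320x480 pixels, in either orientation.
function isIphoneScreenshot(bytes) {
  const d = pngDimensions(bytes);
  if (d === null) return false;
  return (d.width === 320 && d.height === 480) || (d.width === 480 && d.height === 320);
}

// Given [{ name, bytes }] entries (the equivalent of a folder listing), return the
// names that are iPhone screenshots, the role the mdfind query plays above.
function findScreenshots(entries) {
  return entries.filter((e) => isIphoneScreenshot(e.bytes)).map((e) => e.name);
}

// Build a minimal PNG header (signature + IHDR) for testing. Constructed data only:
// the CRC is left as zero, so this is enough for pngDimensions() but not a viewable image.
function makePngHeader(width, height) {
  const out = new Uint8Array(8 + 4 + 4 + 13 + 4);
  out.set(PNG_SIGNATURE, 0);
  const view = new DataView(out.buffer);
  view.setUint32(8, 13);                    // IHDR data length
  out.set([0x49, 0x48, 0x44, 0x52], 12);    // "IHDR"
  view.setUint32(16, width);
  view.setUint32(20, height);
  out[24] = 8;                              // bit depth
  out[25] = 6;                              // colour type: RGBA
  // bytes 26..28 (compression, filter, interlace) and 29..32 (CRC) stay zero
  return out;
}

// Constructed sample folder: two screenshots, one camera-sized image, one non-PNG file.
const SAMPLE_FOLDER = [
  { name: "IMG_0001.PNG", bytes: makePngHeader(320, 480) },
  { name: "IMG_0002.PNG", bytes: makePngHeader(480, 320) },
  { name: "IMG_0003.PNG", bytes: makePngHeader(1600, 1200) },
  { name: "IMG_0004.JPG", bytes: new Uint8Array([0xff, 0xd8, 0xff, 0xe1, 0, 0, 0, 0]) },
];
```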

Great iPhone and iPad Apps for Reading and Sharing Docs

Instapaper, Dropbox, GoodReader, and Simplenote are my favorite applications for reading, writing, and sharing documents on the iPhone and the iPad. I have used each application for more than six months and I highly recommend all of them.

Instapaper

The Instapaper application makes it simple and pleasant to read lengthy articles on your mobile device. Instapaper is optimized for the type of articles where you find yourself starting in your browser and thinking, “I’d rather read this later”. The application automatically loads any new content from the Instapaper Web service, which reformats Web pages for small screens and strips away unnecessary elements. The service provides an experimental option to save pages formatted for the Kindle as well.

There are multiple ways to save content to the Instapaper service including a bookmarklet, email, or applications that integrate Instapaper directly. The “Read Later” bookmarklet is compatible with most desktop browsers, mobile browsers and Google Reader. Each Instapaper user receives a unique email address that will import included links and text. Many iPhone and iPad RSS feed readers, Twitter clients, and social bookmark clients support saving links to Instapaper directly. The Instapaper service allows sharing of individual articles via email, Tumblr, and several Twitter clients.

Instapaper is available in two versions, a free ad-supported version with a limit of 10 articles, and a $5 (USD) pro version with a 250-article limit. The pro version includes additional features, such as background updating, folders, remembering the last read position, tilt scrolling, multiple font options, and disabling rotation. I find that the pro version is well worth the price.

Dropbox

In a crowded market of Web-based consumer storage services, Dropbox is popular and widely praised. The minimal user interface of the desktop application is one reason for its popularity. When I say minimal user interface, in most cases I mean non-existent. This is the beauty of Dropbox. After installing the application, Dropbox appears as a folder on your desktop. The folder is essentially magic. Any files in the folder are automatically synchronized to all other machines where you have Dropbox installed. Mobile Dropbox clients synchronize with the server upon launch. In my experience, it just works, and this is high praise. Dropbox is fully accessible via a Web interface for devices without an installed Dropbox client. Dropbox saves any revisions to your files for 30 days by default. These revisions are only available via the Web interface and do not count against your storage quota.

Working with shared files on Dropbox is as easy as working with files on the desktop. Shared files and folders are synchronized with all authorized users’ accounts. My only real complaint is that sharing must be configured from the Dropbox Web interface rather than a Dropbox client, which is not intuitive. Access control for sharing is based on email addresses and can only be configured via the Dropbox Web interface. It is important to recognize that any shared files count against the storage quota for all shared accounts. Each user’s Dropbox folder has a public directory—any files placed in that directory become publicly accessible without access control. The mobile Dropbox client can generate links and can be used to share individual files with any email address. Be careful: the mobile links can also share private files, and currently there is no way to revoke access.

Another reason for Dropbox’s popularity is its broad platform support. Mobile clients for Dropbox are available for the iPhone, iPad, and Android devices. A BlackBerry version is in development. Desktop clients are available for Mac, Windows, and Linux. All Dropbox clients are free. The mobile Dropbox client takes advantage of the document viewers that are part of iPhone OS to open files directly. Supported formats include plain text, RTF, Microsoft Office documents, iWork documents, PDFs, Web pages, images, music files, and videos. Dropbox only supports viewing files; files must be edited with another application.

Some mobile applications such as GoodReader can read and write files from the Dropbox service, although the process is a little convoluted. Dropbox recently added a new mobile API to allow iPad applications to easily save files to a Dropbox account. Saving files to Dropbox is far easier with the most recent version of the GoodReader iPad application due to the new APIs. Even better, the Dropbox iPad application allows you to open files directly in other applications. Hopefully the iPhone Dropbox application will gain this functionality with the next major version of iPhone OS.

Dropbox is a subscription service that uses the Amazon Simple Storage Service (S3) for the backend store. A free account is available with 2 GB of storage. There are two paid upgrade options—a 50 GB option for $10 (USD) a month or $100 (USD) a year and a 100 GB option for $20 (USD) a month or $200 (USD) a year. Paid accounts can optionally save file revision history forever.

GoodReader

GoodReader works well with long and complex PDF documents. I have used it to read PDFs that are several hundred pages long without a problem. The iPhone and iPad support PDF files natively, but navigating long documents is cumbersome as there is no support for jumping to a specific page, for using PDF bookmarks and outlines, or for searching PDF files. GoodReader supports navigation to specific page numbers, PDF bookmarks and outlines, and full text and bookmark-based search. The application includes a night mode for reading in the dark and an autoscroll mode for reading long files without having to manually select the next page.

GoodReader’s support for text files includes a number of features not available in the native viewer, including the ability to edit text files and reflow text when the font size changes or the device is reoriented. One feature, called PDF Reflow, extracts plain text from PDF files and displays it in GoodReader’s text file viewer so it can be reflowed, copied to the clipboard, or edited. PDF Reflow should not be confused with accessible PDFs, which are sometimes called reflowable PDFs.

GoodReader supports file transfer over WiFi in addition to many storage services, including POP and IMAP email servers, WebDAV servers, Apple’s MobileMe, Dropbox, Box.net, Google Docs, and FTP servers. There are two versions of GoodReader for the iPhone. The standard version is $0.99 (USD). Access to POP and IMAP email servers, Google Docs, and FTP servers each requires a $0.99 (USD) in-app upgrade purchase. GoodReader Light includes all available types of server access and is available for free on the iPhone; however, it is limited to storing five files. GoodReader for the iPad is currently on sale for $0.99 (USD) and includes all available types of server access.

Simplenote

Simplenote is a note taking application for the iPhone and iPad that automatically synchronizes with the Simplenote Web service. The application has a basic feature set, but it works very well and is easy to use. Notes are stored as plain text and can be forwarded as email messages or deleted individually. Unfortunately, there is no mechanism to work with multiple notes at once. The built-in search is fast and searches incrementally as you type to quickly narrow down the list of notes matching the search term. Options include changing the sort order, preview, link detection, and display of file modification dates. If the user has installed TextExpander, snippets will expand automatically. All notes can also be viewed or edited in any Web browser using the Simplenote Web service.

Currently, support for the iPad is limited to the same feature set as the iPhone aside from running in full screen mode. The developer plans to add additional iPad specific features shortly. The Simplenote API enables synchronization with multiple desktop applications including Notational Velocity—a simple, fast, stable note taking application for Mac OS X. This means I can create notes, make changes or additions either on the desktop or my iPhone and they are automatically synchronized. I am very happy with the setup.

Simplenote is free and ad-supported. A $9 (USD) a year premium add-on removes ads, provides an automatic backup, an RSS feed, the ability to create notes by email, access to beta versions, and prioritized support.

* This article originally appeared as Great iPhone and iPad Apps for Reading and Sharing Docs in the May 2010 issue of Messaging News.

Preparing Your Site for the iPad

The Apple iPad does an excellent job of displaying most web sites. However, there are a few obstacles you may want to avoid. There are also a few customizations that will make your site look even better on the iPad. I will summarize the most important issues you should start to plan for and the differences between the iPad browser, the iPhone browser, and desktop browsers. As an added benefit, most improvements made for the iPad will also benefit users with an iPhone or an iPod Touch. There is a list of resources to find more information and a list of tools to help you test your site at the end of the article.

Differences in Mobile Safari on the iPad

The primary differences you should account for first are:

  • No support for plugins such as Adobe’s Flash or Sun’s Java for ads, navigation, and multimedia
  • The fixed viewable screen size (viewport) may affect your layout
  • The touch screen is the primary means of interaction and offers different modes of user control

Unlike most desktop browsers, the iPad does not support plugins such as Flash or Java. Any navigation elements, embedded audio and video, or banner ads written in Flash or Java will not appear. Based on public statements, Apple is unlikely to support either language in the future. This means you will need to provide alternative or fallback navigation elements and multimedia embedding options. Apple’s official recommendation is to avoid plugins entirely and use HTML5 elements across your site. Navigation elements may be implemented with standard AJAX techniques. If your revenue depends on banner advertising delivered via Flash or Java, you will need to make some changes. If your ad server supports mobile devices, you can turn this on for iPad users. An alternative is to treat mobile users the same as email campaign advertisements. Today at the iPhone OS 4.0 press event, Apple announced its own mobile ad platform and ad network called iAd, implemented entirely in HTML5. The mobiThinking Guide to Mobile Advertising Networks in the references surveys most of the available mobile ad network options.

The standards and implementations of HTML5 audio and video tags are still evolving and making your content available in all browsers is still complicated. Supporting HTML5 H.264 encoded video with a fallback to Flash for browsers that do not support it is likely your most straightforward solution. In the references, I have linked to some of John Gruber’s articles on H.264 and Flash that explain the problem in more detail. Video for Everybody from Camen Design and the upcoming SublimeVideo from Jilion are two options for hosting HTML5 friendly video on your site.

The iPad has a 9.7-inch touch-sensitive screen, a fast processor, and fast network connectivity. It provides a web browser experience that is much closer to the desktop experience than a smartphone does. This means you should avoid sending iPad users to versions of your site optimized for mobile phones if you are sniffing for iPhone or mobile user agents. If you look at the user-agent strings for the iPad and the iPhone, you will notice that the iPad user-agent lists “like Mac OS X” rather than “iPhone OS.” Both browsers include “Mobile” in the user-agent string, so matching on that token alone will misclassify the iPad. Most browsers have mechanisms to change the user agent string. I’ve listed some of these in the references.

The current version of iPhone OS (version 3.1.3) uses the following user agent string (line artificially wrapped):

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us)
    AppleWebKit/528.18 (KHTML, like Gecko)
    Version/4.0 Mobile/7E18 Safari/528.16

While the iPad with iPhone OS 3.2 uses the following user agent string (line artificially wrapped):

Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us)
    AppleWebKit/531.21.10 (KHTML, like Gecko)
    Version/4.0.4 Mobile/7B367 Safari/531.21.10

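The following is an added example, not code from the original article: a small classifier that tells the two user-agent strings quoted above apart so that iPad visitors are served the full layout while iPhone and iPod Touch visitors get the phone layout. It looks at the first token of the parenthesised platform section rather than at the “Mobile” token that both strings share. The desktop Safari string is constructed for contrast and is an assumption, as are the function names.

```javascript
// Added example: classify User-Agent strings so iPad users are not sent to
// a phone-optimized site. The iPhone and iPad strings are the ones quoted in
// the article; the desktop string is constructed for contrast.

const SAMPLE_IPHONE_UA =
  "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) " +
  "AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16";

const SAMPLE_IPAD_UA =
  "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) " +
  "AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10";

// Constructed desktop Safari 4 string (assumption, not from the article).
const SAMPLE_DESKTOP_UA =
  "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) " +
  "AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10";

// Return the platform section inside the first pair of parentheses,
// e.g. "iPad; U; CPU OS 3_2 like Mac OS X; en-us".
function platformSection(ua) {
  const m = ua.match(/\(([^)]*)\)/);
  return m ? m[1] : "";
}

// Classify as "tablet", "phone" or "desktop". The device token is checked
// before the shared "Mobile" token, which is what makes the iPad distinct.
function classifyUserAgent(ua) {
  const tokens = platformSection(ua).split(";").map((s) => s.trim());
  const device = tokens[0] || "";
  if (device === "iPad") return "tablet";
  if (device === "iPhone" || device === "iPod") return "phone";
  // Other Mobile WebKit browsers still carry the "Mobile" token.
  if (/\bMobile\b/.test(ua)) return "phone";
  return "desktop";
}

// Only phones get the reduced layout; tablets and desktops get the full site.
function pickSiteVariant(ua) {
  return classifyUserAgent(ua) === "phone" ? "mobile" : "full";
}

// Extract the iPhone OS version ("3.1.3", "3.2") or null if the string is
// not from an iPhone OS device. Both quoted strings use "OS x_y like Mac OS X".
function iphoneOsVersion(ua) {
  const m = ua.match(/\bOS (\d+(?:_\d+)*) like Mac OS X/);
  return m ? m[1].replace(/_/g, ".") : null;
}

// Stand-alone run: print the decision for each sample string.
for (const ua of [SAMPLE_IPHONE_UA, SAMPLE_IPAD_UA, SAMPLE_DESKTOP_UA]) {
  console.log(classifyUserAgent(ua), pickSiteVariant(ua), iphoneOsVersion(ua));
}
```

User-agent sniffing is brittle by nature, since users and proxies can change the string at will (the tools section below relies on exactly that), so treat the result as a layout hint and never as a security decision.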
The iPad viewport is set to 980 pixels wide. In portrait mode the iPad screen is 768 pixels wide, but the content will be scaled as though it were 980 pixels wide. If you have content wider than the viewport that uses fixed CSS positioning, that content may end up off screen, and your users will not see it since they cannot resize the window in Mobile Safari.

Users control the iPad with a multi-touch interface and a touch screen keyboard. The “Apple iPhone Human Interface Guidelines: Introduction” is a great document for starting to think about multi-touch user interaction, as the metaphors and modes of physical interaction differ. For example, scrolling is controlled by a flick action rather than a mouse, and a pinching action controls how a page scales up and down.

There are other issues, some of which Apple may resolve in a future update. In John Gruber’s review of the iPad, he points out that often only a single page is held in memory at one time, because subsequent pages often take all the memory available for web pages. This means that you could lose form data on a page that you have not submitted if you open another page. The memory problem could also appear on AJAX heavy pages.

iPhone OS User Base

Apple announced the iPad at the end of January and released specifications, documentation, and a software development kit (SDK) to paid members of the iPhone developer program under a non-disclosure agreement. The WiFi only model of the iPad began shipping this week and Apple released the SDK to everyone registered in the Apple Developer Program. Apple announced that it sold more than 300,000 iPads on the first day and more than 450,000 as of April 8th. The iPhone OS platform user base is significant. Steve Jobs announced that there were 75 Million iPhones and iPod Touch devices running iPhone OS at the iPad launch in January. Apple’s 2010 Q1 filing said that it had sold more than 42 million iPhones total. Today at the iPhone OS 4.0 launch Jobs announced that there were 85 million iPhone OS devices.

Mobile Safari on the iPad uses the open source WebKit rendering engine, as do the iPhone and iPod Touch. Testing your site with the WebKit rendering engine is now essential. Desktop versions of the Safari browser, Google’s Chrome browser, all iPad, iPhone, and iPod Touch devices, Android devices, Palm webOS devices, and Symbian Series 60 (S60) devices use WebKit. RIM has stated that future BlackBerry devices will use WebKit. This means that every major smartphone browser aside from Windows Mobile will be WebKit-based in 2010.

Testing Your Site on the iPad

Testing your site directly on an iPad is the only way to guarantee that your experience will match that of your visitors with iPads. There are numerous reports by developers of minor differences between an actual iPad and the iPad in a simulator.

However, next to owning an iPad, the iPhone simulator comes closest to rendering your site as an iPad would. The iPhone simulator that ships with the iPhone SDK 3.2 has an iPad mode under the device option. Anyone can register as an Apple Developer for free and then download the SDK. The iPhone SDK includes the Xcode development environment and is nearly a 2.5 gig download. It also only works on Mac OS X 10.6.2 (Snow Leopard) or higher.

The paid iPhone Developer Program is $99 a year. The subscription allows developers to submit native iPhone and iPad applications to Apple’s App Store. Apple also allows paid developers early access to upcoming versions of its SDK such as the iPhone OS 4.0 SDK announced today.

iPad Peek by Pavol Rusnak is a web service that allows you to see what your web site will look like on an iPad. It is free and the source code is available under an open source license. Three things will make your experience with iPad Peek closer to that of an actual iPad.

  • Use a browser with a WebKit-based rendering engine, preferably Safari, since it is the most similar to the iPad browser. Chrome will work too.
  • Disable all plugins in your browser. Otherwise your browser will still load the plugins even though an iPad would not.
  • Change your user agent string in your browser to match the iPad one listed earlier.

Apple’s Official Developer Documentation

Other Resources

Tools

The easiest way to change your user agent in Safari is to use the option in the Develop menu. The easiest way to change the user agent in Chrome and Firefox (which uses the Gecko rendering engine, not WebKit) is to use an extension.

Further Reading

John Gruber at Daring Fireball has written a series of posts about Flash, HTML5, and H.264 video. They are really worth reading for background on the technical and political issues related to HTML5.

* This article originally appeared as Preparing Your Site for the iPad in my Messaging News “On Message Column.”

Smartphone Phishing Protection Needs Improvement

Recent versions of desktop Web browsers and email clients feature phishing and malware protection in addition to improved security notifications and indicators. Unfortunately, many of these improvements have not reached their mobile device counterparts. While the patterns of use and the threat model for Web browsing and email on mobile devices differ from desktop applications, as smartphones become more capable they present an increasingly attractive target. Institutions and services that wish to protect their mobile user base should seriously consider server-based filtering for both email and Web content on mobile devices. Currently, it is difficult, or nearly impossible, to verify the authenticity of email messages and the destination of hyperlinks on many common smartphones.

Many organizations employ network filtering and threat detection. Modern desktop browsers offer additional protection by displaying warnings for potential phishing sites, sites known to contain malware, and invalid or expired SSL certificates. It is a rare organization or email provider that does not filter its email for spam and viruses. Most modern Web browsers and desktop email clients can utilize third-party software and blacklists to display warnings for potential phishing attacks, viruses, and other types of malware. Blacklist-based security notifications have begun to appear in smartphone Web browsers, although they have been slow to arrive for mobile email clients.

In my column You Can Fool Some of the People All of the Time: Research on Usability, Security and Phishing, I summarized research papers on phishing vulnerabilities from both academia and industry. In closing the column, I discussed potential areas of weakness in mobile and embedded browsers found by researchers. One year later, these platforms face increased attacks. According to a 2009 study by Pew Internet and American Life, 55 percent of U.S. adults connect to the Internet via a WiFi enabled laptop, smartphone, or consumer device. Of U.S. adults, 39 percent connect wirelessly via a laptop, 32 percent with a mobile phone (19 percent on a typical day), 12 percent with a desktop computer, 9 percent with a game console, 7 percent with a PDA type device, 5 percent with an MP3 player, and 1 percent with an ebook reader. This means that a significant portion of any user base is likely to spend at least some time connected via insecure and unfiltered networks. Users with mobile devices are far more likely to connect via an unsecured WiFi network when they are outside of a standard enterprise network. VPN and enterprise WiFi security on mobile devices require complicated configuration and are typically only used when configured or provisioned by IT staff.

Although consumers increasingly use mobile devices for high value interactions such as online banking and making significant purchases, there has been little published research investigating authentication and authorization from these devices. Many mobile devices have reduced keyboards, which make long complicated passwords cumbersome and error prone. The small size of mobile screens may limit the ability to view credentials while typing, which creates further difficulties when logging in and provides fewer options to display security indicators. Advanced Web browsers available on the iPhone, Android-based devices, and those using the Opera mobile browser are capable of rendering most modern Web pages. These browsers still involve tradeoffs, often requiring the user to pan and zoom or the browser to reformat the page due to limited screen size.

Given the constraints imposed by mobile devices, security indicators and warnings need more effective designs for wide deployment. I attempt to provide a picture of the variation in current security indicators and warnings and to show the difficulty of verifying the authenticity of content. My test equipment included an iPhone 3GS running iPhone OS 3.1.3, an HTC Magic running Android 1.5, a Motorola Droid running Android 2.0, and a BlackBerry Bold 9000 running BlackBerry OS 4.6.304. All four devices left significant room for improvement. Security researcher Aviv Raff discovered many of the issues described here in 2008. Joshua Perrymon at PacketFocus provided more detail in his PhishCamp project in 2009.

Security indicators and additional warnings presented by desktop browsers, email clients, and most Web mail clients provide some additional protection to users, although usability research shows that few users notice security indicators without training and quickly cease to pay attention to frequent warnings. On desktop browsers, users can view the URL of a hyperlink by placing the mouse over the link and viewing the URL in the status bar. Most desktop email clients will display the same information in a mouse tooltip. Unfortunately, the status bar is often turned off by default in many browsers and must be enabled manually. Even though few people may take advantage of this feature, it is one of the only mechanisms to verify that a link that displays http://www.mybank.com/ does not in fact point to a clever facsimile that is a phishing site. None of the mobile email applications had the ability to display the full headers of an email, which is another method that can give an indication that an email might have been forged. Most Web mail services have an option to display full headers, although the feature is often difficult to locate.

Many mobile browsers also provide a feature to display the URL for a hyperlink. For example, on both the iPhone and the Android browsers, if the user clicks and holds a link in either the browser or the email client, the URL is then displayed in a separate window. On the BlackBerry, the user can view the link by selecting a menu item. Both the iPhone and the Android devices truncated long URLs in the separate display. Only the BlackBerry browser was capable of displaying the full link, even for very long URLs. The iPhone display truncates the middle portion of long URLs and indicates the truncated portion with an ellipsis. The Android devices truncated the end of the URL, but provided no indication that the URL was truncated. Both the iPhone and the Android devices displayed more of the URL in landscape mode than in portrait mode. The problem as described by Raff is more complicated, as the phishing site may use a much longer URL that takes advantage of the truncated portion to hide the fact that the destination is not legitimate.

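To make the truncation problem concrete, here is an added example that is not part of the original column. It reproduces the two naive display behaviours described above (middle truncation with an ellipsis, end truncation with no marker) and contrasts them with a link preview that parses the URL and always shows the host on its own line, so no amount of truncation can hide where the link actually goes. The sample look-alike URL is constructed for the example and uses the reserved .example top-level domain; the function names and the 40-character display width are assumptions.

```javascript
// Added example: why truncated link previews fail, and a preview that shows the
// host in full. Relies on the WHATWG URL parser built into Node.js and browsers.

// Constructed look-alike URL (not a real site): the text at both ends reads like
// the bank, but the host that will actually be contacted ends in ".example".
const SAMPLE_LOOKALIKE_URL =
  "http://www.mybank.com.accounts-verify.example/login/secure" +
  "?session=1234567890&return=http://www.mybank.com/";

const MAX_DISPLAY = 40; // characters available in a small preview (assumption)

// Middle truncation with an ellipsis, as the article describes the iPhone doing.
function truncateMiddle(text, max) {
  if (text.length <= max) return text;
  const keep = max - 1; // one column is spent on the ellipsis
  const head = Math.ceil(keep / 2);
  const tail = keep - head;
  return text.slice(0, head) + "\u2026" + text.slice(text.length - tail);
}

// End truncation with no marker, as the article describes Android doing.
function truncateEnd(text, max) {
  return text.length <= max ? text : text.slice(0, max);
}

// Safer preview: parse first, then show scheme and host untruncated on their
// own line and only truncate the path and query. Unparseable input is reported
// rather than displayed as if it were a link.
function safeLinkPreview(href, max = MAX_DISPLAY) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, host: null, display: "(unparseable link)" };
  }
  const host = url.hostname; // never truncated
  const rest = url.pathname + url.search + url.hash;
  return {
    ok: true,
    host,
    display: `${url.protocol}//${host}\n${truncateMiddle(rest, max)}`,
  };
}

// True only if the link's host is the expected domain or a subdomain of it.
// A host that merely *starts with* the expected name does not match.
function hostMatchesExpected(href, expectedDomain) {
  const preview = safeLinkPreview(href);
  if (!preview.ok) return false;
  const host = preview.host.toLowerCase();
  const expected = expectedDomain.toLowerCase();
  return host === expected || host.endsWith("." + expected);
}

// Stand-alone run: compare the three renderings of the sample link.
console.log("middle:", truncateMiddle(SAMPLE_LOOKALIKE_URL, MAX_DISPLAY));
console.log("end:   ", truncateEnd(SAMPLE_LOOKALIKE_URL, MAX_DISPLAY));
console.log("safe:  ", safeLinkPreview(SAMPLE_LOOKALIKE_URL).display);
console.log("matches mybank.com?", hostMatchesExpected(SAMPLE_LOOKALIKE_URL, "mybank.com"));
```

With a 40-character preview, both naive renderings of the sample show only text that looks like the bank's domain, while the parsed preview puts the real host on the first line regardless of how long the rest of the URL is. The same host check is what a server-side filter would apply to links in incoming mail before they reach a mobile client.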
User testing shows that SSL certificate warnings are of limited use. The problem is described in detail in Crying Wolf: An Empirical Study of SSL Warning Effectiveness, presented at the 2009 Usenix Security Symposium. There are currently so few means of verifying the authenticity of sessions on mobile sites that these warnings should not be immediately discounted. Of the browsers on all three platforms tested, only the iPhone OS browser displayed an indicator that distinguished between standard SSL certificates and Extended Validation (EV) certificates. The Android and BlackBerry devices did not make a distinction between the two types of certificates. All three browsers displayed warnings for mismatched SSL certificates. Every major desktop browser provides a mechanism to view and verify an SSL certificate, although only the Android browser provided this option on the mobile devices tested. The Android browser provided an additional indicator by displaying a lock with a question mark for sites where the hostname on the SSL certificate did not match the site.

The results from my limited test clearly indicate that the current generation of smartphones leaves much to be desired in terms of protection from phishing and other types of forged content. Support organizations should consider offering enhanced filtering for email and Web browsing on mobile devices until the situation improves. End-users should be even more critical of content viewed on a mobile device and should consider verifying the content via another channel when there is a high value transaction. This article provides an overview of a subset of the current problems on mobile devices. In future columns, I will cover additional problems with security on mobile devices, including limited verification of SSL certificates in both email and over-the-air provisioning mechanisms, and security concerns with the browsers available on hundreds of millions of gaming consoles.

* This article originally appeared as Smartphone Anti-Phishing Protection Leaves Much to Be Desired in the March 2010 issue of Messaging News
