Bulk Assign Categories to Multiple Posts

October 14th, 2008

Here’s a cool new wordpress plugin that allows you to assign one or more categories to multiple posts in a single shot, with or without preserving existing categories.

This plugin will be very useful when you are migrating to your own wordpress blog, hosted on your domain. The default wordpress functionality is that, you can assign new categories to posts only by editing each post and changing the category assigned to it. So, if you have a large number of posts, then it will be a nightmare.

Enter this plugin.

With this plugin, assigning multiple categories to one or more posts is a breeze. Pop the plugin’s PHP file to your wordpress plugin directory, activate it and click on “Assign Categories” under the Manage menu. The page will show the list of available categories, followed by the available blog posts. You can select the categories, select the required posts and then click on “Assign Categories” at the bottom of the page. Now, all your posts will be assigned the new categories. 

Currently, the plugin is in “beta”. The beta will go off in a few days and will contain search functionality also. The plugin has been updated with search functionality. Please download the plugin again.

The plugin is licensed under GPL v2 (the same as wordpress).

Download the plugin, take it for a test drive and let me know.

Posted by Aswin Anand Filed in Technology, techblog, wordpress
8 Comments »

Dissecting iMobile - Security Analysis of ICICI Mobile Banking App

September 27th, 2008

ICICI Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, until the Reserve Bank of India comes out with mobile banking guidelines and approves it, mobile banking is supposed to be halted. Technically, it means that, all existing users shouldn’t be able to use the service what-so-ever and new user signups should be prevented & a notification stating that they should retry later should be shown.

Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:

  1. Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
  2. The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.

Which brings me to explain Step 2 in detail:

On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first <script> tag. It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.

What filename do you have to give and How?

That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar :) Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.

Where ICICI Bank failed?

  1. They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 - Resource Not Found” error. Got it? Implementing this is pretty simple.
  2. There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 - Resource Not Found” error page.
  3. Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
  4. There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?

That was a long post already :) We still have some more to go. Lets take a break.

Tea Break Image Credits

Back? Ok :D Now, lets dissect the actual JAR file and look into the technical details of its implementation.

The Manifest File:

Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.

Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.

Some more Holes:

Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.

What should the bank do here?

  1. Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
  2. I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
  3. There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
  4. Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.

Suggestion for Users:

Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.

Thats about it !

Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.

If you liked this article, kindly do me a favour by digging it. Thanks for your time.

Posted by Aswin Anand Filed in Technology, mobile, mobility, techblog
12 Comments »

Send Free SMS - Web Service

July 17th, 2008

27/Sep/2008 - Important Update 3: The web service has been updated yet again. If you are using the script on your own server, then please download the zip file again. Extract this zip file in the same place where sendsms.php is currently located and you should be good to go.

02/Sep/2008 - Important Update 2: The web service has been updated. If you are using the script on your own server, then please download the zip file again. Extract this zip file in the same place where sendsms.php is currently located. The zip file now contains an extra file named “htmlparser.inc” (version 1.2) from PHP HTML Parser. It’s an awesome library to parse HTML using PHP.

Important Update: After this comment from cssk, the web service has been updated. If you are using the script on your own servers, please download it again from here and just replace the existing file. Others, who are just accessing the URL on my domain needn’t make any changes to their code.

Hi friends, if you are in India and if you are developing software prototypes which has to send SMS alerts to various Indian mobile numbers, you needn’t spend a lot to buy SMS credits at the various sites. Over the last weekend, I spent some time hacking up a quick SOAP based web service which you can consume in your programs.

Before we proceed further, here are a few things you have to do:

  1. Get an account at http://www.way2sms.com/. Its a free SMS service and has tons of advantages; including 92 characters per message (rest of the characters are ads) and unlimited number of messages per day.
  2. Now you can invoke the web service in two ways from my domain itself. Web service endpoints and other notes given below.
  3. You can get the PHP source code and set it up in your own server.

Invoking the Web Service:

  1. The web service end point is at http://www.aswinanand.com/sendsms.php?wsdl. More details on how to consume a web service using Visual Studio is available here. Feel free to try with other languages and IDEs and let me know.
  2. Instead of consuming the web service, you can invoke the URL directly with the four parameters. Parameters are:
    • uid = your way2sms user id
    • pwd = your way2sms password
    • phone = semicolon separated list of phone numbers
    • msg = actual text message
  3. An example URL format is http://www.aswinanand.com/sendsms.php?uid=__USER_ID__&pwd=__PWD__&phone=__NUMBER__&msg=__MSG__.

Setting up the web service in your hosting space:

  1. Grab the SMS web service source code from here. The source code is licensed under “Creative Commons Attribution-Noncommercial”. Make sure you agree to the license terms before downloading :-) and kindly link back here or digg it.
  2. Get the NuSoap library and upload it to your server. You may want to change line number 50 in our web service source code to point to the proper location of NuSoap on your server.
  3. Now as mentioned in the section above, you can now use the web service from your domain. Just replace “http://www.aswinanand.com/” with “http://www.your-domain.com/path/to/source/” and you should be good to go on your own :D

Improvements:

Of course, there are lots of improvements that can be made to this service. Way2SMS console gives you a list of all the messages that have been sent from your account so far. So, you could write another web method and expose it; which returns all the messages so far in the form of RSS feed, ATOM feed or JSON.

Any text after the 92nd character in the SMS is cut off. We could write a simple loop after line 36 to send multiple messages if the number of characters exceeds 92.

We should also be able to retrieve the list of contacts that are saved in Way2SMS as JSON feeds and reuse them to send messages instead of typing in mobile numbers directly.

I will update the script as and when time permits and update this space. Keep watching for more. This sort of web services can be developed for almost all SMS web sites. If you are developing a similar script for other SMS websites, let me know.

Some boring blah blahs:

  1. The code is not production grade. It was hacked quickly over a weekend. So use it at your own risk.
  2. You cannot hold me responsible for whatever problems that may occur for you in using this web service.

You could also do me a small favour by digging this post. Thanks!

Posted by Aswin Anand Filed in Technology, techblog, webservice
85 Comments »

RSS Feed Proxy - Finally one data format to parse all feeds

July 12th, 2008

Hey guys! I discovered two feed proxies.

  1. http://www.netvibes.com/proxy/feedProxy.php?test=1&url=__FEED_URL__
  2. http://my.live.com/cfw/news.aspx?fetchurl=__FEED_URL__

Replace the __FEED_URL__ with the feed URL of your choice. Of the two feed proxies above, I like Netvibe’s proxy as the best because of the following reasons:

  1. Feed output is JSON. This means that, netvibes has done all the necessary work to convert feeds of any type (RSS, ATOM, RDF etc.) into JSON.
  2. If you are writing a script to examine feeds from various sites, you have only one data structure to deal with ;-)
  3. Almost all programming languages support JSON. Refer to www.json.org for JSON libraries available for various programming languages.
  4. JSON by itself is very lightweight and eliminates most of the overhead of XML, thereby preserving bandwidth.
  5. A simple program in VB.NET to parse a JSON structure and get the required feed data in a Dictionary datatype is only about 9 lines of code. In Ruby, it will be even lesser. Compare the same with XML output. Even though feed parsers are available, you have to create your own wrapper above everything to get everything to work out properly. Reuse what you already have (DRY Principle). Netvibes has already done the bull work to convert all kinds of feeds into a common format.
  6. Best of all, no authentication is necessary to access these links :D

Live.com’s feed proxy returns the actual feed output. So, if the feed you are referring to gives RSS output, this proxy returns that. The same happens with ATOM, RDF etc. Keep watching this space. I will update the post with other feed proxy URLs that I encounter. If you go across any, please mention them in the comments section.

 

Posted by Aswin Anand Filed in Technology, techblog
1 Comment »

NTFS, Gmail Keyboard Shortcuts

April 18th, 2008

Two things today:

Few days ago, I was searching for information on NTFS and found 2 amazing articles from the good old MSJ (Microsoft Systems Journal). The links are below. Do go through them when you find time. Even though the articles are old, they offer a wealth of information.

  1. Windows NT 5.0 File System - http://www.microsoft.com/msj/1198/ntfs/ntfs.aspx
  2. NTFS Change Journal - http://www.microsoft.com/msj/0999/journal/journal.aspx

There are lot more articles available. I will post the links as and when I read them. Nice stuff !

As you already know, I have enabled keyboard shortcuts on my gmail account. Gmail actually shows you the list of available shortcuts right inside your mailbox, without us having to visit the keyboard shortcuts page. To access the list of keyboard shortcuts, you need to press “?” key, which is “Shift + /“. You will get the translucent black popup as shown in the below screenshot. You can press any key to close it.

Keyboard Shortcuts

Click the image to see a larger version.

Posted by Aswin Anand Filed in Technology, techblog
No Comments »

New post on tech blog

February 8th, 2007

After a long time, I have done a post on my tech blog. The post is about “sc.exe”

Read about it.

Posted by Aswin Anand Filed in Casually Speaking ..., techblog
No Comments »