Ever since I discovered Opera Mini, I had installed it on my first mobile (K300i) and now the latest Opera Mini 5 beta is present on my Nokia E51. Few months ago a new browser came up for S60 3rd Edition Mobiles named Skyfire. The main selling point of this browser was almost full support for javascript and Adobe Flash with near desktop experience; which enabled us to watch YouTube videos on the mobile!

I had been using both browsers side by side for a few months now & came to feel that Opera Mini is a lot better for daily use and Skyfire is better for those one off toughie websites that must work with javascript and other stuff enabled.

Here’s an example: Recently, I started accessing my twitter account through Dabr from Opera Mini. The mobile UI rocks and zoom in and zoom out is instant. It happens in the client side. Opera Mini has an intelligent mix of client side and server side operations, whereas, all operations from Skyfire require an active internet connection. At best, internet access from mobiles through GPRS still remains patchy & hence, Skyfire should have that intelligent mix of operations and where possible, operations should be done at the client rather than server.

Opera desktop’s goodness of Speed Dial has arrived on Opera Mini 5. It’s awesome and saves you tons of clickety-clicks, which are irritating on a mobile. The whole menu system has been completely revamped. UI is smooth and fast (which is a downside with Skyfire)!

The best feature of Opera Mini of all is tabbed browsing. That blows away any other mobile browser on the planet. Being fast and loading heavy pages on separate tabs is a pretty awesome thing. By long pressing on a link, you can open them in new tabs inside Opera Mini. Hence, the Dabr + Opera Mini seems to beat any other twitter competition. Saved pages are really saved pages. They can be accessed even when there’s no connectivity.

Recently we had to book tickets to watch a movie at Mayajaal and Skyfire displayed the website amazingly well. Opera Mini suffered there. Similarly, Opera Mini rocks in opening popup windows (when clicked explicitly), whereas Skyfire fails. All in all, if you are going on a long journey with conservative power, Opera Mini is the way to go. Or if you want near desktop experience on your mobile for all websites, then Skyfire is the way to go.

Skyfire Gripes:

  1. No tabbed browsing.
  2. No landscape view of web pages and videos.
  3. Phone heats up after about 15 minutes of usage. Doesn’t ever happen with Opera Mini.
  4. Compared to Opera Mini, it is very heavy on battery.
  5. No option to logout from your Skyfire account. You have to manually delete the “Preferences” file to logout.
  6. The assumption that an active internet connection is always available.
  7. Proxy server support and proxy authentication i.e. HTTP code 407. I have been asking this for so long that I’m beginning to feel that this feature won’t come at all.

Opera Mini Gripes:

  1. No flash support.
  2. Javascript should be supported better.
  3. Zoom in to images is dismal. I hope this issue will be corrected when Opera Mini 5 comes out beta.
  4. This browser also doesn’t have support for proxy servers and proxy authentication.

What are your opinions on these two browsers? What browser are you using on your mobile phone?

There are a number of use-cases for which you would want to browse a mobile-optimized website on your PC. When you visit the mobile website on your PC’s web browser, the website displays the full content much to your dismay. However, when you visit the browser on a mobile, it displays a perfectly mobile optimized page.

In these cases, there are some simple steps that you can follow to open mobile websites on your PC:

  1. Download and install the latest version Firefox from http://www.getfirefox.com/.
  2. Visit Firefox Add-ons page and download the Modify Headers addon.
  3. Install the addon and restart firefox.
  4. From the firefox window, select “Tools” menu & click on “Modify Headers” option (Tools -> Modify Headers).
  5. The window will open as shown:
    Modify Headers Addon Window Click to enlarge
  6. Below the title bar, there’s a drop down. Select “Add” from the drop down box.
  7. Now in the text box next to the drop down, type “user-agent”.
  8. In the third text box, paste this string – Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE51-1/100.34.20; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413.
  9. Click on “Save”.
  10. The screen should look like as shown in the screen shot below:
    Filled screen of the addon Click to enlarge
  11. Using the buttons on the Modify Headers addon window, you can enable or disable particular items.
  12. That’s it! Whenever you want to view a mobile website, just go to Tools->Modify Headers and enable the user agent you added in step 8. When you don’t need it, just open this window and disable it.
  13. You can close addon window after you have enabled/disabled items.
  14. Enjoy! 🙂

Behind the Scenes:

Most mobile websites make use of the HTTP header called “User-Agent”. This header tells the server what kind of web browser the user has. So, mobile websites usually look for the name of the device manufacturer in the User-Agent header. If it matches one of the manufacturers then the mobile optimized web page is sent.

That’s about it! Hope you enjoyed this brief.

Now go and figure out how to display the iPhone version of Facebook on your PC 😉

ICICI Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, until the Reserve Bank of India comes out with mobile banking guidelines and approves it, mobile banking is supposed to be halted. Technically, it means that, all existing users shouldn’t be able to use the service what-so-ever and new user signups should be prevented & a notification stating that they should retry later should be shown.

Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:

  1. Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
  2. The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.

Which brings me to explain Step 2 in detail:

On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first <script> tag. It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.

What filename do you have to give and How?

That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar 🙂 Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.

Where ICICI Bank failed?

  1. They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 – Resource Not Found” error. Got it? Implementing this is pretty simple.
  2. There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 – Resource Not Found” error page.
  3. Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
  4. There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?

That was a long post already 🙂 We still have some more to go. Lets take a break.

Tea Break Image Credits

Back? Ok 😀 Now, lets dissect the actual JAR file and look into the technical details of its implementation.

The Manifest File:

Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.

Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.

Some more Holes:

Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.

What should the bank do here?

  1. Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
  2. I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
  3. There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
  4. Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.

Suggestion for Users:

Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.

Thats about it !

Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.

If you liked this article, kindly do me a favour by digging it. Thanks for your time.

Java ME – OTA Problems

December 7th, 2007

OTA means “Over The Air provisioning” – which also means downloading a Java ME app directly on your mobile phone. Therefore, OTA means, just plain downloading. That’s all!

But there are some problems. I developed a simple application using netbeans 6 and wanted to do a OTA deployment of the application. Hence, both the JAD & JAR files were uploaded to the web server. Now, I opened the web browser on my mobile and typed out the url of the JAD file. Usually, there is a property called on the JAD file called MIDlet-Jar-URL. It contains the link to the jar file. E.g. If suppose the JAD is located at http://aswinanand.com/app.jad, the MIDlet-Jar-URL in the JAD file will contain related properties of the JAR file including its download link. 

Hence, when a mobile identifies a JAD file, it will search for MIDlet-Jar-URL property, fetch the download link & download and install the application on your phone. What happened here was that, even though the JAD file was in perfect condition, it just got rendered as plain text on the mobile’s browser. The JAR was not downloaded and installed. Soon, I found out that the MIME type of JAD was different and that, for JAD files, “Content-Type” HTTP header has to be set to “text/vnd.sun.j2me.app-descriptor“. For JAR files, the “Content-Type” HTTP header has to be set to “application/java-archive“.

My web server runs apache. Hence, I just created a .htaccess file with the following entries:

  1. AddType text/vnd.sun.j2me.app-descriptor .jad
  2. AddType application/java-archive .jar

Now the JAD file was recognized perfectly by the phone :-). The JAR was downloaded and installed properly :D. More info on OTA can be obtained from here.

Mobile Apps

December 18th, 2006

Buying a fair enough mobile at a decent rate was one of the best things that happened to me since “thayir sadham” (curd rice) and “avakai oorga” (a South Indian mango pickle) :-). Today I activated GPRS and BOOM!!, a world of beautiful internet connectivity opened up. It was like moving from a pre-telephonic era to a modern era. It was like inhaling the fragrance of fresh flowers. Being connected is a boon.

I downloaded Opera Mini and Gmail for mobiles. Both are excellent pieces of software. I had been using the desktop version of Opera since a long time. The mobile version is superb. Speed is very good. The pages are rendering very well. The best feature of opera mini is the status bar. You have to see it to believe why it’s so cool. It also has a feature for reading and subscribing to feeds. Overall, it’s been a very satisfying experience.

Gmail for mobiles is amazing as well. Just as the web client is satisfying, gmail for mobile even goes a step forward. It brings the same web interface to the small screen. Gmail on the web has keyboard shortcuts. Even the mobile version has this. You can press the various numbers to activate certain menu items. For e.g. pressing ‘4’ activates the reply screen. ‘*’ key is used to ‘star’ a message. What’s more, you can view attachments right from the app itself. Nearly every feature of the web version is available in the mobile version.

Getjar.com is a superb site that has a very good collection of mobile applications for almost all models of mobiles. Check it out. If the GPRS rates come down a little bit, I would definitely go for a regular connection and ofcourse a better mobile with a bigger and better screen.

The list seems endless…