Tag Archives: mobile

Starbucks App == Mobile + Convenience

Posted on by

The Starbucks App for Android 2.0 is out on Google Play (see announcement on VentureBeat).

Good to see…

(I was one of the people who contributed design & dev to this product, specifically the Card Management tab/functionality, plus some other.)

Starbucks have proven, starting with their iOS app, that consumers are ready for mobile payments — as of April 2012, Starbucks apps have done over 42M mobile payment transactions (see announcement on VentureBeat).

Awesome…

Convenience is always a big winner. In the case of Starbucks it is about payments, rewards and store information right on the palm of your hands.

There is another important aspect here. It also shows that stores must have the whole infrastructure in place to be successful:

  1. The POS that are enabled with the appropriate readers and software,
  2. The devices/smartphones with the SW and functions (the apps), and,
  3. The scalable service infrastructure with the appropriate back-end integrations, and the right kind of services-and content — in the case of Starbucks, authentication, payments, rewards, store information and related-integrations.

It is then that users will adopt this in masses; and, yes, it is about convenience.


(Card management tab with Pay Now, and embedded PayPal Integration for Card Reload)

Digital cards are at the center of the app. The app, which is global-ready, allows smartphone-users to load the digital cards (dollars, pounds, etc, depending on country) via credit cards and/or PayPal — all within the app, thus maximizing the user experience. The digital cards are then scanned at the stores. For this, the app uses 2D-barcodes that are scanned/read by the POS using regular barcode scanners, consummating the transaction.

Looking forward, this app is a good candidate for NFC and/or other proximity-based technologies. If the NFC infrastructure was in place, that is, the readers and the NFC-capable smartphones, I will bet that it would also be a winner. But full, pervasive NFC deployments are still are a few years away, delaying its adoption. As a result, today, 2D-barcodes is the way to go.


(This is not real, just a concept scenario that I put together for the Starbucks app with NFC support)

As mobile app designers, the important thing is to design your application in a way that 2D-barcodes or NFC or other are just interaction channels — the key is keeping the rest of the app- and related supporting infrastructure (servers, authentication, exposed services, payment infrastructure and so on) properly abstracted. As a side note, this is a reason why Square is ready for the future — it has all the infrastructure in place, and today their reader is the Square-reader, and tomorrow it can be something else. Starbucks is ready too.

ceo

Security & Privacy on Mobile Apps, Part 3 – PCI Compliance

Posted on by

This is Part 3 of a series on Security & Privacy for Mobile Apps.

Part 1 of this series introduced main concepts related to security on mobile apps. Part 2 went deeper into the security elements and guidelines related to security and privacy on mobile applications. In this Part 3, I will cover security from the PCI compliance perspective.

Handling Personal or Sensitive Information

Personal and sensitive information include any information that is critical for a user, for example credit card numbers, credit card validation codes, social security numbers, driver’s license numbers, name, addresses and date of birth, and other Personally Identifiable Information (PII). Any such information must be properly handled and secured.

When dealing with credit cards in particular, you may have to adhere to strict security requirements such as the ones as defined by the Payment Card Industry Security Standards Council, or PCI for short. The PCI council defined a number of requirements and certification to help to ensure both devices and software applications all take the proper steps to protect cardholder data. The PCI council consists of the following companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

Even if your application is not handling cardholder information, the requirements by the PCI council are good guidelines to follow if your mobile (web) application deals with personal sensitive information of any kind.

PCI Data Security Standard (DSS) requirements

Let’s take a look at the PCI Data Security Standard (DSS) requirements. These requirements apply to “any entity that stores, processes, and/or transmits cardholder data.” In short, “if your business accepts or processes payment cards, it must comply with the PCI DSS.” Note that “to comply”, means that the payment application must pass a PCI-provided assessment.

Table 1: Payment Application DSS Requirement

   Source: Payment Card Industry Security Standards

The PCI Data Security Standard defines fourteen (14) requirements — some technical while other operational — that affect both the server-side and client/mobile-side of the payment application. Let’s cover each of these requirements in some more detail:

1. Do not retain full magnetic stripe, card validation code or value or PIN block data

How to: Always prompt for such information; never store locally on the device. Always prompt for PIN.

2. Provide secure password features

How to: Always prompt for PIN before allowing access to the app’s critical paths or sensitive information. Use the PIN to secure application data.

3. Protect stored cardholder data

How to: Do not store cardholder information on the device. Tokenize access to critical information (tokens are covered below). Use the PIN to secure application data.

4. Log application activity

How to: Keep a local log of critical activities, such as when user logs into the application, performs a purchase, and so on. This typically is a circular log. Provide the means to remotely access or upload the log as needed.

5. Develop secure applications

How to: Design and implement the mobile application with security in mind. Do this by implementing the different requirements being discussed in this article.

6. Protect wireless transmissions

How to: Perform all communication over an encrypted secure connection (typically over HTTPS/TLS).

7. Test applications to address vulnerabilities

How to: Implement a robust test-suite that includes automated and manual testing that validates that no access to critical application paths is possible unless the user authorizes it via a PIN, that API calls and data over network connections is in fact being encrypted, that no credit card information is stored locally, and that any personal information stored in local data is properly encrypted.

8. Facilitate secure network implementation

How to: See #6 above

9. Do not store cardholder data on a server connected to the Internet

How to: Design a network architecture that separates production systems from the public Internet. Deploy production servers with critical/personal information behind a firewall.

10. Facilitate secure remote software updates

How to: Only trust software updates from trusted sources. Leverage app stores/markets and app signing for native applications. Leverage centralized approach of mobile web apps. Perform all software updates over a secure network connection.

11. Facilitate secure remote access to application

How to: See #10. In addition, see #6 — all remote/network communication shall only be done over secure network connections.

12. Encrypt sensitive traffic over public networks

How to: See #6 above

13. Encrypt all non-console administrative access

How to: See #4 and #6 and #10. All access to secure data, administrative or not, shall be done over secure connections.

14. Maintain instructional docs and training programs for customers, resellers and integrators

How to: From the mobile application perspective, provide FAQ and Help pages that describe the privacy and security aspects of the application. Include Privacy terms and conditions.

Other PCI Information and/or Requirements

The following two tables show the general PCI goals vs. requirements, and PIN-entry device security requirements.

Table 2: PCI Data Security Standard (DSS) requirements

   Source: Payment Card Industry Security Standards

Note that most of these requirements on Table 2 were covered on the previous section.

Table 3: PCI PIN Entry Device Security Requirements

   Source: Payment Card Industry Security Standards

And these requirements on Table 3 are related to physical devices, in particular device characteristics and management requirements.

Conclusion

On this 3-part series we have covered security on mobile applications – introduction, elements and guidelines for secure mobile apps, and PCI requirements for mobile payment applications. At the end, it is about protecting the user by protecting related critical information –credit card numbers, credit card validation codes, social security numbers, driver’s license numbers, name, addresses and date of birth, and other Personally Identifiable Information (PII); all such information must be properly handled and secured.

As privacy continues to become more critical over time, with the number of apps exponentially increasing, and with potential legislation in the future, having clear privacy and security implementation, wording/messaging and responsibilities are all very important.

Finally, as product owners and developers, we are all responsible for properly implementing our mobile applications and protecting the user…

Resources

On Mobile Industry Numbers and Mobile Jobs

Posted on by

The other day I tweeted this:

(URL: https://twitter.com/eortiz/status/223096404233564160)

Then I read at the Royal Pingdom blog some interesting Internet 2011 in numbers; looking at the mobile-related numbers, we have:

Mobile (July 2012)

  • 1.2 billion – The number of active mobile broadband subscriptions worldwide in 2011.
  • 5.9 billion – The estimated number of mobile subscriptions worldwide in 2011.
  • 85% – Percentage of handsets shipped globally in 2011 that included a web browser.
  • 88% – Apple iPad’s share of global tablet web traffic in December.

    So the mobile space is a pretty hot space indeed. Let’s now look at some mobile-related job salary numbers, courtesy of Indeed Salary; note these are *average* salaries:

    Mobile Architect

    Mobile Developers

    Mobile Designer

    Mobile Web Developer

    Android Developer

    iOS Developer

    Windows Mobile Developer

    BlackBerry Developer

    Symbian OS Developer

    Mobile Product Manager

    I actually find this quite low for Mobile Product Managers.

    Mobile Project Manager

    Let’s now look at some trends, courtesy of Indeed Trends. Interesting is how it starts to trend up towards the end of 2010 for all the top mobile OS platforms –iOS, Android, HTML5:

    iOS Job Trends

    HTML5 Job Trends

    Android Job Trends

    Mobile-app Job Trends

    Symbian OS Job Trends

    Note the roller-coaster trend for Symbian OS…

    Windows Mobile Job Trends

    Interesting!

    BlackBerry Job Trends

    Conclusion

    So in conclusion, the mobile space is red HOT… The demand is there. It definitely is a good time to be a mobile technologist, developer, product manager, and so on… globally!

    CEO

    Security & Privacy on Mobile Apps, Part 1 – Introduction

    Posted on by

    This is Part 1 of a series on Security & Privacy for Mobile Apps.

    (Note: in this article mobile apps means both native and webapps)

    Are you Serious About Security on your mobile apps or webapps?

    Security and privacy is an area that too often is not being properly addressed on mobile apps in general. From the product requirements, to the design and implementation of the mobile app, properly securing sensitive information means addressing this end-to-end: on the device/smartphone, through the network, and on the servers on the cloud.

    Examples of sensitive information:

    • Personal Identifiable Information (PII)
    • Cardholder and other credit card information
    • Health/medical information
    • Tracking users/geo-location

    And it is not only about collecting or not sensitive information, but also about 1) preventing others from gaining access to the sensitive data collected by your app, and 2) how to communicate to the user about how the app itself deals with such sensitive data.

    As product owners and developers, we all should follow proper security and privacy guidelines, regardless of the kind of application. But when dealing with critical or sensitive information, we must go beyond guidelines and treat privacy and security as application requirements.

    Increase in Apps with privacy & security requirements

    Developers do need to be serious about security and privacy on their mobile apps:

    But many developers find addressing privacy/security as challenging:

    Why the need to be explicit about security and privacy?

    Addressing security/privacy goes beyond protecting and securing data. It is a fact that security/privacy on mobile apps can quickly become confusing. And this impacts how we tell the users about what the application does with sensitive data. Typically this communication is done via privacy terms and/or policies that are hundreds of lines long and hard to read on a mobile device, thus many people simply skip reading it.

    Simplifying privacy communication — a case for “Classifying Apps”?

    Imagine that we can abstract and simplify how we communicate to the users the matters related to privacy/security. And idea is on classifying the Apps based on how they handle sensitive data, for example:

    • Class A — Collects data
    • Class B — Stores data
    • Class C — Shares data
    • Class D — Tracks the user
    • Any other?

    Regardless, think about these classes when designing your application, and crafting your privacy policy documents.

    Now imagine that these classifications are standardized, and with this, the Privacy wording for each these classes of apps is standardized as well — all with the goal of making such wording very clear and easy to understand, standard, and referenceable — similar in idea to how licenses such as GPL, MIT, Apache have been defined, standardized and used all around.

    With such “standardization”, mobile apps would have a very clean, simple privacy policy that is familiar in wording and meaning, for example:

    Privacy Policy — this application:

    1. Collects Data
    2. Shares data
    3. Tracks the user

    Please click on the appropriate hyperlink for more information.

    I would seeing an initiative of some kind to do just this (I’m investigating this as we speak). If you have any thoughts, please drop me a line. Perhaps there is something out there already that I haven’t seen yet. If there is nothing there yet, I believe it is worth it to follow up on this and come up with simple, consistent, familiar privacy messaging (and badge?) across platforms and applications.

    Conclusion

    Personal and sensitive information include any information that is critical for a user, for example credit card numbers, credit card validation codes, social security numbers, driver’s license numbers, name, addresses and date of birth, and other Personally Identifiable Information (PII). Any such information must be properly handled and secured.

    As privacy continues to become more critical over time, with the number of apps exponentially increasing, and with potential legislation in the future, having clear privacy and security wording/messaging and responsibilities is very important. And as product owners and developers, you/we are responsible!

    Related

    /CEO

    Introduction to jQuery Mobile (May 2012)

    Posted on by

    See my latest article, Introduction to jQuery Mobile (developerWorks).

    This article, an update to my original Intro to jQuery Mobile (Feb 2011), introduces the basics in the latest version of jQuery Mobile. Learn about browser support, the UI components, and the API.

    “Summary: Get an introduction to the jQuery Mobile framework. Learn the basics of the framework and how to write a functional mobile web application user interface. In this article, an example guides you through basic pages, navigation, toolbars, list views, form controls, and transition effects.”

    Link: Introduction to jQuery Mobile (developerWorks).

    Related links:
    * jQuery Mobile developer site
    * Original article: Intro to jQuery Mobile (Feb 2011)

    ceo

    On Ambient and (Mobile) Context

    Posted on by

    Recently I have been seeing the word “ambient” used a lot to describe “context”; a good example is Alohar Mobile and its Mobile Ambient Analytics Platform. Alohar Mobile are also the makers of Placeme.

    Is Ambient the new Context?

    It is not. Context is more than just ambient information; ambient information is a subset of Context:

    • ambient: “of the surrounding area or environment”
    • context: “the set of circumstances or facts that surround a particular event, situation, etc.”

    The following illustrates the elements of the mobile context:

    The Mobile Context, May 2012

    Read more about the mobile context — see the original The Mobile Context blog.

    Ambient information is about sensory information while context is much more complex. Context is about the (set of) information related to a given user-event-in-time. It is the intersection or overlap of the different sets/elements above, at any given point in time, as it relates to a given event (search, browse, gift, purchase) for a given user.

    Those who are able to truly capture, analyze and understand Context, are the ones who will be able to bring true meaning to (and reap the benefit$ from) Mobile.

    ceo