
September 15, 2014

Eurotechnology.japan

Apple Pay vs Japan’s Osaifu-keitai

What can we learn from 10+ years of mobile payments in Japan? Apple Pay mobile payments start on September 19, 2014. Japan’s Osaifu keitai mobile payments started on July 10, 2004, after public testing during December 2003 – June 2004. Two different types of Docomo’s “Osaifu-Keitai”, manufactured by Panasonic and by SONY, were publicly tested […]

The post Apple Pay vs Japan’s Osaifu-keitai appeared first on Eurotechnology Japan.

by fasol@eurotechnology.com (Gerhard Fasol) at September 15, 2014 05:58 PM

September 14, 2014

Martin's Mobile Technology Page

Raspberry Pi Power Consumption - Measured

Ever since I got my first Raspberry Pi I wondered how much power it really requires in my standard configuration, i.e. only with an Ethernet cable and an SD card inserted. Recently I got myself a USB power measurement tool to find out. As you can see in the picture on the left, the Raspberry Pi draws a current of 400 mA with the OS up and running and being idle. With a measured USB voltage of 5.4 V, the resulting power consumption is 2.16 Watts. At an efficiency of 90% of the power adapter itself, the total power consumption is therefore around 2.4 Watts.

by mobilesociety at September 14, 2014 05:46 AM

September 11, 2014

mobiForge blog

Emoji set to live long and prosper, thanks to Unicode

You've probably seen them. Your mom probably uses them to sign off her texts, and your teenage cousin has likely abandoned the Roman alphabet altogether in their favour. Emoji are everywhere, and love them or loathe them, they can't be ignored.

by ruadhan at September 11, 2014 12:52 PM

MobileMonday London

Mobile Miscellany, 10th September. A bumper crop of offers and discounts ...

The season of mellow fruitfulness is on us, the fruit falling from the trees in this case is Demo Night on Tuesday 16th Sept, free passes to the Service Innovation Delivery Summit, discounts on Apps World, The Mobile Academy, IPM’s Digital Disruption event and free help for start-ups from Google  …


Demo Night 16th September (Tuesday, yes, really)

Demo Night will take place at Informa's 10th Annual Service Delivery Innovation Summit at the Thistle Hotel, Marble Arch. As usual we feature a number of companies from the community representing some of the sheer range of ideas, innovation and creativity … wearables, IoT, AR, food (yes) and more will all feature! We expect that as usual it will be a lot of fun … have you booked your ticket yet? Register here (and see below if you’d like a free ticket to the whole Summit).

We’re looking forward to hearing from:
  • Good Food Talks - A web app which enables blind and visually impaired diners to read restaurant menus, quickly and easily using their smart phones
  • Swytch - Multiple UK mobile phone numbers on your existing phone
  • QuizTix - A family of original, fun and accessible quiz games offering a familiar and friendly entertainment experience
  • Mylo - A household management service, looking after all your household bills and expenses
  • Grabyo - A real time video platform that offers broadcasters the opportunity to share video clips from live broadcast TV and video feeds across Twitter, Facebook, the web and mobile.
  • Viewmaker - A cloud based augmented reality platform
  • Pronto - Order & track meals on demand, 24/7, in just 3 taps from your mobile device
  • Adsy - A mobile web app that lets you create mobile web apps
  • IFS - Using wearable technology to improve workforce efficiencies in a business environment
  • OpenTRV - An Intelligent radiator controller to save money on your energy bill, reduce carbon & control heating in each room

If you are interested in volunteering at the event and are free from 5.30pm, please do get in touch. Contact: julia@mobilemonday.org.uk

Free passes to the whole Service Delivery Innovation Summit - 16th & 17th September

Our friends at Informa have made available a number of free tickets to attend this event at which you will see a range of case studies from operators & third party developers showing examples of successful service innovation including Deutsche Telecom, Amazon and TomTom. Innovative service delivery from within the cloud will feature heavily, with a wide variety of panel discussions & opportunities for audience debate.

Get your free pass here with this priority code: I859D/MM.

Back to School with The Mobile Academy starting 30th September

The Mobile Academy, no-nonsense, practical learning from industry experts, run by MoMoLo and UCL. From developers to marketers, corporates to start-ups, The Academy brings together people with different backgrounds and levels of experience who learn from each other as well as from the experts. Read about what happened on our first four courses here.

We are running a special discount with the code MoMoLo which takes the start-up price down to £450, SMEs at £675 & Large companies at £1,350 all + VAT and booking fees. Benchmarked at over £3,000, there is nowhere else you can get this breadth of topics and quality of delivery. Perfect for those that just want to know more about mobile and/or are working on new products. Register here and get gist from our blog: http://themobileacademy.org.uk/blog/

“...The combination of excellent mobile design and technical teaching overlaid with business knowledge means that the take out from this programme is far beyond just being about mobile - it's about starting new businesses and business lines. This, along with the exposure to industry experts and other participants is invaluable for us at IBM as it broadens our outlook and introduces new ways of working. With this well rounded approach, we have found that our participants return thinking more “outside of the IBM box” and that their client interactions are deeper and broader…” Steve Devo, IBM

Startup help from Google

Startup Launch is a new programme from Google which will help you get the best out of the Google Developers platform, including:

- Mentorship from Google Developer Experts and Developer Relations
- Exclusive invitations to networking events
- Access to free training, start-up boot camps and other resources

Find out more and apply here.

Digital Disruption: The Union of Marketing and Technology, 24th September

With speakers from Samsung, Google, Westfield, Media Futures and many more, the Institute of Promotional Marketing (IPM) invites you to talk digital disruption and improve your game. This conference will explore how the latest advances will allow marketers to push the boundaries and create even better, more effective and ‘always on’ promotional campaigns which can break down barriers and influence target audiences at all the touchpoints.

We have a 15% discount with code: MoMoLo (tickets are £212.50 instead of £250). Register here.

Something special at Apps World, 12th – 13th November at ExCel, London

Apps World is back and once again, offering you 15% off passes with the code MOMO15. Register here in the next few days and you will also get the earlybird discount. You can visit the exhibition area free of charge, but you still need to register using the link above.

Following our fab night at Apps World last year, we are doing something quite special this year which we will announce in the next week. In the meantime, save the date: 12th November from 5.30pm to late!

And finally ...
Long time friend of Mobile Monday London and one of the true godfathers of Mobile, David Wood, has spent the last two years putting together his history of Symbian. Check it out here http://smartphonesandbeyond.com/

Very much looking forward to next Tuesday and seeing everyone there.

Jo

by Julia Shalet (noreply@blogger.com) at September 11, 2014 12:51 PM

September 10, 2014

Eurotechnology.japan

EU Japan management: what is the value of good management?

EU direct foreign investment into Japan could be 56% higher! With improved management skills, EU owned business in Japan could be at least € 50 billion higher than it is today. Many companies would wish to have a larger business in Japan, and generally the overall amount of direct EU investment in Japan is considered […]

The post EU Japan management: what is the value of good management? appeared first on Eurotechnology Japan.

by fasol@eurotechnology.com (Gerhard Fasol) at September 10, 2014 12:11 PM

MobileMonday London

Mobile Miscellany, 20 August 2014. Demo Night mid Sept, free passes to SDP Global Summit & discounts to our Autumn Academy..

DEMO NIGHT IS BACK 16th SEPT - APPLY TO DEMO...

Demo Night returns on Tuesday (yes, TUESDAY) 16th September and here is your opportunity to apply for a chance to do a 3 minute demo (no slideware) followed by audience questions.

As well as being a lot of fun, our Demo Nights (e.g. last September) have been an important step for many past presenters: a place to meet funders, find collaborators, get feedback, get some fame and of course, it's a chance to showcase the creativity and diversity of the community! There are no winners and losers - just a great chance to be part of one of the most entertaining events of the year!

Demo Night will take place at Informa's 10th Annual Service Delivery Innovation Summit (see below) at Thistle Hotel in Marble Arch, London. If you want to demo, you need to be quick! Apply here by 2nd September and good luck.

You can also register for the event here.

FREE DEVELOPER PASSES TO INFORMA SUMMIT, 16th & 17th SEPT

See a range of case studies from operators & third party developers showing examples of successful service innovation including Deutsche Telecom, Amazon and TomTom. Innovative service delivery from within the cloud will feature heavily, with a wide variety of panel discussions & opportunities for audience debate. Get your free pass here with this priority code: I859D/MM.

NEED TO KNOW MOBILE? THE MOBILE ACADEMY, IN CONJUNCTION WITH UCL, RETURNS SEPT 30th - DEC 2nd

Extremely well rated by our alumni, the fifth season of The Mobile Academy will start on 30th Sept and runs Tuesday and Thursday evenings until 2nd December. With sessions designed to give a grounding across business, design and technology, you will get need-to-know practical advice, tool-kits and one on one advice from industry experts who will share tips that you just cannot get from the text books. Develop new ideas in the heart of the tech scene with a diverse group of participants who will be ready to share their skills and experience.

Discounts for Mobile Monday London-ers of course, whether you are from a large organisation, SME or are applying as an individual, enter "MoMoLo" at registration.

That's all for now - we'll be back in touch to let you know when registration is open to attend Demo Night. In the meantime, do get your applications in for Demo Night, nab your free summit pass & feel free to get in touch with contact@themobileacademy.org.uk if you have any questions about the autumn course.

by Julia Shalet (noreply@blogger.com) at September 10, 2014 12:17 PM

Open Gardens

Ardusat, Countdown Institute at CTIA connected for Good event (part of super mobility week) in Las Vegas

In October, we fully launch the Countdown Institute in Miami (lab Miami) for STEM education

Countdown is based on using Ardusat technology which allows you to conduct experiments in space on a live Cubesat based satellite

Essentially, the Ardusat is based on Cubesat and contains Arduino sensors which allows us to learn Computer Science in context of Space exploration experiments

Sunny Washington President of Ardusat is speaking at the CTIA connected for good event (part of the Super Mobility week) in Las Vegas today

It’s great to see this

The talk reflects the hard work our team in Miami has been putting in working with Ardusat (Richard, Jessica, Alex and also the faculty Nelson, Willie and Patrick)

If you are at CTIA – say Hi to the Ardusat team!

by ajit at September 10, 2014 07:13 AM

September 06, 2014

Martin's Mobile Technology Page

More Background On SUPL, A-GPS, the Almanac and Ephemeris Data

After my previous posts on how to trace and analyze A-GPS SUPL requests (see here and here) I thought I'd also write a quick post with some references to more details on the parameters that are contained in an A-GPS SUPL message. When discussing GPS, two terms are regularly mentioned, The 'Almanac' and the 'Ephemeris data'. Here's a link to some background information on those terms and here's my abbreviated version:

Almanac: This information is broadcast by each GPS satellite and contains rough orbital parameters of each satellite. This information helps a GPS receiver to find other satellites during its startup procedure once it has decoded this information from a downlink signal. Note that this information is NOT contained in a SUPL response as it only gives long term rough orbital parameters that can only be used for satellite search but not for navigation.

Ephemeris: These are the precise orbital parameters of a satellite, which are only valid for a short amount of time. While each satellite broadcasts the Almanac of all satellites, a satellite only broadcasts its own Ephemeris data. SUPL responses contain the Ephemeris data of all satellites the SUPL server thinks might be visible at the rough location a mobile device is currently located, perhaps, I'm not sure, in order of certainty, as the satellite IDs in the list were not ordered. I've also run a SUPL request with a cell-id that the SUPL server did not know and as a result the server returned a very long list of Ephemeris data with ordered satellite ID numbers, probably of all the satellites it knew.

And finally, here's a link to additional background information on the individual Ephemeris parameters.

by mobilesociety at September 06, 2014 07:14 AM

September 05, 2014

Cloud Four Blog

Two pretty-good techniques for styling tricky form elements

Confession time: For most of my career, I despised form elements. Checkboxes, radios, selects and file inputs seemed to gleefully defy what little control I expected from an HTML element. Their penchant for idiosyncrasy drove me to almost as much hair-pulling and teeth-gnashing as IE6 or web-safe fonts.

These days, my frustration with form elements has quieted. Partly that’s because browsers and development tools are so much better. But more significantly, I now understand the benefits of surrendering some control to the operating system. As devices continue to accept a greater and greater variety of input methods (keyboard, mouse, touch, voice, gesture, remote, etc.) while browsers adopt an astounding variety of new input types, it’s a gift for vendors to provide default experiences consistent with the user’s expectations of the platform.

So I no longer strive for “pixel perfection” when styling form elements. I don’t need absolute control. All I want is something easy to tap that feels intentional.

When the browser defaults don’t get me there, here are my go-to workarounds.

Checkboxes and Radios: Styled Sibling

This technique works in any browser that supports CSS3 selectors (basically IE9+). If you read Radio-Controlled Web Design a few weeks ago, this should feel familiar. Let’s start with a checkbox example.

We’ll need a few HTML elements:

  • The <input> itself.
  • A dummy element to style (right next to the <input>).
  • A containing <label> that passes click events to the aforementioned <input>.

I like to wrap the <input> and dummy elements in a container to keep everything nice and tidy, but strictly speaking it isn’t required. Here’s what that markup might look like:

<label>
  <span class="checkbox">
    <input type="checkbox">
    <span class="checkbox-value" aria-hidden="true"></span>
  </span>
  Set phasers to stun
</label>

We’re now free to visually hide the checkbox, styling .checkbox-value however we like:

/* hide the "real" checkbox visually */
.checkbox input {
  border: 0;
  clip: rect(0 0 0 0);
  height: 1px;
  margin: -1px;
  overflow: hidden;
  padding: 0;
  position: absolute;
  width: 1px;
}
 
/* style the "fake" checkbox */
.checkbox-value {
  /* default/unchecked styles */
}
input:checked + .checkbox-value {
  /* checked styles */
}

When the user clicks the label, the click is passed along to the <input>, which toggles the state of :checked, which affects the appearance of .checkbox-value.

Here’s an example that styles the checkbox like an iOS-style switch:

See the Pen Styled checkbox by Tyler Sticka (@tylersticka) on CodePen.

Here’s the same idea applied to radio buttons with a slightly more conventional design (incorporating a base64-encoded SVG checkmark):

See the Pen Styled radios by Tyler Sticka (@tylersticka) on CodePen.

This technique has a few drawbacks. It requires some extra markup. It won’t work in IE8 or earlier without a fallback. It could probably use another pass for accessibility. But compared to most of the JavaScript solutions I’ve tried, this feels straightforward, consistent and predictable.

Selects and File Inputs: Transparent Overlay + JavaScript

For more complex elements like <select> and <input type="file">, we can’t get by on CSS alone (though it gets us further than one might expect).

Our markup is similar to the previous set of checkbox/radio examples, except we won’t need a <label> for click events:

<div class="select">
  <select>
    <option>Option 1</option>
    <option>Option 2</option>
    <option>Option 3</option>
  </select>
  <span class="select-value" aria-hidden="true"></span>
</div>

Instead of hiding the <select> entirely, we want to position it over the rest of our element, allowing it to intercept click events and correctly position any dropdown it may display. Because this technique relies on JavaScript, we’ll qualify some of our selectors with .js (since you’re probably already using Modernizr).

.js .select {
  position: relative;
  /* default styles */
}
.js .select:hover {
  /* hover styles */
}
.js .select.focus {
  /* focus styles */
}
 
/* nicer default styles for "real" <select> */
.select select {
  cursor: pointer;
  display: block;
  width: 100%;
}
/* hide and overlay when JavaScript is enabled */
.js .select select {
  left: 0;
  height: 100%;
  min-height: 100%;
  min-width: 100%;
  opacity: 0;
  position: absolute;
  top: 0;
}

Already, this “works.” Options will display on click. But there are some problems. The value doesn’t update. There are no hover or focus styles. That’s where JavaScript comes in!

(Although I’ve chosen to write this in jQuery for the sake of readability, remember: You Might Not Need jQuery!)

// For each .select element
$('.select').each(function(){
  // Save some elements as variables
  var $element = $(this);
  var $select = $element.find('select');
  var $value = $element.find('.select-value');
  // Bind event handlers to <select>
  $select.on({
    // On change or keyup, update the value text
    'change keyup': function () {
      $value.text($select.val());
    },
    // On focus, add the focus class
    'focus': function () {
      $element.addClass('focus');
    },
    // On blur, remove the focus class
    'blur': function () {
      $element.removeClass('focus');
    }
  });
  // Trigger the change event so the value
  // is current
  $select.trigger('change');
});

Here’s how all of that comes together:

See the Pen Styled select by Tyler Sticka (@tylersticka) on CodePen.

With some tweaks, the same basic technique can also work for file inputs (assuming experimental WebKit/Blink features aren’t your thing):

See the Pen Styled file input by Tyler Sticka (@tylersticka) on CodePen.

This idea isn’t new. Peter-Paul Koch wrote about it quite a while back. Yet I rarely see it in use outside of a few large mobile frameworks. I’m honestly not sure why.

…and beyond?

What do all of these examples have in common? They don’t mess with the form element too much! By worrying less about customizing behavior and more on simply triggering it, we can indulge some of our designerly impulses without discarding all a given platform has to offer.

Consistency and functionality… no hair-pulling or teeth-gnashing required!

Update: September 8, 2014

A reader pointed out that the select example wasn’t responding to keyboard input in Firefox. I discovered that Firefox doesn’t fire the change event for selects like other browsers do, so I’ve updated the demo and example code so that it binds to both change and keyup.

I also learned that Firefox doesn’t show the full dropdown on any keypress, but this seems to be true of unstyled <select> elements as well. I encourage developers to use these examples as a starting point, and to augment usability shortcomings on a case-by-case basis if the default browser behavior isn’t cutting it.

by Tyler Sticka at September 05, 2014 04:35 PM

London Calling

Exciting digital marketing opportunity for leading fashion brand

I rarely, if ever post jobs on my blog, however one of my clients is looking for someone to work in their digital marketing team – based in London.  I know the company well so thought I’d use my channels to help them in their search.

The job description is below – if you are genuinely interested, or know of someone who could fill this role then please get in touch with me directly and I can tell you more about the company and put you in touch with them directly.

I’m not receiving a fee for this – just want to connect the right person with this exciting company.

The short-form requirements are below

  • University background (Marketing degree preferred)
  • Native English speakers (for London and NY territories)
  • Native Swedish speaker (for Sweden)
  • Marketing and fashion background is a must
  • Digital knowledge/familiarity is a plus
  • Responsible to call on brands and retailers in the respective countries to build marketing projects and execute the ingredient branding strategy with clients

Downstream Marketing Specialist

The Downstream Marketing Specialist (DMS) will report to the global marketing director. The primary responsibilities are to develop and execute highly effective and impactful marketing actions, campaigns and sales tools that result in a steady stream of qualified sales leads.
The DMS will be tasked with increasing market and (ingredient) brand awareness, working closely with the country based sales team, they will be responsible to build momentum in the market through smart use of multiple marketing tools and media channels, social media, journal advertising, targeted campaigns, promotional events, tradeshow activities.

Responsibilities of the DMS include clear understanding of the competitive landscape, professional and consumer trends as well as competitive pricing and promotional activities. Additional responsibilities include pre- and post-promotion analysis, supporting sales meetings and tradeshows.

Responsibilities:
• Develop and execute highly effective and impactful marketing actions and sales tools for the sales team.
• Increase the market awareness of the company and the ÏSKO ingredient brand, as well as claim a space within targeted clients for their product lines.
• Create a resulting steady stream of qualified leads from marketing activities for the sales team.
• Build momentum by working closely with the leadership to execute promotional meetings and events that get the message out.
• Establish and manage contacts with key opinion leaders in the field of the denim and fashion industry
• Build and maintain relationships with the trade and consumer fashion press in the market of reference
• Stay in tune with market trends, competitive pricing and landscape to effectively be able to be proactive to the changing circumstances within our targeted markets.

Who are we looking for?
You have a Bachelor degree, 3+ years of proven downstream marketing experience and success in the fashion and/or denim industry. You are a self-starter who can take charge, plan and execute with confidence. You have excellent written and verbal communication skills, strong creative and analytical capabilities. The ideal candidate comes with a proven track record that shows outstanding results. Your background should have a mix of relevant product and marketing experience in the fashion and denim industry.

Profile:
• Proven track record of successful downstream marketing and execution
• Creative and resourceful
• Excellent written and verbal communication skills
• German (Japanese) native speaker, fluent in English. A third language will be considered a plus
• Proactive, can do attitude and a self-starter with a take charge approach
• Background in marketing communications is a plus
• Background in the denim retail industry is a plus
• Team player, relationship building skills
• At least 3 years’ successful downstream marketing experience in the fashion industry
• Flexibility to travel and the ability to work in a hectic environment


by Andrew Grill at September 05, 2014 04:08 PM

September 01, 2014

Brad Frost Web » Brad Frost Web | Web Design, Speaking, Consulting, Music, and Art

Designing an Effective Donate Form

I reached out to the Pittsburgh Food Bank last year about helping them redesign their website largely because I was having a hard time figuring out how to give them money.

So as part of our redesign of the Pittsburgh Food Bank’s website, we want to make the donate experience more visible and usable.


We’re still working hard to finish up the form design along with the rest of the site, but wanted to share some of the things we’re considering as we design the donate form:

  1. Be visible
  2. Cut out the noise
  3. Break big tasks into smaller steps
  4. Use button styling for input
  5. Provide smart defaults and suggestions
  6. Articulate impact
  7. Inline validation
  8. Use proper input types
  9. Reduce the number of taps
  10. Automatically generate city and state info
  11. Use single-field credit card input pattern

Be visible

We’re including the donate form above the footer on almost every page of the site. There’s still a dedicated donate page, but by including the donate functionality on each page we’re hoping users will be inspired to donate after reading about the Food Bank’s many wonderful initiatives.

Cut out the noise

It’s important to create an interface that helps users focus on the task at hand. For key tasks, such as a donate form or an e-commerce checkout form, it’s often a good idea to remove superfluous elements that can distract users. Including a simplified header and footer (a la Amazon’s checkout) and removing sidebars and other auxiliary content will help users accomplish the task faster.

Break big tasks into smaller steps

Another way to cut out the noise and help users focus is to break the form into smaller chunks. This reduces the cognitive load on the user, and also presents a much less intimidating form than exposing all fields at once.

Use button styling for input

Visually speaking, buttons are more approachable, more tap-friendly, quicker, and more visually appealing than a select menu, traditional input or radio button. We’re using button styling for the donation amount, with an optional input field if the user wants to donate a custom amount.

Provide smart defaults and suggestions

Many people (myself included) don’t know what a typical and appropriate donation to a food bank looks like. By providing some representative suggestions, we’re able to guide the user into the appropriate bucket. Barack Obama’s campaign donate form provides a series of button selections for common donation values:


On the food bank’s donate form, we’re also pre-selecting a reasonable value to guide users into donating a worthwhile amount.

Articulate impact

Donate form messaging

It helps for people to know the impact of their donation. Right now we have simple (placeholder) messaging that helps users understand how far their donation will go. We’re still working on the messaging and display of this info, but it will certainly help create a connection between the financial donation and the real impact it will have to alleviate hunger.

Inline Validation

There’s nothing worse than submitting a massive form only to be scolded to go fishing to find your erroneous fields. Inline validation can help users fix their problems while they’re still focused on the general area. We’re using the wonderful Parsley library to validate our inputs as users exit fields.

Reduce the number of taps

An important overall goal of a form is to reduce as much as humanly possible. The less work the user has to do the more likely they are to complete the form. Simple things like combining fields like “First Name” and “Last Name” into a field simply called “Full Name” reduces the amount of taps the user has to endure.

Use proper input types

Using the proper HTML5 input types and pattern attributes pulls up the appropriate virtual keyboard on mobile devices, saving users from having to manually switch over to enter a number.

Automatically generate city and state info

Automatically fetch city and state info from ZIP code

Surfacing the ZIP code field first allows us to automatically populate the city and state fields using a neat API called Ziptastic. This reduces the amount of fields the user has to fill out, and as a result increases their efficiency.

Use single-field credit card input pattern

Donate credit card single field pattern

We’re using the single-field credit card input pattern to collect credit card information. This provides a more concise input method for entering credit card info, and testing data for this pattern is showing that users prefer it over a more traditional credit card input. So I’m excited to see how this plays out!

Work in Progress

The site isn’t live yet, so it’s still too early to tell whether the donate form will perform as well as we hope it will. A donation form is definitely a ripe place for some A/B testing, so it will be fun to experiment with over time.

If you have data, techniques, or anecdotes about web form design, I’d love to hear them. One of the benefits of designing in the open is that we’re able to incorporate feedback and new ideas back into our design before we launch.

For more info on form design, I’d recommend taking a look at these resources:

by Brad Frost at September 01, 2014 11:58 PM

August 31, 2014

Martin's Mobile Technology Page

How SUPL Reveals My Identity And Location To Google When I Use GPS

In a previous post I was delighted to report that assisted GPS (A-GPS) has become fast enough so I no longer have to rely on Google's Wi-Fi location service that in return requires me to send Wi-Fi and location data back to Google periodically. Unfortunately it turns out that the A-GPS implementation of one of my Android smartphones sends the ID of my SIM card (the IMSI) to the A-GPS server. From a technical point of view absolutely unnecessary and a gross privacy violation.

Read on for the details...

How Assisted GPS (A-GPS) works

To get a position fix, the GPS chip in a device needs to acquire the signal of at least three satellites. If the GPS chip is unaware of the identities of the satellites and their orbits this task can take several minutes. To speed things up a device can get information about satellites and their current location from an A-GPS server on the Internet. The single piece of information the server requires is a rough location estimate from the device. Usually a device is not aware of its rough location but it knows other things that can help such as the current cellular network id (MCC and MNC) and the id of the cell that is currently used. This information is sent to the A-GPS server on the Internet that then determines the location of the cell or network with a cell id / location database. The location of the cell or network is precise enough to assemble the satellite information that applies to the user's location which is then returned over the Internet connection. The satellite information is then fed to the GPS chip which can then typically find the signals of the GPS satellites in just a few seconds.

No Private Information Required

It's important to realize at this point that no personal information such as a user's ID is required in this process. The only information that can be traced back to a person, if the A-GPS client is implemented with privacy in mind, is the IP address from which the request was made to the server. In practice a mobile device is usually assigned a private IP address which is mapped to a public IP address from which the request seems to have originated. This public IP address is shared with many other users. Hence, only the network operator can identify which user has originated the request while the A-GPS server never gains any insight into who has sent the request.

The SUPL protocol and Privacy Breaching Information Fields

A standardized method for a device to gather A-GPS information from a server is the Secure User Plane Location protocol (SUPL). Several companies provide A-GPS SUPL servers answering requests on TCP port 7275 such as Google (supl.google.com) and Nokia/Microsoft (supl.nokia.com). In the case of my Android smartphone, supl.google.com is used. As the 'S' in 'SUPL' suggests, the protocol uses an encrypted connection for the request. As a consequence, using Wireshark without any additional tools to decode the request won't work as the content of the exchange is encrypted. Fortunately there's SUPL-PROXY, an open source piece of software by Tatu Mannisto that can be used in combination with domain redirection to proxy the SUPL SSL connection and decode the request and response messages. And on top, the SSL certificate generated by Tatu's software for the proxying can be fed into Wireshark which will then also decode the SUPL messages. And what I saw here very much disappointed me:

My SIM Card ID In The SUPL Request And No SSL Certificate Check

I almost anticipated it but I was still surprised and disappointed to see my SIM card's ID, the International Mobile Subscriber Identity (IMSI) in the request. This is shown in the first screenshot below. As explained above, the IMSI or any other personal information is not necessary at all for the request so I really wonder why it is included!? And just to make sure this is really the case I ran another test without a SIM card in the device and also got a valid SUPL return with the IMSI field set to 0's.

The second screenshot shows the cell id in the request which is required for the SUPL request. The IMSI in combination with the cell ID provides the owner of the SUPL server (i.e. Google in my case) a permanent personal identifier and as a consequence the ability to pinpoint and record my location whenever a SUPL request is made. And in this day and age, it's pretty certain that my network operator is not the only entity that is aware of my IMSI...

The third screenshot below shows the first part of the SUPL response which includes the location of the cell that served me when I recorded the SUPL request. Just type the two coordinates into Google search and you'll end up with a nice map of the part of Austria where I was when I put together this post. The second part, not shown in the screenshot, contains the satellite information for the GPS receiver.

And the cream on top is that the SUPL client on my Android device did NOT check the SSL certificate validity. I did not include the server certificate in the trusted certificate list so the client should have aborted the request during the SSL negotiation phase. But it didn't and thus anyone between me and the SUPL server at Google can get my approximate location by spoofing the request in the same way I did. I'm sure that two years ago, most people would have laughed and said that it's unlikely this could happen or that someone else but my network operator would know my IMSI, but one year post-Snowden I don't think anyone's laughing anymore...

When The Baseband Makes The Query

And now to the really scary part: The next thing I tried was if I could reproduce this behavior with other Android devices at hand. To my surprise the two I had handy would not send a SUPL request over Wi-Fi and also not over the cellular network (which I traced with tcpdump on the device). After some more digging I found out that some cellular radio chips that include a GPS receiver seem to perform the requests themselves over an established cellular IP connection. That means that there is NO WAY to trace the request and ascertain if it contains personal information or not. This is because the request completely bypasses the operating system of the device if it is made directly by the radio chip. At this point in time I have no evidence that the two devices from which I did not see SUPL requests actually use such a baseband chip A-GPS implementation and if there are personal identifiers in the message or not. However, I'm determined to find out.

[Screenshots: Supl-issue-1-imsi-removed, Supl-issue-2, Supl-issue-3]

And for those of you who'd like to try yourselves I'll have a follow up post that describes the details of my trace setup with two Raspberry PI's, Wireshark, and the SUPL-PROXY software mentioned above.

by mobilesociety at August 31, 2014 06:55 AM

August 29, 2014

Brad Frost Web » Brad Frost Web | Web Design, Speaking, Consulting, Music, and Art

Why

In my latest post for the Pastry Box project, I explain the importance of understanding why you do what you do.

by Brad Frost at August 29, 2014 02:21 PM

Martin's Mobile Technology Page

Still Early Days for TIM's LTE Network in Italy

I recently traveled to Italy and since my home network operator has an LTE roaming agreement with TIM, I could of course not resist trying out their LTE network. While many network operators have started with LTE quite a while ago and are now in the process of optimizing their networks, it seems TIM is not as far down that road yet. Both in Udine and Mestre I got LTE coverage from a 10 MHz carrier on the 800 MHz band. When making phone calls, the LTE network would always send my device to the GSM network and not to the also existing UMTS network. This is quite a shame since it increases the call setup time and also denies me data connectivity during the call. Hm, I wonder if they have optimized their network next time I have a look because this looks like early days.

by mobilesociety at August 29, 2014 12:13 PM

Automating The Update of the Android 'Hosts' File to Block Ads And Other Stuff

Recently, I wrote two posts (see here and here) on how to use the Android/Linux 'hosts' file to block advertising and unwanted automatic OS downloads. Since then I've taken the approach further and have put the 'hosts' file for blocking on Github from where it can be downloaded by anyone.

To simplify usage I've put together a couple of scripts:

One script that runs in a terminal app on Android can be used for occasional updates of the blocking list. The script would have been a no-brainer but unfortunately the Android Busybox 'wget' implementation does not support https. Github, however, rightly insists on using https. So I had to find a different solution. The solution I found is to use 'curl'. Fortunately, the curl developers provide binaries for a number of operating systems, including Android here. The zip file for Android contains 'curl' and 'openssl' which have to be copied to '/system/bin' on a rooted Android device. The script to download the hosts file and copy it to '/etc/hosts' then looks as follows:  

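# Remount /system read-write so the hosts file can be replaced
mount -o rw,remount /system
cd /etc
# Keep the previous blocking list as a backup
mv hosts.blocked hosts.blocked.bak

# -k makes curl skip TLS certificate verification for this download
curl -k https://raw.githubusercontent.com/martinsauter/Mobile-Block-Hosts-List/master/hosts.blocked >hosts.blocked

# Activate the new list and make /system read-only again
cp hosts.blocked hosts
mount -o ro,remount /system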

In addition, 'ho.sh' (hosts -- open) puts the original 'hosts' file back in place to disable blocking while 'hb.sh' (hosts -- block) overwrites the 'hosts' file with a local copy of the blocking list to switch blocking back on again.

Simple, effective and quick!

by mobilesociety at August 29, 2014 11:45 AM
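The update script in the post above copies whatever curl returns into /etc/hosts, and `-k` switches off TLS certificate verification, so an error page or an altered list would be installed as-is. The following is an added example, not the author's script, that validates the download before swapping it in. The function names, the `hosts.blocked.new` temporary name, the strict "127.0.0.1 only" rule and the presence of a CA bundle for curl are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script from the post: check a downloaded blocking
# list before it becomes the active hosts file.

# Succeeds only if the file has at least one entry and every entry maps a
# syntactically valid host name to 127.0.0.1. Comment and blank lines are
# allowed; anything else (an HTML error page, a mapping to another IP, a
# trailing comment) is reported on stdout and fails the check.
validate_blocklist() {
    awk '
        { sub(/\r$/, "") }              # tolerate CRLF line endings
        /^[ \t]*#/ { next }             # comment line
        /^[ \t]*$/ { next }             # blank line
        {
            if (NF != 2 || $1 != "127.0.0.1" ||
                $2 !~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/) {
                printf "rejected line %d: %s\n", NR, $0
                bad = 1
                exit
            }
            entries++
        }
        END { if (bad || entries == 0) exit 1 }
    ' "$1"
}

# $1 = candidate list, $2 = directory that holds hosts and hosts.blocked.
# The active files are only touched after the candidate passed validation.
install_blocklist() {
    new=$1
    dir=$2
    if ! validate_blocklist "$new"; then
        rm -f "$new"
        return 1
    fi
    if [ -f "$dir/hosts.blocked" ]; then
        cp "$dir/hosts.blocked" "$dir/hosts.blocked.bak"
    fi
    mv "$new" "$dir/hosts.blocked" && cp "$dir/hosts.blocked" "$dir/hosts"
}

# $1 = URL of the list, $2 = target directory (default /etc).
# --fail makes curl return an error on HTTP failures instead of saving the
# error page. No -k: this assumes curl can verify the server certificate.
update_hosts() {
    url=$1
    dir=${2:-/etc}
    tmp="$dir/hosts.blocked.new"
    if ! curl --fail --silent --show-error "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    install_blocklist "$tmp" "$dir"
}
```

On a rooted Android device as in the post, `update_hosts` would be called between the two `mount -o ...,remount /system` commands.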

August 26, 2014

Open Gardens

New futuretext web site is now live

Over the last two years, I have been refocussing my work and much of that is now complete

 

Have a look at the new futuretext site which reflects my emphasis on Machine Learning and IoT – both for projects and teaching

 

by ajit at August 26, 2014 07:25 AM

August 25, 2014

Kai Hendry's blog

How much does it cost to run an Archlinux mirror on EC2

AWS

Singapore kindly gifted http://hackerspace.sg/ with 500SGD of AWS credits.

Since the mirrors http://mirror.nus.edu.sg/ and http://download.nus.edu.sg, which are two separate competing groups from the NUS which oddly try to outdo each other in incompetence, have had several issues mirroring Archlinux in my two year experience of using either of them, I thought let's use these credits to host an Archlinux mirror!!

After much head scratching with the AWS jargon of {ebs,s3} and {hvm,paravirtual} EC2 Archlinux images, I launched an "ebs hvm" instance of m3.xlarge.

I got a nice 80GB zpool going for the mirror and everything was looking good. However, now to do the budgeting.

On demand pricing is $0.392 an hour

There are roughly 9000 hours in a year. So that's $3528. Eeeek, over budget by just 3000 dollars!

Ignoring added complexity of Spot and EBS enhancements, a one year reserved instance under "Light Utilization Reserved Instances" (I am not sure what that means) is 497 dollars! Yes!!

I'm told "Light utilization means that you will not turn it on all the time". For 1 year I would need heavy utilization!

So a m3.xlarge would be: 981 (down payment) + 24 * 365 * 0.124 = $2067.24, about 1500 dollars over budget.

Oh and bandwidth?

Well, a mirror is going to be a network whore. AWS charges for bandwidth. I tried their calculator (since I couldn't figure out what they charge per GB) with a lowball 1TB a month in and out and that costs almost 200USD.

Wow that's expensive! AWS EC2 (+ 500SGD credit) isn't suitable for an Archlinux mirror! :(

Digital Ocean quote

For a machine with at least 50GB of disk, you would need Digital Ocean's 60GB offering, with

  • 4GB / 2 CPUS
  • 60GB SSD DISK
  • 4TB TRANSFER

So that is 40USD a MONTH or 480USD a year. A lot cheaper than EC2, and bandwidth clearly priced at 2c per GB, so 1TB = 20USD IIUC.

Lessons learnt

Running a mirror is quite expensive on EC2. It's not really feasible on DO either without some free unmetered traffic.

August 25, 2014 07:43 AM

August 22, 2014

Martin's Mobile Technology Page

How To Trace An A-GPS SUPL Request

In a previous post I've described my results of tracing an A-GPS SUPL request from my mobile device to the Google GPS location service and the issues I've discovered. In this follow-up post I thought I'd give an overview of how to set up an environment that allows tracing and decoding the conversation.

Does Your Device Send SUPL Requests Over Wi-Fi?

The first thing to find out before proceeding is whether a device sends SUPL requests over Wi-Fi at all. It seems that some devices don't and only use a cellular connection as SUPL requests are sent directly from the cellular baseband chip.

To trace SUPL on Wi-Fi there must be a point between the mobile device and the backhaul router to the Internet on which Wireshark or Tcpdump can be run to record the traffic. I've used my Raspberry Pi based VPN Wi-Fi Travel Router for the purpose. If you have an Android based device that is rooted it's also possible to run tcpdump directly on the device. The first screenshot on the left shows a DNS query for supl.google.com followed by an encrypted SUPL request to TCP port 7275 that you should see before proceeding. Note that a SUPL request is only done if the device thinks that the GPS receiver requires the information. A reliable way to trigger a SUPL request on my device was to reboot if I didn't see a SUPL request after starting an application that requests GPS information such as Osmand.

The Challenge

As the name suggests, the Secure User Plane Location (SUPL) protocol does not send plain text messages. Instead, a Secure Socket Layer (SSL) connection is used to encrypt the information exchange. The challenge therefore is to figure out a way to decrypt the messages. If you are not the NSA, the only chance to do this is to put a proxy between the SUPL client on the mobile device and the SUPL server on the Internet. This splits the single direct SSL connection between client and server into two SSL connections which then allows decrypting and re-encrypting all messages on the proxy. At first, I hoped I could do this with MitmProxy but this tool focuses on web protocols such as https and would not proxy SUPL connections.

Compiling and Running SUPL-PROXY

After some research I came across SUPL-PROXY by Tatu Mannisto, a piece of open source software that does exactly what I wanted. Written in C it has to be compiled on the target system and it does so without too much trouble on a Raspberry Pi. The only thing I had to do in addition to what is described in the readme file is to set a path variable after compiling so the executable can find a self compiled library that is copied to a library directory. In essence the commands to compile supl-proxy, a couple of other binaries and to set the command variables are as follows:

# untar/unzip and compile
mkdir supl
cd supl
tar xvzf ../supl_1.0.6.tar.gz
cd trunk
./configure --precompiled-asn1
make
sudo make install

# Now set LD_LIBRARY_PATH. It does not seem to be used on the Pi as it is empty.
echo $LD_LIBRARY_PATH
# Append /usr/local/lib without leaving an empty entry (the loader reads an empty entry as the current directory)
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/usr/local/lib
echo $LD_LIBRARY_PATH
export LD_LIBRARY_PATH

First Test with SUPL-CLIENT

Before proceeding, it's a good idea to check if the supl package is working. This can be done by using SUPL-CLIENT which will send a SUPL request to a SUPL server. The command below uses a network and cell id in Finland:

supl-client --cell=gsm:244,5:0x59e2,0x31b0 --format human

If the request was successful the output will look as follows:

Reference Location:
  Lat: 61.469997
  Lon: 23.807695
  Uncertainty: 59 (2758.0 m)
Reference Time:
  GPS Week: 782
  GPS TOW:  5879974 470397.920000
  ~ UTC:    Fri Aug 22 10:39:58 2014
Ephemeris: 30 satellites
  # prn delta_n M0 A_sqrt OMEGA_0 i0 w OMEGA_dot i_dot Cuc Cus Crc Crs Cic Cis toe IODC toc AF0 AF1 AF2 bits ura health tgd OADA
[...]

Creating A SUPL-PROXY SSL Certificate

One more thing that needs to be done before SUPL-PROXY will run is to create an SSL certificate that it will send to a supl client during the connection establishment procedure. This is necessary as the proxy terminates the SSL connection to the client and creates a second SSL connection to the 'real' SUPL server on the Internet. This is done with a single command which creates a 'false' certificate for supl.google.com:

supl-cert supl.google.com

A Copy Of The SSL Server Certificate For The Client Device

The command above will create four files and one of them, srv-cert.pem, has to be copied to the mobile device and imported into the certificate store. For details, have a look at the description of how this is done for mitmproxy, a piece of software not used here, but which also requires this step.

What I noticed when I used SUPL-PROXY with my Android device was that the supl client did not check the validity of the server certificate and thus this step was not necessary. This is a serious security issue so if you want to know if your device properly checks the validity of the certificate don't copy the certificate to the mobile device and see if the SUPL request is aborted during the SSL connection establishment. Another approach is to first install it to be able to trace the SUPL request and later on remove the certificate again from the mobile device to see if SUPL requests are then properly aborted during the connection establishment phase.

Starting SUPL-PROXY

Once done, SUPL-PROXY can be started with the following command:

supl-proxy supl.nokia.com

This will start the proxy which will then wait for an incoming SUPL request and forward it to supl.nokia.com.  Note that the incoming request from the client is for supl.google.com and the outgoing request will be to supl.nokia.com. This is not strictly necessary but makes the redirection of supl.google.com in the next step easier and also shows that Google's and Nokia's SUPL servers use the same protocol.

Redirecting SUPL Requests To The Proxy

At this point all SUPL requests will still go directly to Google's server and not the local supl proxy so we need to redirect the request. If you have a rooted Android device you can modify the /etc/hosts file on the device and point supl.google.com to the IP address of the device on which SUPL-PROXY waits for an incoming request (e.g. 192.168.55.17 in the example below). Another option is to make the DNS server return the IP address of the device that runs SUPL-PROXY. In my setup with the Raspberry Pi VPN Wi-Fi Router this can be done by editing /etc/hosts on the Raspberry Pi router and then restarting the DNS server. Here are the commands:

sudo nano /etc/hosts
--> insert the following line: 192.168.55.17   supl.google.com


sudo service dnsmasq restart

Tracing And Decoding A SUPL Request with SUPL-PROXY

At this point everything is in place for the SUPL request to go to SUPL-PROXY on the local device. After rebooting the mobile device and starting an app that requests GPS information, the request is now sent to SUPL-PROXY which in turn will open a connection to the real SUPL server and display the decoded request and response. Here's what the output looks like:

pi@mitm-pi ~ $ supl-proxy supl.nokia.com
Connection from 192.168.55.16:48642
SSL connection using RC4-MD5
Client does not have certificate.
mobile => server
<ULP-PDU>
    <length>43</length>
    <version>
        <maj>1</maj>
        <min>0</min>
        <servind>0</servind>
    </version>
    <sessionID>
        <setSessionID>
            <sessionId>5</sessionId>
            <setId>
                <imsi>00 00 00 00 00 00 00 00</imsi>
            </setId>
        </setSessionID>
    </sessionID>
    <message>
        <msSUPLSTART>
            <sETCapabilities>
                <posTechnology>
                    <agpsSETassisted><true/></agpsSETassisted>
                    <agpsSETBased><true/></agpsSETBased>
                    <autonomousGPS><true/></autonomousGPS>
                    <aFLT><false/></aFLT>
[...]

The output is rather lengthy so I've only copy/pasted a part of it into this post to give you a basic idea of the level of detail that is shown.

Tracing And Decoding A SUPL Request with Wireshark

The SUPL-PROXY output contains all request and response details in great detail so one could stop right here and now. However, if you prefer to analyze the SUPL request / response details in Wireshark, here's how that can be done: While a SUPL request that goes to the 'real' SUPL server directly can't be decoded due to the use of SSL and the unavailability of the server's SSL key, it's possible to decode the SUPL request between the SUPL client and SUPL-PROXY as the server's SSL key is available. The SSL key was created during the certificate creation process described above. 'srv-priv.pem' contains the private key and can be imported in Wireshark as follows:

  • In Wireshark select "follow TCP stream" of a supl conversation. The TCP destination port is 7275
  • In the stream select "decode as --> SSL". The cipher suite exchange then becomes visible
  • Right-click on a certificate exchange packet and select "Protocol Preferences --> RSA Key List"
  • Enter a new RSA key as shown in the first screenshot below. Important: The protocol is called "ulp", all in LOWERCASE (uppercase won't work!!!)

The second screenshot below shows what the output looks like once the SSL layer can be decrypted.

Have fun tracing!

[Screenshots: Wireshark-supl-configuration, Wireshark-supl-configuration-2]

by mobilesociety at August 22, 2014 11:23 AM
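The decoded SUPL-PROXY output in the post above is long, and the field that matters for the privacy question is the `<imsi>` element inside `<setId>`. The following added example (not part of the original post or of the supl package) scans saved proxy output and reports, per client connection, whether a non-zero IMSI was sent, without printing the identifier itself. It assumes the `Connection from` and `<imsi>hex octets</imsi>` layout shown in the post; the function names and the second sample connection are constructed.

```shell
#!/bin/sh
# Added example: audit saved supl-proxy output for subscriber identifiers.
# Assumes the line layout shown in the trace in the post.

# Prints one line per connection: "<client> imsi-empty" or
# "<client> imsi-PRESENT". The identifier value is never printed.
# Exit status is 1 if any connection carried a non-zero IMSI.
audit_supl_log() {
    awk '
        BEGIN { client = "unknown" }
        /^Connection from / { client = $3; seen = 0 }
        # The session ID can appear in several messages of one exchange,
        # so report it once per connection.
        !seen && match($0, /<imsi>[^<]*<\/imsi>/) {
            octets = substr($0, RSTART + 6, RLENGTH - 13)
            gsub(/[ \t]/, "", octets)
            if (octets ~ /^0*$/) {
                print client, "imsi-empty"
            } else {
                print client, "imsi-PRESENT"
                leaks++
            }
            seen = 1
        }
        END { exit (leaks > 0) }
    ' "$1"
}

# Constructed sample: the first connection mirrors the all-zero trace from
# the post, the second carries a made-up non-zero value.
write_sample_log() {
    cat > "$1" <<'EOF'
Connection from 192.168.55.16:48642
SSL connection using RC4-MD5
Client does not have certificate.
mobile => server
<ULP-PDU>
    <sessionID>
        <setSessionID>
            <sessionId>5</sessionId>
            <setId>
                <imsi>00 00 00 00 00 00 00 00</imsi>
            </setId>
        </setSessionID>
    </sessionID>
</ULP-PDU>
Connection from 192.168.55.23:51200
mobile => server
<ULP-PDU>
    <sessionID>
        <setSessionID>
            <sessionId>7</sessionId>
            <setId>
                <imsi>11 22 33 44 55 66 77 F8</imsi>
            </setId>
        </setSessionID>
    </sessionID>
</ULP-PDU>
EOF
}

# Run "sh thisfile --demo" to audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    write_sample_log "$sample"
    audit_supl_log "$sample" || echo "at least one device sent its IMSI"
    rm -f "$sample"
fi
```

To audit a real trace, save the proxy output with `supl-proxy supl.nokia.com > supl.log` and run `audit_supl_log supl.log`.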

August 20, 2014

Martin's Mobile Technology Page

VLC on Android for Down to Earth Music Listening

While I like music streaming when I'm at home, things are quite different when it comes to listening to music on my smartphone. Here, I don't have a large library of individual tracks ripped from CDs or other sources, it would be too much work... Also, I don't use online streaming services while I'm on the go as the amount of data I have on my mobile contract per month is limited, the battery goes flat much too quickly and there are spots on my daily commute where I don't have coverage. So what I have on my mobile are recordings of the radio streams I like, each spanning several hours. The player to play these must only do one thing: play them. No album art, no database lookups, just play and play them instantly.

Unfortunately, pretty much all native players I've come across. Especially the CyanogenMod Apollo player has problems with my recordings as it takes at least 10 seconds before it starts playing. I have no idea what it does in the meantime. So I had to go on the lookout for another player app that meets my needs and I had to find out that there's a large assortment, but all not to my (privacy) taste. But then I stumbled over a player I use on my notebook as well that fits perfectly: VLC. It's open source, simple to use, there's no album art lookups and privacy leaks, it plays pretty much any audio and video codec ever invented and it plays my files without any delay. Perfect!

by mobilesociety at August 20, 2014 05:15 PM

How To Block Software Updates While Traveling On My VPN Access Point

In a previous post I've described how today's smartphones and tablets take Wi-Fi connectivity as an invitation for downloading large amounts of data for software updates and other things without user interaction. This is particularly problematic in Wi-Fi tethering scenarios and when using slow hotel Wi-Fi networks when traveling. But at least in the latter case I can fix things by adding banned URLs in the 'hosts' file on my Raspberry Pi based VPN Wi-Fi Travel Router. After changing the hosts file, a quick restart of the DNS server on the router via 'sudo service dnsmasq restart' is required.

Over time, my hosts file has grown quite a bit since I first started to use it as a line of defense against unwanted advertising, privacy invasions and software downloads. Here's my current list:

127.0.0.1   localhost

#Prevent the device to contact Google all the time
127.0.0.1   mtalk.google.com
127.0.0.1   reports.crashlytics.com
127.0.0.1   settings.crashlytics.com
127.0.0.1   android.clients.google.com
127.0.0.1   www.googleapis.com
127.0.0.1   www.googleadservices.com
127.0.0.1   clients3.google.com
127.0.0.1   play.googleapis.com
127.0.0.1   www.gstatic.com
127.0.0.1   ssl.google-analytics.com
127.0.0.1   id.google.com
127.0.0.1   clients1.google.com
127.0.0.1   clients2.google.com

#Amazon is really nosy, too...
127.0.0.1   www.amazon.com
127.0.0.1   s.amazon-adsystem.com
127.0.0.1   api.amazon.com
127.0.0.1   device-metrics-us.amazon.com
127.0.0.1   device-metrics-us-1.amazon.com
127.0.0.1   device-metrics-us-2.amazon.com
127.0.0.1   device-metrics-us-3.amazon.com
127.0.0.1   device-metrics-us-4.amazon.com
127.0.0.1   device-metrics-us-5.amazon.com
127.0.0.1   device-metrics-us-6.amazon.com
127.0.0.1   device-metrics-us-7.amazon.com
127.0.0.1   device-metrics-us-8.amazon.com
127.0.0.1   device-metrics-us-9.amazon.com
127.0.0.1   device-metrics-us-10.amazon.com
127.0.0.1   device-metrics-us-11.amazon.com
127.0.0.1   device-metrics-us-12.amazon.com
127.0.0.1   mads.amazon.com
127.0.0.1   aax-us-east.amazon-adsystem.com
127.0.0.1   aax-us-west.amazon-adsystem.com
127.0.0.1   aax-eu.amazon-adsystem.com

#No need for Opera to call home all the time
127.0.0.1   mini5-1.opera-mini.net
127.0.0.1   sitecheck1.opera.com
127.0.0.1   sitecheck2.opera.com
127.0.0.1   thumbnails.opera.com

#Some more 'services' I don't need
127.0.0.1   audioscrobbler.com
127.0.0.1   weather.yahooapis.com
127.0.0.1   query.yahooapis.com
127.0.0.1   platform.twitter.com
127.0.0.1   linkedin.com

#Prevent automatic OS updates for a number of vendors
127.0.0.1   fota.cyngn.com
127.0.0.1   account.cyanogenmod.org
127.0.0.1   mdm.asus.com
127.0.0.1   mdmnotify1.asus.com
127.0.0.1   updatesec.sonymobile.com

#Ad blocking
127.0.0.1   ad8.adfarm1.adition.com
127.0.0.1   googleads.g.doubleclick.net
127.0.0.1   stats.g.doubleclick.net
127.0.0.1   mobile.smartadserver.com
127.0.0.1   www.google-analytics.com
127.0.0.1   pagead2.googlesyndication.com
127.0.0.1   ads.stickyadstv.com
127.0.0.1   pixel.rubiconproject.com
127.0.0.1   t1.visualrevenue.com
127.0.0.1   beacon.krxd.net
127.0.0.1   rtb.metrigo.com
127.0.0.1   c.metrigo.com
127.0.0.1   ad.zanox.com
127.0.0.1   cm.g.doubleclick.net
127.0.0.1   ib.adnxs.com
127.0.0.1   ih.adscale.de
127.0.0.1   ad.360yield.com
127.0.0.1   ssp-csynch.smartadserver.com
127.0.0.1   ad.yieldlab.net
127.0.0.1   dis.crieto.com
127.0.0.1   rtb.eanalyzer.de
127.0.0.1   connect.facebook.net
127.0.0.1   b.scorecardresearch.com
127.0.0.1   sb.scorecardresearch.com
127.0.0.1   ads.newtentionassets.net
127.0.0.1   ak.sascdn.com
127.0.0.1   fastly.bench.cedexis.com
127.0.0.1   probes.cedexis.com
127.0.0.1   x.ligatus.com
127.0.0.1   d.ligatus.com
127.0.0.1   a.visualrevenue.com
127.0.0.1   radar.cedexis.com
127.0.0.1   www.googletagservices.com
127.0.0.1   pubads.g.doubleclick.net
127.0.0.1   prophet.heise.de
127.0.0.1   farm.plista.com
127.0.0.1   static.plista.com
127.0.0.1   video.plista.com
127.0.0.1   tag.yoc-adserver.com

by mobilesociety at August 20, 2014 09:22 AM