
Thursday, June 28, 2012

Change The Color Of Status Bar In iOS With ‘StatusTint’

Owners and lovers of devices running the Android operating system will regularly tell you that one of the shortcomings of iOS is the fact that the visuals of the software can’t really be customized in any way. While this may be true for stock installations of Apple’s mobile operating system, performing a jailbreak on the device leaves the whole system open to intense customization.

Some jailbreakers prefer to go down the route of installing full home screen themes, which involves pretty much every aspect of the user interface being aesthetically changed, as well as individual system sounds being added and amended. One of the main benefits of that is that it makes your iOS device completely unique.

Some users prefer a more subtle approach to customization, something which the StatusTint tweak may provide. The StatusTint package is available from the jailbroken Cydia store and allows modification of the system-wide status bar that appears at the top of the operating system containing things like the signal strength indicator, the current time and battery level, as well as any data or Wi-Fi icons.

There are a number of reasons why an individual may want to amend the look and feel of the status bar, ranging from changing it to your favorite color to altering it so that it suits the aesthetics of your favorite or most-used apps. Regardless of the reason, if you can look past the fact that it isn’t one of the most earth-shattering packages in terms of functionality, it actually is a fun and relatively useful tweak.

No additional home screen icons are added with StatusTint, with all of the modifications being possible through a dedicated preferences section in the Settings app. The required color can be set and amended using the supplied RGB sliders, with users also being given the option of setting the status bar to a solid color or mashing their own gradient pattern through the use of two colors.

StatusTint is available as a free of charge download from the ModMyi repository with no specific iOS version requirements being given.




Powered By WizardRSS.com | Full Text RSS Feed | Amazon Plugin Wordpress | Android Forums | Wordpress Tutorials

Sparrow for iPad, it’s coming!

Saad Hamid on June 7, 2012

I must say that if there is one iPhone app that I simply can't live without, it has to be Sparrow for iPhone.

Sparrow for iPhone is an email client much similar to the default Mail.app client in iOS but rich with a lot of features that make it simply much more pleasing to the eye.

And not just the iPhone, the Sparrow mail client for Mac has actually forced me to ditch the default Mail.app in Mac OS X due to its light-weight, pleasing gestures, and easy-to-use functionality. And looks like, the iPad will be next.

The company is preparing to launch the iPad version of Sparrow, for which they have set up a special page at http://www.sprw.me/ipad/ that teases "We are preparing something bigger".

One feature that has kept Sparrow users disappointed is the lack of Push support. Let's hope they add Push support to the iPad client at least.




Adjusting Privacy Settings of GAFG

With the year at its midpoint, the tech industry has had its share of highs and lows. Whether it was the ongoing patent wars, a workforce taking its employers to court on anti-trust grounds, the go-live of IPv6 or CISPA making its way through Congress, it would probably be fair to assume that the industry has been in the sights of regulators more than innovators. Google’s controversial privacy policy changes, as exposed by SafeGov.org, fit the discussion best.

Before we proceed with the details of a story that is read differently by plaintiff and pontiff, let’s identify the premise. Google announced changes to the privacy policies binding both consumers and government users. Announced in January, the changes were to take effect from early March. According to the public statement, the changes were aimed at simplifying the privacy policies. The ‘fine print’ was decoded by SafeGov.org, a group dedicated to ensuring uptake of best practices for cloud adoption within the government sector. On that reading, users’ data across all Google services would be combined to enable customized service delivery across all platforms. The flaw inherent in this was the contradiction it posed with the Google services contracted to government employees.

Workers using Google Apps for Government (GAFG) are covered by individual contracts and are not bound by the privacy policy changes, stated Google when prompted by SafeGov.org. Google’s word was taken in good faith and the matter rested until recently, when SafeGov.org brought forward publicly posted GAFG contracts signed with government bodies. There was reason to believe that SafeGov.org’s inquiries stood on legitimate grounds indeed.

Suitably titled ‘Do Google’s Government Contracts Really Supersede its Privacy Policy’, an exposé posted on the website on the 15th of June 2012 relates three separate instances of publicly posted contracts. It raises an argument around the security and privacy of the classified information the government deals in, which now stands compromised after adoption of the amendments to the privacy policy, since from what the contracts read, the position is similar for both consumer and government users.

As quoted by our source, Google VP of Enterprise Amit Singh was reached by The Washington Post for comment and responded: “Enterprise Customers who use GAFG have individual contracts. These have always superseded Google’s Privacy policy.”

Contracts entered into with government bodies for the use of Google Apps portray a different picture. Although Google hasn’t been taken through any legal proceedings over this, the tech giant shouldn’t overlook the matter in passing.

Nokia Global Launch in Pakistan: First Time Ever!

We are invited to a number of launch events and have attended almost all of them; being in Pakistan, we have always been part of launch events for devices that are about to be launched in Pakistan.

Thanks to Nokia Pakistan, for the first time ever, a new Nokia phone announcement was made from Pakistan at a global launch event held at Marriott Hotel, Karachi last week.

This was a media event held just for the traditional media, newspapers/magazines and online media (this is where we come in!). Sizzled Core, along with a bunch of other bloggers around Pakistan were invited to be a part of this grand event.

Nokia’s decision to choose Pakistan for the global launch of their upcoming devices was a clear sign of how important the Pakistani market is for Nokia. Nokia aims to connect the next billion people with the newly launched Nokia 110 and Nokia 112. Great presentations, an overview of how strong the telecommunications industry is in Pakistan, dance, music, fireworks… all of this was part of the Nokia event.

Nokia has the biggest app store in Pakistan, with 2,000,000+ weekly downloads on average! Almost all of the media from Pakistan is accessible on the Nokia Store; apps include Geo, Aaj TV, Dawn News, Express Tribune, ARY News, Radio Pakistan etc.

Some really cool local applications are also available, such as Cricket, Ludo, Toffee TV etc. Islamic apps on the App store have millions of downloads. There are over 400 local apps, with 200+ Pakistan developers contributing to the Nokia App store which bring the download count of the Pakistani content to over 17 million!

These statistics and figures were shared by the three key speakers of the main event: Imran Khalid Mahmood, Saulo Passos and Calin Turcanu. The event had global and regional spokespersons from Nokia sharing their thoughts on emerging markets and the new devices. Here is a brief intro to each of these speakers.

Imran Khalid Mahmood

Imran Khalid Mahmood is the VP, Near East, Nokia Corporation, responsible for heading Nokia’s sales strategy in this region. He leads on all measurable KPIs and keeps strict vigilance over them, which is a main reason for Nokia’s success and popularity in this region.

Saulo Passos

Saulo Passos is the Global Director Mobile Phone Communications at Nokia, based in London, England. As part of the global Mobile Phones leadership team, his main focus targets the Next Billion strategy, a Nokia effort to connect more people to the internet, using a mobile device as the leading path.

Calin Turcanu

Since August 2011, Calin Turcanu has been Head of the Mobile Phones Business Unit, Nokia India, Middle East & Africa, and oversees sales, marketing and business development of Nokia devices in the region. Calin is actively involved in developing business strategies to ensure market success of key Nokia devices while strengthening Nokia’s brand presence in the region.

Remember the dance and music I mentioned earlier? Check out the photo below.

We’ll try to get a full video coverage for you to watch it as well. This performance was just before the Nokia team unveiled their new Nokia 110 and Nokia 112.

These new devices will be available in Pakistan and soon after in the rest of the world, starting from the end of May. Prices of these new Nokia phones were one of the main concerns of the attendees. The Nokia 110 is priced at Rs. 3800 and the Nokia 112 will be available for Rs. 4000. Very affordable, isn’t it?

Nokia is continuously working on making value-rich features affordable at all price points; the Nokia 110 and Nokia 112 are great examples of how even entry-level Nokia devices not only offer optimized and affordable internet but also flaunt a stylish design that caters to a variety of lifestyles.

These devices will prove to be a true enabler in providing the people of Pakistan and the consumers from other growing economies with their first internet experience on mobile phone. Having internet on mobile phone opens up doors for new opportunities for the masses and helps them follow their dreams.

Now, we expect Nokia to make a bigger global launch announcement from Pakistan next time!




Sparrow for iPhone Updated to Version 1.3 – Now Supports POP Accounts

Sparrow for iPhone, formerly just a Mac OS X app, was launched a few months ago as a Gmail client. Recently, version 1.6 of the desktop app was released with support for POP accounts, which meant that Hotmail and the like would work with Sparrow. The same feature has just been added to the iPhone app as well, so the list of compatible email services now looks like this:

Use your Gmail, Hotmail, Google Apps, iCloud, Yahoo, AOL, Mobile Me and custom IMAP/POP accounts.

Apart from this, there is not much new beyond the mandatory bug fixes. Folder mapping issues have been addressed in this update.

Despite support for an increased number of email services (virtually all of them, since Sparrow supports both IMAP and POP accounts), push notifications are still not supported, which means that here at iThinkDiff, Sparrow is still not our primary choice of go-to email app. Sparrow would provide push notification support in a future update, but let us hope that it’s free and not a paid feature. Another issue is that the app is not already updated with the latest email every time it’s opened, the way Mail.app works; something we doubt we will see in the near future due to iOS restrictions.

Download Sparrow for iPhone from the App Store




Monday, June 25, 2012

Plausibility of Security Breaches

(For PCWorld Pakistan)

Are These Self-Inflicted?

Are the security breaches happening to some of the leading names in the online space justified? A domino effect best explains what seems to be the case. Tracing back to late 2011, PayPal was in the limelight as the most phished brand, thanks to an omnipresent market penetration strategy and favorable market repute. According to a study by the Anti-Phishing Working Group (APWG) reporting findings from April this year, Taobao.com, China’s largest e-commerce site, has surpassed PayPal as the most phished site. An interesting observation that follows is that PayPal had indeed surpassed the leading e-commerce brands Amazon and eBay in being targeted. Customer security nevertheless continues to be PayPal’s largest concern, and the concern appears quite reasonable given what the ‘others’ have had to go through.

Cashing in on the business of e-commerce, social and professional networking forums are the trendsetters these days. Not in competition as such, they often complement the business models of internet payment intermediaries like PayPal and mobile payment solutions. Two of the globally leading networking forums have had massive password leaks in the recent past, with unfortunate consequences. Twitter, the micro-blogging platform and second-largest networking forum, had more than 55,000 passwords leaked to Pastebin. While Twitter immediately forced a reset of the affected passwords, another gaffe was waiting to happen.

With a severity exceeding the Twitter incident by more than a hundred-fold, the hashed account passwords of some 6.5 million LinkedIn users were stolen and posted online. Unlike the Twitter leak, these were not a handful of accounts but a large slice of the LinkedIn community. One repercussion was a class action suit filed by an Illinois resident, Katie Szpyrka, holding LinkedIn responsible for not using adequate safeguards to protect its users against breaches and account compromise. The complaint alleges that LinkedIn stored its users’ passwords as unsalted SHA-1 hashes, which falls below the basic industry standard (a per-user salt and a deliberately slow, iterated hash; hashing, not encryption, is the relevant control here) that LinkedIn had promised in its contractual obligation to account holders. An unsalted hash means every user with the same password has the same hash, so one precomputed table cracks them all. The complaint identifies an SQL injection, in which crafted input sent to the website is passed through to its database, as the suspected route by which the password list was extracted.
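To make the unsalted-SHA-1 point concrete, here is an added example (not code from the article or from LinkedIn) that hashes a few passwords the way the complaint describes and cracks them with a single lookup table, then stores the same passwords with a per-user salt and PBKDF2 and shows that the table no longer helps and that the attacker’s work grows with the number of users. The wordlist, the “leaked” hashes and the iteration counts are constructed for the demonstration.

```python
"""Unsalted SHA-1 versus salted, iterated password hashing.

Added example, not part of the article or any LinkedIn code. It shows why
an unsalted SHA-1 dump is cheap to crack (one precomputed table serves
every user) and what a per-user salt plus PBKDF2 changes. The wordlist
and the "leaked" hashes below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Any, Dict, List, Optional, Tuple

# Constructed stand-in for a real cracking dictionary.
WORDLIST: List[str] = ["password", "123456", "linkedin", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """The storage scheme described in the complaint: bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute hash -> password once; the same table applies to every leaked hash."""
    return {sha1_unsalted(w): w for w in words}


def crack_unsalted(leaked: List[str], table: Dict[str, str]) -> Dict[str, str]:
    """Recover every leaked hash that appears in the table with a dictionary lookup."""
    return {h: table[h] for h in leaked if h in table}


def pbkdf2_record(password: str, iterations: int = 100_000,
                  salt: Optional[bytes] = None) -> Dict[str, Any]:
    """Salted, iterated storage: 16 random bytes per user and PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_pbkdf2(password: str, record: Dict[str, Any]) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def crack_salted_with_table(records: List[Dict[str, Any]],
                            table: Dict[str, str]) -> List[Dict[str, Any]]:
    """The unsalted table never matches a salted digest, so this yields nothing."""
    return [r for r in records if r["digest"].hex() in table]


def crack_salted(records: List[Dict[str, Any]],
                 words: List[str]) -> Tuple[List[Optional[str]], int]:
    """Per-user guessing: each candidate must be re-derived against each record.

    Returns the recovered passwords (None where the wordlist misses) and the
    number of PBKDF2 evaluations spent, which grows with the number of users.
    """
    recovered: List[Optional[str]] = []
    work = 0
    for rec in records:
        found = None
        for w in words:
            work += 1
            if verify_pbkdf2(w, rec):
                found = w
                break
        recovered.append(found)
    return recovered, work


if __name__ == "__main__":
    table = sha1_lookup_table(WORDLIST)
    leaked = [sha1_unsalted(p) for p in ("password", "linkedin", "Tr0ub4dor&3")]
    print("unsalted, cracked by lookup:", crack_unsalted(leaked, table))
    records = [pbkdf2_record(p, iterations=1000) for p in ("password", "linkedin")]
    print("salted, table hits:", crack_salted_with_table(records, table))
    print("salted, per-user guessing:", crack_salted(records, WORDLIST))
```

The iteration count of 1000 in the demo keeps it fast; a real deployment uses a much higher count (or bcrypt/scrypt/Argon2), which multiplies the per-guess cost shown by `work` without changing the lookup-table result for the unsalted case.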

Holding ‘Anonymous’ Responsible?

In the case of LinkedIn, how plausible is it to consider the breach self-inflicted? An unaddressed weakness was exploited against the largest professional networking forum, whose members are not all premium account holders. Leaked passwords of premium account holders are likely to have exposed, and endangered, the credit card information of those using their accounts to buy services. Had the password storage met the bare minimum industry standard, much of the resulting damage could have been avoided. In that sense there is reason to believe the breach was invited.

Recalling the case of PayPal, there is even more reason. According to wallstreetdaily.com, PayPal was considered to have wandered into unwarranted territory with the launch of a mobile payment service that works without Near-Field Communication (NFC) technology. To use the facility, PayPal account holders simply needed to enter a phone number and a PIN code. According to many security evangelists, the plan had serious security shortcomings. Not requiring a physical device, such as a credit card or a smartphone, for the transaction to be completed renders a PayPal mobile payment account quite permeable: anyone who learns the phone number and PIN can pay as the account holder.

A comment posted by a Wall Street Daily reader pretty much summarized the flaw: “With NFC, someone has to steal your phone. [With] the proposed PayPal solution, someone could key log your phone number and PIN. NFC appears to be more secure to me.” That is so because the NFC chip comes built into the mobile phone, so possession of the device becomes part of the transaction. There are, however, a limited number of phones equipped with the chip. A feature used by Google Wallet, the NFC chip turns the smartphone into a digital wallet, protected by two PIN codes and three layers of encryption. Other than Google Wallet, which lets you use the app by ‘adding funds’ synced with your credit card, ISIS (a joint venture of Verizon, AT&T and T-Mobile) is another mobile payment solution built on NFC. PayPal is another competitor to Google Wallet, but not a strong one while these concerns remain unaddressed.

When it comes to PayPal therefore, a self-inflicted attack can be assumed quite reasonably to be the case.

To counter this, PayPal is running a ‘bug bounty’ program. As announced by PayPal’s Chief Information Security Officer in a blog post, PayPal is offering security researchers with verified PayPal accounts monetary rewards for reporting Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi) and Authentication Bypass vulnerabilities. Whether this will persuade others that have faced, or are exposed to, security attacks to follow suit is quite uncertain.

What is certain, though, is the need for websites that require account creation for P2P interaction or e-commerce to strengthen their account security, starting with how credentials are stored. Recognizing this need, PayPal is offering community-wide monetary incentives. A smarter move would have been to revisit the operational model of PayPal’s mobile payment solution first.

The account holder’s security shouldn’t be a casualty of a website’s enhanced business model.


A Fascinating Collection Of Over 250 Steve Jobs Videos In Biographical Order

Steve Jobs’ unfortunate passing back in October of last year left a gaping hole in the technology industry, for it wasn’t just his innovations but his character, dogmatism and demeanour that made him one of a kind. Responsible for co-founding Apple, he was ousted when things weren’t going particularly merrily, but after making strong progress in his absence with the likes of Pixar, he returned, like the knight in shining armor, to rescue his beloved Apple from its knees.

His life was a fascinating series of events, and in the run-up to his passing, Jobs made a point of documenting it with the help of biographer Walter Isaacson. Unfortunately, the book was something of a disappointment, and although Isaacson has a very credible resumé, he failed to really capture the imagination with what turned out to be a pretty mediocre prose.


Still, those taken in by the life and times of Steve Jobs have two movies, both with quite different agendas, currently in the works for release in the not-so-distant future. The version starring Ashton Kutcher as Jobs got underway first, but our money’s on Aaron Sorkin, the guy behind the rather brilliant The Social Network, to offer a more captivating iteration, which will be released under Sony Pictures.

If you, like us, are really looking forward to the Jobs motion pictures, then you might be interested to check out a well put together archive of videos of the great orator, which are compiled in quite the biographical sense. As you’re probably aware, videos featuring the former Apple CEO aren’t exactly in short supply, but one Art Matsak has created a detailed catalog based on events discussed in the Isaacson Book.

In many respects, this could be seen as the accompanying documentary to the book, and while much of it is famous footage, even the most ardent of Apple fans are bound to discover some hidden gems they’ve never seen before. It’s certainly not the first collection of videos dedicated to Jobs, but we’ve yet to stumble across anything pieced together quite as nicely as this.

It is well worth having a look at, and if you’re interested, you can find the Steve Jobs video archive here.

(via TheNextWeb)



Friday, June 1, 2012

RESTful Services: Authenticating Clients Using Basic Authentication

Security is important... period. There is no getting around it and we should all have it in mind when developing services of any type. So today I want to speak to the first of two mainstream methods used for authenticating client calls to your WCF RESTful service. This post expands on my last post here, titled: Creating a WCF RESTful Service And Secure It Using HTTPS Over SSL. Keeping to the same genre of service as before, I am speaking about WCF RESTful services hosted on the internet and the authentication methods prominent in that scenario. For intranet-based RESTful services, you can employ Windows-based authentication to authenticate clients inside a Windows domain. However, with the popularity of exposing data in a RESTful manner via the internet and the lack of built-in security there (as opposed to the cradle that Windows can be), I am keeping the focus on services exposing data for internet scenarios.

In my last post I showed that once you secured the service using an SSL certificate, you could view a security context when debugging. This is important because now we need to populate that context so we can determine whether to authenticate the client to the service, and then check whether they are authorized for whichever method or operation they have requested.

Once again we can fall back on our knowledge of the web in general for this configuration. Basic Authentication is nothing new to RESTful or even WCF services. It is an HTTP challenge/response mechanism: the server answers an unauthenticated request with a 401 status and a WWW-Authenticate header, and the client resends the request with an Authorization header carrying its credentials. As we also know, 'Basic' authentication gets a black eye because those credentials travel as a base64-encoded, unencrypted string; base64 is trivially reversible, so Basic is not secure on its own and must be used in conjunction with an SSL certificate to protect the transport of this sensitive information.

From my last post we configured a simple REST service using a security mode of 'Transport' with an SSL certificate, and we now need to configure the clientCredentialType attribute. If we add a <transport> element within our existing <security> parent element, we can select Basic as our clientCredentialType. Notice there are several options for this attribute and you can read about all of them here: HttpClientCredentialType Enumeration. You might be wondering about 'Digest' as the credential type, but it is not actually that much more secure than 'Basic' and requires the hosting server to be joined to a domain. Windows and NTLM are good in intranet or extranet hosted scenarios. The 'None' option is the default, but the whole point of this conversation is securing our service, so we don't want that. The 'Certificate' option will be the focus of my next post on another mainstream way to secure our internet-facing RESTful service. Our focus continues to be on Basic authentication, as displayed below:

<bindings>
  <webHttpBinding>
    <binding name="webHttpTransportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="Basic"></transport>
      </security>
    </binding>
  </webHttpBinding>
</bindings>

Our next step is to configure the service to point to a custom username and password validator class that we will create shortly. Within our <serviceBehaviors> element we configure the <serviceCredentials> element and set 'userNamePasswordValidationMode' to 'Custom'. We need to do this so we can intercept the credentials the client provides in the Authorization request header.

<serviceBehaviors>
  <behavior name="SecureRESTSvcTestBehavior">
    <!-- To avoid disclosing metadata information, set the value below to
         false and remove the metadata endpoint above before deployment -->
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
    <!-- To receive exception details in faults for debugging purposes, set the value below to true.
         Set to false before deployment to avoid disclosing exception information -->
    <serviceDebug includeExceptionDetailInFaults="false"/>

    <serviceCredentials>
      <userNameAuthentication userNamePasswordValidationMode="Custom"
                              customUserNamePasswordValidatorType="RESTfulSecuritySH.CustomUserNameValidator, RESTfulSecuritySH" />
    </serviceCredentials>

  </behavior>
</serviceBehaviors>

Notice above that I have already provided a name for the class which will intercept and validate these credentials: 'CustomUserNameValidator'. The overridden 'Validate' method in this class lets us check whether the user accessing our service can be authenticated. In the call stack, this method is invoked before the requested operation, so if authentication fails it fails before anything else inside the service is touched. The code snippet that follows is a close derivative of the one on MSDN (here: http://msdn.microsoft.com/en-us/library/aa702565.aspx).

using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;

public class CustomUserNameValidator : UserNamePasswordValidator
{
    // This method validates users. It allows in two users, user1 and user2.
    // This code is for illustration purposes only and
    // must not be used in a production environment because it is not secure.
    public override void Validate(string userName, string password)
    {
        if (null == userName || null == password)
        {
            // First argument is the parameter name, second is the message shown to the caller
            throw new ArgumentNullException("userName", "You must provide both the username and password to access this service");
        }

        if (!(userName == "user1" && password == "test") && !(userName == "user2" && password == "test"))
        {
            // This throws an informative fault to the client.
            throw new FaultException("Unknown Username or Incorrect Password");
            // When you do not want to throw an informative fault to the client,
            // throw the following exception instead.
            // throw new SecurityTokenException("Unknown Username or Incorrect Password");
        }
    }
}

Looking at the code above we see that we are able to inspect the username and password values to authenticate a user to the service. At this point you can see that this is performing service level authentication and is coarser grained than the method level authorization we will see in a minute. The point of this code is to validate whether the client making the call has access to your service.

It should go without saying that you would not use the simplistic implementation from the code above. More than likely you would make a call to a database to validate the user's credentials as opposed to hardcoding the logic. If the credentials are validated, control passes on to the originally requested method. The 'Validate' method is void, so there is nothing to set or return once authorized. It's 'no news is good news' functionality, where exceptions are raised only when there is an authentication issue.
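As an added example (not code from the original post or from the MSDN sample), here is what a less simplistic validator looks like: the same UserNamePasswordValidator override, but checking against a store of salted PBKDF2 hashes rather than plaintext comparisons. The in-memory dictionary and the two seeded users are constructed sample data standing in for a user table; 'HashedCredentialValidator' is a hypothetical class name, and the iteration count is an assumption you would tune for your hardware. It plugs into the same customUserNamePasswordValidatorType setting shown earlier.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Added example: validates Basic-auth credentials against salted PBKDF2 hashes.
// The dictionary below is constructed sample data standing in for a database table.
public class HashedCredentialValidator : UserNamePasswordValidator
{
    private const int Iterations = 10000;   // assumption: raise as hardware allows
    private const int HashLength = 32;
    private const int SaltLength = 16;

    private class CredentialRecord
    {
        public byte[] Salt;
        public byte[] Hash;
    }

    private static readonly Dictionary<string, CredentialRecord> Store =
        new Dictionary<string, CredentialRecord>(StringComparer.Ordinal);

    // Seed the same two sample users the post uses (constructed data, hashed at start-up).
    static HashedCredentialValidator()
    {
        Register("user1", "test");
        Register("user2", "test");
    }

    // Stores a fresh random salt and the derived hash; never the password itself.
    public static void Register(string userName, string password)
    {
        byte[] salt = new byte[SaltLength];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        Store[userName] = new CredentialRecord { Salt = salt, Hash = Derive(password, salt) };
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashLength);
        }
    }

    // Constant-time comparison so a mismatch does not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool IsValid(string userName, string password)
    {
        CredentialRecord rec;
        if (!Store.TryGetValue(userName, out rec))
        {
            // Run the KDF anyway so an unknown user name takes as long as a known one.
            Derive(password, new byte[SaltLength]);
            return false;
        }
        return FixedTimeEquals(Derive(password, rec.Salt), rec.Hash);
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
        {
            throw new ArgumentNullException("userName", "Both user name and password are required");
        }
        if (!IsValid(userName, password))
        {
            // One generic message: do not tell the caller whether the name or the password was wrong.
            throw new SecurityTokenException("Unknown user name or incorrect password");
        }
    }
}
```

Two design points are worth noting: the failure message is deliberately the same for an unknown user and a wrong password, and the KDF is run even for unknown users, so response timing does not reveal which user names exist.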

This custom method of authenticating users differs from overriding 'CheckAccessCore' with a configured 'serviceAuthorizationManagerType', which returns a bool indicating whether the user is authorized. Since we are validating the username and password, configuring a value for 'customUserNamePasswordValidatorType' is exactly what we need.

At this point, test out what we have done by starting your service (e.g. in the WCF Test Client) and making a call to the 'Customer' method we built in my last post. This time we will be prompted for credentials by the browser.


Upon entering the correct credentials (username = "user1", password = "test") we get the returned JSON results expected. All of this authentication happened securely because our RESTful service is secured with an SSL certificate. Also note these credentials can be assigned programmatically in whatever language you are using. The beauty of REST services is that they are platform and language agnostic and rely on the standards of the web and HTTP. If you happen to be a .NET client calling the service, you would add the credentials to the request header as shown below:

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using System.Web.Script.Serialization;   // System.Web.Extensions assembly

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(@"https://DevMachine1234:8099/MyRESTServices/Customer/1");
//Add a header to the request that contains our credentials
//DO NOT HARDCODE IN PRODUCTION!! Pull credentials real-time from database or other store.
string svcCredentials = Convert.ToBase64String(Encoding.ASCII.GetBytes("user1" + ":" + "test"));
req.Headers.Add("Authorization", "Basic " + svcCredentials);
//Just some example code to parse the JSON response using the JavaScriptSerializer
using (HttpWebResponse svcResponse = (HttpWebResponse)req.GetResponse())
using (StreamReader sr = new StreamReader(svcResponse.GetResponseStream()))
{
    string jsonTxt = sr.ReadToEnd();
    JavaScriptSerializer js = new JavaScriptSerializer();
    //Deserialize into a loosely typed dictionary; substitute your own DTO type as needed
    Dictionary<string, object> customer = js.Deserialize<Dictionary<string, object>>(jsonTxt);
}

Now try entering incorrect credentials (in code or in a browser) and make the same REST call. This time, as expected, an exception is thrown, the client receives an HTTP 403 Forbidden, and we are not permitted to view the results or access the service.


The next and final step is to take the client context a step further with authorization at the method level, which offers fine grained security per method. For example, say you are hosting a RESTful weather service with 10 methods, but only 7 of the methods are served up to everyone and the remaining 3 are for paid subscribers only. In this case we need to perform authorization at the method level.

Remember from my last post I mentioned the importance of the 'ServiceSecurityContext' object. Here is where it comes into play. It is populated with the client's context after validation by our custom 'Validate' method. Within the ServiceSecurityContext instance, the 'PrimaryIdentity' is populated with an instance of System.Security.Principal.GenericIdentity that contains the properties we need to determine whether this user is authorized to call the requested method.


The code below will examine this instance and determine if the call can proceed:

using System;
using System.ServiceModel;

//NOTE: This code is within the actual method call (e.g. GetCustomer CLR method)

//Get current SecurityContext to inspect below for authorizing
ServiceSecurityContext securityCtx = OperationContext.Current.ServiceSecurityContext;

//This code is a bit primitive and ideally you would call off to another method here that would
//perform the logic and probably just return a bool value as in the commented out line below:
//if (CheckIfAuthorized(securityCtx) != true)
if ((securityCtx.PrimaryIdentity.IsAuthenticated != true) || (securityCtx.PrimaryIdentity.Name != "user1"))
{
    throw new UnauthorizedAccessException("You are not permitted to call this method. Access Denied.");
}

If you use the "user1" account you can see that we are indeed both authenticated to the service and authorized to call this method. However, now try logging into the service with the "user2" account. This account is authenticated to make calls to the service, but not authorized to call this method. Once again you would not hardcode this logic, but rather call out to a security file or database to determine the authorization for this user, returning a bool more than likely. This provides the method level fine grained security that many services require.
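The 'CheckIfAuthorized' helper mentioned in the comment above, written out as an added example (not code from the original post): a small role table keyed by the authenticated user name, a pure check over the IIdentity that WCF populated, and a 'Require' method that each protected operation calls first. The role assignments are constructed sample data standing in for a database lookup, 'MethodAuthorizer' and 'GetPremiumForecast' are hypothetical names, and the use of WebFaultException assumes the .NET 4 System.ServiceModel.Web assembly so a REST client sees a proper 403 instead of a generic fault.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Web;

// Added example: method-level authorization on top of the Basic-auth identity.
public static class MethodAuthorizer
{
    // Constructed sample data: user1 is a paid subscriber, user2 is authenticated but holds no roles.
    private static readonly Dictionary<string, HashSet<string>> RolesByUser =
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal)
        {
            { "user1", new HashSet<string> { "subscriber" } },
            { "user2", new HashSet<string>() }
        };

    // Pure check over the identity that WCF set after Validate() succeeded.
    // Unauthenticated or unknown identities are denied; authorization never defaults to allow.
    public static bool IsAuthorized(IIdentity identity, string requiredRole)
    {
        if (identity == null || !identity.IsAuthenticated) return false;
        HashSet<string> roles;
        return RolesByUser.TryGetValue(identity.Name, out roles) && roles.Contains(requiredRole);
    }

    // Call at the top of any operation limited to a role. On failure the REST client
    // receives HTTP 403 Forbidden with a short message and no further detail.
    public static void Require(string requiredRole)
    {
        OperationContext oc = OperationContext.Current;
        ServiceSecurityContext ctx = oc == null ? null : oc.ServiceSecurityContext;
        IIdentity id = ctx == null ? null : ctx.PrimaryIdentity;
        if (!IsAuthorized(id, requiredRole))
        {
            throw new WebFaultException<string>("Access denied.", HttpStatusCode.Forbidden);
        }
    }
}

// Hypothetical use inside the service implementation (one of the "paid subscriber" methods):
// public string GetPremiumForecast(string city)
// {
//     MethodAuthorizer.Require("subscriber");   // user1 passes, user2 gets 403 Forbidden
//     ...
// }
```

Keeping 'IsAuthorized' free of any WCF dependency means it can be unit tested with a plain GenericIdentity, while 'Require' is the only piece that touches OperationContext.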


So to wrap this up, you can implement a well-known HTTP authentication method, 'Basic' authentication, to secure your RESTful services. We can then take the context of the authenticated client call a step further and implement fine grained authorization at the method level to limit access to methods when needed. By using a well-known security protocol secured with SSL over HTTPS, you will broaden your service's use and popularity using well-known security practices.