I recently released my second iPhone/iPad app. It has absolutely nothing in common with Monal. The program is called MyNepali and uses sounds and images to teach young children some basic animal names in the Nepali language. It is 99 cents. If you are interested, you can find MyNepali here
http://itunes.apple.com/us/app/mynepali/id406911355?mt=8
Saturday, December 18, 2010
Tuesday, December 14, 2010
And we're back
I have no idea what happened. The email account that was used to create this blog was listed among the 1.3 million accounts taken in the Gawker hack on Sunday. While my account password was not there, I did get locked out of Gmail because of suspicious activity, likely thousands of failed login attempts from all over the world. I assume this blog was taken down for the same reason. This was annoying but could have been much worse: I could have been stupid and used the same password for my Gawker account and my email account.
The Gawker hack is one more reminder of why trusting some third party with your Gmail, Facebook or corporate login is a bad idea. While push messages are really nice, are you sure that the database that has your username and password is secure? Do you trust the company making your IM client with all of that info?
Saturday, December 11, 2010
A note on privacy and tracking software
How many people use Monal? A lot. Thousands and thousands of people all over the world in all sorts of random places (Hello, Antarctica!). However, all I know is what the Apple download/upload counter shows and what people tell me in emails. Much the same way I have objections to ads in my software, I do not like the "metrics" software and libraries that are out there. Unlike many other iOS apps, Monal does not contain and will never contain user tracking software. Consider this app your refuge from ads, trackers and middle man servers.
Sunday, November 28, 2010
2.0.2 changelog
This is a bug fix update that addresses issues users have raised. I have tried to have one release roughly every month, but there will be no January release. Unless there is a major issue in this release, the next release will be in February.
1. fixed a bug where some people might not show up as online sometimes
2. fixed bug where away was not working
3. added status orbs
4. fixed bug adding accounts
5. several ipad ui improvements
6. SECURITY: fixed possible XSS attack
7. active chats count update properly
8. Misc connectivity bugfixes
Tuesday, November 2, 2010
Always free, no ads, no creepy servers
A lot of people have told me about being willing to see ads to support development. I actually really dislike ads and all the apps that I have used that had ads were slowed down by them. I also notice that certain other IM clients released versions without ads and then pushed updates with them after the user base grew. I find that to be a rather deceptive bait and switch particularly since I know that the ad services collect and use user data --possibly based on your chats-- to present more ads. It is behavior like this, the 3rd party account sign up nonsense and the lack of direct connections that prompted me to write Monal in the first place.
There will always be a free version of Monal, it will always support direct connections and it won't have ads.
Monday, October 18, 2010
2.0.1 bugfixes
I am pushing out a quick bugfix update to fix some issues people have told me about.
1. removes a lock up when user disconnects while chatting
2. added a progress indicator to show when large chats are loaded
3. fixed a compatibility bug with some ejabberd servers
4. fixed failure to load on some devices
5. added timeouts on connection to better detect errors
6. fixed the issue where sometimes the login window spins forever
Monday, October 11, 2010
Jabberd and Monal 2
I am receiving a few reports of issues connecting to some Jabberd servers. I haven't been able to replicate this on any of my test installs. If anyone has access to a server that is not working with Monal and can give me a test account to work with, email me.
Saturday, October 9, 2010
Monal 2.0 is out
The new release is now available for download in the app store. If you encounter any bugs, please email me at monaltest@gmail.com
Monday, October 4, 2010
Monal 2.0 iphone screen dump
While we are waiting for the new version to be approved, here are the final screens for the iPhone app's page.
Sunday, October 3, 2010
Thursday, September 30, 2010
Delayed!
A beta tester just found a rather serious bug that I need to check. I've pulled the binary and the release will be pushed into next week so I can look at this.
Wednesday, September 29, 2010
Monal 1.07 is now 2.0 and other updates
Monal has been submitted to the app store for approval. Don't be alarmed when you see Monal 2.0 show up on your application list. It is what was 1.07. I had to increase the version number to 2.0 because for some reason the application loader couldn't tell that 1.07 was greater than 1.062 and refused to allow me to upload an "older" version. It should be approved in a few days. While this isn't how I wanted 2.0 to be released, it is the biggest update to the software since it came out and it has been over a year since 1.0, so it's not that bad.
I have also added Monal to the business category in addition to social networking because of the cisco webex connect support. The minimum iOS version has been changed to 3.1.2 from 3.1.3. Finally, the application rating has been changed to 17+ since it includes a web browser.
Thursday, September 23, 2010
Monal 1.07 feature complete
Monal 1.07 is feature complete and is about to complete testing. Release candidate 1 was sent out to testers today. If no issues arise this will be the build submitted to the app store.
This is the final changelog of what to expect. In addition to the graphical overhaul, the other major change that will affect many people is support for group chat.
1.07 changelog
This is a major update that significantly changes the front and backends of the program.
1. Stops crash on load on iphone 3g and fixed many other bugs
2. faster start up and much more efficient login code (3-4x faster)
3. fixed bug where chat input box was disabled after viewing logs
4. urls in chat are detected and can be tapped to bring up safari when there is multi tasking or in app when there isn't.
5. Added a logoff button for easy logoff without closing app
6. contacts listed in alphabetical order, own username not shown
7. support for xmpp tunes, option to set status as currently playing ipod song
8. New ipad UI autorotates to all orientations, supports landscape
9. new lighter, faster and more accurate XMPP parsing engine
10. xmpp uses JID for setup
11. UI improvements for consistency
12. new sliding notification when a message is received or song changes
13. status updates are immediately seen
14. added a simple web browser for non multi tasking OSes
15. Icons update correctly when buddy changes it
16. added an active chats tab to access current conversations easily
17. added DNS SRV record discovery. this enables cisco webexconnect support in addition to greater compatibility overall.
18. added support for group chat
19. added support for itunes file transfer
Thursday, September 16, 2010
Cisco Webex connect support
I can confirm that the next version of the client connects to Cisco WebEx Connect XMPP servers. There are still a few quirks that I intend to iron out, but the basic functionality is working.
Edit 4/13/2011 :
you can find instructions on the new monal site's help page for webex
http://monal.im/help/cisco-webex/
Monday, September 13, 2010
DNS service discovery, priorities and Cisco Webex
It's not every day I learn about something totally new. I learned today that XMPP uses SRV records in the DNS (_xmpp-client._tcp.<domain>) to determine which server and port to use: the record with the lowest priority value is preferred, and records of equal priority are balanced by weight. I have now added XMPP DNS service discovery. This improves compatibility with servers across the board and in theory it should also enable connections to Cisco WebEx XMPP servers -- something several people have asked about. I will write back with confirmation.
See debug logs below:
Gtalk:
Cisco:
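The SRV lookup described above, worked through as an added example that is not Monal's code: a Python implementation of the RFC 2782 ordering rule (lowest priority value first, weighted random order within a priority, zero-weight entries last) plus the RFC 6120 fallback to the domain itself on port 5222 when there are no SRV records at all. The record set is constructed, not a real answer for any domain, and try_connect is a hypothetical hook standing in for the socket connect so the code runs offline. One check that SRV discovery must not change: the TLS certificate has to be verified against the domain the user typed, never against the SRV target, because an unauthenticated DNS answer could otherwise steer the client to an attacker's host. The function returns that name alongside the chosen host and port.

```python
import random
from collections import defaultdict

# Constructed SRV answer set for _xmpp-client._tcp.example.net (not a real DNS
# response for any domain): (priority, weight, port, target).
# Lower priority value = more preferred; weight balances within a priority.
CONSTRUCTED_SRV = [
    (20, 0, 5222, "backup.example.net."),
    (5, 60, 5222, "xmpp1.example.net."),
    (5, 40, 5222, "xmpp2.example.net."),
    (10, 0, 5223, "legacy.example.net."),
]


def order_srv(records, rng=random):
    """Return the records in RFC 2782 connection order.

    Priorities ascend; inside one priority the order is a weighted random
    draw, with weight-0 records chosen only when nothing else is left.
    """
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r[1] for r in pool)
            if total == 0:
                pick = pool[0]                       # only zero-weight entries remain
            else:
                pool.sort(key=lambda r: r[1] != 0)   # zero weights first
                n = rng.randint(0, total)            # RFC 2782: 0..total inclusive
                running = 0
                for pick in pool:
                    running += pick[1]
                    if running >= n:                 # first record whose running sum reaches n
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def connect_xmpp(domain, records, try_connect, rng=random):
    """Walk the SRV order until a connect attempt succeeds.

    try_connect(host, port) -> bool is a hypothetical hook for the real socket
    connect, injected so this runs offline. Returns (host, port, verify_name)
    or None. verify_name is always the user's domain: per RFC 6120 the TLS
    certificate is checked against it, never against the SRV target.
    """
    if records:
        for _prio, _weight, port, target in order_srv(records, rng):
            if target == ".":                        # RFC 2782: service explicitly absent
                return None
            host = target.rstrip(".")
            if try_connect(host, port):
                return (host, port, domain)
        # SRV answered but nothing connected: RFC 6120 says do not fall back
        return None
    # No SRV records at all: RFC 6120 fallback to the domain itself on 5222
    if try_connect(domain, 5222):
        return (domain, 5222, domain)
    return None


if __name__ == "__main__":
    down = {"xmpp1.example.net", "xmpp2.example.net"}
    print(order_srv(CONSTRUCTED_SRV, random.Random(1)))
    print(connect_xmpp("example.net", CONSTRUCTED_SRV,
                       lambda host, port: host not in down, random.Random(1)))
```

With both priority-5 hosts down the walk lands on legacy.example.net:5223, and the returned verify name is still example.net; a client that instead verified the certificate against the SRV target would accept whatever host a spoofed DNS answer named.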
Sunday, September 12, 2010
1.07 changelog so far
Development and testing on 1.07 is almost complete. This is the near final changelog. The one more addition to this will be multi user chat support.
1. Stops crash on load on iphone 3g.
2. faster start up and much more efficient login code (3-4x faster)
3. fixed bug where chat input box was disabled after viewing logs
4. urls in chat are detected and can be tapped to bring up safari when there is multi tasking or in app when there isn't.
5. Added a logoff button for easy logoff without closing app
6. contacts listed in alphabetical order, own username not shown
7. support for xmpp tunes, option to set status as currently playing ipod song
8. New ipad UI autorotates to all orientations, supports landscape
9. new lighter, faster and more accurate XMPP parsing engine
10. xmpp uses JID for setup
11. UI improvements for consistency
12. new sliding notification when a message is received or song changes
13. status updates are immediately seen
14. added a simple web browser for non multi tasking OSes
15. Icons update correctly when buddy changes it
16. added an active chats tab to access current conversations easily
Monday, September 6, 2010
Saturday, September 4, 2010
Monal 1.07 Private Beta
I am ready to begin beta testing the next release of Monal. I am interested in making sure Monal works with as wide a range of XMPP servers as possible. If you are interested in joining the beta please email monaltest@gmail.com with the subject : Monal 1.07 private beta .
In your email please include the following information:
1. whether you are using Gmail, Facebook or some other server
2. if you are using some other server, whether you know what it is (Openfire, ejabberd etc.)
3. what device(s) you use: iPad, iPhone 3G, iPod touch etc.
4. what iOS version you use
5. your device UDID ( http://www.tuaw.com/2008/08/08/iphone-101-find-udid-with-a-single-click/ )
6. what country you are in
Friday, September 3, 2010
In App Browser
For users of older iPhones and iPads that do not have multitasking, I have added a simple in-app web browser. This is under the more menu and takes up no additional resources since it uses the same message rendering engine. It's not Safari, but it should let you do other stuff while still receiving messages.
Sunday, August 29, 2010
Sunday, August 22, 2010
More Changes: Meet The Slider
Monal now has the option to tap into itunes and use a neat little notification system. The black translucent overlay box slides in from the bottom and works like growl on OSX. Here are some preliminary shots. I plan on showing the song art/buddy icon and letting you tap on them to go to the incoming message.
Saturday, August 21, 2010
Changes
Friday, August 20, 2010
How to contact me
If you need to contact me regarding Monal please email monaltest@gmail.com. You can also add me on gtalk or as a contact on your own jabber server.
Wednesday, August 18, 2010
More updates
I've been overhauling the system to make it faster and more stable. It is noticeably better now. This is the current change log
1. Stops crash on load on iphone 3g.
2. faster start up and much more efficient login code (3-4x faster)
3. fixed bug where chat input box was disabled after viewing logs
4. urls in chat are detected and can be tapped to bring up safari
5. Added a logoff button for easy logoff without closing app
6. contacts listed in alphabetical order, own username not shown
7. support for xmpp tunes, option to set status as currently playing ipod song
Sunday, August 8, 2010
iPhone 3G crash issue
I have been testing more heavily on iPhone 3G iOS4 and have discovered the cause of the crash on load issue that many users have described. It has now been fixed. Bugs fixed so far for the next release:
1. Stops crash on load on iphone 3g.
2. sped up application start to prevent time out (crash) on load
3. fixed bug where input box was disabled after viewing logs
Saturday, July 31, 2010
1.062 is in the store
Use this thread to tell me about any issues you may have, questions or comments. I use this feedback to improve subsequent releases. Thanks.
Friday, July 23, 2010
1.062 pushed out
Because I have been too busy to complete all the features I planned on having in 1.07, I have pushed out 1.062 with many of the bug fixes and user recommendations. It should be in the app store in a few days. This is the final changelog:
1. removed unnecessary XMPP commands (chatstates, pings) to reduce CPU/battery load
2. xmpp keep alive increased to 4 minutes to reduce network/battery usage
3. fixed bug where there was no vibration or ring when messages arrived
4. made the idle logout notification only if an account is active
5. background idle logout notification may be turned off
6. fixed bug where disabling the account didn't disconnect it
7. chat log: no duplicate names, names sorted in alphabetical order, own username no longer shown
Saturday, July 3, 2010
crashes and 1.07 changes so far
These are the changes coming in 1.07 so far. I will fix things as I become aware of them. Some people still report iPad crashes. Please sync your iPads to iTunes so Apple sends me the crash log and I can see what's going on. I haven't been able to replicate them. Could someone still experiencing this problem try deleting the app and reinstalling it?
1. fixed bug where there was no vibration or ring when messages arrived
2. made the idle logout notification only if an account is active
3. background idle logout notification may be turned off
4. xmpp keep alive increased to 4 minutes to reduce network usage
5. fixed bug where disabling the account didn't disconnect it
Tuesday, June 22, 2010
1.06 bugs, IPad and 1.061
1.06 with multitasking is on the iTunes store. I made a mistake with the compile process and 1.06 will crash immediately on iPads since they still run OS3. I have pushed out 1.061 which fixes this issue for iPad users.
Use the comments on this post to tell me about problems you have experienced and anything else you might need to ask/tell me.
Monday, June 14, 2010
How background works in iOS4
Background Apps
iOS4 has several classes of background apps. Unfortunately, IM is not one of those classes. The classes that do exist are essentially for VoIP (network socket maintenance), audio (audio processing) and location services (full multitasking). Having run Monal in the background for a few weeks and seen the battery life, I now understand why Apple has done this. You are always aware of and interacting in some way with all of the classes of background apps allowed. You are either making a VoIP call, listening to audio or using GPS navigation. At no time do any of these background apps run without the user being aware of it. IM, on the other hand, is expected to run at all times. It runs silently in the background, using the CPU, keeping a connection open and generally draining the battery. It is entirely possible for someone to run an IM app, not be aware it is running and then begin to wonder why the battery only lasts a couple of hours. I have seen this happen time and again to Android users. Power users may be able to use the task manager to kill processes, but that is unreasonable for a mass market product.
How Monal Works
All of that being said, Monal does run in the background and the way it does it should satisfy the needs of most users. Monal runs in the background for 10 minutes. After 5 minutes of idle time, it will push a notification that only 5 more minutes of background time remain. After 10 minutes, the program will logout and suspend itself. A suspended program is not a drain on the battery. If at any point in the 10 minutes you bring Monal back to the foreground, the clock will be reset for a fresh 10.
When Monal is running in the background, it will push notifications to the user when messages are received. The user will view/reply to the message and thus continuously reset the 10 minute clock.
I think the typical user would sign in and move Monal to the background and do other things. They either send and receive messages and continuously reset the 10 minute clock, or at 5 minutes are asked to renew it for another 10 minutes by bringing Monal to the foreground once. This prevents the scenario where someone signs in and forgets to sign out, locks the phone and then completely drains the battery.
What if someone wants to stay signed in while the phone is idle ?
If you want to remain signed in while not using the phone, move Monal to the foreground before locking the phone. If you do this you will always be signed in and will receive notifications for all messages. When you want to use the phone again you can move it to the background and renew the 10 min lease periodically.
Thursday, June 3, 2010
Background apps
Monal runs in the background now. When you go to another program, it will continue to remain connected using Apple's battery saving background processes. If you receive a message while in the background, you will see a pop up that looks like a push notification with the message. It will also popup a push notification if you have the home screen locked.
Monal 1.06 with multitasking will be released as soon as Apple releases the official SDK (expected to be June 7th).
1.05 Approved
Monal 1.05 has been approved and is in the app store. Grab it for your iPad and iPhones
Sunday, May 30, 2010
Crazy stuff
OS4 is a blast to work with and I have gotten it to do some really crazy stuff to have Monal run seamlessly in the background. Hopefully these aren't bugs in the beta and Apple will allow it.
Sunday, May 23, 2010
Final Change log for 1.05
These are the changes in 1.05. This will be the final 3.x release. This should show up in iTunes soon. I have already started programming for the multi tasking in 4.x . The next release will be a huge update and will drop as soon as 4.0 is released.
1.05 changelog
1. fixed all bugs from crash logs, made some speed improvements
2. removed the confusing chat logs window edit button
3. fixed bug where names of users signing in sometimes showed up in other chats
4. opening conversation shows last 10 not 20 messages (faster load)
5. the input box now allows multiple line input and expands when tapped on
6. input box does not delete unsent messages when tapping outside of the box
7. Graphical emoticons in chat
8. added a basic iPad interface
9. Added button to quickly clear all conversation logs
Saturday, May 22, 2010
Ipads
The iPhone Monal app already works on the iPad and I see from the crash logs that there are quite a few of you using it. The next release will be a universal application that takes advantage of the added space. The native iPad version doesn't look much different right now, I'm still learning all the new features. It's a start.
Multi tasking.
Monal runs in the background for a while on OS4. You should be able to switch back and forth between chat and other programs.
1.05 in the works
1.05 moving along well. Here is the change log so far for the next release.
1.05 changelog
1. fixed all bugs from crash logs
2. removed the confusing chat log edit button
3. fixed bug where names of users signing in sometimes showed up in other chats
4. opening conversation shows last 10 not 20 messages (faster load)
5. the input box now allows multiple line input and expands when tapped on
6. input box does not delete unsent messages when tapping outside of the box
Friday, May 21, 2010
Happy Birthday Monal
Tuesday, May 4, 2010
Iphone OS4 And More Server Support
I can confirm that Monal 1.04 works fine in OS4. While it doesn't fall under the class of programs allowed to multi task, I am planning on adding fast switch and task completion which should hopefully allow you to switch between programs quickly without losing your connection.
Work on Monal 1.05 will resume this week. Before OS4 comes out I want to get another version out that is focused on bug fixes and server compatibility. If you are aware of public servers that do not work, let me know in the comments section. If it is a private server and you can give me access to test, contact me at anurodhp@SPAM.gmail.com (remove the spam) with instructions. I will make sure it works in the next release.
Tuesday, February 16, 2010
1.04 getting pushed out
I am about to push out 1.04 here is the final changelog
1.04 changelog
1. added support for SSL on port 5222 (New style) (XMPP)
2. added support for digest md5 authentication mechanism (XMPP)
3. added support facebook chat (XMPP)
4. added basic support for AOL Instant Messenger (AIM)
5. uses the contact's full name from vCard if available instead of username (XMPP)
6. opening a conversation shows the last 20 messages not 30. speeds up loading
7. added network activity indicator on top bar
8. fixed bug where some offline messages were being ignored
9. fixed several crashing bugs
10. fixed random disconnect/reconnect issue
11. modified message theme to have less image loading and better space use
12. tested with jabberd2 servers
There is a new screen shot to go along with this of course
Monday, February 15, 2010
How weak is Facebook's XMPP security?
As I mentioned earlier, Facebook does not use SSL on their new XMPP server. All of their login security rests on the SASL mechanism called DIGEST-MD5 (RFC 2831). As the name says, this is built on the popular MD5 hashing algorithm, which is no longer considered secure, and without SSL the whole challenge/response exchange travels in the clear. From Facebook:
Regarding MD5:
US-CERT, the US Department of Homeland Security's Computer Emergency Readiness Team, says:
No SSL:
What happens when you don't use SSL for your chat? Anyone sniffing the network can read what you are saying. This is very simple to do.
Either use tcpdump from the command line (works on Mac, Linux etc.) or grab a packet sniffer like Wireshark. I would recommend Wireshark anyway because it makes the next part even easier. If you used tcpdump, you would see something like this:
Let's say you have a network dump and you open it in Wireshark. Set the display filter to jabber and you will start to see something like this. I've highlighted a message packet so you can see that I was able to read a message someone sent.
Now everything sent on the network can be read, and the password "security" is based on MD5, right? Behold a captured authentication exchange. The server's challenge:
cmVhbG09ImNoYXQuZmFjZWJvb2suY29tIixub25jZT0iNjdFRDdCQTg3NjgwN0MyOEIzQUI2RkE2MzRGQTE2MDUiLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
this decodes from base64 to:
realm="chat.facebook.com",nonce="67ED7BA876807C28B3AB6FA634FA1605",qop="auth",charset=utf-8,algorithm=md5-sess
Excellent, we have some information. The client replied with:
dXNlcm5hbWU9InNvbWVvbmUiLHJlYWxtPSJjaGF0LmZhY2Vib29rLmNvbSIsbm9uY2U9IjY3RUQ3QkE4NzY4MDdDMjhCM0FCNkZBNjM0RkExNjA1Iixjbm9uY2U9ImQzM2M4ODYyMTI2NjI2NTYzNzcxMDk3YjcwIixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJ4bXBwL2NoYXQuZmFjZWJvb2suY29tIixyZXNwb25zZT01MjBhMjdiOWRjOTE5NWRjMTJjNTVjZGY4MTUyOWI2MixjaGFyc2V0PXV0Zi04
this decodes from base64 to:
username="someone",realm="chat.facebook.com",nonce="67ED7BA876807C28B3AB6FA634FA1605",cnonce="d33c8862126626563771097b70",nc=00000001,qop=auth,digest-uri="xmpp/chat.facebook.com",response=520a27b9dc9195dc12c55cdf81529b62,charset=utf-8
Nonce and cnonce are used to calculate the encrypted "response". This is where the password is. nonce and cnonce are really there for one time use to prevent a replay attack.
What do we know now?
password hash: 520a27b9dc9195dc12c55cdf81529b62
nonce: 67ED7BA876807C28B3AB6FA634FA1605
cnonc: d33c8862126626563771097b70
qpop: auth
nc: 00000001
password hash is based on a series of md5 hashes:
first hash (X) is of username:realm:password
we know this to be = someone:chat.facebook.com: (password)
Next hash (Y) is X:nonce:cnonce
we know this to be: (password hash): 67ED7BA876807C28B3AB6FA634FA1605: d33c8862126626563771097b70
Next hash (Z) fully known to be of AUTHENTICATE:xmpp/chat.facebook.com
Final hash is the response value, which is also known and we know it is in the form:
Y:nonce:nc:cnonce:qop:Z
we fully know Z, nonce, cnonce, qpop, nc
The only thing missing here is Y, which is dependent on X, which is just an unsalted MD5 hash based on a password. How would you crack this? There are a few ways, but the simplest in most cases is just to use rainbow tables but compute the hash 2 times more using the other parts of the string from above and see if it matches the response. I'm going to stop the explanation here for obvious reasons. More info on rainbow tables here:
http://www.freerainbowtables.com/
http://en.wikipedia.org/wiki/Rainbow_table
There is also the possibility of finding another string that will create the same password hash. This is called a hash collision. In this case, the attacker doesn't even need to know the actual password. They can just use this other string in its place and access an account just the same.
If the person is using a short or insecure password a dedicated attacker (identity thieves, spammers etc) should have it cracked easily and since the packet was captured, the attacker can test against the password as much as he likes on his own machine.
No. At this time, Facebook Chat does not support SSL.
Does Facebook Chat use plaintext authentication?
No. Facebook Chat uses DIGEST-MD5 during authentication.
No. Facebook Chat uses DIGEST-MD5 during authentication.
Are my Chat messages encrypted?
No. However, authentication information is secured using DIGEST-MD5.
No. However, authentication information is secured using DIGEST-MD5.
US-CERT, the US Department of Homeland Security's Computer Emergency Readiness Team, says:
- "Do not use the MD5 algorithm"
"Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use." - "Scrutinize SSL certificates signed by certificates using the MD5 algorithm"
"Users may wish to manually analyze the properties of web site certificates (...) Certificates listed as md5RSA or similar are affected. Such certificates that include strange or suspicious fields or other anomalies may be fraudulent. Because there are no reliable signs of tampering it must be noted that this workaround is error-prone and impractical for most users."
No SSL:
What happens when you don't use SSL for your chat? People sniffing the network can see what you are saying. This is very simple to do.
Either use tcpdump from the command line (works on Mac,linux etc) or grab a packet sniffer like wireshark . I would recommend wireshark anyway because it makes the next part even easier. If you used tcp dump, this you would have something like this
sudo tcpdump -i en0 -s500 -w ~/Desktop/DumpFile01.pcap -vv
Lets say you have a network dump somehow and you open up wire shark. set it to filter jabber and you will start to see something like this. I've highlighted a message packet so you can see that I was able to read this message someone sent.
Now everything sent on the network can be read and the password "security" is based on MD5 right? behold a captured password sequence:
this decodes from base64 to:
realm="chat.facebook.com",nonce="67ED7BA876807C28B3AB6FA634FA1605",qop="auth",charset=utf-8,algorithm=md5-sess
Excellent we have some information. The client replied with:
dXNlcm5hbWU9InNvbWVvbmUiLHJlYWxtPSJjaGF0LmZhY2Vib29rLmNvbSIsbm9uY2U9IjY3RUQ3QkE4NzY4MDdDMjhCM0FCNkZBNjM0RkExNjA1Iixjbm9uY2U9ImQzM2M4ODYyMTI2NjI2NTYzNzcxMDk3YjcwIixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJ4bXBwL2NoYXQuZmFjZWJvb2suY29tIixyZXNwb25zZT01MjBhMjdiOWRjOTE5NWRjMTJjNTVjZGY4MTUyOWI2MixjaGFyc2V0PXV0Zi04
this decodes from base64 to:
username="someone",realm="chat.facebook.com",nonce="67ED7BA876807C28B3AB6FA634FA1605",cnonce="d33c8862126626563771097b70",nc=00000001,qop=auth,digest-uri="xmpp/chat.facebook.com",response=520a27b9dc9195dc12c55cdf81529b62,charset=utf-8
Nonce and cnonce are used to calculate the encrypted "response". This is where the password is. nonce and cnonce are really there for one time use to prevent a replay attack.
What do we know now?
password hash: 520a27b9dc9195dc12c55cdf81529b62
nonce: 67ED7BA876807C28B3AB6FA634FA1605
cnonc: d33c8862126626563771097b70
qpop: auth
nc: 00000001
password hash is based on a series of md5 hashes:
first hash (X) is of username:realm:password
we know this to be = someone:chat.facebook.com: (password)
Next hash (Y) is X:nonce:cnonce
we know this to be: (password hash)
Next hash (Z) fully known to be of AUTHENTICATE:xmpp/chat.facebook.com
Final hash is the response value, which is also known and we know it is in the form:
Y:nonce:nc:cnonce:qop:Z
we fully know Z, nonce, cnonce, qpop, nc
The only thing missing here is Y, which is dependent on X, which is just an unsalted MD5 hash based on a password. How would you crack this? There are a few ways, but the simplest in most cases is just to use rainbow tables but compute the hash 2 times more using the other parts of the string from above and see if it matches the response. I'm going to stop the explanation here for obvious reasons. More info on rainbow tables here:
http://www.freerainbowtables.com/
http://en.wikipedia.org/wiki/Rainbow_table
There is also the possibility of finding another string that will create the same password hash. This is called a hash collision. In this case, the attacker doesn't even need to know the actual password. They can just use this other string in its place and access an account just the same.
If the person is using a short or insecure password a dedicated attacker (identity thieves, spammers etc) should have it cracked easily and since the packet was captured, the attacker can test against the password as much as he likes on his own machine.
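To make the hash chain above concrete, here is an added example (my own code, not Monal's and not anything Facebook published). It decodes the two Base64 blobs quoted in the post, parses the DIGEST-MD5 name=value lists, and computes the RFC 2831 md5-sess response exactly the way a server does when it checks a login. The point for defenders is the function signature itself: every input except the password is sitting in the capture, so without TLS the only thing standing between a pcap and the account is the password's resistance to offline guessing. The password used below is a labelled placeholder; the RFC 2831 section 4 test vector is included as a self-check of the arithmetic.

```python
# Added example (not Monal's code): reconstruct the DIGEST-MD5 exchange quoted in
# the post and show which inputs to the "response" an eavesdropper already holds.
# The Base64 blobs are the ones from the post; the password is a placeholder.
import base64
import hashlib
import re

# Server challenge and client response exactly as quoted in the post (Base64).
SERVER_CHALLENGE_B64 = "cmVhbG09ImNoYXQuZmFjZWJvb2suY29tIixub25jZT0iNjdFRDdCQTg3NjgwN0MyOEIzQUI2RkE2MzRGQTE2MDUiLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M="
CLIENT_RESPONSE_B64 = "dXNlcm5hbWU9InNvbWVvbmUiLHJlYWxtPSJjaGF0LmZhY2Vib29rLmNvbSIsbm9uY2U9IjY3RUQ3QkE4NzY4MDdDMjhCM0FCNkZBNjM0RkExNjA1Iixjbm9uY2U9ImQzM2M4ODYyMTI2NjI2NTYzNzcxMDk3YjcwIixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJ4bXBwL2NoYXQuZmFjZWJvb2suY29tIixyZXNwb25zZT01MjBhMjdiOWRjOTE5NWRjMTJjNTVjZGY4MTUyOWI2MixjaGFyc2V0PXV0Zi04"


def parse_digest(text: str) -> dict:
    """Parse the comma-separated name=value list DIGEST-MD5 uses (RFC 2831).
    Values are either bare (nc=00000001) or quoted (realm="chat.facebook.com")."""
    fields = {}
    for key, value in re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]*)', text):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def decode_digest(b64: str) -> dict:
    """Base64-decode one SASL message and parse it."""
    return parse_digest(base64.b64decode(b64).decode("utf-8"))


def digest_md5_response(password, username, realm, nonce, cnonce, nc,
                        digest_uri, qop="auth", authzid=None) -> str:
    """RFC 2831 client response for algorithm=md5-sess, qop=auth.
    X = H(username:realm:password)      raw 16 bytes; the only secret-dependent part
    Y = H(X:nonce:cnonce)               H(A1)
    Z = H("AUTHENTICATE:" digest-uri)   H(A2)
    response = HEX(H(HEX(Y):nonce:nc:cnonce:qop:HEX(Z)))"""
    if qop != "auth":
        raise ValueError("only qop=auth is implemented here")
    x = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 = x + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    y_hex = hashlib.md5(a1).hexdigest()
    z_hex = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hexdigest()
    kd = f"{y_hex}:{nonce}:{nc}:{cnonce}:{qop}:{z_hex}".encode("utf-8")
    return hashlib.md5(kd).hexdigest()


def public_inputs() -> dict:
    """Everything the two captured messages reveal: every input to the
    response except the password itself."""
    resp = decode_digest(CLIENT_RESPONSE_B64)
    keys = ("username", "realm", "nonce", "cnonce", "nc", "qop", "digest-uri", "response")
    return {k: resp[k] for k in keys}


def verify_response(password: str) -> bool:
    """The server's check: recompute the response from the public fields and a
    password and compare. Without TLS, anyone holding the pcap can run the same
    check offline, which is why the post calls the scheme weak."""
    p = public_inputs()
    computed = digest_md5_response(password, p["username"], p["realm"], p["nonce"],
                                   p["cnonce"], p["nc"], p["digest-uri"], p["qop"])
    return computed == p["response"]


def rfc2831_self_check() -> bool:
    """Worked example from RFC 2831 section 4 (user chris, password "secret")."""
    got = digest_md5_response("secret", "chris", "elwood.innosoft.com",
                              "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001",
                              "imap/elwood.innosoft.com")
    return got == "d388dad90d4bbd760a152321f2143af7"


if __name__ == "__main__":
    for k, v in public_inputs().items():
        print(f"{k:>10}: {v}")
    print("RFC 2831 self-check passes:", rfc2831_self_check())
    # "placeholder-password" is a constructed value, not the captured user's password.
    print("placeholder matches captured response:", verify_response("placeholder-password"))
```

Note what the `verify_response` signature does not take: any per-session secret from the server. The nonce stops replay of the captured response, as the post says, but it does nothing against offline checking, because it is itself on the wire. A server-chosen secret salt would not help either, since the response must be computable by the client. The fix is not a stronger hash in the SASL layer but TLS underneath it.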
Sunday, February 14, 2010
New optimized space icon
I've implemented the full Stockholm theme now; each message from a user does not load the icon and colored bar all over again. This leads to dramatically faster loading of chat windows and much better use of space. Compare below to what we had before.
The biggest improvement is in landscape mode with the keyboard on. You can now see up to 5 lines above the keyboard and the input box.
old landscape in 1.03
1.04 will support Digest-Md5 and Facebook
I have added Digest-Md5 support to Monal and it will be in 1.04. I added this because it is what Facebook uses. I will have a Facebook preset in Monal with all of the server settings in 1.04. Hopefully Facebook will fix the lack of SSL by then as well. It also looks like I need to support aliases. Facebook chat is unusable and confusing without them.
Saturday, February 13, 2010
Monal supports AIM
As I have said from the beginning, Monal will be a multi-protocol instant messenger client. Something to look for in 1.04.
Friday, February 12, 2010
Monal mentioned on Cnet podcast
There is a mention of Monal and the Facebook XMPP security hole on today's Buzz Out Loud podcast. You can hear it at the 35:45 mark.
Listen to it here:
http://www.cnet.com/8301-19709_1-10452774-10.html
People have also voted up the SSL bug on the Facebook developers site.
Warning on Facebook XMPP
I just finished looking at the new Facebook XMPP server. I strongly recommend against using it.
This is probably one of the worst implementations ever. The chat does not use SSL encryption unlike almost every other server. Better yet, they decided to use an authentication scheme called Digest-MD5, which aside from having varying implementations and compatibility problems was DEPRECATED by the IETF in January 2009 ( https://tools.ietf.org/html/draft-ietf-sasl-digest-to-historic ) because it can be cracked. Facebook has just opened up a gaping hole in their security. Someone at facebook needs to be fired.
The link above explains many of the problems with Digest-MD5 but this is the best one.
8. The cryptographic primitives in DIGEST-MD5 are not up to today's
standards, in particular:
A. The MD5 hash is sufficiently weak to make a brute force
attack on DIGEST-MD5 easy with common hardware.
B. Using the RC4 algorithm for the security layer without
discarding the initial key stream output is prone to attack.
Thursday, February 11, 2010
Facebook and 1.03
Monal 1.03 has been released into the wild. Grab it from itunes. As mentioned earlier, this version has the improved landscape and support for self signed SSL certificates.
I just found out that Facebook added support for XMPP chat. Oddly, it uses the deprecated Digest-Md5 authentication and no SSL. Because digest-md5 was deprecated and SASL PLAIN over SSL was the de facto standard, I never bothered implementing it. I guess I have to do it now.
Wednesday, February 10, 2010
Improving SSL in 1.04 (works on 5222)
This is probably one of the most requested features. SSL now works on port 5222 using the "new style" SSL connection that uses the StartTLS command. It isn't 100% reliable yet, which is why it wasn't pushed out in yesterday's 1.03, but it will definitely be in 1.04. This, combined with the support for unsigned SSL certificates already in 1.03, should satisfy almost everyone.
Tuesday, February 9, 2010
1.03 submitted
It's only been a few days since 1.02 was released, but I think I've gotten enough feedback to push out a quick 1.03 update. The improved landscape and SSL support should make the application much more usable and I saw no reason to sit on it. Expect 1.03 by the end of the week.
The full changelog below. I am also going to update the FAQ to clarify that 1.03 supports self signed certificates.
1. Self signed SSL certificates now work
2. removed non public API used
3. improved xmpp support
4. message send failure is treated as a disconnection and handled automatically
5. navigation bar and status bar now disappear in landscape mode
6. scroll to the newest message when first going into a chat now
7. adjusted brightness of icon so it isn't so dark
Monday, February 8, 2010
Improving SSL in 1.03
There has been some criticism on the itunes store about the lack of support for self signed certificates when using SSL. 1.03 now supports self signed certificates.
Saturday, February 6, 2010
Improving landscape in 1.03
A user pointed out to me that the old landscape mode had lots of wasted space at the top. In 1.03, when the phone goes to landscape, the navigation bar and status bar disappear. This recovers that space and when using a keyboard, much more can be seen on top.
Friday, February 5, 2010
Monal 1.02 Approved
You can grab the newest version on the iTunes store now.
Don't forget to rate in itunes and Digg!
Tuesday, February 2, 2010
Monal 1.02/1.03 FAQ
Here is a quick list of things I think people should know when troubleshooting the next release. If there is anything else, post a comment and I will try to address it.
What servers have you tested this with?
Monal 1.02 has been tested mostly with google talk, openfire and ejabberd.
Openfire has been very heavily tested on multiple versions all the way up to 3.6.4.
ejabberd was tested on jabbim.com .
What SSL settings work?
At the moment only old style SSL works. This means if you are going to use SSL it probably should be on port 5223. If you connect on 5222 with SSL it will not work.
What server settings work?
The server must support SASL PLAIN authentication. This is the standard and should not be a problem for most people. Connections to port 5222 should not have SSL enabled. To use SSL you need to use port 5223. Not all servers support SSL on port 5223; if your server does not, you can use 5222 without SSL if you are OK with that.
What if the certificate on the server does not match the server address?
Monal does not check to make sure that the certificate name and the server name are the same. SSL connections to these servers should work fine.
What if I have a self signed certificate?
Edit: the answer below applies for 1.02 only. 1.03 supports self signed certificates.
Monal does not support servers with self signed certificates right now. You cannot use SSL to connect to a server with a self signed certificate.
Why does the program slow down when I open it the first time / connect to a server the first time?
Monal tries to download all the buddy icons after loading the list of people online. This takes up resources and might slow things down depending on how many buddies you have, how fast your connection is and how big your icons are.
Why does the chat screen flash when I load a new conversation?
Monal basically uses a web view (Safari) to show the chat window in all its glory. The flash is Safari loading the page. This only happens when you first start a chat.
How do I delete chat history?
Go to the chat logs and swipe to delete all history with that user or click "Edit" on the upper right to select items and delete them. If you want to delete all logs, delete the log that is an entry for your own user. This will delete every message you have received or sent.
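The FAQ above describes two SSL modes (the "old style" connection on port 5223, and the StartTLS connection on 5222 that the 1.04 post says is coming) and notes that 1.02 does not check that the certificate name matches the server name. Here is an added example of both modes done with the checks a client should make (my own code, not Monal's): the certificate must chain to a trusted root or be the one self-signed certificate file the user explicitly trusts, and its name must match the XMPP domain. The function names and the sample `<stream:features>` stanzas are mine; the XML exchange follows RFC 6120.

```python
# Added example (not Monal's code): "old style" SSL on 5223 versus STARTTLS on
# 5222, with certificate validation and hostname matching kept on in both cases.
import re
import socket
import ssl

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"


def stream_header(domain: str) -> str:
    """Opening <stream:stream> a client sends (XMPP 1.0); 'to' is the XMPP domain."""
    return ("<?xml version='1.0'?>"
            f"<stream:stream to='{domain}' xmlns='jabber:client' "
            f"xmlns:stream='{STREAM_NS}' version='1.0'>")


def server_offers_starttls(features_xml: str) -> bool:
    """True when <stream:features> advertises <starttls xmlns=XMPP_TLS_NS>."""
    pattern = r"<starttls\b[^>]*xmlns=['\"]" + re.escape(XMPP_TLS_NS) + r"['\"]"
    return re.search(pattern, features_xml) is not None


def server_requires_starttls(features_xml: str) -> bool:
    """True when the starttls feature carries <required/>."""
    m = re.search(r"<starttls\b[^>]*>(.*?)</starttls>", features_xml, re.S)
    return bool(m and re.search(r"<required\s*/>", m.group(1)))


def tls_context(self_signed_cert_path=None) -> ssl.SSLContext:
    """Strict context. With no cafile the platform trust store is used; with a
    cafile only that one (self-signed) certificate is trusted. Either way the
    certificate name must match the domain passed as server_hostname."""
    ctx = ssl.create_default_context(cafile=self_signed_cert_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Guard against the usual shortcut of switching verification off."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def _recv_until(sock, marker: bytes, limit: int = 65536) -> str:
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) + len(chunk) > limit:
            raise RuntimeError("stream closed or oversized before %r arrived" % marker)
        buf += chunk
    return buf.decode("utf-8", "replace")


def connect_xmpp(domain, host=None, port=5222, self_signed_cert_path=None, timeout=10.0):
    """Return a TLS-wrapped socket to an XMPP server.
    port 5223: "old style" SSL, TLS first and XMPP inside it.
    port 5222: XMPP first, then <starttls/> and a TLS handshake (RFC 6120 section 5)."""
    ctx = tls_context(self_signed_cert_path)
    raw = socket.create_connection((host or domain, port), timeout=timeout)
    try:
        if port == 5223:
            return ctx.wrap_socket(raw, server_hostname=domain)
        raw.sendall(stream_header(domain).encode("utf-8"))
        features = _recv_until(raw, b"</stream:features>")
        if not server_offers_starttls(features):
            raise RuntimeError("no STARTTLS offered; not continuing in the clear")
        raw.sendall(f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode("utf-8"))
        reply = _recv_until(raw, b"/>")
        if "<proceed" not in reply:
            raise RuntimeError(f"server refused STARTTLS: {reply.strip()}")
        tls = ctx.wrap_socket(raw, server_hostname=domain)
        tls.sendall(stream_header(domain).encode("utf-8"))  # fresh stream after TLS (RFC 6120)
        return tls
    except Exception:
        raw.close()
        raise


# Constructed sample <stream:features> replies for the parsing helpers above.
FEATURES_REQUIRED = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
                     "<required/></starttls></stream:features>")
FEATURES_OPTIONAL = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
                     "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                     "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")
FEATURES_NONE = ("<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                 "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")

if __name__ == "__main__":
    for name, xml in (("required", FEATURES_REQUIRED), ("optional", FEATURES_OPTIONAL), ("none", FEATURES_NONE)):
        print(name, "offers:", server_offers_starttls(xml), "requires:", server_requires_starttls(xml))
    print("strict context:", context_is_strict(tls_context()))
```

The reason the `tls_context` helper takes a certificate file rather than a "skip verification" flag is the FAQ's own scenario: a self-signed certificate is perfectly usable with SSL, but the right way to accept it is to trust exactly that certificate, with the hostname check still on. Disabling verification to make a self-signed server work turns the connection into one any machine on the path can impersonate, which is the same exposure the earlier post describes for plain 5222.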
Sunday, January 31, 2010
Saturday, January 30, 2010
Adium themes are in
As luck would have it, there was a critical bug in the version of Monal submitted to the App Store and I pulled it before it was approved. While it was in the approval queue I managed to get the Adium themes working correctly, so it will be in 1.02.
appending the following to the change log:
21. New faster and better looking message display that is compatible with Adium themes.