Talk given by Tom at the Global Messaging 2009 conference in London on 24th June 2009. It covered the essence of what makes a good mobile service, using Masabi's UK rail work as a case study.
8. Mobile Masochism
- The mobile experience is about PAIN
  - Texting on a Moto…
  - Pretty much anything at all on Nokia's touchscreen S60…
- User experience is becoming important
  - Ex-RAZR users often won't Moto again
- But nothing is perfect, even Steve

9. Many Services Will Fail
- Good ideas are common
- Good ideas which actually work aren't
  - Given handset constraints…
  - Given real world conditions…
  - Compared to existing alternatives…

10. Pick Your Battles
- A successful service must offer a significant advantage to the user
  - An mPayment must be easier than cash and cards
- Just because a user can do something, doesn't mean they will
- Offer net pain relief

11. Considerations
- User probably moving
- Must be simple
- Must be resilient
- Has user got alternatives?
  - Cash
  - Debit/credit cards
  - PC

13. UK Rail Barcodes
- Reliable, fast
- Offline scanning
  - Tickets still work when Internet doesn't!
- Open security
  - PKI signatures prevent modification
  - Public key verification is cheap, easy
- Royalty free, open barcodes
  - Aztec scans best on a handset screen
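The offline check described on slide 13, as an added example that is not Masabi's or the UK Rail barcode's own code: the issuing server signs the ticket contents with its private key, and a gate or inspector's scanner verifies the barcode contents with nothing but the public key, so it works without a connection and any change to the contents is rejected. The Ticket fields, the "|" encoding and the P-256/SHA-256 choice are assumptions, not the real UK Rail barcode layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Ticket is a constructed stand-in for the fields a rail ticket barcode
// carries; the real UK Rail barcode layout is not reproduced here.
type Ticket struct {
	ID, From, To, Class, Date string
}

// Encode produces the bytes that are signed and later placed in the barcode.
func (t Ticket) Encode() []byte {
	return []byte(t.ID + "|" + t.From + "|" + t.To + "|" + t.Class + "|" + t.Date)
}

// Issue signs the encoded ticket with the issuer's private key (ECDSA P-256
// over SHA-256). Only the issuing server ever holds this key.
func Issue(priv *ecdsa.PrivateKey, t Ticket) ([]byte, error) {
	digest := sha256.Sum256(t.Encode())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyOffline is what a gate or inspector's scanner runs: it needs only the
// issuer's public key, so it works with no network connection at all.
func VerifyOffline(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := Ticket{"T0001", "LON", "BHM", "STD", "2009-06-24"} // constructed sample
	sig, _ := Issue(priv, t)
	fmt.Println("genuine ticket accepted:", VerifyOffline(&priv.PublicKey, t.Encode(), sig))
	t.Class = "1ST" // the barcode contents no longer match the signature
	fmt.Println("modified ticket accepted:", VerifyOffline(&priv.PublicKey, t.Encode(), sig))
}
```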
14. UK Train Ticketing
- Phone becomes your ticket
- Today's reality:
  - Only supported on a few routes
  - Eg. our National Express trial
- 3-6 months:
  - Train franchises start to go live
  - Some rollout of barcode reading gates

15. Not Just a Ticket
- UK Rail Barcode has space for other entitlements
  - Eg. free coffee
- Bundle other sales together with ticket
- Barcodes have plenty of other uses
  - Remove cash from high-risk environments to reduce 'shrinkage'

17. Handset Support
- Chiltern Railways ticket app trial showed:
  - Adopted outside young male demographic
  - Often user's first transaction with a phone
- Tickets must be supported on everything!
  - Smartphones are a niche

20. Pure SMS Ticketing
- Picture messaging can carry small barcodes
  - 3 SMS per picture is expensive
  - Too small for new rail ticket barcodes
- Simple insecure 1D or 2D barcodes only
  - No text details for visual inspection
  - Scanner always required
  - Can be forwarded and reused

21. Wap Ticketing
- Wap Push with ticket URL
- User downloads ticket
  - Saves image like a wallpaper
  - Must trust OMA DRM
- A lot of effort to size image
  - Handsets often rescale an image that is slightly too big or small
  - This plays havoc with barcode scanners!

22. Java Ticket Wallet
- User installs local ticket wallet
- Server sends tickets over SMS
  - One encrypted binary msg/ticket
  - Delivered directly to wallet app
- App can display ticket details and barcode
  - Better barcode rendering > faster scanning
  - Details readable to an inspector

25. User Needs
- Ticket delivery is an extension of online
  - Fairly useful for users without printers
  - BUT most train tickets not bought online
- Sell from phone
  - Buy in taxi / on street / in station
  - Avoid queues
27. Mobile Payment Channels
- SMS
  - Premium SMS > phone bill
  - Credit card over SMS
- Payment through the browser
- Payment through a local app
28. SMS
- Premium SMS payment
  - Good for simple transactions
  - Easy to set up, works on everything
  - 30-60% operator cut
  - Best for low-value high-margin items
- SMS insecure for any other payment
  - Messages can be read on stolen phones
  - Messages can be read on the network
29. Mobile Browser Purchase
- Wap purchase is multi-step
  - Repeat page loads slow and expensive
  - Requires continuous connection
  - Data mis-entry becomes painful
  - Limited opportunity to help user with validation etc. – not like full web AJAX
- Often insecure
  - Wap1 inherently insecure
  - Transcoders can mess with Wap2 and the mobile web

30. Mobile Browsers
- Wap security
  - Inherently insecure: used on older browsers, "Wap" settings
- Wap2 security
  - Like the web: most handsets use this with "Internet" settings

31. Transcoders with HTTPS
- Some transcoders leave HTTPS alone
- Others will insert themselves in the connection
  - Handset cannot verify end certificate
  - Just like a man-in-the-middle attack!

32. Java Ticket Sales App
- Ticket purchase in UK
- Aimed at repeat users
- Intelligent client
  - Helps user with data entry => minimises resends
  - After 1st purchase, just enter CVV
- Submits credit card purchase with one encrypted SMS
  - Good when signal strength low
- Integrated into ticket wallet
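The single encrypted SMS of slides 22 and 32, as an added example that is not taken from Masabi's apps: the purchase (or ticket) message is encrypted and integrity-protected so it is not readable as plain text on the network, the weakness slide 28 notes for ordinary SMS, and it must still fit the 140-byte user-data budget of one 8-bit binary SMS. The shared AES-GCM key is assumed to be provisioned to the wallet app at install, and the message layout is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MaxBinarySMS is the user-data budget of a single 8-bit binary SMS.
const MaxBinarySMS = 140

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the wallet side: it encrypts and authenticates msg under the key
// shared with the server (assumed provisioned at install) and returns
// nonce || ciphertext || tag, refusing anything that would need a second SMS.
func Seal(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message, never reused
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := gcm.Seal(nonce, nonce, msg, nil)
	if len(out) > MaxBinarySMS {
		return nil, errors.New("message would need more than one SMS")
	}
	return out, nil
}

// Open is the server side: it recovers the message and rejects an SMS that
// was modified or truncated in transit (the GCM tag no longer verifies).
func Open(key, sms []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sms) < gcm.NonceSize() {
		return nil, errors.New("SMS too short")
	}
	return gcm.Open(nil, sms[:gcm.NonceSize()], sms[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 16) // constructed; a real key is provisioned, not zero
	msg := []byte("buy|LON|BHM|STD|2009-06-24|card:ref42|cvv:123") // constructed
	sms, err := Seal(key, msg)
	fmt.Println(len(sms), "bytes in one SMS, err:", err)
	plain, err := Open(key, sms)
	fmt.Println(string(plain), err)
}
```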
34. Java (someone has to like it)
- You don't have to be the 'best'
  - Sometimes being the only option is good enough
- NOT suitable for everything
  - Remember, pick your services
- Good for:
  - Recurring purchases
  - Flaky connections
  - Retries, SMS fallback, fat intelligent client

35. Near Field Communication
- A lot like "Oyster on your phone"
- (Almost) no handset support
  - Common by 2013?
- NFC already embedded on cards
  - Habit: you pay with a card, why use a phone?
- Who will pay for the infrastructure?
36. NFC – Not Today
(Chart: Nokia handsets vs. Nokia NFC handsets)
37. Some Notes On Oyster
- Great in London
  - Almost everyone has to use public transport
  - Locals 'bribed' to adopt with lower fares
  - Large government subsidies
- Not economically viable to roll out elsewhere
  - Even London overground train lines required £40m subsidy to support it
Masabi have been producing downloadable mobile applications for over 7 years, and today Masabi's secure mobile applications process millions of dollars worth of transactions every year.
SMS purchase from a vending machine isn't going to work – people use cash. The fact that the vending machine operator may be able to shave a few % off vandalism repairs and reduced theft doesn't matter to the user.
Source: Strategy Analytics (http://iphone.tmcnet.com/topics/iphone/articles/55332-global-handset-shipment-falls-record-rate-during-q1.htm). 5800: 2.6m vs iPhone: 3.8m. Nokia about 25x sales of Apple – bad quarter for Nokia.
TODO new screenshots
By ‘other payments’ => should never send credit card number over a normal text
Wap “https” not the same as web https
TODO new screenshots
It’s a great system, but worth considering why – need to consider the bigger picture
Come see me after for live demos, or to chat about building secure mobile applications for m-commerce, banking, ticketing, messaging. Read our blog for more details on security: blog.masabi.com