Masabi have been producing downloadable mobile applications for over 7 years, and today Masabi's secure mobile applications process millions of dollars worth of transactions every year.
Our applications are built on three core principles:
First, make the application usable and relevant to the end user, and make the default use cases quick and easy on the mobile. (I'll show you some slides of that later.)
Then, PORTABILITY to all popular handsets, including the older handsets that many developers avoid, to ensure the largest possible user-base for your service.
For mobile commerce: security, on all phones, to modern public standards.
[The screenshots above are animated, to show useful UI widgets helping the user to select from large lists, or input Credit Card numbers correctly]
WAP and web services are thin clients; good when you have a reliable, low-latency connection. Mobile is not like that: inside buildings, in moving vehicles and in remote locations, connections are often dropped or unavailable.
Mobile Java allows us to build FAT clients, and not just glorified mini-browsers!
Applications should provide most of the interaction while OFF-LINE and then only require an occasional connection at the end to make transactions or get updates. E.g. you should be able to review your bank account and create new payment instructions while on the metro, not only when stood still in good
Here are screenshots showing how you can quickly select one station from a list hundreds of entries long, and also how to perform local validation of credit card numbers before sending, to reduce the number of unnecessary network connections.
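As an added example (not Masabi's code, and written in Python rather than the Mobile Java the apps used), here is the kind of local card-number check the talk describes: normalise what the user typed, then apply the Luhn check digit so that keypad typos are caught on the handset before any network round-trip. The sample numbers are widely published test PANs, not real cards.

```python
from typing import Tuple

# Added example: client-side card-number validation of the kind the talk
# describes, so mistyped numbers never cost the user a network connection.

def normalise_pan(raw: str) -> str:
    """Strip the spaces and dashes users type between digit groups."""
    return "".join(ch for ch in raw if ch not in " -")

def luhn_valid(pan: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit: detects any single-digit typo and
    almost every adjacent transposition, the usual mistakes on a keypad."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit, doubling every second digit.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def validate_card_entry(raw: str) -> Tuple[bool, str]:
    """Return (ok, message); the message is what the handset UI would show."""
    pan = normalise_pan(raw)
    if not pan.isdigit():
        return False, "Card number may contain only digits"
    if not 12 <= len(pan) <= 19:
        return False, "Card number has the wrong number of digits"
    if not luhn_valid(pan):
        return False, "Card number mistyped (check digit failed)"
    return True, "OK"

if __name__ == "__main__":
    # Constructed inputs: a published test PAN, then a typo and a transposition.
    for entry in ("4111 1111 1111 1111", "4111 1111 1111 1112", "4111-1111-1111-1121"):
        print(entry, "->", validate_card_entry(entry))
```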
SMS Failover: Many users (more than half, we reckon) cannot make network connections from Java using WAP, because they need to switch to the correct INTERNET settings. To provide these users with an out-of-the-box instant purchase, the application can automatically detect the lack of functioning GPRS and switch to encrypted SMS instead.
[Hold up a 3510i or old Nokia S40 phone] When you provide transactional software for these old phones, we find that significant numbers of people use them. Can you afford to throw away 10-20% of your users? (By way of comparison, Microsoft and iPhones represent around 1% of the market.)
To provide Portability, we use our own porting Framework: DevelopME
We’ve seen many mobile products that are either attractive, but high-end only; or basic-looking and available on all handsets. Through DevelopME we are able to provide attractive apps on all Java phones.
You have to work hard to build full function applications that work on the older phones, and you can’t out-source it, or think about it late in your dev cycle – it has to be at the core of how you build everything.
It’s not just different graphics sizes and bugs: you have to build variations of UIs that make the best use of the very different input mechanisms on the different phones, and not expect the end consumer to re-learn new UI concepts that they don’t already use on their phone every day.
Standard GSM services do not meet the security requirements of Financial Services or Payment Card Industry regulations.
You shouldn’t use SMS or WAP to send payment instructions, bank passwords or credit card details, because too many individuals can gain access to them in transit.
(True end-to-end HTTPS is only available on the latest handsets; it is slow and not usable from Java or SMS.)
“The contents of SMS messages are known to the network operator's systems and personnel. Therefore, SMS is not an appropriate technology for secure communications. Most users do not realise how easy it may be to intercept.” Nick Jones, Gartner Research 2002, http://www.gartner.com/DisplayDocument?doc_cd=111720
“It would not be enough for a financial institution to provide mobile banking services relying on de-facto GSM protocol security.” Pakistan State Bank, Guidelines for Branchless Banking 2007, http://www.sbp.org.pk/bprd/2007/Guidelines-Branchless-Banking.pdf
We built EncryptME to the latest standards for new secure web services, and it is still the world’s only US Government Certified mobile java security library.
At 3KB, it can provide security on the oldest Java handsets, including the black-and-white Nokia 6310i. [Show legendary retro business phone]
Most importantly, it allows SMS data to be encrypted too!
Servers can continue to use standard cryptography from Sun, Microsoft etc.; they don’t need to use custom or proprietary security libraries.
We’re using on-screen barcodes to show the ticket values for reading by automatic gates, or checking by the train guards who carry hand-held scanners.
The ticket code can be transferred to the NFC element on compatible phones (like this Nokia 6131), but this handset is the only mainstream GSM handset with NFC and we’ve not heard of others in the pipeline.
Even when NFC services become mainstream, you will still need a secure interface to purchase entitlements, before they get transferred to the NFC element.
Roughly 75% of UK airline tickets are purchased online, yet only 2% of Heathrow Express tickets are bought online, because people only think and act on their public transport needs as they approach the station.
Mobile can give every user their own ticket machine, that never has a queue.
Simple: just put in your car, your credit card, and how long you want to park.
A brand new user can sign up and pay in just one secure SMS (or 0.02 pence worth of data).
Extend your parking without returning to the vehicle.
Credit Card details entered just once into the application.
Users have said “easier to use the mobile purchase than web purchase” because of quick, optimised workflow.
Come see me after for live demos, or to chat about building secure mobile applications for m-commerce, Banking, Ticketing, Messaging,
Read our blog for more details on security: blog.masabi.com
Mobile Commerce meets the Real World - Mobile Ticketing
Just because you can do something with mobile technology
does not mean that customers will want to use it.
Normal people will only try to use new technology to do a regular daily activity…
…if the old way of doing it is painful enough to make them try.
At that moment: offer them a better way.
Make a clear business case first
Must make more money
Must pay for itself in the first year
Capital is not easy to raise right now
• First mobile viral apps
• Playtech mobile casino
• First certified mobile security
• 20 currencies
• 4 alphabets
• 2 Factor Authentication
• Secure messaging
• UK Rail Ticket Standard
Transport Finance &
• Public certification
• Fast and small
• Popular handsets
• All form factors
• Offline functions
• Slick and attractive
WAP / xHTML
Browser based, like on most mobiles
Installed on the phone
Still useful without a continuous
Optimised data entry
Catch mistakes quicker
SMS failover from GPRS
Avoid settings, reception &
Cheaper + faster for the user
Send only the data
Flat rate data is still not common
Support the popular handsets
Not just the “easy” ones
Adapt content and graphics to
Automatic handling of handset bugs
Optimise experience for form factor
To Enable Payments
Credit Card Transactions
WAP and SMS alone are
not PCI/DSS secure
Why not use pSMS / Operator?
Too expensive for many industries
(cost of Operator Billing > 40%; only 1% to 3% for Visa)
US Government Certified
British Telecom validated
IET Security Award
Latest Encryption Strength
1024-bit RSA, 256-bit AES
Standard Server Cryptography
Tiny 3KB library
Works on all Java phones
Secures any medium
SMS, GPRS, Bluetooth, NFC
Only 12% of UK rail tickets sold on the internet – most bought at station
Over 2/3 of mobile users do not complete registration if it’s on the web
So: Sign up the users when they need it
in a queue
in a hurry
next to a broken ticket machine
No sign-up process
Mostly off-line interface, SMS backup
Fast repeated regular purchases
Auto-show tickets, full screen barcodes
Dependent on scanning hardware
Soft rollout option with visual inspection
Avoid up-front capital cost of full barcode scanner rollout
Visually inspect at launch
Staff report barcode ticket usage levels each week
Occasional SMS or scan checks
Staged scanner rollout for routes with significant adoption
RSPS3001 approved in December 2008 as the UK standard for self-print and mobile barcode rail ticketing
Share self-print and
between Operators and
3rd party retailers
Public and open security
Based on PKI, standard
Decentralised system -
Any barcode scanner, online or off-line, must support: 2D Aztec with CCD imager
Small basic scanners for door staff
Advanced PDA based scanners for service staff
Bluetooth scanner upgrade for Avantix Mobile 2
Cash Register/EPOS Scanners
Connect via USB or as “keyboard wedge” in between keyboard and EPOS, like a normal scanner
Fixed Scanners for gates or check-outs
Retro-fit to existing gates: user places phone on rubber face to scan
Or built in at manufacture by gate supplier
Fixed / gate
Sign-up in the queue
(no usernames or passwords)
No queues ever again
Tickets same price
Lower cost per sale
No need to expand stations (major cost)
Staged capital expense on scanners
Payments straight from phone
No need for explicit sign-up or passwords
Just type CVV again for future purchases
All user data entry and validation performed off-line
Secure SMS for users without data settings or with
New user can sign-up and pay in just one SMS
95% of surveyed users said:
“better than the IVR system we used until now”
No paper, no queues - barcode tickets
Tunnels aren’t showstoppers!
Auto-detects SMS or GPRS
1-2 SMS per ticket
Doubles the consumer uptake by removing Data issues
Quick repeat tickets
Customer loyalty and lock-in
Chiltern Railways with YourRail
User feedback: “Better than the web!”
People will only try to use new technology to do a regular daily activity…
…if the old way of doing it is painful enough to make them try something
At that moment:
offer them a better way.