Thursday, March 26, 2009

Information about Nokia email case

Quick answers for the impatient readers:
  1. “Yes”
  2. “Yes”
  3. “It’s easy”

Below are my comments on some of the reactions I have seen regarding this "Nokiagate".

1) You are stupid! Don’t you know there is a new service called “Nokia Messaging”? It has to be able to retrieve your messages from the server!

Yes, I know there is a solution called Nokia Messaging (read more here), but maybe I wasn't clear enough in my initial post: I am configuring direct IMAP/POP access to my own/company/organization/whatever email service, and I am not using, nor planning to use, Nokia's messaging proxy.

The messaging proxy is a piece of software that you can use if you wish; there's nothing wrong with that. If you want to use it, then you understand and accept that your credentials must be available to the proxy, otherwise things will not work. When you sign up for such a service, that is made clear to the user and he accepts it. However, this wasn't the case in my email issue.

After the email wizard has finished with the email configuration, all network connections are made from my terminal directly to the IMAP/POP email server, not to any messaging proxy. When I use email, data traffic doesn't go via Nokia. There is no reason why my credentials should be sent anywhere other than to my email server.

2) Is the data encrypted?
Yes, the data is encrypted. Read the next sentence aloud in an ironic voice: "When I configure a private email account on my phone, my email credentials are sent to Nokia in a secure way."

3) Can’t believe this! Can I verify this myself?
It's easy. First of all, you need some solution to intercept all network traffic originating from your terminal. For this purpose I used WebScarab and Wireshark. WebScarab is a tool that creates an HTTP proxy which allows you to control both HTTP requests and responses. Install, configure and run it on your desktop. Check your desktop's IP address and the port WebScarab is listening on.

Because sniffing the cellular network is beyond my skills, I used WiFi as the data bearer (the email wizard will silently use the cellular network if it is available). To force a WiFi connection, put your terminal into offline mode and/or remove the SIM card. Then configure a WiFi access point that uses your WebScarab desktop as a proxy (you need the IP address and port here).

When you think you are done, launch the browser on the phone and try to open some site. If you see the request in WebScarab, the configuration is correct. If not... well, I don't provide support for this setup.

After the configuration is working, run the email wizard and see what happens.


Request to readers
I don't have any idea which terminals have this email wizard, and if it exists, whether it works the same way when configuring an email account. If you find terminals behaving this way (sending passwords), please post the terminal information in this post's comments. Include the terminal type and software version (you can see that by going to the telephony screen and typing *#0000#).

Update
These are the devices and software versions on which I've tested and verified the password leak:
5800 (20.0.0.12)
N79 (11.049)
E75 (110.48.78)

//Harri

Sunday, March 22, 2009

Why does Nokia want my email password?


Many new Nokia S60 terminals seem to have an "email wizard" that helps the user configure an email account on the terminal. The wizard prompts the user for some basic information and then, in most cases, is able to create the account with all the correct settings.

Let's use the Nokia 5800, an iconic device that has sold over 1,000,000 units. When you start the email wizard, you will see a screen like this:



If I click "Back", the wizard closes and the email account is not created. Clicking "Start" continues the wizard, but was that answer also consent to store my personal information? Anyway, there doesn't seem to be a way to create an account without this wizard.

Let's create an account for the user test.user@mycompany.com (his password is "topsecret", but I will not tell it to anybody). After you have entered this information, the wizard opens a network connection and makes an HTTP request to the URL

https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera

Nice! I just sent Nokia my email address, password, operator information and terminal type (the terminal type travels in the HTTP headers, not visible here). All you Nokia 5800 users around the world: did you know that? I didn't know that, nor did I like it.
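Once the proxy setup from the follow-up post (WebScarab in front of the phone's WiFi access point) is working, the interesting part is reading the capture. The script below is an added example, not the author's tooling and not anything Nokia ships: it takes HTTP request lines in the absolute-URL form an intercepting proxy displays, parses the query string (and, for POST requests, a form-encoded body), and reports any credential-looking parameter together with whether the destination host is outside the mail domain the credential belongs to. The sample capture is constructed here; its first line reproduces the wizard request quoted above, and the parameter-name lists are hypothetical and should be extended for whatever client you inspect.

```python
from urllib.parse import urlsplit, parse_qsl

# Query/form parameter names that should never reach a third party (hypothetical list;
# extend it for the wizard or API you are inspecting).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}
# Parameters that identify the account; used to work out which mail domain "owns" the credential.
IDENTITY_PARAMS = {"address", "email", "username", "user", "login"}

# Constructed sample capture, in the absolute-URL request-line form an HTTP proxy such as
# WebScarab shows. The first line reproduces the wizard request quoted in the post; the
# second is a benign control request.
SAMPLE_REQUESTS = [
    "GET https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/"
    "?operation=ccds.provider.determineAccount&applicationCode=email"
    "&address=test.user@mycompany.com&password=topsecret"
    "&mcc=244&mnc=91&carrier=sonera HTTP/1.1",
    "GET http://www.example.com/index.html?lang=fi HTTP/1.1",
]


def parse_request_line(line):
    """Split 'METHOD absolute-URL HTTP/x.y' into (method, url); ValueError if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {line!r}")
    return parts[0], parts[1]


def mail_domain(identity):
    """Domain part of the first email-looking identity value, or None if there is none."""
    for value in identity.values():
        if "@" in value:
            return value.rsplit("@", 1)[1].lower()
    return None


def find_credential_leak(request_line, body=""):
    """Inspect one request (URL query plus an optional form-encoded body).

    Returns None when no credential-looking parameter is present. Otherwise returns a dict
    with the destination host and path, the leaked parameters, the identity parameters, and
    third_party=True when the host is not the mail domain (or a subdomain of it) that the
    credential belongs to, i.e. the password went somewhere other than the user's own mail service.
    """
    method, url = parse_request_line(request_line)
    u = urlsplit(url)
    params = parse_qsl(u.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    leaked = {k: v for k, v in params if k.lower() in SENSITIVE_PARAMS}
    if not leaked:
        return None
    identity = {k: v for k, v in params if k.lower() in IDENTITY_PARAMS}
    host = (u.hostname or "").lower()
    domain = mail_domain(identity)
    third_party = domain is not None and host != domain and not host.endswith("." + domain)
    return {
        "method": method,
        "host": host,
        "path": u.path,
        "leaked": leaked,
        "identity": identity,
        "third_party": third_party,
    }


def scan_capture(request_lines):
    """Run find_credential_leak over a list of request lines and return only the hits."""
    return [hit for hit in map(find_credential_leak, request_lines) if hit]


if __name__ == "__main__":
    for hit in scan_capture(SAMPLE_REQUESTS):
        where = "THIRD PARTY" if hit["third_party"] else "own mail domain"
        print(f"{hit['method']} {hit['host']}{hit['path']} ({where}): "
              f"leaks {sorted(hit['leaked'])} for {hit['identity']}")
```

Run against the sample, the wizard request is the only hit: it carries password=topsecret for test.user@mycompany.com to a host under nokia.com, which is what the third_party flag marks. Note that the proxy can only show an https:// request line in clear because it terminates TLS itself (the man-in-the-middle role WebScarab plays in this setup); on the wire between phone and server the same parameters are encrypted, which is exactly the point made under question 2 above.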

Today I had an opportunity to play with a new Nokia E75, a phone that's supposed to be THE email device for business users. The first impression of the device is very good; it's solid and snappy. When I checked the email client, it behaved just as on the 5800. When you create an account, the wizard sends your sensitive data over the internet to Nokia's server.

When I create an email account that has absolutely nothing to do with Nokia's email services, my user credentials are sent to Nokia's server. I guess this feature can be a show-stopper in some business environments: "hey, let's create email accounts and send our usernames and passwords to Nokia" doesn't sound that good.

According to my tests, if you want to create an email account without giving your credentials to Nokia, you have two options:
  • give dummy information to the wizard when it asks for the email address and password. The wizard will try to fetch settings from the internet but finally gives up, and you can then input the real data safely.
  • put the phone into offline mode when creating the account. That way the phone cannot connect to any servers, and when the wizard notices this, you will be able to enter the email account data without sending it to Nokia's servers.

So finally, here are my questions to Nokia:
  • Why have you created an email wizard that by default sends the user's email login information to your server without making that very clear and asking explicit permission to do so?
  • Why is there no option to create an email account manually, without any wizards?
  • When the user starts the wizard and continues from the first screen, does that give Nokia permission to store my personal information?
  • If my personal information was stored on Nokia's servers because I used the email wizard to create an email account, how can I get my data removed from the server?
  • How do you use my personal data collected from the email wizard?

Update: Read also my follow up post.
Update 2: I'm trying to give answers to readers' questions here.
Update 3: Nokia's official statement is here.

//Harri

Saturday, March 21, 2009

Going to Nokia Developer Summit

In case you haven't noticed, Nokia is organizing a Developer Summit in Monaco at the end of April. Check the agenda and decide if there is something for you; I will be attending the event. If you will be there too, come say hi!

By the way, there is also a LinkedIn group for the event.

//Harri

Thursday, March 19, 2009

Numbers of Mobility

Some numbers that describe the mobile industry in March 2009 (statistics from Gartner). Judge for yourself what all this means and whether Nokia is doing the right things in the smartphone arena.



-16.8% is how much Nokia's smartphone sales decreased in Q4/2008 compared to the previous year.

0€ is the price an iPhone user has to pay to get the phone's operating system upgraded to the most recent level. The update will be available this summer.

0€ is the price a Nokia user has to pay to get the phone's operating system upgraded to the most recent level. The update will not be available (source: Nokia).

2 is the number of different iPhone models available today.

3.7% is how much smartphone sales in general increased in Q4/2008.

78 is the number of different Nokia phones available in Finland today (source: product listing at nokia.fi).

84.9% is the year-on-year growth in RIM’s sales.

111.6% is the year-on-year growth in iPhone sales.

138% is the year-on-year growth in Samsung smartphone sales.

1000 is the number of voluntary resignation packages offered to Nokia employees (source: Nokia).

1700 is the number of Nokia R&D people that are affected by the company’s latest cost reductions (source: Nokia).

2500 is the number of people that will be affected by lay-offs at the Salo factory when phone production is scaled down to meet market demand (source: Nokia).



The list is pessimistic to shake you up, but clearly there's something wrong with the way Nokia performs now. The number of different terminal models is huge (compared to competitors) and it is changing rapidly, too. As soon as you buy a terminal there's something "better" already available, and the user is told that an upgrade will not be available. Wake up Nokia, competitors outperform you here!

For quite a long time I've been annoyed by the gap between a product's launch and its actual availability, at least when it comes to the flagship models. The marketing heat is on after the launch, but there's nothing to sell and no actual date is given for availability. When the terminal some day silently hits the shops, in the worst case there is already a new flagship model to steal the marketing momentum. Who wants to spend hundreds of euros on an "outdated" device you cannot upgrade? For example, the N97 was launched back in December and many models have been launched since; when will all these devices be available? Give us the exact date and make noise about it; these devices are not made for engineers but for customers to buy. Why do people have to play detective to find out when they can buy these terminals? Is the marketing department awake?

//Harri

Tuesday, March 10, 2009

The Cloud hits the Ground

When email storage space was limited, users had to keep their inbox small, keep messages organized in folders and delete every message that wasn't absolutely important. Now you can use services like GMail that have (practically) unlimited storage space in "the Cloud" and let you search your messages so quickly that organizing is just a waste of time. When using GMail I just don't organize or archive messages; search is enough.

Nokia's S60 phones have an email client that can regularly log in to your IMAP mail account and load new messages. When you enable that feature, it disables the setting that limits the number of messages in your phone's email account (why is it like that?). I tried this automatic refresh feature with GMail, decided to disable it and left the other settings untouched.

Later I began to wonder why email access had become very slow on my phone and why some applications either crashed or displayed clearly wrong information about my mailbox status. Then I checked the message count in my terminal's email application and there were 3900 email messages listed! Having all messages in your inbox is not a problem when processing happens in the Cloud, but then (fattish) clients like the S60 email application hit the Ground.

I know there is a GMail application available for my phone, but I'd rather use the native messaging application because that way I can have all my SMS/MMS/email messages stored in the same place and access them without switching applications.

Having all messages in the same place, hmmm....

Why are my SMS/MMS messages only in the phone? I'd like to have those archived in the Cloud, too. When I work with the messages, I'd like the changes to be replicated to my GMail account; that way I could also use the GMail application to access my messages from the Cloud, and the messages would also be stored in a safe place. If all my messages were replicated like that, there could just be a new folder in the GMail mobile application for accessing my SMS messages. That would also allow me to search all of my messages, no matter what medium was used to deliver them. As far as I understand, it is no rocket science to create a solution like this that uploads messages automatically to the Cloud. Anyone interested in trying?

//Harri