Monday, April 20, 2009

Nokiagate: my response to some comments

Last week the Nokiagate issue exploded and got attention worldwide. After reading comments and discussions on different sites, I must clarify some basic things.

Lots of people have wondered whether the communication is encrypted or not. I have already answered this question very clearly, but I will do it again: the connection is encrypted.

The second topic that seems difficult to understand is how email works. To start the wonderful journey into mobile mail, read an old post of mine. Then think for a second about what Nokia’s marketing department has been trying to communicate for some time: smartphone is an old-fashioned name for a device that has a new name, multimedia computer. That’s the name for a small, battery-operated, pocket-sized computer with one special feature: the ability to send data and voice over a cellular network. A nice little multimedia computer doesn’t require special protocols to access web content (remember WML and WAP?), nor does it require special protocols to access your mailbox. During this year’s Mobile World Congress, Nokia’s EVP Anssi Vanjoki admitted that he hates the word “smartphone” and would rather use the word “computer”.

Many comments asked how a mobile phone could then access email without sending credentials to Nokia; after all, this case is about the mythical mobile mail, right? If you have a desktop computer made by Dell, do you have to send your credentials to Dell in order to read your email? What about your Fujitsu laptop: did you send your credentials to Fujitsu before email started to work? Of course you didn't, but you think that in the case of a mobile device that has to be done? Well, that's not true.

Also, many people told me that this is just how push mail works in general and Blackberry in particular. They have actively forgotten that I wasn't talking about any “pushmail” solution but wanting to use standard protocols to access my mail, without any mobile buzzwords. The Blackberry solution (and many others) includes a messaging proxy server that sits between your terminal and the email server; that’s fine. When the user wants to access his mailbox, the messaging proxy does its magic and connects to the email server with the user’s permission. In my case the user connects directly to his own mailbox (after the credentials have successfully been sent to an undisclosed server) and no proxy is involved.

So, is it a big deal to send a password to a third-party server? After all, Barack Obama is a well-known Blackberry user, and if that’s not a problem for him, is this really a problem for me? Honestly, I don’t know about Obama’s email setup and neither do you, but I’m very sure that if somebody in his team someday discovers that his terminal is silently sending stuff abroad, that wouldn’t be considered yet another "these things just happen but our intention was good" case.

//Harri

Friday, April 17, 2009

Nokia's statement about the Nokiagate

I just received Nokia's official statement about the case I reported earlier.

Nokia's statement begins:
A Finnish blogger recently posted on his blogsite that Nokia stores users' credentials in Nokia when they try to configure their email account on their Nokia device using direct IMAP/POP access.

For the mobile email account to be created and for the user to enjoy a seamless mobile email experience, his email credentials (namely email address and password) need to be sent to the mail provider's server. In some cases, the user's credentials are sent directly to the mail provider's server, but in other cases, they securely pass through the Nokia mail server, without actually being stored.

Nokia takes security seriously in all phases of the mobile communication systems development process, and will further investigate this case using our normal processes and comprehensive testing. Also, based on the feedback that we have received, we will look into the possibility of amending the on-device email set-up instructions to ensure that end-user information handling in our devices and services is accurate.
Nokia's statement ends.

My comment on that statement:
  • I completely understand and accept the need to ease email account creation. Despite that, I still feel that sometimes sending credentials to the email provider and sometimes sending them to Nokia's server is not acceptable. I want to be in control of who gets my credentials.
  • I haven't claimed that Nokia stores users' credentials. I have written that credentials are sent to Nokia - I don't have any idea what happens to the credentials after that.
  • I asked if credentials are stored. Now we have a clear answer that credentials are not stored. That's good.

If I may suggest a solution to Nokia, would you consider a solution that
  • tells the user exactly what's going on during account creation
  • allows the user to decide whether the wizard is used or not
  • if the wizard is not used, does no communication with Nokia's servers
  • if the wizard is used, sends only the domain part (e.g. gmail.com) to Nokia's server
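As an added example of the last two points (my own illustration, not Nokia's code and not part of the original post): a set-up wizard that hands only the domain part of the address to the directory service and then probes the login itself, from the device, so the password never leaves it. The provider table, the directory lookup and the login probe are constructed stand-ins so the code runs offline; a real probe on the handset would open a TLS connection and call e.g. imaplib.IMAP4_SSL(host, port).login(address, password) instead.

```python
# Added example: a set-up wizard that only ever sends the domain part of the
# address off the device and verifies the credentials itself.

# Constructed provider table standing in for the directory service's data.
DIRECTORY = {
    "gmail.com": {"imap": ("imap.gmail.com", 993), "smtp": ("smtp.gmail.com", 465)},
    "example.net": {"imap": ("mail.example.net", 993), "smtp": ("mail.example.net", 587)},
}


def directory_lookup(domain):
    """Constructed stand-in for the directory service: it receives a domain,
    never an address or a password, and answers from the table above."""
    return DIRECTORY.get(domain)


# Constructed credential store for the on-device login probe. Real code would
# open a TLS connection from the handset (imaplib.IMAP4_SSL / smtplib.SMTP_SSL)
# and attempt LOGIN/AUTH; here a fixed table decides.
_ACCOUNTS = {"harri@example.net": "correct horse", "anna@gmail.com": "battery staple"}


def probe_login(service, host, port, address, password):
    """Constructed stand-in for testing the credentials against host:port."""
    return _ACCOUNTS.get(address) == password


class Wizard:
    def __init__(self, lookup=directory_lookup, probe=probe_login):
        self.lookup = lookup
        self.probe = probe
        self.disclosed = []  # audit trail of everything handed to the directory

    def configure(self, address, password):
        # rpartition copes with addresses whose local part itself contains '@'.
        local, sep, domain = address.rpartition("@")
        if not sep or not local or not domain:
            raise ValueError("not an email address")
        domain = domain.lower()  # domains are case-insensitive; local parts are not
        self.disclosed.append(domain)  # the only thing that leaves the device
        settings = self.lookup(domain)
        if settings is None:
            # Unknown provider: fall back to manual set-up, nothing more is sent.
            return {"status": "manual", "settings": None}
        # Verify incoming and outgoing services from the device itself.
        for service in ("imap", "smtp"):
            host, port = settings[service]
            if not self.probe(service, host, port, address, password):
                return {"status": "bad_credentials", "settings": settings, "failed": service}
        return {"status": "ok", "settings": settings}


if __name__ == "__main__":
    w = Wizard()
    print(w.configure("harri@example.net", "correct horse"))
    print("disclosed to directory:", w.disclosed)
```

The `disclosed` list is the point of the design: whatever the directory service logs, it can only ever contain domain names, and a wrong password is discovered by the handset, not by a server that holds the password for a moment.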

//Harri

Thursday, April 16, 2009

Info about the "Nokiagate"

Today has been an extremely busy day here at Mobilitics, and lots of questions have been asked about the Nokiagate, both in post comments and in private mail. Let me answer all of those at once.

Yes, Nokia is very much aware of this. I have made a report and they are working on it. Someday they will come out and comment.

I am not talking here about Nokia Messaging or any other service they provide. This case is about accessing your mailbox using IMAP without any extra middleware. You input the information needed to connect to your email account and that information goes to Nokia's server. When the deployment server has tested that your account details are OK, the information comes back to your terminal and the account is created. From then on communication happens between your terminal and the actual email server, just as it should.

Having said that, it must now be clear to everybody that Nokia's server is actually logging in to the email account when verifying the credentials. The test sequence includes logging in to both the incoming and outgoing services - if that fails, the client will prompt you to check the credentials. If you want to verify this, you must be able to investigate the traffic coming to your email servers.
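An added example of that check (my own code, not Nokia's and not from the original post): scan the mail server's own logs for the tell-tale sequence, an IMAP and an SMTP login with a user's credentials from an address outside the user's usual networks, followed shortly by the user's real device logging in. The log lines, the user-to-network mapping and every IP address are constructed for the example (documentation ranges only), and the Dovecot/Postfix-like line format is an assumption, so adjust the regular expressions to whatever your own server writes.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Dovecot/Postfix-style lines, not real server output. 192.0.2.10
# stands for the handset, 203.0.113.77 for an unknown host that logs in with
# the same credentials half a minute earlier.
SAMPLE_LOG = """\
Apr 16 10:02:11 mail dovecot: imap-login: Login: user=<harri@example.net>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.5, TLS
Apr 16 10:02:13 mail postfix/smtpd[1234]: 7A1B2C3D4E: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=harri@example.net
Apr 16 10:02:40 mail dovecot: imap-login: Login: user=<harri@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Apr 16 10:15:02 mail dovecot: imap-login: Login: user=<anna@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS
"""

# Assumed line formats; adjust to your server's actual logging.
IMAP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]+)>.*?rip=(?P<ip>[\d.]+)"
)
SMTP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=[^\[\s]+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)"
)

# Source networks each user is expected to log in from (constructed).
TRUSTED = {
    "harri@example.net": [ip_network("192.0.2.0/24")],
    "anna@example.net": [ip_network("192.0.2.0/24")],
}


def parse_logins(text, year=2009):
    """Yield (timestamp, service, user, source_ip) for each successful login."""
    for line in text.splitlines():
        for service, rx in (("imap", IMAP_RE), ("smtp", SMTP_RE)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                yield ts, service, m["user"], ip_address(m["ip"])
                break


def find_third_party_logins(text, window=timedelta(minutes=5)):
    """Flag logins from outside the user's trusted networks and note whether
    the same account then logs in from a trusted address within `window`:
    a third-party credential check followed by the real client is exactly
    the sequence an account-creation wizard leaves behind."""
    events = sorted(parse_logins(text))
    findings = []
    for i, (ts, service, user, ip) in enumerate(events):
        nets = TRUSTED.get(user, [])
        if any(ip in n for n in nets):
            continue
        follow_up = next(
            (e for e in events[i + 1:]
             if e[2] == user and e[0] - ts <= window and any(e[3] in n for n in nets)),
            None,
        )
        findings.append({
            "time": ts.isoformat(),
            "service": service,
            "user": user,
            "source": str(ip),
            "followed_by_trusted_login": follow_up is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_third_party_logins(SAMPLE_LOG):
        print(finding)
```

Two findings come out of the sample, one per service, both from 203.0.113.77 and both followed by the handset's own login within the window. The log tells you the source address of the verifying host, not who operates it or where it is; answering that needs a whois or reverse lookup on the flagged address, which is a separate step.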

Yes, according to my tests the verification server is located outside the European Union, which means that your credentials are also there.

//Harri

Friday, April 3, 2009

Instant mobilizer

I remember reading an announcement about a new instant mobilizer last autumn and forgetting about it because nothing but a press release was available. Today I was renewing a .mobi domain, and on the registrar's site I saw a small question: "Mobilize it?" What is this?

It is Instant Mobilizer. dotMobi has partnered with domain name registrars, and whenever somebody buys or renews a .mobi domain name, he is offered an option to automatically mobilize an old website. The solution is productized so well that it is difficult to see how the trick is done, but I guess that all traffic to the new .mobi site is redirected to a server that runs Mowser and the new mobile site is created on the fly.

Instant Mobilizer is a great solution for companies that want a mobile presence but don't want to invest in creating a new site for that purpose. This is again one step in the right direction, showing that mobility is not a speciality.

//Harri