Thursday, June 21, 2012

Just in time for Friday...BarTab launches with

BarTab powered by WebTab

Another cool app has launched with functionality!  Check out BarTab, made by the team at WebTab, a social commerce platform that enables people, networks and businesses to seamlessly interact in real-time.  Send yourself or your friends a drink via your mobile phone, for just $1 (and the first one is on them).

It's cool - just pick your local watering hole, select from the drink menu, and decide who you want to give a gift to.  Not sure what to order yet?  You can also buy drink credits, so your friend can decide what they want on their own.  Your friend can pick up their drink now, or save it for use later, up to 30 days.  Enjoy special promotions, like those for the NBA Finals this week.

Forget about buying a round of virtual beers on Zynga Poker...this is the real deal!'s SDK makes it super easy to just add a credit card and buy a round for your pals.

Download the BarTab app for iOS and Android.

Integrate into your app here:

Tuesday, June 12, 2012

Lemon partners with!

Meet the newest member of the partner family – Lemon. Lemon has officially announced their new Smart Wallet app. It's really slick, and it's powered by

The Lemon app is a “digital makeover” of your wallet – check out their press coverage at Techcrunch, WSJBetaKit, and elsewhere. Like a physical wallet, it stores things like your credit cards, loyalty cards, and paper receipts, but goes beyond that to enable you to track your expenses and manage your money, with features like spending reports and graphs broken out by account and category, loyalty program balances, and access to exclusive offers from retailers.

Loading up your wallet is “click, click, done” - use to scan in all your credit and debit cards, and they're scanned and saved securely on your phone: 

We're really excited about the clean, fast user experience that Lemon has built, and we're looking forward to watching the service grow! 

If you're a developer and want to add to your app, get started here:

Tuesday, June 5, 2012

1-800 CONTACTS partners with!

1-800 CONTACTS logo

We're excited to announce one of our newest partners, a major consumer retail brand.  You've seen their quirky ads on TV (or watch them here); now the 1-800 CONTACTS app features its own kind of "Special Eyes" in the form of's camera-based credit card acceptance solution.  1-800 CONTACTS customers can now speed through the purchasing process by just holding their credit card up to their iPhone in order to complete a contact lens purchase.

1-800 CONTACTS is the leading direct-to-consumer independent retailer of contact lenses in the US, and we're proud to have them as a partner.

The full press release is here.

Check out the 1-800 CONTACTS app in the App Store.

Are you a retailer interested in integrating?  Get instructions for integrating into your retail app or drop us a line at

Thursday, May 3, 2012

LevelUp partners with!

Today we're officially announcing our integration with LevelUp and sharing some performance data. We've made it faster and easier for LevelUp users to enter their credit card information with - it's over twice as fast, and LevelUp merchants have seen a 13% sales lift since went live in the LevelUp app!

LevelUp users can now hold their debit or credit card up to their smartphone, and will automatically read the card information using the phone's camera. This integration has reduced total registration time for new users from 60 seconds to 25 seconds and driven increased sales at LevelUp's merchants (~2500 local businesses across 8 U.S. cities).

We're excited to help other developers improve mobile purchase conversion and increase revenue. If you're interested in adding to your app, you can get started here: for developers.

Thursday, April 12, 2012

Why app developers should care about SSL pinning

In February, Arun Thampi discovered that Path was uploading users' address books to its servers.

The resulting kerfuffle served users well: Many apps–with Path leading the charge–are now much more careful about how they handle sensitive contact information and how they inform users of their intentions.

However, there's another useful reminder to draw from this episode: SSL is not a security panacea. Path's app communicated with its servers over SSL, yet third parties were able to intercept and read its traffic. How? The app wasn't pinned.

What is SSL pinning?

By default, when making an SSL connection, a client checks that the server's certificate:

  • has a verifiable chain of trust back to a trusted (root) certificate
  • matches the requested hostname

What it does not do is check that it is your certificate, the one you uploaded to your server.

When you don't know in advance to which hosts you might be connecting (e.g. in a browser), checking hostname match and chain of trust is the best you can do. In most native apps, though, you know your hosts in advance. This enables a higher level of security: You can make sure that it's your certificate that the server has presented.

This is known as SSL pinning. It offers extra protection against man-in-the-middle (MITM) attacks, perhaps perpetrated using a compromised root certificate, or via social engineering ("Free wifi! Just add this root cert to your device!").

You don't want anyone executing such an attack on your users, ever. And there are other reasons to care:
  • You might not want people voluntarily snooping on (their own) SSL traffic to/from your app. Path probably didn't. (I'm glad, though, for privacy's sake, that things worked out how they did.)
  • Knowing the structure of an API makes it easier to find and exploit other security holes on the server.
  • Being able to easily alter server responses makes it easier to find and exploit other security holes on the client. Many developers seem to assume that SSL protects you from malicious server responses. Blatant client security holes stemming from blindly trusting the server are all too common.

What apps does this affect?

The vast majority. It is incredibly easy to decrypt and observe traffic for some of the most popular apps across all categories (finance, entertainment, social networking) that many of us use daily. We've alerted the makers of every app we looked at in which we found this issue (and gave them a few months before posting this), but there are doubtless many thousands more.

At posting time, we know of four companies that implement some form of SSL pinning in their apps:, Square, The Economist, and Mint.

SSL pinning is nothing new. However, with the surge in visibility of Aldo Cortesi's remarkable mitmproxy ever since the Path story broke, and with the explosion of native apps, it's high time SSL pinning was de rigueur.

How do I implement SSL pinning?

Start by setting up mitmproxy to reproduce the problem and experience it first-hand. You should see something like the image below. We've blurred the sensitive details, but notice that the user's credentials would otherwise be plainly visible in this app:

Once you've seen how easy it is to reproduce, you can fix it! There are lots of how-to blog posts out there on SSL pinning–now that you know what to search for, half the battle is won. As for the other half...

Challenges implementing SSL pinning

There are a few problems you'll likely encounter when getting started with SSL pinning.

First, implementation is not as easy as it could be. iOS and OS X use fairly obscure C APIs, and getting this right in Android requires digging into the and org.apache.http packages. I hope that Apple and Google will make this easier soon, but in the meantime, find iOS sample code, or an Android example, read and understand it, and use it carefully. The fundamentals are not complex.

Second, what exactly do you pin to?
  • Pinning to your exact certificate will cause problems when your certificate expires and needs re-issuance.
  • Pinning to your root certificate means vendor lock-in, doesn't protect against compromised root certs, and doesn't protect against some certificate chaining attacks (cf. the iOS 4 SSL Basic Constraints vulnerability).
  • Pinning to the SPKI is just about right. Alas, in iOS, this requires manually parsing ASN.1, which is neither easy nor convenient. (Furthermore, parsing code is a common locus of buffer overflows, and such a security-critical code path is the last place you want that.) Android can use keystores generated with the Java keytool utility, although doing so requires configuration of an additional keystore provider. Again, better OS support here would be most welcome.

There's no magic answer here; understand the trade-offs and make an educated choice given your circumstances and platform.
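To make the "what do you pin to?" trade-off concrete, here is an added, platform-neutral example that is not code from the original post or from any SDK it mentions. It walks the DER structure of an X.509 certificate to extract the SubjectPublicKeyInfo (the same ASN.1 parsing the post says iOS forces you to do by hand), hashes it with SHA-256, and checks the result against a pinned set, as a client would after the default chain-of-trust and hostname checks have already passed. The DER helpers, the three certificates and the key bytes are all constructed for this example (structurally valid but unsigned toys), so the "renewed" certificate reuses the original key with a new serial number and validity period, while the "other" certificate carries a different key.

```python
import hashlib

# Minimal DER helpers, written for this example (not a production ASN.1 parser).
SEQ, INT, BITSTR, OID, NULL, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x05, 0x17, 0xA0


def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):            # bounds check: parsing code must not overrun
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the DER bytes of a certificate's SubjectPublicKeyInfo.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQ:
        raise ValueError("not a certificate")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != SEQ:
        raise ValueError("bad tbsCertificate")
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == CTX0:                        # explicit [0] version is optional; skip it
        pos = nxt
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    start = pos
    tag, _, end = read_tlv(tbs, pos)
    if tag != SEQ:
        raise ValueError("bad subjectPublicKeyInfo")
    return tbs[start:end]


def spki_sha256(cert_der):
    """Pin value: SHA-256 of the SPKI; it survives re-issuance with the same key."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()


def pin_check(cert_der, pinned_spki_hashes):
    """The extra check a client runs after normal chain and hostname validation."""
    return spki_sha256(cert_der) in pinned_spki_hashes


# --- constructed test certificates (structurally valid, unsigned toys) ---
RSA_ENC = tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")       # rsaEncryption
SHA256_RSA = tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")    # sha256WithRSAEncryption


def make_spki(key_bytes):
    return tlv(SEQ, tlv(SEQ, RSA_ENC + tlv(NULL, b"")) + tlv(BITSTR, b"\x00" + key_bytes))


def make_cert(serial, spki, not_before=b"120101000000Z", not_after=b"130101000000Z"):
    version = tlv(CTX0, tlv(INT, b"\x02"))
    alg = tlv(SEQ, SHA256_RSA)
    name = tlv(SEQ, b"")                   # empty issuer/subject Name (toy)
    validity = tlv(SEQ, tlv(UTCTIME, not_before) + tlv(UTCTIME, not_after))
    tbs = tlv(SEQ, version + tlv(INT, bytes([serial])) + alg + name + validity + name + spki)
    return tlv(SEQ, tbs + alg + tlv(BITSTR, b"\x00" + b"\x00" * 16))


KEY_A = bytes(range(1, 33))                # stand-in for the server's real public key
KEY_B = bytes(range(100, 132))             # a different key, e.g. from an interposing proxy
CERT_ORIGINAL = make_cert(1, make_spki(KEY_A))
CERT_RENEWED = make_cert(2, make_spki(KEY_A), b"130101000000Z", b"140101000000Z")
CERT_OTHER = make_cert(3, make_spki(KEY_B))
PINS = {spki_sha256(CERT_ORIGINAL)}        # the set that ships inside the app


def demo():
    """Compare SPKI pinning with pinning the exact certificate bytes."""
    exact_pin = hashlib.sha256(CERT_ORIGINAL).hexdigest()
    return {
        "spki_original": pin_check(CERT_ORIGINAL, PINS),
        "spki_renewed": pin_check(CERT_RENEWED, PINS),
        "spki_other": pin_check(CERT_OTHER, PINS),
        "exact_renewed": hashlib.sha256(CERT_RENEWED).hexdigest() == exact_pin,
    }


if __name__ == "__main__":
    print(demo())
```

The result of `demo()` shows the point of the second bullet list above: an SPKI pin accepts both the original and the re-issued certificate and rejects the one with a different key, whereas a pin on the exact certificate bytes fails as soon as the certificate is renewed. The bounds check in `read_tlv` is the kind of discipline the post asks for in parsing code on a security-critical path; a real implementation would also reject nested length overruns and indefinite-length encodings.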

To anticipate a few obvious reactions:

Can't SSL pinning be bypassed by cracking the app?
Yes, it can. That's the nature of security. That doesn't mean you shouldn't make an attacker's job harder.

Aren't there always more security holes?
Yes, there are. But this is a fairly easy one–both to exploit and to close.

I already have too many things to worry about.
Security is not a feature. It's part of the foundation of an app. Take the time, implement this once, and use it forever.

Why are you posting publicly about a security problem?
This is neither a new problem nor a new solution. This is a well known security weakness, yet–even after the Path story–it is not visible enough that many developers bother to fix it. Given that, sunlight is the best possible approach.

(Photo courtesy of Public Domain Photos, licensed under CC 2.0 Attribution License)

Wednesday, April 4, 2012

Uber partners with!

Here at, we are big fans of Uber, so we're excited to share that we've partnered with Uber to make it even easier to pay for a ride from your phone!

You can read more about it on Uber's blog or try it for yourself in the Uber app. Instead of typing in a credit card, just scan your card with

It's fast and secure, and you can scan in multiple cards (convenient for folks taking both personal and business rides). With, Uber makes it even easier to get where you're going.

If you're building a mobile app and want to integrate, start here.

PhoneGap plugin for iOS

We're pleased to announce the new iOS PhoneGap plugin. It's available as part of the phonegap-plugins repository on GitHub; integration is quick, and it's easy to use:

Check out the readme to learn more about adding to your PhoneGap-powered app.

We're listening to developers and working hard to make easy to implement across a variety of platforms. Want to use in your app? Check out our iOS, Android, and web integration instructions. Working with a different platform? Drop us a line or tweet to @cardio to let us know what you need.

(Images used in this post originally created by PhoneGap, modified by, licensed under a Creative Commons Attribution-NonCommercial 2.5 Canada License)