Thursday, June 21, 2012

Just in time for Friday...BarTab launches with card.io

BarTab powered by WebTab


Another cool app has launched with card.io functionality!  Check out BarTab, made by the team at WebTab, a social commerce platform that enables people, networks and businesses to seamlessly interact in real-time.  Send yourself or your friends a drink via your mobile phone, for just $1 (and the first one is on them).

It's cool - just pick your local watering hole, select from the drink menu, and decide who you want to give a gift to.  Not sure what to order yet?  You can also buy drink credits, so your friend can decide what they want on their own.  Your friend can pick up their drink now, or save it for use later, up to 30 days.  Enjoy special promotions, like those for the NBA Finals this week.

Forget about buying a round of virtual beers on Zynga Poker...this is the real deal!

card.io's SDK makes it super easy to just add a credit card and buy a round for your pals.

Download the BarTab app for iOS and Android.

Integrate card.io into your app here: www.card.io/integrate

Tuesday, June 12, 2012

Lemon partners with card.io!

Meet the newest member of the card.io partner family – Lemon. Lemon has officially announced their new Smart Wallet app. It's really slick, and it's powered by card.io.



The Lemon app is a “digital makeover” of your wallet – check out their press coverage at Techcrunch, WSJ, BetaKit, and elsewhere. Like a physical wallet, it stores things like your credit cards, loyalty cards, and paper receipts, but goes beyond that to enable you to track your expenses and manage your money, with features like spending reports and graphs broken out by account and category, loyalty program balances, and access to exclusive offers from retailers.

Loading up your wallet is “click, click, done” - use card.io to scan in all your credit and debit cards, and they're scanned and saved securely on your phone:


We're really excited about the clean, fast user experience that Lemon has built, and we're looking forward to watching the service grow!

If you're a developer and want to add card.io to your app, get started here: https://www.card.io/developers/

Tuesday, June 5, 2012

1-800 CONTACTS partners with card.io!




We're excited to announce one of our newest partners, a major consumer retail brand.  You've seen their quirky ads on TV (or watch them here); now the 1-800 CONTACTS app features its own kind of "Special Eyes" in the form of card.io's camera-based credit card acceptance solution.  1-800 CONTACTS customers can now speed through the purchasing process by just holding their credit card up to their iPhone in order to complete a contact lens purchase.

1-800 CONTACTS is the leading direct-to-consumer independent retailer of contact lenses in the US, and we're proud to have them as a partner.

The full press release is here.

Check out the 1-800 CONTACTS app in the App Store.

Are you a retailer interested in integrating?  Get instructions for integrating card.io into your retail app or drop us a line at sales@card.io.

Thursday, May 3, 2012

LevelUp partners with card.io!



Today we're officially announcing our integration with LevelUp and sharing some performance data. We've made it faster and easier for LevelUp users to enter their credit card information with card.io - it's over twice as fast, and LevelUp merchants have seen a 13% sales lift since card.io went live in the LevelUp app!

LevelUp users can now hold their debit or credit card up to their smartphone, and card.io will automatically read the card information using the phone's camera. This integration has reduced total registration time for new users from 60 seconds to 25 seconds and driven increased sales at LevelUp's merchants (~2500 local businesses across 8 U.S. cities).

We're excited to help other developers improve mobile purchase conversion and increase revenue. If you're interested in adding card.io to your app, you can get started here: card.io for developers.

Thursday, April 12, 2012

Why app developers should care about SSL pinning

In February, Arun Thampi discovered that Path was uploading users' address books to its servers.

The resulting kerfuffle served users well: Many apps–with Path leading the charge–are now much more careful about how they handle sensitive contact information and how they inform users of their intentions.

However, there's another useful reminder to draw from this episode: SSL is not a security panacea. Path's app communicated with its servers over SSL, yet third parties were able to intercept and read its traffic. How? The app wasn't pinned.

What is SSL pinning?


By default, when making an SSL connection, a client checks that the server's certificate:

  • has a verifiable chain of trust back to a trusted (root) certificate
  • matches the requested hostname

What it does not do is check that it is your certificate, the one you uploaded to your server.

When you don't know in advance to which hosts you might be connecting (e.g. in a browser), checking hostname match and chain of trust is the best you can do. In most native apps, though, you know your hosts in advance. This enables a higher level of security: You can make sure that it's your certificate that the server has presented.

This is known as SSL pinning. It offers extra protection against man in the middle (MITM) attacks, perhaps perpetrated using a compromised root certificate, or via social engineering ("Free wifi! Just add this root cert to your device!").

You don't want anyone executing such an attack on your users, ever. And there are other reasons to care:
  • You might not want people voluntarily snooping on (their own) SSL traffic to/from your app. Path probably didn't. (I'm glad, though, for privacy's sake, that things worked out how they did.)
  • Knowing the structure of an API makes it easier to find and exploit other security holes on the server.
  • Being able to easily alter server responses makes it easier to find and exploit other security holes on the client. Many developers seem to assume that SSL protects you from malicious server responses. Blatant client security holes stemming from blindly trusting the server are all too common.

What apps does this affect?


The vast majority. It is incredibly easy to decrypt and observe traffic for some of the most popular apps across all categories (finance, entertainment, social networking) that many of us use daily. We've alerted every app we looked at for which we found this issue (and gave them a few months before posting this), but there are doubtless many thousands more.

At posting time, we know of four companies that implement some form of SSL pinning in their apps: card.io, Square, The Economist, and Mint.

SSL pinning is nothing new. However, with the surge in visibility of Aldo Cortesi's remarkable mitmproxy ever since the Path story broke, and with the explosion of native apps, it's high time SSL pinning was de rigueur.

How do I implement SSL pinning?


Start by setting up mitmproxy to reproduce the problem and experience it first-hand. You should see something like the image below. We've blurred the sensitive details, but notice that the user's credentials would otherwise be plainly visible in this app:



Once you've seen how easy it is to reproduce, you can fix it! There are lots of how-to blog posts out there on SSL pinning–now that you know what to search for, half the battle is won. As for the other half...

Challenges implementing SSL pinning


There are a few problems you'll likely encounter when getting started with SSL pinning.

First, implementation is not as easy as it could be. iOS and OS X use fairly obscure C APIs, and getting this right in Android requires digging into the javax.net.ssl and org.apache.http packages. I hope that Apple and Google will make this easier soon, but in the meantime, find iOS sample code, or an Android example, read and understand it, and use it carefully. The fundamentals are not complex.

Second, what exactly do you pin to?
  • Pinning to your exact certificate will cause problems when your certificate expires and needs re-issuance.
  • Pinning to your root certificate means vendor lock-in, doesn't protect against compromised root certs, and doesn't protect against some certificate chaining attacks (cf. the iOS 4 SSL Basic Constraints vulnerability).
  • Pinning to the SPKI is just about right. Alas, in iOS, this requires manually parsing ASN.1, which is neither easy nor convenient. (Furthermore, parsing code is a common locus of buffer overflows, and such a security-critical code path is the last place you want that.) Android can use keystores generated with the Java keytool utility, although doing so requires configuration of an additional keystore provider. Again, better OS support here would be most welcome.

There's no magic answer here; understand the trade-offs and make an educated choice given your circumstances and platform.
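Pinning to the SPKI, as described above and under "What is SSL pinning?", as an added example that is not card.io's code: a Go client hashes the server's SubjectPublicKeyInfo and enforces the pin from a tls.Config.VerifyPeerCertificate hook, so the default chain-of-trust and hostname checks still run and the pin is checked on top. The self-signed certificates are constructed fixtures; Go's standard library stands in for the iOS and Android APIs the post names, and the check shows the pin surviving re-issuance for the same key while a certificate for a different key is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo; unlike the whole certificate, this survives re-issuance for the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier is a tls.Config.VerifyPeerCertificate hook: Go's usual chain and hostname checks
// run first, then some certificate presented by the server must carry one of the pinned SPKI hashes.
func pinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			if cert, err := x509.ParseCertificate(raw); err == nil && pins[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("ssl pinning: no presented certificate matches a pinned SPKI")
	}
}

func selfSigned(key *ecdsa.PrivateKey, ttl time.Duration) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// demo (constructed fixtures): pin today's cert, then present a re-issued cert for the same key and a cert for another key.
func demo() (reissuedAccepted, foreignRejected bool) {
	serverKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	current, _ := x509.ParseCertificate(selfSigned(serverKey, time.Hour))
	cfg := &tls.Config{VerifyPeerCertificate: pinVerifier(map[string]bool{spkiPin(current): true})}
	reissued := selfSigned(serverKey, 24*time.Hour) // new certificate, same key pair
	foreign := selfSigned(otherKey, 24*time.Hour)   // different key pair, as an interposed proxy would present
	return cfg.VerifyPeerCertificate([][]byte{reissued}, nil) == nil, cfg.VerifyPeerCertificate([][]byte{foreign}, nil) != nil
}
```

In a real client, cfg is passed to tls.Dial or an http.Transport and the pin set is shipped with the app; keep a backup pin for the next key so a planned rotation does not lock users out.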

But...


To anticipate a few obvious reactions:

Can't SSL pinning be bypassed by cracking the app?
Yes, it can. That's the nature of security. That doesn't mean you shouldn't make an attacker's job harder.

Aren't there always more security holes?
Yes, there are. But this is a fairly easy one–both to exploit and to close.

I already have too many things to worry about.
Security is not a feature. It's part of the foundation of an app. Take the time, implement this once, and use it forever.

Why are you posting publicly about a security problem?
This is neither a new problem nor a new solution. This is a well known security weakness, yet–even after the Path story–it is not visible enough that many developers bother to fix it. Given that, sunlight is the best possible approach.


(Photo courtesy of Public Domain Photos, licensed under CC 2.0 Attribution License)


Wednesday, April 4, 2012

Uber partners with card.io!

Here at card.io, we are big fans of Uber, so we're excited to share that we've partnered with Uber to make it even easier to pay for a ride from your phone!

You can read more about it on Uber's blog or try it for yourself in the Uber app. Instead of typing in a credit card, just scan your card with card.io:


It's fast and secure, and you can scan in multiple cards (convenient for folks taking both personal and business rides). With card.io, Uber makes it even easier to get where you're going.

If you're building a mobile app and want to integrate card.io, start here.

card.io PhoneGap plugin for iOS



We're pleased to announce the new card.io iOS PhoneGap plugin. Available as part of the phonegap-plugins repository on GitHub, integration is quick, and it's easy to use:


Check out the readme to learn more about adding card.io to your PhoneGap-powered app.

We're listening to developers and working hard to make card.io easy to implement across a variety of platforms. Want to use card.io in your app? Check out our iOS, Android, and web integration instructions. Working with a different platform? Drop us a line or tweet to @cardio to let us know what you need.

(Images used in this post originally created by PhoneGap, modified by card.io, licensed under a Creative Commons Attribution-NonCommercial 2.5 Canada License)