Whether you’ve had previous experience with Xamarin or are completely new to C# or mobile development, Xamarin University offers an extensive course library that caters to developers of all levels. The program offers live, interactive, lab-based classes taught by Xamarin mobile experts from around the world, at all hours of the day. In addition to […]
The post Upcoming Xamarin University Guest Lectures appeared first on Xamarin Blog.
The “on-demand economy” is everywhere these days. With the tap of a screen you can summon a taxi or have food delivered from your favorite restaurant. Often these services even provide you with real-time updates on the location of the car or courier so you know exactly when they’ll be showing up. From a user’s perspective this is awesome, but there are pretty big privacy implications at play here for both users of the service as well as those working for them.
To that point, I’d like to discuss some glaring privacy issues I found when using Caviar, a courier service that focuses on delivering food from local restaurants.
TL;DR – if you’re a courier for Caviar or a user of Caviar, you should request that they fix these issues as soon as possible.
Back on July 11 I ordered a delivery through Caviar. Once the courier was en route to my house the page started updating to show their location. Like most developers, I cracked open the browser developer tools to see how they were doing it. Were they using web sockets? Long polling? It’s always interesting to see how different companies set up their solutions for this sort of thing. For anyone curious, they’re actually using a less-exciting method of just doing occasional full page refreshes via a meta tag.
On each page load Caviar is dropping the coordinates of the courier into JavaScript variables, along with my coordinates, and then showing those on a map. Simple enough. After the delivery came the map reverted to just showing my location, but I noticed something very alarming: the variables for the courier’s location were continuing to get updated long after the delivery was made. In fact, simply flipping a variable named out_for_delivery from false to true as the page was loading would result in the courier’s current location being displayed nicely on the map.
For posterity, I’ve published a gist containing the relevant snippet of code responsible for this. There’s not a whole lot going on there, but it’s a good example of why you should never completely rely on client-side security rules.
Once I realized this was not resolving itself, I contacted Caviar’s support to let them know about the issue. The next day I got a response saying that their engineers would be looking into the problem. Awesome! Problem solved, right?
Fast forward to today, and if I pull up the order status page for that July 11 order it still has moving courier coordinates being dropped onto the page. I also placed another order a couple nights back that now exhibits the same behavior, so it’s definitely still an issue.
This is a huge privacy violation for Caviar’s couriers. As a user of the service I should not be able to have any knowledge of the courier’s location outside of the context of my own delivery. As soon as my delivery is complete, the page should no longer need to be updated with any information about the courier. Instead, if I wanted to I could continue tracking that courier indefinitely. I could mine the data for delivery patterns, pickup and dropoff locations, working hours, and probably even deduce where the courier lives based on where the location settles after hours. This is not information I have any right to, nor is it something I even want to know, so I did nothing of the sort but that doesn’t change the fact that it was still there for the taking.
Security by Good Samaritans is not a good long-term strategy.
One other thing I noticed in using Caviar is a privacy issue for both users and couriers. As is the case with basically every system out there, there’s a standardized URL for checking on your order status in the form of /orders/{order-id}. This is the same page discussed in the previous section that exposed the courier’s location. In addition to that, it also has my full name, address, and even telephone number.
There’s one problem here: the page is public. You don’t need to be authenticated to view order details and get access to all of this personal information. I have a small sample size here, but the order ID seems to be 8 characters long and a case-sensitive mix of letters, numbers, and underscores. Anyone that comes across the right combination of these characters can easily access all of this data. It’s not hard to imagine a brute force attach on this URL to try generating valid order IDs and harvesting private information. Just as before, this is not information I even want to have, so I did not make any attempts to exploit the weakness.
None of this is meant to disparage Caviar, or imply that any privacy violations observed here were intentional or malicious. As a user I’ve had good experiences in using their service. I had hoped that contacting their support would result in these issues being resolved, and now hope that publishing this will accomplish that. If you’re a user or a courier for them, I strongly advise that you contact them to get this patched up.
I also want to highlight the importance of privacy in general with services like these, especially given their continued rise to ubiquity. The burden of responsibility falls to us as software engineers to make privacy and security a top priority. When users trust us with sensitive information, it’s on us to do the best we can to protect it and use it responsibly. We can do better.
Xamarin is back in session with tons of new workshops, seminars, Dev Days, user groups, and conferences happening this September all over the world! Get involved this month in events near you: Seattle Mobile .NET Developers Seattle, WA: September 1st What’s new in C# 6 and F# 4! with James Montemagno and Xamarin MVP, Frank […]
The post Xamarin Events in September appeared first on Xamarin Blog.
I recently had the pleasure of being a guest on Jesse Liberty’s Yet Another Podcast to talk about Xamarin, with a particular focus on how we do things at Olo. Check it out, and I hope you enjoy!
http://jesseliberty.com/2015/08/24/yet-another-podcast-141-greg-shackles-on-xamarin/
Easily Automate Your Xamarin.Forms Apps James Montemagno, from Xamarin Inc., tries to knock the tedium out of testing. Episode 28: Behind the Scenes of Xamarin.Forms with Jason Smith Greg Shackles and Jon Dick talk with the legend Jason Smith from Xamarin. Rapid Mobile App Prototyping with Xamarin.Forms Krystin Stutesman, from Xamarin Inc., shows off some […]
The post Weekly Xamarin Newsletter Issue #55 appeared first on Syntax is my UI.
public class ListView : Xamarin.Forms.ListView
{
public static BindableProperty ItemClickCommandProperty =
BindableProperty.Create<ListView, ICommand>(x => x.ItemClickCommand, null);
public ListView()
{
this.ItemTapped += this.OnItemTapped;
}
public ICommand ItemClickCommand
{
get { return (ICommand)this.GetValue(ItemClickCommandProperty); }
set { this.SetValue(ItemClickCommandProperty, value); }
}
private void OnItemTapped(object sender, ItemTappedEventArgs e)
{
if (e.Item != null && this.ItemClickCommand != null && this.ItemClickCommand.CanExecute(e))
{
this.ItemClickCommand.Execute(e.Item);
}
this.SelectedItem = null;
}
}
The key here is the ItemClickCommand property. This will be the command that gets executed when we tap on an item. We also listen to the OnItemTapped event and the magic goes here by simply setting the SelectedItem to null again, allowing for the item to be tapped again.
public INavigation Navigation { get; set; }
public ObservableCollection<Duck> Ducks
{
get;
set;
}
public Command<Duck> DuckSelected
{
get
{
return new Command<Duck>(async (d) =>
{
var duckView = new DuckView();
duckView.LoadData(d);
await Navigation.PushAsync(duckView);
});
}
}
}
public class Duck
{
public string Name { get; set; }
}
</ContentPage.Content>
</ContentPage>
var viewModel = new MainViewModel();
viewModel.Navigation = this.Navigation;
BindingContext = viewModel;
}
}
