Category Archives: Assignment 2

Square Reader & Security

When our team prepared for our presentation on Square, we did not expect that there would be so much interest in the security aspect of using Square. In order to focus on the other interesting elements of the Square Register app, our team spent a mere 20 seconds explaining how the Square reader works. We actually wanted to highlight how Square could still be useful even if it was used without the credit card reader.

After reading through the reviews and comments posted by the rest of the class, I felt that I should share some of my thoughts on security.

I did some research on this area, and everything discussed here is information that is publicly available. Also, as I do not have a strong background in cryptography, do read up more on your own if you are interested — and feel free to correct me if I’m wrong.

Square Reader

Conversion to Sound is NOT Encryption

Some of the class seem to have the impression that the conversion of data into sound waves is what makes Square secure. This is not actually the case. After the card data in the magnetic stripe is read, a piece of hardware in the reader is responsible for encrypting this information. As to how this chip does it, or what cryptographic cipher it uses — I don’t know. In the Square app, the analogue sound waves are converted back into digital, but the content remains encrypted.

Attack Vectors

A study on the security of smartphone-based POS systems listed some of the potential threats faced by these systems.

Network

Unencrypted information transmitted from the app over the network could be intercepted. However, the study also found that all applications tested were protected from this via the use of TLS to encrypt data sent over the network.

Malicious Apps

Malicious software or a compromised OS could intercept data sent over the audio-jack. In other words, you could have installed a bad app that tries to listen on the microphone jack for data from the Square reader. According to the study, readers without hardware encryption are indeed susceptible to this form of attack. While the first version of Square did not offer hardware-based encryption, this is no longer the case.
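To make the two points above concrete, here is an added illustration (not code from Square or from the study): a made-up two-tone audio encoding is decoded by anyone who knows the tone scheme, so only encryption done before the data leaves the reader keeps it unreadable on the audio line. The tone scheme, the SHA-256 keystream standing in for the reader's unknown cipher, the key and the track string are all constructed assumptions.

```python
import hashlib
import math

RATE, SAMPLES_PER_BIT = 8000, 40   # assumed sample rate and bit length
F0, F1 = 1000, 2000                # assumed tones (Hz) for bit 0 and bit 1
TRACK = b"%B4111111111111111^DOE/JANE^30011010000?"  # constructed test track
KEY = b"constructed-demo-key"      # stands in for a key kept inside the reader

def _tone(freq, n):
    return math.sin(2 * math.pi * freq * n / RATE)

def to_audio(data):
    """Encode bytes as samples, one tone burst per bit. No key is involved."""
    samples = []
    for byte in data:
        for i in range(7, -1, -1):
            freq = F1 if (byte >> i) & 1 else F0
            samples.extend(_tone(freq, n) for n in range(SAMPLES_PER_BIT))
    return samples

def _power(window, freq):
    """Signal energy at one frequency (correlate with sine and cosine)."""
    re = sum(s * math.cos(2 * math.pi * freq * n / RATE) for n, s in enumerate(window))
    im = sum(s * _tone(freq, n) for n, s in enumerate(window))
    return re * re + im * im

def from_audio(samples):
    """Decode samples back to bytes. Needs only the public tone scheme."""
    out = bytearray()
    for start in range(0, len(samples), 8 * SAMPLES_PER_BIT):
        byte = 0
        for i in range(8):
            window = samples[start + i * SAMPLES_PER_BIT:start + (i + 1) * SAMPLES_PER_BIT]
            byte = (byte << 1) | (_power(window, F1) > _power(window, F0))
        out.append(byte)
    return bytes(out)

def keystream_xor(key, data):
    """Stand-in cipher: XOR with a SHA-256 counter keystream (not the reader's)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def seen_on_audio_line(encrypt_in_reader):
    """What any software decoding the audio obtains, with or without a key."""
    payload = keystream_xor(KEY, TRACK) if encrypt_in_reader else TRACK
    return from_audio(to_audio(payload))
```

`seen_on_audio_line(False)` returns the track string unchanged, while `seen_on_audio_line(True)` returns bytes that can only be turned back into the track with `KEY`.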

Malicious Hardware

The reader device could be altered at a hardware level to entirely bypass encryption. However, in order to transmit this data back to the attacker, the smartphone used also has to be compromised.

Would You Use It?

Security and technicality aside, would you use such a technology? As a customer, would you choose NOT to patronise a merchant if it processes your card payment using a smartphone or similar devices? Would you even care? Most of the time, when customers make payments in restaurants, their credit card is passed to the waiter, who then returns with a receipt for the customer to sign. If Square is used together with their receipt printer, one could argue that the customer might not even know the payment was processed by Square.

On the other hand, data on credit cards remains insecure as long as it is encoded on the magnetic stripe. Anyone with a cheap magnetic stripe card reader can read, or even duplicate, the data stored on the card without much difficulty. Or even easier — the waiter taking your card could simply snap a picture of the card number together with the CVV code. This information is enough for them to use your card to make online transactions.

Would you stop using credit cards entirely?

Facebook / iPad Application Seminar

Just got back from the Facebook / iPad Application Seminar, where ten groups took turns to review ten different apps that are currently in the market. This is probably the first class where I had to sit through a series of ten presentations in a row — and yet, each one brings in fresh insights that are applicable and relevant.

Goodreads

The presentation on Goodreads was pretty clear and insightful, and I thought the group gave a really good introduction to what Goodreads is. My only encounter with Goodreads prior to today was brief — I actually stumbled on the little “g” logo while trying out the Amazon Kindle Paperwhite.

In short, Goodreads helps people find and share the books they love through book reviews by other users. Goodreads has a huge catalog of over 900 million books. It currently has 34 million book reviews, created by its 30 million users. With that many users, Goodreads’ most valuable asset is probably its large user-base of people who love reading. This, in my opinion, could have been what pushed Amazon to acquire the company for $150M earlier last year.

“Powerful” Book Search

Throughout the presentation, the group highlighted the fact that Goodreads’ powerful book search is one of the key features that makes it stand out from its competitors. I disagree. While their search is undoubtedly good, features such as auto-completion and searching by ISBN seem to be pretty standard in many other sites now, providing results that are just as accurate as Goodreads (at least in my own experience). In fact, I would actually expect to be able to search for books by Title, Author and ISBN at any decent book review site of today. What might be more unique about Goodreads is their book discovery feature. Drawing from their large database of books its users have read and liked, I believe they provide pretty good recommendations based on the books you like.

Cluttered User Interface

The group also made a point about the user interface of Goodreads being too cluttered. A user interface that is cluttered with too many things distracts users from the content they care about. As one who appreciates clean UI designs, I would really love to see Goodreads being redesigned to have a cleaner and more responsive UI.

During their presentation, the group also showed a screenshot and pointed out that there is no clear call to action on that page. They mentioned that the sidebar had too many sections with too many actions a user could possibly take. From the sidebar alone, users could:

  1. Input the books they are currently reading
  2. View personalized book recommendations
  3. Take part in a personal reading challenge
  4. View their bookshelves
  5. Take part in featured polls
  6. See the Quote of the Day

Although this content resides on the sidebar (where auxiliary and secondary information is displayed), it is still too much and may make a new user feel lost.

User Recognition & Gamification

The group also suggested implementing a point system to encourage more active contributions to the community. Since Goodreads’ content is primarily user-generated, this is pretty important. A good way to get more people to contribute book reviews would be adopting the user reputation system implemented by StackOverflow. I really love this idea and believe that a user-reputation system could greatly increase the quantity and quality of book reviews in Goodreads. After all, people who contribute good stuff want to feel recognized and important in their community.

Since I’m not an avid reader, I wouldn’t say I’m attracted to continue using Goodreads after this review. However, I feel that the site has a lot of promise for those who enjoy reading. While exploring Goodreads, I also tried out their mobile site (which happens to be an entirely different site optimised for mobile browsing). The UI was much cleaner with less clutter, although the look and feel of the page was quite different from the desktop version. I believe that Goodreads would certainly do well with a redesign, building a more consistent and familiar interface across devices.

To sum up, there were many learning points from the seminar. Not only did I learn about what to look out for when coming up with the UI for an app, I also learnt some interesting business models and strategies some companies use in order to monetize their business.

Square Register

For the second assignment, our team had to choose a Facebook or iPad application to study and present on. We initially had a list of more than 10 different apps, but slowly narrowed it down to a final three. Most of the apps were chosen because we felt that they had interesting points that we as app developers could learn from. Our team eventually chose to study and review Square Register.

Square

Square is not one of the typical apps that everyone with an iPad would download. Its purpose is to give small merchants the tools they need in order to scale and expand their business — tools that were once accessible only to larger and more established merchants.

As of now, Square only works in certain regions, and Singapore is unfortunately not one of them. However, I managed to get hold of a Square reader during a recent visit to Square’s headquarters in San Francisco last month. Although it is not supported in this region at the moment, the Square Register app is still fully functional, complete with sales analytics and email receipts. The only thing it cannot do is the actual processing of credit card payments.