WordPress Mobile Plugin by Andy Moore does dirty things

Last week I wanted to take a look at the recently released WordPress 2.7 and of course wanted to give it a go on a mobile. As you might have noticed I’m on Google’s blogger and there is, unfortunately, no mobile version, so a proper mobile plugin would be a big plus for me and a good reason to move away.

I download the tiny zip from the official site, opened the readme.txt file. The file itself did not tell much if not that it would make my blog mobile. Fair enough, I took the php file and copied it in wp-content/plugins. That is all that was apparently required to install and in fact in the admin interface I had a new plugin available, I selected it and enabled on my Mac. The site URL was a local one, of course, wordpress.local (and added to my hosts file to access it).

Looking for some further information I went back to the official site (that I won’t link) and notice that in homepage there’s a nice link mentioning that my wordpress.local is the latest site which installed the plugin! A bit surprised I opened the small PHP file and noticed that there are two calls, one on plugin activation and one on deactivation. Being PHP it was not so hard to find what it does and I was very disappointed with the discovery. On both events the plugin calls a remote API AND send an e-mail to Andy Moore mentioning the site name, URL, and the admin’t email, YES, YOUR E-MAIL address.
In my case, the SMTP server was down, so the e-mail did not get delivered, but to my great disappointment the API was reached and that is why my local install was mentioned on the website.

Nothing wrong has happened, in fact I’m pretty sure if Andy wanted to contact me he would definitely find a way, but it was very disturbing to discover that this happens without letting the user know. If I had been a bit smarter I would have looked at the code and I would have discovered it, the problem is that the average wordpress user will not bother to look at the code and will probably not even be capable of understanding what’s going on. We are not all developers and my impression is that Andy is relying exactly on the inability of his users to disable the feature. The software is GPL and everyone is welcome to look at and change it and that is exactly why I did not even bother to look at it, I took it granted that nothing bad would happen.

In case you wanted to disable this functionality (but it’s probably too late now, I admit), what you should do is open wordpress-mobile.php, find the function wordpress_mobile_plugin_activate (it’s at line 1664 in version 1.3), go to the first line of the function and just add the following line:
return true;

Do the same for the function wordpress_mobile_plugin_deactivate (line 1673 in version 1.3).

Andy has definitely spent time to get this plugin working and maintaing it and I think it’s perfectly fair for him to ask for money and ask his users to provide usage details, but asking and taking are different operations, I my opinion.

SecurityFocus on mobile devices for the first time?

SecurityFocus Newsletter #485 is I think the first issue of the newsletter where mobile devices are listed. 2 issues have been reported one about the iPod Touch and iPhone and the other about the Nokia 6131, both are vulnerable to remote attacks on the browser.

The interest for security on mobile browsers is yet another proof that mobile is about to take over the rest of connected-electronics.

4. Nokia 6131 Multiple Vulnerabilities
BugTraq ID: 30716
Remote: Yes
Last Updated: 2009-01-05
Relevant URL: http://www.securityfocus.com/bid/30716
Nokia 6131 is prone to multiple vulnerabilities.

The device is affected by URI-spoofing and denial-of-service issues.

Remote attackers may spoof the source URI of a site to direct users to a malicious location and trigger crashes in an affected device.

23. Apple iPhone and iPod Touch Prior to Version 2.0 Multiple Remote Vulnerabilities
BugTraq ID: 30186
Remote: Yes
Last Updated: 2009-01-05
Relevant URL: http://www.securityfocus.com/bid/30186
Apple iPhone and iPod touch are prone to multiple remote vulnerabilities:

1. A vulnerability that may allow users to spoof websites.
2. An information-disclosure vulnerability.
3. A buffer-overflow vulnerability.
4. Two memory-corruption vulnerabilities.

Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible.

These issues affect iPhone 1.0 through 1.1.4 and iPod touch 1.1 through 1.1.4.

Apple Safari to support WML?

I was checking the latest changes of the webKit nightly to see if it’s worth updating my current nightly (about 1 month old) to something fresher. While looking at the timeline I noticed how a few commits have been made in the last few days to implement WML card, timer and do tags, some WMLScript and so on. BIG SURPRISE!

You can see for example a few changesets such as [38816], [38833], [38838] and a couple of bugs, #22522 and #22550.

I am definitely among those that think that WML is dead and that everything should be in XHTML by now and surely Apple as a company has been promoting the iPhone and the iPod touch as “full web” devices and in fact Safari Mobile does not even support HTML-MP. The addition of WML seems very strange to me.

OK, the main committer is not an Apple employee, but rather a KDE developer (Nikolas Zimmermann), but we all know that webKit is mostly controlled by Apple and if they are working on WML it means there is some interest. If they are working on WML, why not XHTML-MP?

We’ll see. I’ll keep an eye on this and definitely test a recent nightly!

Everyone wants an App Store these days

Apple has changed the world with the iPhone. Developers (and users sometimes) complained there were no open APIs to build native applications. Apple noted the request and changed the world again with the App Store.

Everyone in the mobile space seems to be running now to create his own store. Google has launched its store called Market (also see a short review with some nice screenshots) and while at this time it’s all free, it is going commercial next year.

RIM has its own BlackBerry Application StoreFront.

T-Mobile, who is already benefiting from Google’s Market, is going to create its own based on Apple’s experience.

Now Orange comes with Orange Downloads.

There are probably more that haven’t announced it, or simply I haven’t heard of.

BUT, did any of these guys ever think that the great thing about Apple’s App Store is that it is one place and there’s no fragmentation? How are these guys going to cope with this? Replicating and renaming won’t solve those issues. They will all be just like the existing “Decks” or portals, simply on a pre-installed application. That will not make them win.

High Efficiency

I always run Rescuetime in the background, even though I have to admit I don’t check it so often (anymore).
It was interesting to see that the week before the DeviceAtlas 2.0 release my efficiency was very high. See here:

It should be noted that normally during the day I spend some time developing and some time writing specs, talking to colleagues, on the phone and so on, but of course, just before the release it was all about development. 🙂

Within the DeviceAtlas team, on Monday 29th September, we worked an average of 11 hours and 30 minutes, plus the what the designers worked, that is probably about the same. What a team!!

Volantis Mobility Server 5.1

I’m pleased to see that Volantis Announces Mobility Server 5.1. According to the PR version 5.1 is focused around adding connectors for web 2.0 applications such as Picasa and Flickr. Also, the device database has been updated and they now claim more tha 5600 devices! I see that the open-source version of the server is still at 5.0, but I know they are really committed to open-source, so I’m sure they will follow up quickly. These days I’d be especially curious to see the Media Access Proxy in action, if done right it’s still one of the most important things in mobile (get the images right!).

They also announced an update to BuzzCast last week, hopefully my operator will buy it so that I can test it. 🙂 I’m a NetNewsWire addict, so BuzzCast seems quite interesting to me.

webKit the official mobile browser?

Initially Nokia announced the decision of using the webKit browser in their mobile devices in the S60 series and they called it S60 Browser (running on the S60WebKit). That was already a landmark, I think.

Apple of course boosted the users of webKit and Safari releasing the windows version of Safari and then Safari in the iPhone.

Google followed announcing webKit in Android and now with Chrome.

MOTOMAGX is a linux platform by Motorola. They use it for some of their PDA’s. The other day I received their newsletter that among the other things mentioned widgets for MOTOMAGX and guess what? The official browser is the webkit.

A lot of big companies are jumping on the webKit band-wagon, but I think my original question still stands, Will Apple share ownership of the webKit? It’ll be especially interesting to see how Google will contribute and try to take control of the platform as now they have a lot of interest in making sure it goes in the right direction. So far it looks like Nokia did not have much voice in the project, at least from what I see.

More open questions:

  • Where does this leave Opera (Mini)? Will there still be space for them?
  • What about the Mozilla’s Fennec mobile browser? If you want to know my opinion, they might be late to the party.
  • What about other browsers like Skyfire and Teashark?