Fabrizio Giordano

An Update on Encrypted UIDs

by Fabrizio Giordano - Published: November 24th, 2010 -

Last month, we outlined an initial proposal to address the inadvertent sharing of User IDs (UIDs) via the HTTP Referral header. Further, we announced our intention to provide a unique, but anonymous mechanism that developers can use with third-party service providers. Over the past few weeks, we have received feedback from the developer community, which we have used to refine our proposals. Today, we are providing an updated proposal for handling inadvertent UID sharing and releasing a new mechanism for legitimate and anonymous sharing with third-parties.

Iframe POST Proposal
Currently, we pass iframe applications the ‘fb_sig_user’ query string parameter in the URL. This allows the application to identify the user and create customized, social experience. Due to the way browsers work, this information in the URL can be inadvertently passed in the HTTP Referrer header when someone clicks a link within the iframe.

Our initial proposal to address this issue used encryption as a means to protect against this inadvertent sharing, but still passed this encrypted UID in the URL. After talking with the community, we have updated our proposed solution to use a different mechanism that provides better protection for users while minimizing the impact on existing applications and eliminates the need to use encryption libraries.

In short, this new proposal embeds the UID in a HTTP POST body ensuring that it will not be exposed in any HTTP Referrer header whatsoever (encrypted or otherwise). We do this by creating a <form/> element targeted at the application Canvas URL:

<form target="canvas_iframe" action="http://example.com/" id="canvas_form">
<input name="fb_sig_user" value="1234" type="hidden" />
</form>
<iframe name="canvas_iframe"></iframe>
<script>
document.getElementById("canvas_form").submit()
</script>

This change will require minimal effort for developers and addresses the feedback that we have received to date. You can learn more about this change on the POST for Canvas page.

This is still a proposal from us and we welcome feedback on the approach. We have, however, implemented this change, so developers can understand how this proposal will impact their applications. You can test this change by turning on the “POST for Canvas (Beta)” migration on the Advanced tab of the Developer Application. We plan on gathering feedback over the next two weeks and then determine if/when to require this mechanism for all applications.

Third-Party IDs
Facebook has never and will never sell user information, and we expressly prohibit Platform developers from passing any data from Facebook to data brokers. There are, however, practical reasons that developers will need to share information with a legitimate third party. For example, a game developer might need a way to identify that a user has taken an action on a partner website (e.g., completed an offer) so that the person can receive virtual goods. For this reason, we have developed a mechanism for developers to obtain an anonymous but unique identifier for their users, which we call a third-party identifier.

Developers can obtain a third-party identifier through either the Graph API or FQL:

Graph API

Get the third-party identifier from my User object:

http://graph.facebook.com/dmp?fields=third_party_id&access_token=[access_token]

Get the third-party identifier for two users:

http://graph.facebook.com/?ids=dmp,vernal&fields=third_party_id&access_token=[access_token]

FQL

Get the third-party identifier from the user table:

https://api.facebook.com/method/fql.query?query=select third_party_id from user where username ="dmp"&access_token=[access_token]

Get the third-party identifier for two users:

https://api.facebook.com/method/fql.query?query=select third_party_id from user where (username ="dmp" or username="vernal")&access_token=[access_token]

These identifiers may be shared with permitted third parties, but like all data from Facebook, they are also prohibited from sharing with data brokers. We encourage developers to move to this mechanism quickly, and we will require it as of January 1, 2011.

If you have comments or questions about either the iframe POST proposal or our third-party identifier feature, please use the comments found below.

Mike Vernal is Director of Engineering for Facebook Platform.

Comments: No Comment - Category: Shared

Push Notifications Startup Raises Another $5.4 Million

by Fabrizio Giordano - Published: November 5th, 2010 -

Urban Airship, a company that provides push messaging and in-app purchase content and notifications for thousands of mobile apps, just announced that it has closed its Series B funding round for the amount of $5.4 million.

This brings Urban Airship’s total venture capital investment to $6.5 million. The round was led by Boulder’s Foundry Group. True Ventures and the Founders Co-op — both of whom participated in Urban Airship’s Series A in February — also joined the Series B.

You might not be familiar with Urban Airship by name, but if you have ever used an iPhone, BlackBerry or Android app that offers push notifications or in-app purchase options and notifications, you’re familiar with what Urban Airship does.

Push notifications are a pretty common part of modern mobile applications. It’s a great way for an app to communicate with the user without necessarily running in the background, it can be used in lieu of SMS messaging to deliver news and content, and it can also alert users of newly posted content, new deals and promotions — even geographically relevant information.

Urban Airship created a platform with a goal to make adding push notifications to BlackBerry, iPhone and Android apps easy and seamless. Its AirMail Push product is already in use by apps like Dictionary.com for iPhone [iTunes link], Gowalla and even Mashable’s iOS apps [iTunes link].

Urban Airship also offers an AirMail Inbox service that can stand in for MMS or standard e-mail blasts. It’s a way to transform push notifications from opening an app to instead opening a message that looks more like an e-mail or graphic rich page.

Urban Airship also offers tools for in-app purchases, making it easy for users to be notified of their in-app options and confirm their purchases. For content publishers that offer subscription content — think magazines and newspapers — these notifications can also be utilized to let users know when an issue is available for download or when another component of their subscription is ready.

Newsweek recently started using the In-App Purchase subscription module in its iPad app.

Being Platform Agnostic and Offering Developers Options

The big advantage of using something like Urban Airship, rather than implementing your own push notification services, is time. Apple, as an example, has very specific rules about how push notifications can be used. Additionally, maintaining your own server that can deliver persistent, real-time messages and scale based on traffic and usage can be costly and time consuming.

Because Urban Airship already has the backend in place for the three biggest smartphone platforms — in terms of app usage — it’s a compelling option for developers. Additionally, the first 1 million push messages sent each month are free.

The platform agnostic nature — at least from a developer standpoint — means you can use one service to power and manage your push notifications, rather than having to maintain separate servers or services for each device type.

The Future of Push: Location

The real potential for push notifications, we think, goes beyond letting users know what’s new in an app or even if something is available for purchase — it’s all about location.

As we’ve noted with apps like Foursquare, Loopt and SCVNGR, location-aware apps have real potential. Location allows content publishers to give context to their messages. For instance, if I’m downtown and I get an alert that X store is having a sale, and that message is delivered based on my location — that message has more meaning and is more useful.

That’s one reason that Living Social is using Urban Airship to deliver its deals data.

Having a server-side platform that can deliver customized messaging and offer in-app purchasing options is a valuable service. By positioning itself as something that can be used on multiple platforms and offering affordable platform tiers, we expect Urban Airship to continue to succeed.

Reviews: Android, BlackBerry Rocks!, Foursquare, Gowalla, iPhone

More About: android, blackberry, in-app purchases, iOS, push notificaitons, urban airship

For more Mobile coverage: