24 January 2015

Is Android's BroadAnywhere really a threat that an antivirus can protect from? Do Android phones need antiviruses?


Firstly, BroadAnywhere is not a virus or malware. It's just an ordinary software bug in Android.

I became aware of this after I installed an antivirus on an Android phone and the antivirus said it detected the BroadAnywhere vulnerability and was now able to protect the phone from it. Made me curious, and I dug up the actual flaw and its solution:

BroadAnywhere is classified as Bug: 17356824 in Android's Operating System code and won't be found in any Android OS that's released after September 10 2014; and that would be Android version 5.0 onward.

The bug

mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0);

App's in Android communicate with each other using the Intent object. When your app gives a PendingIntent (a reference token) to another app, you're giving it the right to perform the operation you specify (the Intent), using the same identity and permissions as your app. If your app does not cancel the PendingIntent, the other app will be able to continue using it even if your app is closed/killed.

Bug 17356824 was a problem, because the Add Account Settings section in Android needed to identify the app that was invoking it and the PendingIntent it created for it, unwittingly allowed the invoker app to not only send it's identity information but also allowed it to launch activities, services or broadcasts. So anyone can create an app that misuses this PendingIntent, and either make your phone crash or wipe all data in your phone or send spam to your phone or send fake SMS'es.

The fix

private static final String SHOULD_NOT_RESOLVE = "SHOULDN'T RESOLVE!"; 
Intent identityIntent = new Intent();
identityIntent.setComponent(new ComponentName(SHOULD_NOT_RESOLVE, SHOULD_NOT_RESOLVE));
mPendingIntent = PendingIntent.getBroadcast(this, 0, identityIntent, 0);

Now the interesting part is that antiviruses for mobile phones claim to be able to protect us from this problem. I asked on StackExchange's Android forum, got an upvote, but no reply.


Windows users would be all-too-familiar with viruses and antiviruses that "catch" and "destroy" them.

Antiviruses use two techniques:
1. Virus signatures: These are just a sequence of bytes that the antivirus searches for, which will be unique for a certain virus. The same way you do a string search. Programmers started creating viruses that were capable of encrypting and decrypting themselves (and thus hiding their signature) and capable of creating variants of their signature each time they encrypted or decrypted themselves. Next came polymorphic viruses which changed the signature of the encryptor and decryptor itself, each time it replicated.
2. Heuristics: The file being scanned is allowed to run in a special virtual environment (something like a sandbox) and it searches for virus-like behaviour (replication, overwriting files or hiding suspicious files).

I've blogged about killing viruses... http://nrecursions.blogspot.in/2014/05/destroy-windows-viruses-with-linux.html

... and even after I killed a virus, antiviruses in Windows would identify the file as a virus. That's because of Virus Signatures.

So can an Android Antivirus protect you from BroadAnywhere?

The websites of these antiviruses claim to protect you, but haven't offered any explanation of how they do it. They definitely can't peep inside an app and check the lines of code to see what kind of an Intent is being sent, but if the antivirus company maintains a very-frequently updated list of malicious apps, it might be able to warn you that an app you're about to install is harmful.

Question is, do they really do it? It'd require a dedicated team who would actively search for malicious apps and test them. Would a company do so much for free? Or would they make their money by tracking your phone and the data in it (given the high level of permissions that antivirus app's request)? It's a matter of trust.

Do you need an Antivirus at all?

The answer is "no". The average Android user (99% users) does not need an antivirus.

Google's lead engineer for Android security himself speaks of why an antivirus is un-necessary and what the more pressing concerns are. Like in Linux, where your system can get infected only if you deliberately give root access to a malicious program, the one way your phone can be susceptible to viruses or malware is if you decide to give an app elevated permissions on your phone.

So to stay safe, only install apps from trusted sources like Google Play and be a bit suspicious and do a followup of apps that ask for permissions that seem un-necessary. If you're careful, you won't need an antivirus. It's not just about data and security. Many apps gather data about you and your location. Your privacy is also important.


Answer to a comment below: @Scott: I havent tried this yet, but from what I hear, even if your phone is rooted, an app can cause damage only if you give it permission to. So I would assume malware which exploits broadanywhere through another app would be able to do so only if you allow the app to execute those commands.
SuperSU available on Google Play is said to give you the ability to control which apps you want to run as root, which commands those apps run and even to be able to give you the ability to identify and stop malicious apps.
The Android forums can give you more info on this. Do post back on NRecursions if you have feedback to share! :-)

The best security you can have is in being aware of what you are installing and not connecting to unknown Wi-fi's. When in doubt, ask on the forums.

11 January 2015

Cascading Style Sheets and Cascading Craziness :-)

For an application developer who positions widgets and graphics on the screen using x, y positions, an introduction to HTML styling or CSS, drives them crazy!
There was a time when I found CSS to be very confusing.  But now....I'm so comfortable with it that I can create the HTML and CSS for a web-page using just a text editor.

I have a bit of an introduction that you can skip if you want to get to the meat directly. See the line below? Search for the next such line, and the 'meat' of this blog post will follow.


Why the confusion

Dear Application Developer, HTML is a markup language; not a programming language, and the whole reason we have such a complex, patched-up language is because when Tim Berners-Lee tried creating a software for CERN scientists to exchange information with, he had to make sure the software was compatible with different networks, disks, data and character encoding schemes. He was trying to bring order to chaos.

Every browser has had its own way of interpreting styling. Many times, buggy softwares are released into the market just so that businesses can beat the competition. Web developers are well aware of the way Internet Explorer has been poorly patched up over the years. Although thankfully, they've now come up with a new browser named "Spartan". Hopefully, browser implementations will be more agreeable with each other in future.

Referencing HTML & CSS

Like the man pages, the best sources to refer information on HTML, are the RFC's and the links they provide.
For CSS, RFC2318 led me to an excellent reference which even many tutorials couldn't help me with. Do have a look at the page on CSS Level 1.

Learning it

Think of how you'd send your application screen across a network. Send the code and allow the client to render it? Send a pixel stream and position information of the widgets? When you come to think of it, you'll realize that HTML and CSS aren't so bad after-all.

But to be able to use it, you have no other option other than to go through the nerve-wracking process of learning it (even if you use Dreamweaver, you'll have to know the concepts behind it).


First thing you need to know, is how CSS helps format HTML elements using margin, padding, border, width and height.
If you're packaging a fragile glass in a box, you'd stuff a lot of paper or foam between the glass and the box so that the glass wouldn't shake within the box and break. That internal protective layer is called padding. Same with CSS.

Now if that box is to be kept in a larger box full of similar such boxes, you'd want to prevent all these little boxes from colliding with each other, so you'd want to place them away from each other by a small distance, and you'd wrap these boxes with some thermocol or foam. This is called the margin.

Every one of those little boxes has their own thickness, which is the border.

The actual width of your content is just the width of the fragile glass.
But the width of the CSS box is = width of content + padding + border + margin

The problem: When you want a div in your code to have a 500px width, you'd suddenly find that the div appears to occupy more space than 500px, when it is given a border, margin and/or padding.

The solution: Specify your CSS as such:

  width: 500px;
  margin: 0px 15px 0px 15px;
  padding: 15px 20px 15px 20px;
  border-width: 10px;
  -webkit-box-sizing: border-box; /*for Safari browser*/
     -moz-box-sizing: border-box; /*for Firefox browser*/
          box-sizing: border-box; /*for other browsers*/

So instead of the div's width becoming 500+(20+20)+(10+10)+(15+15), the width of the total box will be 500px, but of course, your content will be shrunk automatically.
To apply this property on all elements, you can also use:
  -webkit-box-sizing: border-box;
     -moz-box-sizing: border-box;
          box-sizing: border-box;

Noticed the dot in ".someCSSname"? The dot means it's a class selection. If it was an id selection, it'd be "#someCSSname".

Margin and padding short forms

While it's perfectly ok to specify CSS margins as:
margin-top: 1px; and so on, I prefer to write it the short way:

margin: 1px 2px 3px 4px;

Imagine it clockwise. 1px is a one pixel margin space at the top, 2px is a two pixel margin space on the right side, 3px for the bottom and 4px for the left.

Same pattern for specifying padding:

padding: 1px 2px 3px 4px;

As a beginner to CSS, you'll very likely forget to write "px". Careful of that. They syntax just won't work without px.

Selections in CSS

Elements of HTML can be given id's which have to be unique across the document or class names which can be repeated multiple times for any element.
So you basically use id's to apply specific properties to an element and classes to apply common properties.
For id selections, you use # and for class selections you use a dot. See this:

.bkg { background: rgb(2,2,2); }
#lightGrey { color: #777; }
#red { color: red; }

<p id="lightGrey" class="bkg">
Once upon a time there were a King and a Queen who had a Prince and a Princess and they lived happily ever after.
<p id="red" class="bkg">There were no villains in the story.</p>


See how the background colour got applied to both paragraphs using class. Also, see the different ways in which you can specify colours. The #777 is the same as #777777 which is the hexadecimal colour for light grey.

Static, absolute, relative, fixed

The other thing about CSS that drives people crazy is the positioning which has names that are absolutely un-intutive.


If you don't specify position for an element, the default position assumed for it is static. In fact, the element is said to not be positioned at all.


Paste this code in an html file and open it in a browser:

  -webkit-box-sizing: border-box;
     -moz-box-sizing: border-box;
          box-sizing: border-box;
  background: #777;
  width: 300;
  height: 200; 

  position: relative;
  margin: 0px 0px 0px 0px;
  background: red;
  width: 200;
  height: 100;
  position: relative;
  top: 0px;
  right: 10px;
  bottom: 5px;
  left: 0px;

<div class="lightGrey sameBoxSize">
Once upon a time there were a King and a Queen who had a Prince and a Princess and they lived happily ever after.
<div class="red">There were no villains in the story.</div>
Hey, then what's the point of the story?


This is the output you'll see:

Now if you change top: 0px; to top: -30px;, you'll notice that the red div moves up thirty pixels, but the text "Hey, then what's the point of the story" stays in position. This is because, the browser keeps in memory the actual position that the red div is supposed to occupy, and does not allow any other element to take up that space. The red div is just rendered 30 pixels up.

Noticed something else? I've used class = "lightGrey sameBoxSize". CSS allows you to use multiple classes on any element in this manner.


This interesting positioning syntax positions elements according to the browser's edges. For the same code as above, remove the lines containing top and left, and just see the difference when we use fixed instead of relative.

The red class would look like this now:

  background: red;
  width: 200;
  height: 100;
  position: fixed;
  right: 10px;
  bottom: 5px;


On using fixed, the bottom: 5px; and right: 10px; code caused the red div to get positioned according to the browser's edges. On using absolute instead of fixed, the same thing will happen, except that this time, the positioning will be as per the parent element's edges (imagine the grey div to be the browser).

This basic knowledge is all you might need to get started off with CSS. The rest you'll be able to figure out with your excellent programming skills. Hope this blog post will save you hours of frustration.

One excellent quick reference for CSS is the Learn CSS Layout website. Do go through it. That's where I learnt some important lessons.

Oh one more thing: When using CSS in websites, keep the CSS in a separate CSS file and have multiple CSS files. One file for specifying the layout of your website. One file for the colour themes of the website, one for the fonts and so on. It'll save you a lot of headache in rework, extensibility and maintenance of the website.

All the best!!! :-)

04 January 2015


Continued from the previous LOL page

Footwear life
Share with this link

Many times, cheaper footwear also feel better than the expensive ones

Cycles in traffic
Share with this link

In today's times, cycles really are the better means of transport in cities

Share with this link

There are more reasons too...from people who have actually understood religion and the good it brings to the world.

Share with this link

Continued in the next LOL page

Conference: Effectual marketing for startups

Held on 3rd Jan 2015 at IIM-B, the conference on Effectual Marketing was what I thought would be about "marketing effectively", but it turned out to be something totally different. Read on...

The panel:
  • Prof. Saras D. Sarasvathy (A leading scholar on the cognitive basis for high-performance entrepreneurship)
  • Achitra Borgohain (founder of BinBag)
  • Yukti Yatish (founder of Scribie)
  • Siva Devireddy (founder of GoCoop)
  • Aditya Pisupati (founder of Artflute)

Causal vs Effectual Marketing

Causal marketing, or the usual way marketing is done is to:
  • Define your target market
  • Research on how to reach your target market
  • Identify the type of customers
  • Tailor your marketing to your customers
  • Market and sell

The effectual marketing pyramid, is the exact opposite of the causation model.

(click on the image to see it larger)

Effectual marketing starts with the causes and ends up wit an effect and a market that maybe did not even exist.

  • Bird in hand: You start with who you are, what you know and whom you know.
  • Affordable loss: Decide what you're able and willing to lose
  • Lemonade: Put surprises to work for you. Both the good and bad (when life throws lemons at you, make lemonade)
  • Pilot in the plane: Co-create the future without having to predict it.
  • Crazy quilt: Co-operate with parties you can trust. It also limits your affordable loss.

An example
If you refer a recipe for cooking, buy the ingredients and make a dish, it's like the causal marketing model.
But if you open your fridge, see what you have and use all of that to make something, you'd end up making something that you hadn't even expected. A totally new recipe which might taste excellent or awful. But you basically haven't lost much by trying it, because you didn't waste time, money or resources by going out to buy something and you got a chance to try something new instead of sticking to some old recipe. This is how effectual marketing works. If it flops, you haven't lost much.

Prof.Saras was conducting a very interesting session, where she was constantly interacting with the audience and asking them to put their "skin in the game". If they came up with suggestions, they were also asked what they could do to make those suggestions a reality. If they couldn't, they were asked if they could put the professor or the panel in touch with someone who could. If they couldn't, then they were asked if they could bring in at least ten people who could be potential customers for the panel. If you missed Prof. Saras' session, you missed a lot!

Of course, this much interaction also takes up time, which brought down the content disbursement of the session down. So we were given just a few examples of effectual marketing:

1. A carpenter in Karnataka: There are many carpenters who make furniture the customer asks for or is popular. There was also another carpenter who made furniture according to his own imagination and he paid tractor owners to transport his furniture to customers. The genius of his plan was, that he chose tractors which took a round-about route to reach the customers, instead of the usual shortest route. 
In the process, many potential customers along the route would see the furniture on the tractor, and were allowed to ask the driver for details and they'd order it. 
The carpenter says he got an average of four new orders for each piece of furniture he sent in this manner. 

This is marketing and sales combined. You don't make a cheaper product for the customer. You make what you want and say "this is what I have. Are you willing to buy". This way, you get real buyers.

The effectual entrepreneur is also encouraged to make the customer a co-creator by asking "I'm building a produce. What will it take for you to buy it?".

2. Affordable loss: Ask for forgiveness; not permission.

Prof.Saras gave use the example of a certain ski manufacturing company which when just a startup, distributed rubber balloons in a movie theater, where the balloons had their brand logo imprinted on it. People were encouraged to fill up the balloons with air and release them in the theatre itself, which they did. The theater owners were obviously upset, and the matter went to the press, which gave the ski company a good amount of publicity. It is said that even today, this is discussed as an un-conventional example of effectual marketing. 

There's also Jill who created Nerf (because children were hurting themselves with real toys, so she created toys out of foam) and distributed it to the fans of TV anchors who were waiting outside a production studio to see their favourite anchors. Normally, the TV anchors walk out and shake hands with fans. This time, the fans were so busy playing with Nerf balls, that they almost completely ignored the celebrities. The anchors soon identified who did this, and Jill was invited on a talk show where she got a good amount of publicity.


What do you think the video is about?
Luxury travel? Innovation in helicopters? Vacation?

Since the video revealed nothing, people would follow the link and go to hotelicopter's website. They received millions of visitors who'd reach the website and see a text that says that Hotelicopter is an April fools' joke. Their real intent was to make a search engine that gave results on various hotels, and the hotelicopter video was their marketing stunt to get people's attention.

Amazon using lawsuits as marketing
Amazon announced long back, that it was the world's largest retailer of books. They got sued promptly by another company that was actually the largest retailer, who said that Amazon didn't have a single book in their shops and couldn't claim that they were the largest.
The lawsuit went on for years, and Amazon made sure some news about the lawsuit appeared in prominent journals every one or two weeks, giving them a good amount of publicity.

Lijjat papad

The enterprising women in India who made papads on their terrace, had a plan of expanding their enterprise by making cheaper papads for the poor and costly papads for the rich (somewhat like RubyCup's plan). An experienced entrepreneur though, advised them not to do so, and to make Lijjat papad resonate with quality. They were advised to sell not just the papads but also their story. And this served as a very effective marketing tool, as more people joined in and Lijjat papad became known across the country.

Panel introduction

What followed were a series of discussions where the panel members introduced to us their startups and prof.Saras was asking the audience to come up with suggestions. 

Ideas came up for BinBag, and the professor asked Achitra what he'd give the ideator in return. Achitra said he'd give them some green points, to which the professor said that wasn't enough. To be effectual he ahd to engage the customer. Ask them their name, how they came up with the idea (maybe they are into the same field) and if they would actually help BinBag in doing what was suggested.

The stakeholder helps you put the stake down. Push them to engage and ask how they would do it How do you bring them to co-create and bring them in . How to make them bring more people in.

The founder of Scribie mentioned how they use content marketing by asking people to write blogs about them.

Artflute uses a special business card with a rectangular hole in the middle. People always remember them for it. The noticed that at the 1 MG Road mall in Bangalore, the architecture was such that there were no escalators to the first floor, and retailers were unhappy that customers didn't venture up. So Artflute setup a painting activity on the first floor (they got the space for free, because they were helping retailers get more customers on the first floor), which pulled people up, and in turn, the participants of the painting activity gave Artflute some valuable feedback they wanted to collect, about art. Artflute basically encourages you to buy more art from contemporary artists and to keep your walls more up-to-date with art.

This concluded the first part of the session, and I didn't attend the question-answer session which was after lunch, but this was one of the most interesting sessions I've attended at IIM-B, because there were real-world examples and audience interactions which also formed immediate business contacts. Professor Saras handled the audience and the session with elan!

More on NRecursions

Conference: Investor Relations & ESOPs For Startups
Conference: Funding for Startups
Conference: Analytics for startups