
Facebook Messenger: All your numbers are belong to us

Facebook started 2016 with the bold claim that it intends to eradicate phone numbers and replace web browsing, but the Social Network has a mountain to climb before Facebook Messenger becomes the centre of our online world.


That’s the stated intention of the Zuckerberg empire – to replace all our myriad internet communication systems with one interface.

Facebook claims that its Messenger app has been installed 800 million times, but at VisionMobile our latest research shows that those installations are very much concentrated into the lower end of the market.

If Facebook is going to recruit the shops, taxi companies and airlines it needs to make Messenger a one-stop internet shop, it will need to get the app installed across the demographics before Microsoft (with Skype) steps in to take the cream.

[tweetable]Facebook has long known that the days of pokes and personal walls are fast disappearing[/tweetable], and has quite a history in struggling to adapt to whatever the future might bring. Facebook Gifts/Credits/Deals/Questions/Beacon haven’t lit up the future, so now the company is betting on messaging, and value-added messaging platforms.

Such platforms are proliferating in business. The bots that proliferate across Slack and Yahoo Messenger have turned those platforms into much more than messaging, but taking that functionality into the consumer sphere is much harder.

The medium is the Messenger

With that in mind, Facebook Messenger was forked from the main Facebook mobile app back in 2011, but messaging remained possible in the main app until 2014. These days, the Facebook app will notify you that a message has been received, but if you want to read that message then you’ll have to download and install Facebook’s new Trojan Horse.

That analogy isn’t perfect: the horse of Troy was disguised while Facebook has made no secret of its plan to migrate key internet functionality into the Messaging client. If Facebook can’t own the interface to your phone (it tried that), then it will own the interface to the internet, which the company believes will be Facebook Messenger.

The inspiration behind this idea isn’t hard to see. In China, where Facebook, Google and Twitter fear to tread, the competitive market created in their absence has driven huge innovation as companies strive to differentiate themselves with new features and functionality. Every month, 600 million Chinese are using Weixin, Tencent’s WeChat client, to book taxis, check into flights, play games, buy cinema tickets, make doctors’ appointments, and even manage bank accounts, all without touching the web browser.

[tweetable]In China, messaging has become the platform of choice for accessing a wide variety of services[/tweetable], and Facebook plans to replicate that model in the rest of the world – with it owning the messaging platform, obviously.

This process has already started with Facebook integrating Uber into its messaging platform. It’s worth noting that Uber isn’t integrated into the Facebook website, or the mobile client, but into the Facebook Messenger app.


And Uber is just the beginning. As David Marcus, Facebook’s vice president of messaging products, makes abundantly clear: “We can help you interact with businesses or services to buy items (and then buy more again), order rides, purchase airline tickets, and talk to customer service in truly frictionless and delightful ways” – and that’s before Facebook becomes your personal assistant, Facebook M.

“Facebook M” starts listening in to all your conversations to suggest ways it can make your life more, as they say in such circles, “delightful.”

The Facebook wall will be supplanted by the Custom Conversation, providing a personalised interface (colour, style, emojis) for every chat thread. The visual equivalent of a ring-back tone, customised for every caller, will enable you to decide how both sides of the conversation see their interface, unless the other side has other ideas.

Walled garden of Zuck

In Facebook’s brave new world, everything is done through Facebook Messenger, and Facebook takes control of the delivery channel, removing that irritating “Open in Web Browser” which takes so much control away from the Social Network.

But that brave new world is predicated on the idea that people will install Facebook Messenger, rather than relying on the website, and email notifications, to stay in touch. Our research, in partnership with Celltick, looked at the top 10 applications installed on different handsets, and shows that while many low-end handsets do have Facebook Messenger installed, the application is almost invisible in handsets costing more than $200.

In high-end phones, Skype consistently rates top – well above the main Facebook application – and Facebook Messenger isn’t even in the top 10. In handsets costing less than $200, Facebook Messenger rates around four or five – a couple of positions below the main Facebook application, and very close to Skype.

What this means is that those who can’t, or won’t, invest more than $200 in a handset are happily installing Facebook Messenger, while those with a bit more disposable income are refusing to commit.

What it makes abundantly clear is the opportunity this presents to Microsoft. If messaging really is the future of mobile interaction, as Facebook seems to think, then Skype is perfectly positioned to grab the most important demographic.

If Microsoft were half as willing as Facebook to launch into value-added messaging, then it could make Skype into the messaging platform of the future, if indeed users really want such a platform at all.

You can read more in our free report, here (email address required). ®

Article first published on the Register


Android cryptography tools for beginners

Mobile applications draw the attention of hackers more and more each day because they have something that the attackers want: user data. Hard-coded secret keys, personal information stored in plain text on SD cards, usernames and passwords found unencrypted in databases, and analytics collected and sent in the clear to remote servers are just a few of the cases that make the life of an attacker easier. This post focuses on Android cryptography tools for beginners.


How do you go about protecting your users’ data? Take the Developer Economics Survey and let us know. You might win amazing prizes and new gear.

Cryptography is the right tool to use in order to protect sensitive data and ensure confidentiality and/or integrity. On the other hand, [tweetable]cryptography is hard to use and easy to misuse[/tweetable]. Note that broken cryptography (e.g. using insecure algorithms or hard-coding keys into binaries) is listed in the top 10 mobile risks for 2014. So what’s the lesson to be learned? Well, whereas not using cryptography can be bad, not using cryptography in the right way is just as bad (not to mention time-consuming).

Let’s see then how cryptography can be used in a way that’s both easy and appropriate, in order to develop secure applications for the Android platform.

First, an overview of some popular cryptographic libraries that can be integrated into Android applications. Cryptographic libraries can be seen as cryptographic toolsets that contain tools, such as encryption algorithms, padding schemes, and hash functions.

Bouncy Castle

The Legion of the Bouncy Castle is a charity from Australia that has written Bouncy Castle, a widely used library that provides both a light-weight cryptography API and a Java Cryptography Extension (JCE) provider. The Android platform already ships with a cut-down and outdated version of Bouncy Castle (with small changes in order to make it work on Android). Consequently, any attempt to build and use the latest full version of the library in your application results in classloader conflicts.

Spongy Castle

The motivation behind Spongy Castle is to allow Android developers to bundle any version of the Bouncy Castle library they want with their applications. Spongy Castle is basically a repackage of the latest version of the Bouncy Castle library; all org.bouncycastle.* packages have been renamed to org.spongycastle.*, and the Java Security API provider’s name has been changed from BC to SC.

OpenSSL

OpenSSL is an open-source toolkit that provides implementations of the SSL and TLS protocols, as well as a general-purpose cryptography library. OpenSSL has been ported to many platforms, including Android. As an alternative, you can also build it from source (using the Android NDK) and bundle it with your application.

Let’s assume now, that for application purposes, you want to encrypt some data. What encryption algorithm should you use, AES or DES? How long should your key be, 128 or 256 bits? Which encryption mode should you use, ECB or CBC? If you do not have an answer to all these questions, along with a good reason for each answer, then it seems that you have found yourself in a position where, although you probably have all the tools you need, you are not absolutely sure which ones to use and how.

This is exactly the point where cryptographic toolkits for dummies come into play. These toolkits do not implement any exotic cryptographic functionality, nor do they intend to replace the cryptographic libraries presented above; rather, they are built on some of them with the sole purpose of making cryptography easier and safer to use.

Unlike a general-purpose cryptographic library, such a toolkit normally supports only a subset of the algorithms, modes, schemes, parameters, and other cryptographic tools that are out there. Instead, it provides you with sensible defaults in case you (a) know what you want to do but don’t know how to do it, or (b) don’t really care as long as you end up with a safe solution. Let’s examine some of these toolkits to better understand their role.
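To make the questions above (AES or DES, 128 or 256 bits, ECB or CBC) concrete, here is an added example, written for this article rather than taken from it or from any of the toolkits it describes, that shows what "sensible defaults" look like when spelled out with the standard JCE API alone: a key derived from a password with PBKDF2 and a random salt, AES in GCM mode with a fresh random nonce so that tampering is detected, and, for contrast, a check that ECB mode encrypts two identical plaintext blocks to two identical ciphertext blocks. The password, message and 100,000-iteration count are constructed sample values; the code assumes a provider that offers PBKDF2WithHmacSHA256 and AES/GCM (a Java 8+ JDK, or Android API 26 and later).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class AesDefaultsDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag
    private static final int PBKDF2_ITERATIONS = 100_000; // constructed sample value

    // Default answer to "how long should the key be?": 256-bit AES key derived
    // from a password with PBKDF2-HMAC-SHA256 and a caller-supplied random salt.
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Default answer to "which mode?": AES-GCM, which authenticates as well as
    // encrypts. A fresh random nonce is generated per message and prefixed to
    // the ciphertext so the receiver does not need to be told it separately.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return out;
    }

    // Splits off the nonce and decrypts; GCM throws AEADBadTagException if any
    // bit of the nonce, ciphertext or tag has been altered.
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(ciphertext);
    }

    // The ECB pitfall the article warns about: with no IV and no chaining, equal
    // plaintext blocks give equal ciphertext blocks, so structure leaks through.
    static boolean ecbRepeatsIdenticalBlocks(SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] twoIdenticalBlocks = new byte[32]; // two 16-byte blocks of zeros
        byte[] ciphertext = cipher.doFinal(twoIdenticalBlocks);
        return Arrays.equals(Arrays.copyOfRange(ciphertext, 0, 16),
                             Arrays.copyOfRange(ciphertext, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // store the salt alongside the ciphertext, it is not secret
        SecretKey key = deriveKey("correct horse battery staple".toCharArray(), salt);

        byte[] message = "session-token=constructed-sample".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(key, message);
        System.out.println("round trip ok: " + Arrays.equals(message, decrypt(key, blob)));

        blob[blob.length - 1] ^= 0x01; // flip one bit of the authentication tag
        try {
            decrypt(key, blob);
            System.out.println("tampering went undetected (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }

        System.out.println("ECB repeats identical blocks: " + ecbRepeatsIdenticalBlocks(key));
    }
}
```

The point of the last check is the "good reason for each answer" the article asks for: a GCM ciphertext of the same two blocks would differ on every run because of the random nonce, while the ECB output repeats, which is exactly the property a toolkit with sensible defaults prevents you from choosing by accident.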

Keyczar

Keyczar is an open-source toolkit originally developed by two members of the Google Security Team. It has implementations in Java, Python and C++. It supports authentication as well as both symmetric and asymmetric encryption. Keyczar provides safe defaults for algorithms, key lengths and modes, key rotation and versioning, automated generation of initialisation vectors and authentication codes, and internationalisation. This specific toolkit is based on JCE, and its demo for Android (available here), uses Spongy Castle’s security provider.

AeroGear Crypto

AeroGear Crypto is a small Java library provided by AeroGear. It supports authenticated symmetric encryption, elliptic curve cryptography, and password-based key derivation. It also provides sensible defaults for algorithms. AeroGear Crypto depends on Spongy Castle for Android and Bouncy Castle for other platforms. The library is also available for iOS, Windows Phone and Cordova.

Conceal

In an attempt to find a fast and memory-efficient way to encrypt and authenticate large files on SD cards, Facebook developed Conceal. Conceal supports both authentication and encryption, and provides default implementations for key management. It uses OpenSSL, but includes only the necessary parts of it, thereby keeping its size at 85KB. Results published on the site of the library show that Conceal outperforms Bouncy Castle.

A summarised view of the libraries presented above is given in the following table. Note that, although all these libraries aim to safely fill in the gaps for developers that are new to cryptography, advanced developers can skip the defaults and specify all the details themselves (as they would do when using any crypto library).

Library          Company    License
AeroGear Crypto  AeroGear   Apache 2.0
Conceal          Facebook   BSD
Keyczar                     Apache 2.0

To sum up

If you are a mobile developer, you need to spend time making your applications usable, functional, and attractive BUT you also have to spend time making your application secure. If you do not know how to do so, or if you’re worried that you might not get it right, then use one of the libraries described in this article in order to get started. No matter what cryptographic tools you decide to use, avoid implementing your own cryptographic algorithms and/or protocols; use only algorithms and protocols that are widely used and accepted, and that people have already spent enough time trying to break.


Which skills can you develop to be more effective in protecting your data? Take the Developer Economics Survey and we will let you know. Plus, you may win new gear.