Gmail attachments not working?

I’m assuming you’ve found your way here because you too are having difficulty viewing image attachments in the Gmail app for Android?

I found that thumbnail previews of images were displaying fine, but when I tapped to view the full image the progress bar would scroll around indefinitely.

In my case the problem was caused by Android’s Download Manager, and the solution was relatively simple.

Go into your Android Settings screen, select Apps, swipe to the ALL tab and scroll down to Download Manager.

Tap on Download Manager and then Clear data.

Download Manager

Exit the settings, go back into Gmail and hopefully you should now find that attachments are working again.

Apps Publishing Security Policy

BSkyB has become the latest high-profile victim of a security blunder which has caused them to suspend all their Sky Android applications from the Google Play app store.

The hackers would appear to have used a combination of phishing and social engineering techniques to compromise a trusted computer and steal corporate login details for third-party sites such as Google and Twitter.

The storefront for Sky’s Android mobile apps was defaced, with the app descriptions changed and screenshots replaced.

Sky Go defaced

To make a bad situation even worse for Sky, one of their official Twitter accounts was also compromised and the hackers used it to draw more attention to their handywork.

skyhelpteam

Fuelled by the ‘official’ Twitter misinformation, customers were led to believe that the apps had also been tampered with, although this has been subsequently denied by Sky on their Help Forum:

We have temporarily removed our Apps from the Google Play store following a security alert.

All Sky Apps were unaffected and any Sky Android apps previously downloaded by customers are safe to use. There is no need to remove them from your android device.

As soon as we have restored the apps on Google Play we will post up an update.

In a related security breach, Twitter has locked access to @SkyHelpTeam, which is why we are currently unable to tweet from this account. However, help and info is available via @SkyHelpTeam1Facebook and here on the Sky Help Forum.

The tweet that was made from the @SkyHelpTeam twitter, in the early hours of Sunday morning, advising customers to unistall their apps was NOT an official tweet from Sky. Twitter security immediately detected this vogue messaging and locked account as part of agreed standard security process.

Sky have suffered this humiliation as a result of sloppy security practices. With a robust security policy the damage from this attack could have be limited or prevented entirely.

My recommendations for an apps publishing security policy:

  • Use a dedicated Google account for the Google Play Developer Console, not an account used for other Google services. Do not divulge the email address of this account.
  • Enable 2-Step Verification on your Google account and use Google Authenticator to login. Make sure that you properly sign out of your Google account when you have finished each session.
  • Only use a bookmarked https link to access the Developer Console. Never click on links contained in emails or on other web sites.
  • Tightly limit access to the Developer account. Only permit access to those directly involved with apps publishing, usually just the Apps Manager and their deputy.
  • Wherever possible use discrete private keys to sign each application – see the Signing Strategies section of Android Developer Tools. This limits the damage should the private key for an individual app be compromised.
  • Store your signing keys securely, preferably using a hardware-encrypted USB flash drive (such as an IronKey). Physically store the keys in a locked safe.
  • Use a standalone computer for code signing and never connect it to a network. Treat all networks as untrusted, even your corporate LAN.
  • Have a well rehearsed contingency plan to ensure business continuity if the worst does happen.

iPhone 5

An industry insider told me that sales of Samsung’s Galaxy S III sky-rocketed the day after Apple’s big reveal of the iPhone 5. Evidently potential customers were holding off their upgrades until they had seen the new product, but what they saw disappointed.

I probably shouldn’t be admitting this, but I have already used the iPhone 5 and I was underwhelmed too. iPhone has become the safe (even boring?) option, something you would confidently give to your Mum and Dad. Apple’s runaway success has become the de facto smartphone, but the commercial imperative not to alienate their mainstream customer base has stifled innovation.

The original popularity of iOS (then iPhone OS) was due to its perfect blend of technology, form and function. Often it wasn’t possible to customise something to your liking, but that was by design and the intention was to keep things deliberately simple.

I look at iOS 6 and wonder where Steve Jobs’ painstaking obsession with simplicity has gone. I never expected CEO Tim Cook to share the same ethos, but since Jobs had apparently described Sir Jonathan Ive as being his “spiritual partner” there was a hope that he would carry forward Jobs’ legacy. It’s likely however that Ive’s control only extends as far as the hardware design, not the operating system, which is the responsibility of Scott Forstall.

Watching the official iPhone 5 promo video, it’s hard not to be impressed by Apple’s manufacturing techniques and the obvious attention that has gone into the hardware design (like crystalline diamond-cut chamfers!), but it doesn’t detract from the hard truth that to the average customer the new iPhone just doesn’t seem all that different.

With each new iPhone Apple usually succeeds in generating enough excitement and desire to persuade existing customers to follow the natural upgrade path, but they also lose some customers to Android – and they rarely return. I don’t know anyone (including myself) who has switched to Android and then gone back to an iPhone. Once you’ve broken away from the closed iPhone ecosystem it feels quite liberating to have the freedom of open services and a wide range of devices.

Conversely with each evolution of the Android platform the gap has been closing and arguably the Android 4.1 ‘Jellybean’ release has leapfrogged iOS by delivering a simple intuitive user interface and powerful features – much like the original iOS.

Samsung are seizing the opportunity to capitalise on the apathy surrounding iPhone 5 with a marketing campaign directly comparing their two flagship products:

Apple fanbois have responded with their own parody advert, but when the best they have to brag about is ‘fits all pockets’ and ‘elastic bounce back’ (the subject of Apple’s recent patent dispute with Samsung), it doesn’t bode well.

It’s certainly not all doom and gloom for Apple. They will of course sell iPhone 5 by the millions, but the shine is starting to fade.

I do have an answer to their predicament. Apple needs another product with which to dazzle and showcase their technical excellence and suppressed innovation.

Dear Tim, how about you add a new model to the iPhone range? Call it the ‘iPhone X’, pack it with enough fancy gizmos and new technology to satisfy the Android crowd and demonstrate what the biggest company in the world can really do.

Android 4.0 turns GET into POST

After upgrading to Android 4.0 ‘Ice Cream Sandwich‘ I found that some of my existing apps weren’t working as expected.

On deeper investigation I discovered the culprit. When installed on devices running ICS the apps made HTTP POST requests when they were programmed to be GET requests.

It appears that Google have subtly changed the working of the java.net.HttpURLConnection class – without telling anyone!

The Android package reference documentation has this little gem tucked away in the class overview notes:

HTTP Methods

HttpURLConnection uses the GET method by default. It will use POST if setDoOutput(true) has been called. Other HTTP methods (OPTIONSHEADPUTDELETE and TRACE) can be used with setRequestMethod(String).

My now non-functional Android apps did indeed call setDoOutput, but in Android releases prior to 4.0 this did not result in the HTTP method being changed from a GET to a POST.

Even explicitly setting setRequestMethod("GET") does not fix the problem. Basically if you don’t want your app to POST, you must not call setDoOutput.

The apps have not changed, there is nothing referencing this change in the API Differences Report, but the behaviour is definitely different in Android 4.0.

Could this be what’s behind the flurry of Android Market app updates for ICS-related fixes?

Opting-out of Google Location Server

In September Google announced their intention to comply with requests from European data protection authorities and offer a method for opting-out of their Google Location Server (GLS).

Peter Fleischer (Google’s Global Privacy Counsel) has today published an update on the European Public Policy Blog and Google have added specific opt-out details on their Maps Help page.

What is GLS? It’s a location service that most Android smart phones use to request your current location. Your smart phone could simply use satellite positioning (GPS) to accurately pin-point your location, but GPS consumes battery and generally only works outside.

Instead of using GPS your smart phone attempts to discover your location by scanning for nearby WiFi access points. It gathers the relative signal strengths, network names and unique network addresses and sends the details to the Google Location Server (GLS) for processing.

The GLS checks its database of WiFi access points and returns an estimate of your location. If your local WiFi access points are known and already in the GLS then it will return a fairly accurate location, almost on a par with GPS, for a fraction of the power.

Google built their WiFi location database while collecting data for Google StreetView and it is constantly updated and augmented by smart phone crowdsourcing. The manner in which Google collected this data has been controversial and Google have been investigated for breaches of interception laws. As a result Google has been forced to offer this opt-out scheme to appease regulators.

So what do you need to do to ensure that your own WiFi access point is not included in the Google Location Server database?

Simply append “_nomap” to the SSID of your WiFi network and Google will remove it from their database the next time a device sends information to the GLS.

It’s undoubtedly an inconvenience to change your WiFi network name and re-associate all your wireless devices, but if this scheme is adopted by all the mapping services (Microsoft, Apple, Skyhook) then it could well be worth it.