Some folks will recall back in November I wrote how OpenSocial was irrelevant as a platform for social networking applications. I’ve been working with it for the last three days on MySpace and have to say, over the last few months the folks at MySpace have been working hard to bring OpenSocial to a usable reality. I’ve had some time this week to experiment with it and I must say, while it’s certainly not “done”, it’s come a VERY long way. Warning: This is going to get kinda lame for those who don’t care about Social Networks and application development.
Signed Requests / Security
MySpace now supports OAuth, which allows the provider’s proxies to sign requests using a pre-shared secret key. Limited docs on the MySpace implementation are available on the developer site, but you’re best served looking through the forums. This is so huge I don’t even know where to begin. Essentially, prior to this, anyone could make a request, watch it go over the wire and then manipulate the parameters at will. This type of untrusted injection was problematic for any application that needs to maintain the integrity of its users’ data. Consider the following request:
// AJAX request
While 99% of users would never see this request go out, the 1% of users who are more aware of what’s going on could see that simply calling the file directly in their browser would let them write unlimited messages to anyone, virtually unchecked!
// False AJAX requests
Imagine if I wrote a script to automatically call that page, incrementing the ‘t’ (target) value by one each time. I could eventually send a message to every user on that social network. In case you’re wondering about the level of difficulty of this, it’s not hard. OAuth changes this by signing the request.
// Pseudocode to sign
// OAuth AJAX request:
Now on the server side, we can validate that the source of this data is trusted, because we can recalculate the oauth_signature value by reconstructing the same string and running the same calculation with the shared secret on the server side. If the recalculated signature matches, the request is valid! So why not just “unsha1” the value? SHA1 is a hashing algorithm that is generally not reversible. SHA1 is also implemented in most modern web languages, so it’s easy to integrate. Only a full public key infrastructure would be more secure! BTW: I know this signature is invalid – it’s for illustrative purposes.
Developers, wherever you are, keep those keys secure and hard to guess!!!
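As an added example (not code from this post or from MySpace), here is the sign-and-verify round trip described above in Python: the client signs the request parameters with HMAC-SHA1 over an OAuth 1.0 signature base string, the server rebuilds the same string with the shared secret, and a request whose ‘t’ parameter was changed after signing no longer verifies. The URL, consumer secret and parameter values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample secret; a real consumer secret comes from the container's
# developer registration and lives only on the server, never in browser code.
CONSUMER_SECRET = "example-secret-do-not-reuse"

def percent_encode(value):
    # OAuth 1.0 uses RFC 3986 encoding: only unreserved characters stay bare.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Encode each key/value, sort, join with '&', then join method/url/params.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret"; the signature field
    # itself is excluded from the material being signed.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    base = signature_base_string(method, url, unsigned).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    # Server side: recompute from the shared secret and compare in constant time.
    presented = params.get("oauth_signature", "")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)

def demo():
    url = "http://app.example.test/send_message"  # constructed placeholder URL
    params = {"t": "1001", "m": "hello", "oauth_consumer_key": "demo-app",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1200000000",
              "oauth_nonce": "abc123", "oauth_version": "1.0"}
    params["oauth_signature"] = sign("GET", url, params, CONSUMER_SECRET)
    genuine_ok = verify("GET", url, params, CONSUMER_SECRET)
    # Same signature, but the target id was altered in transit: must be rejected.
    altered = dict(params, t="1002")
    return genuine_ok, verify("GET", url, altered, CONSUMER_SECRET)
```

The timestamp and nonce are included so the signed material is unique per request; checking them for replay on the server is a separate step not shown here.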
Where MySpace is Still Failing
I commend MySpace for adopting a standard for their implementation of OpenSocial, however, there’s a critical flaw in the execution. It’s OpenSocial based, not a true OpenSocial application. For some unknown reason, I have to upload 3 different versions of my code (1 per “surface”) that are then basically cached on the MySpace server. While this is great for load and scalability for a startup, it leaves me little room for tweaking and makes testing VERY difficult unless I work in their very small textarea. Thank God for Apple’s Safari which allows for scaling of textarea elements in real time. This also means I need to create a new version of my application for MySpace. They could have accomplished the same means to an end by having their responsibility for the application end with the directory registration process. In that process we could establish a shared key (see OAuth above) and any particular differentiations from the standard OpenSocial format. Furthermore, the write once – run anywhere mantra of Java OpenSocial could be preserved!
Developers Define Space
The Data Portability working group has been formed and has gained some mass acceptance among social network providers, triggered mostly by the actions of blogger Robert Scoble, who downloaded all of his Facebook contacts using a script and sent the entire Social Networking community into an uproar. While nothing has actually come to the users as a result of the group … I’m hopeful that Social Networking will allow us to select the tools we wish to use without alienating our friends.
At least in the MySpace arena, there will be a directory of applications that users can choose from. Other social networks also host their own directories and I suspect that will be the case for some time to come. I could see a future state where an automatic discovery tool worked its way in (like RSS for apps) but it may be trivial if developers are continuing to craft their applications for each individual network.