Better ‘Click to call’ using redirects

A lot of mobile sites with click-to-call advertising or services require three clicks to place a call: first you click the ‘click to call’ link, then a new page loads, often with a confirmation message such as ‘Click the link below to call Acme!’, and after that the phone itself asks you to confirm that you really want to dial the number. That’s two clicks too many.

What’s happening is that the first click registers the click-through with the ad server or tracking engine so that a commission can be charged (or whatever charging mechanism is in use). You can’t easily do that on a “tel:” URL because the mobile intercepts the click and dials the number, so the server never knows about it. To the end user it’s annoying: “Why didn’t the first click just connect me?”

Luckily there’s a ‘trick’ to get rid of one of the clicks.

It works like this:

The click-to-call link should hit the server, i.e. be an http link, and that request registers the click with the tracking engine. The server then sends back an HTTP 302 response, a redirect, whose target is the “tel:” link. To the user there is a slight pause while the server is contacted, then their phone prompts them to allow the call. Three clicks have been reduced to two, which leaves one click spare under the ‘3 clicks to anything’ rule aspired to by mobile UI designers everywhere.

‘Send to a friend’ SMS gotchas part 2

Another thing to look out for with SMS to a friend is allowing the sender to enter their own name. You must ensure the server checks the name data so that it cannot carry misleading content.

For example:

“Your friend John has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

The form to send this requires a destination mobile number and a name; imagine the following variations on “John”:

“Your friend John sent you this http://nefarious.mobi/dosomethingbad he also has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

Other variations:

“Your friend John called on 199100100 and also has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

Of course 1991100100 would be some premium-rate number. All of these exploits are well known in the web world; the mobile world adds the further problem that it is relatively easy to extract money from an innocent mobile user.

The Fix:

Clean all data submitted in forms: remove all URLs, including click-to-call URLs such as “tel:” and “wtai://wp/mc;”.
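One way a server could enforce that fix, as an added example that is not code from the original post: the sender name is accepted only if it passes an allow-list (letters, single spaces, hyphens and apostrophes), which by construction excludes the ‘:’, ‘/’, ‘.’ and digits that http links, bare domains, “tel:” and “wtai://wp/mc;” need; a deny-list is kept only to label rejections for logging. The message template and coolstuff.mobi link are from the post; the function names and the 30-character cap are assumptions.

```python
import re

# Allow-list for the sender name: letters only, with single spaces, hyphens or
# apostrophes between letter groups.  ':' '/' '.' and digits never pass, so
# http:// links, bare domains, "tel:" and "wtai://wp/mc;" cannot get through.
NAME_ALLOWED = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")
MAX_NAME_LEN = 30  # assumed cap; keeps the SMS short and limits smuggled text

# Deny-list patterns, used only to label *why* a name was rejected (for logs);
# the allow-list above is what actually decides.
LINK_PATTERNS = [
    ("url", re.compile(r"https?://", re.I)),
    ("tel", re.compile(r"\btel:", re.I)),
    ("wtai", re.compile(r"\bwtai://wp/mc;", re.I)),
    ("domain", re.compile(r"\b[\w-]+\.(?:mobi|com|net|org)\b", re.I)),
    ("number", re.compile(r"\d{5,}")),  # long digit run, e.g. a premium-rate number
]

# Message template from the post; link_id is assumed to be server-generated.
TEMPLATE = ("Your friend {name} has sent you a link http://coolstuff.mobi/{link_id}. "
            "Check out more cool stuff at coolstuff.mobi")


def classify_rejection(name):
    """Return the label of the first suspicious pattern found, or None."""
    for label, pattern in LINK_PATTERNS:
        if pattern.search(name):
            return label
    return None


def sanitize_sender_name(name):
    """Return the whitespace-normalised name if it passes the allow-list, else None."""
    name = " ".join(name.split())  # collapse runs of whitespace, incl. newlines
    if not name or len(name) > MAX_NAME_LEN or not NAME_ALLOWED.match(name):
        return None
    return name


def build_sms(name, link_id):
    """Build the outgoing SMS, or return None when the name must be refused."""
    clean = sanitize_sender_name(name)
    if clean is None:
        return None
    return TEMPLATE.format(name=clean, link_id=link_id)


if __name__ == "__main__":
    # Constructed inputs: a legitimate name and the two variations from the post.
    for candidate in ["John", "John sent you this http://nefarious.mobi/dosomethingbad",
                      "John called on 199100100"]:
        sms = build_sms(candidate, "212322")
        print(repr(candidate), "->", sms or f"REJECTED ({classify_rejection(candidate)})")
```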

‘Send to a friend’ SMS gotchas

UPDATE: The developers removed the send to a friend functionality!

There I was using a mobile site that allowed you to send the page you are on to a friend (by SMS).  Upon closer inspection it had a huge security hole; each time it was exploited it cost approximately 15 to 20 cents. It was also easy to change the destination mobile number, allowing it to be used as a denial of service attack on a single number or to spam a range of numbers.  It was repeatable and easily scriptable.  NOTE: I disclosed this to the company responsible; I didn’t even get a response.


Wide open gate in Telstra’s Walled Garden

There I was perusing the Sensis WAP site from an Optus mobile phone when I seem to have clicked my way into the Telstra/Bigpond walled garden.