CS and the City


Android, the Facebook SDK, SSO, and You

Sean Lynch | July 1, 2011

There seems to be near universal misunderstanding of Facebook’s Android SDK and the single sign on (SSO) feature Facebook added late last year. I originally wrote a response on Stack Overflow detailing the fix but I didn’t realize the connection to SSO at the time. I’m hoping this post can summarize the problem and solutions for the mass of similarly confused developers who get stuck here.

Background

In November 2010, Facebook announced that they’re enabling Single Sign On in the Android SDK. Applications that take advantage of this feature will allow users to skip re-entering credentials and dive right into the action. What they do not mention is that SSO isn’t a feature developers opt into; it’s actually on by default. However, it only changes the way the Facebook SDK works IF the Facebook application is also installed. This causes the problem that most developers (including myself) see when they first set out to build an application.

The issue

The typical description of the problem goes something like this: You’ve downloaded the SDK and your application is running perfectly with shiny new Facebook authentication on the Android emulator. But when you deploy it to a device, it no longer works. The app loads but the Facebook login dialog disappears instantly. If you’re more familiar with Android development than I was at the start, you start up your copy of adb logcat while your application is running and you see logs that look something like this:

D/Facebook-authorize( 2194): Login failed: invalid_key
W/System.err( 2194): com.facebook.android.FacebookError: invalid_key

At this point, you Google for solutions to the issue and quickly start pulling your hair out at the number of people reporting this issue with no apparent fix. The problem is actually very simple, though not immediately obvious. When deploying your application to the device after developing on the emulator, you’ve inadvertently and implicitly enabled Single Sign On because your device has the Facebook application installed. This is why one of the reported fixes is to uninstall the Facebook application. Your emulator does not have the Facebook application installed (though the Facebook SDK includes it if you want to install it), but your device does, thus triggering the SSO code. And SSO has some special configuration requirements that non-SSO does not, and missing them is what causes the invalid_key error above.

Fixing the Issue

There are a few different ways to tackle this problem.

1. The ugly: Uninstall the Facebook app

Don’t do this. You’re not going to be able to ask your users to do the same anyway. The only reason this works is because the SSO functionality is triggered by the presence of the Facebook application and this simply removes the possibility of using SSO completely, which is also a crappy user experience.

2. The bad: Opt-out of Single Sign On

If you want, you can actually have your application skip SSO completely. You probably don’t want to do this, but it’s a reasonable solution if you’re convinced you do. To do so, you need to modify the code calling Facebook to specify that you want to handle auth on your own. You do this by passing the FORCE_DIALOG_AUTH value into the authorize method’s activityCode parameter.

3. The good: Set up Single Sign On properly (recommended)

Unless you have a good reason not to, you should set up SSO. It’s a bit more work, but it’s the best experience for your users.

Buried in the Facebook documentation is a mention about hash codes. Although it’s not obvious in the documentation, Single Sign On requires applications to provide a Key Hash or certificate (I use them interchangeably) of the signature used to sign the application to Facebook. This is used as part of the validation with SSO. When applications are built by the Android development tools, they’re automatically signed using a debug keystore. You need to use this keystore to generate the certificate. Details about the Debug keystore are available in the Android Documentation – Signing Applications.

In order to provide Facebook with information about the signature, you need to pull it from the keystore. On OSX, you do this in the terminal with the following command:

keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore | openssl sha1 -binary | openssl base64

This generates a short string of characters (which may include characters such as ‘=’ or ‘/’) that identify the signature. This is the certificate or Key Hash as Facebook calls it. Once you have this, you need to give it to Facebook.

Find your application on Facebook’s Developer page (or create a new one if you haven’t set one up already). Once you’re in the application summary page, choose ‘Edit’ on the Settings banner and then pick ‘Mobile’ on the left-hand side. Under the Android section, you’ll see a box for Key Hash. Paste the certificate string from the command above into this box and hit save. Give it a few minutes to propagate and try running your application again. The invalid_key errors should disappear. Keep in mind, when you sign your application for distribution, you’ll have to generate another certificate like you do here and provide that as well.
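As an added example (not code from the original post or from Facebook): the shell pipeline above hashes whatever bytes keytool writes to standard output, so a wrong keystore path or alias still yields a plausible-looking string that Facebook will reject. This Python sketch computes the same base64(SHA-1) value but first checks that the input is shaped like a DER certificate; the function names and the stdin usage are assumptions of the example, and the check is structural only.

```python
import base64
import hashlib
import sys

# base64(SHA-1(b"")): what the shell pipeline prints when keytool wrote nothing at all.
EMPTY_INPUT_HASH = "2jmj7l5rSw0yVb/vlWAYkK/YBwk="


def _der_sequence_length(data: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE, or raise ValueError."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("input does not start with a DER SEQUENCE (0x30); "
                         "this is probably keytool error text, not a certificate")
    first = data[1]
    if first < 0x80:                      # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM (`keytool -exportcert -rfc`) as well as raw DER output."""
    text = data.strip()
    if not text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return data
    body = b"".join(line for line in text.splitlines()
                    if not line.startswith(b"-----"))
    return base64.b64decode(body)


def facebook_key_hash(exported: bytes) -> str:
    """base64(SHA-1(DER certificate)), the value pasted into the Key Hash box."""
    der = pem_to_der(exported)
    if not der:
        raise ValueError("empty input; the shell pipeline would have printed "
                         + EMPTY_INPUT_HASH)
    if _der_sequence_length(der) != len(der):
        raise ValueError("length field does not match input size; "
                         "the export is truncated or has trailing bytes")
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


if __name__ == "__main__":
    # Usage (file name is hypothetical):
    #   keytool -exportcert -alias androiddebugkey \
    #       -keystore ~/.android/debug.keystore | python3 key_hash.py
    try:
        print(facebook_key_hash(sys.stdin.buffer.read()))
    except ValueError as err:
        sys.exit(f"refusing to hash: {err}")
```

Run it once against the debug keystore and once against the release keystore, since each signing key produces its own hash.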

SSO Weirdities

SSO isn’t completely smooth sailing though. There are a few issues to watch out for.

1. authorize() always shows a page, even if the user is authorized
As far as I’m concerned, this is a bug in the SDK. The workaround is to store the token after authorizing the first time and simply use that instead of calling authorize again while isSessionValid() is true (Stack Overflow has a great example of how to save the access_token using Android’s PreferenceManager). However, unless you want to request an offline_access token, the token will only be valid for 24 hours.

2. Different Access Token formats
The tokens received from SSO applications are in a different format. There’s a bug open on Facebook’s bug tracker about this, but they can’t seem to track it down despite it being easy to replicate. This isn’t a huge issue, but unfortunately, you won’t be able to parse the user ID of the Facebook user out of the SSO token the way you can from the standard access token format.

3. UI is inconsistent between SSO and non-SSO
Non-SSO uses a nicer pop-over dialog to show the authentication panel while the SSO panel slides in from the right (and back out to the right after the user finishes). There doesn’t appear to be a way to change this UI, at least without hacking the SDK code directly.


Checkpointing

Sean Lynch | May 16, 2011

To ensure the continuity of this blog’s timeline, let me announce that Friday last week was my last day at Google and I’ll be starting on a new project, the details of which I can’t go into yet, but I’m looking forward to when I can.

I’m not planning on talking any further on why I left Google as the blog post you tend to see from people leaving is almost cliche. But I will say that I absolutely loved my time with the company and could see myself returning some day. For now though, greener grass :)


Southwest Hates Its Customers (‘ Data)

Sean Lynch | September 11, 2010

I’ve been a user of AwardWallet for a couple months now, a site that keeps track of many of my travel reward programs. You can think of it as Mint.com for loyalty programs. It turns out that I’m far more likely to participate in programs and actually be loyal to the brands if I can monitor my account status.  AwardWallet isn’t perfect, but it serves a large need I have.

Unfortunately, Southwest either doesn’t understand this benefit, or doesn’t actually want its customers to use the loyalty program because they’ve blocked AwardWallet from collecting this information on my behalf.  The team emailed me this week with the disappointing news:

Dear Sean,

We are writing to inform you that unfortunately Southwest is no longer allowing us to pull data from their website anymore. You can update your balance manually and you can use AwardWallet to auto-login to Southwest’s website. From now on you need to track the expiration date of your Southwest miles manually.


Southwest’s response to another AwardWallet user was equally frustrating:

We regret your disappointment that Southwest does not participate with third party companies who offer frequent flyer information on their web sites. Our reasoning lies in the fact that we can only safeguard a safe and secure program by keeping our Customers flight credits and Awards within our own internal system. While Award Wallet’s intentions may be genuine, by allowing them to have access to Rapid Rewards Members’ account information, we could potentially jeopardize not only our program’s integrity, but our Members’ personal information.

The fact that I have 11 Rapid Reward points (I only need 5 more for a free flight!) is not, in any world, hyper secure information. If I, as a customer, choose to have that information aggregated in a way that provides value, that is my prerogative. I’m convinced they recognize this too and that their concern is almost certainly that I am giving some third-party my login name and password in order to collect this information. This I do recognize as a security issue, but it’s a problem with an easy and well recognized solution.

What I propose is a MicroFormat for APIs. I’d like to define a protocol to increase the use of loyalty program data with the following features:

  • REST API for querying both the current status and the history of transactions for any given rewards program.
  • Simple JSON data structure with extensible fields so that programs can customize to suit their needs
  • OAuth based authentication
  • (Optional) PubSubHubbub-based notifications for status updates

If every loyalty program adopted this, web services and iPhone apps the world over could quickly expose this information to users in a meaningful way, and instantly make adoption of those programs a lot more valuable to their customers, and ultimately make those customers a lot more loyal.

I’d love to see Southwest actually push toward a solution that enabled this sort of usage.  Looking at the AwardWallet forums, there’s obvious demand from power users.  Seems to me, they might be the types of customers that Southwest would consider worth pleasing.


Saying so long to Flickr

Sean Lynch | October 11, 2009

My annual Flickr pro account renewal came up last month. Looking at my renewal history, I can see that every time I’ve renewed it, I’ve never done it proactively. I’ve always done it a month or so after my previous year’s subscription had expired. This year was no different. I let it expire, only to have to renew it again to unlock some of my older photos that I didn’t have a backup of (silly). This time around, I seriously considered leaving it unrenewed. I just don’t use it anymore.

I’m what I would call a long-term Flickr user. I’m relatively sure I had my Flickr account before GMail. I paid for the pro upgrade before I ever paid for generic web hosting. Flickr was great and I evangelized it to all my friends, as is evident in all the abandoned accounts on my Flickr friends list.

I was attracted to Flickr for three reasons:

  • The ability to publish my photos for my friends
  • Hosting photos for my blog
  • Getting feedback from the community on the photos I took

But four years later, the world has changed.  Now all my friends use Facebook, because they don’t have to pay for it, because Facebook actually innovated on photo sharing by indexing by the people in the photo, and because it integrates into a tool my friends already use.  For hosting photos, I can use the same web-storage I’m paying for already. Though the reality is that I simply don’t blog or photograph as much, and so neither of those are that important to me anymore.

The more revealing part is that, in those four years, Flickr hasn’t changed at all. The only event that brought me back to Flickr was the account merger with Yahoo. The only news I heard was the half-assed support for video and the addition of the Yahoo logo. Beyond that, it’s stagnated. Where are the Twitter short-links? Where’s the first party Facebook app? (Edit: found both after digging through the profile settings, foot appropriately in mouth). I’m asking partially because I’m a geek and I love playing with new features, but also because this complete lack of investment on Yahoo’s part has made it so worthless that almost all of the people who used to engage in the photos have now gone elsewhere. My pro membership doesn’t buy me anything.

Unless something major changes, this will be the last $24.99 (a number that, despite Moore’s law, has stayed constant this entire time) I give to Yahoo. I’m not rushing to Picasa Web either.  They’re just as guilty of price stagnation as Flickr (though Face recognition is very cool).  For now, I’ll stick with iPhoto and Facebook (which maintains their own iPhoto plug-in I might add). There’s plenty to do in this area, so I’ll be waiting for someone to come along and impress me.

Epilogue

For anyone trying to get their photos off of Flickr, take a look at PhotoGrabbr, a tool for downloading entire Flickr albums for the Mac. I definitely won’t be dealing with photo lock next year.


Playing with PubSubHubBub

Sean Lynch | July 13, 2009

This week I’ve been taking a look at the recently announced pubsubhubbub by Brad Fitzpatrick and Brett Slatkin of Google. The duo proposed and implemented a protocol for implementing near-realtime notifications on top of RSS and Atom. The protocol describes three roles: A publisher, a subscriber, and a hub. The hub basically acts as an intermediary, receiving subscription requests from subscribers and forwarding update notifications from publishers to subscribers.

One of the first things I noticed about the protocol is that subscribers are required to have an internet accessible URL for validating subscription registration and receiving notification pings. This is not an issue for the Google Readers and FriendFeeds of the world, but this does leave desktop RSS readers out of the party.
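As an added example (not from the original post or the PubSubHubbub project): a minimal subscriber-side handler for the hub's verification request to that callback URL, which is what stops a third party from subscribing your endpoint to feeds you never asked for. The parameter names (hub.mode, hub.topic, hub.challenge, hub.verify_token) and the 404 refusal follow the PubSubHubbub Core 0.3 draft; the PendingSubscriptions store and handle_verification function are hypothetical names for this sketch.

```python
import hmac
import secrets
from urllib.parse import parse_qs


class PendingSubscriptions:
    """Remembers which (mode, topic) pairs this subscriber actually asked the hub for."""

    def __init__(self):
        self._pending = {}  # (mode, topic) -> verify_token sent with the request

    def request(self, mode: str, topic: str) -> str:
        """Record an outgoing subscribe/unsubscribe request; returns its verify token."""
        token = secrets.token_urlsafe(16)
        self._pending[(mode, topic)] = token
        return token

    def confirm(self, mode: str, topic: str, token: str) -> bool:
        """True once, and only if the hub echoes a request we really made."""
        expected = self._pending.get((mode, topic))
        if expected is None:
            return False
        # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        del self._pending[(mode, topic)]  # one-shot: a replayed verification fails
        return True


def handle_verification(query_string: str, pending: PendingSubscriptions):
    """Handle the hub's GET to the callback URL. Returns (status, body).

    200 with the challenge echoed back confirms the subscription;
    404 tells the hub the subscriber does not agree to it.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    mode = params.get("hub.mode", "")
    topic = params.get("hub.topic", "")
    challenge = params.get("hub.challenge", "")
    token = params.get("hub.verify_token", "")

    if mode not in ("subscribe", "unsubscribe") or not topic or not challenge:
        return 404, ""
    if not pending.confirm(mode, topic, token):
        return 404, ""
    return 200, challenge
```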

Also interesting to note is that there’s nothing that requires the hub to be a separate entity from the publisher. In fact, it could be very desirable for the publisher to own the subscription hub. Besides removing one notification roundtrip from the protocol, it would also give publishers more control over how often to ping users on updates. Nothing in the protocol requires that a notification be sent every time, so it would be possible to only notify a subset of users in real time (perhaps the ones that pay), and others on a regular basis.

Depending on how deep your RSS Trivia knowledge goes, this might sound awfully close to the rssCloud element, but Brett points out that the key differentiator here is PSHB’s “fat pings”, that is, the entire updated content is sent as the ping to the user.

To reduce latency and polling, PSHB supports persistent HTTP connections from hubs to publishers, but it could use FriendFeed’s SUP protocol to detect updates as well.

Though solving slightly different problems, it’s interesting to compare SUP’s and PSHB’s stances on polling. SUP obviously relies heavily on polling, despite drastically reducing the amount required, while PSHB has strong opinions against it. Polling is certainly less error prone, in addition to being less efficient. For example, how does PSHB handle dropped pings to subscribers? I admittedly haven’t dug too deep, but I assume a reasonable amount of state must be maintained in the hub to handle these cases smoothly.

Ultimately the most valuable contribution of the entire project might be the two outspoken Google employees behind it. Already they are seeing some adoption. The pubsubhubbub demo at Real-Time CrunchUp announced the launch of FeedBurner support and showed prototypes of Blogger and Reader support. Having evangelists inside the company makes early adoption in other Google products much more likely, which in turn will give the standard much more credibility.


My Kindle’s Biggest Problem

Sean Lynch | April 19, 2009

To be fair, the problem isn’t so much one of the Kindle’s. It’s more of a problem with books. I’ve had PDF books for years. PDFs were the cheaper method of getting textbooks for classes that were not always useful and they were often the only source of technical documentation in the days before Amazon (did I just date myself?). Over these same years, I bought many more books. To me, the physical copy of the book was absolutely preferred over reading on a computer. That all changed with the Kindle (and presumably for eBook readers before it).

After centuries, books are about to have their very first format transition. Here comes that famous blogger hyperbole: Print is obsolete.

You’ve probably been through at least one of these before: buying Blu-ray to replace DVDs that replaced VHS only a few years before it, or upgrading from vinyl to cassette to CD to MP3 in a matter of a few decades. Each transition becomes increasingly costly for consumers as their libraries tend to get larger over time.

What remains to be seen is whether book authors will gorge on users paying to convert their library or, perhaps having felt the pain of format obsolescence for themselves, allow their fans to enjoy the content they already have a legal right to for free. I’m certainly being an idealist but I’m hoping it’s the latter. Time for some empirical evidence.

The Experiment
I have a small number of books on a range of subjects sitting in my to-read queue. All are in various stages of completion. I would rather continue to read using my fancy new device, but I’m very opposed to purchasing a new digital copy when I have a perfectly readable analog copy.

To this end, I propose the following experiment:

I will email each of the books’ authors with a simple proposition: I will return my copy of the book to the author (or give it to a friend, second hand store, whatever is the author’s preference), and in exchange, I will ask them to give me a digital copy of the book. I’d love if they were able to gift me the Kindle version, but I will take any digital version they have and do the heavy lifting to get it onto the Kindle. They are, of course, free to reject my offer (as I expect most will).


I love my new Kindle

Sean Lynch |

If I were to write a review, the title of this post would be the eventual conclusion. That said, let me bullet point out the pros and cons:

Things I really like

  • Great Customer Service: My first one was defective when received (Back button was broken). A call to customer service had one automated menu, a real person, and a next-day replacement in under fifteen minutes
  • I can convert PDFs using Amazon’s converter
  • I can read anywhere, while only hauling a perfect sized tablet around
  • Cute female book nerds everywhere are stopping me to ask “Is that the new Kindle?”

Things I don’t like

  • Amazon is wasting the annotations feature by just dumping the results in a txt file
  • The bookstore’s coverage is relatively weak
  • I’m buying into the worst of DRM lock-in: I can’t give books to other people and I can’t read the files outside of my Kindle (and the Kindle app on iPhone)

Dear Facebook, I’ve got all the friends I want thanks

Sean Lynch | February 8, 2009

When Facebook first added the “Friends You May Know” section on their homepage, I was relatively impressed. It did a good job of finding people in my social group. In the end though, I only found one or two people I had not yet added myself. After that, it was another useless piece of the homepage sidebar trying to get me to pimp Facebook to people I know; Invite Your Friends (aka Spam Your “Friends”) and Find Your Friends being the others (Even the ad slot is a friend inviter half the time).

The problem with the Friends You May Know feature wasn’t in the graph algorithm, it was with me. It was indeed identifying people I knew, but knowing them was not the same as being friends with them. I called it the People I Know, But Don’t Really Like box.

To fight back against The social graph analyzing Man, I started hitting x next to each of the recommendations. As I did I would battle back the algorithm as it ran out of new recommendations for the day, only to return a few weeks later with a group of people I was a little less connected to. Slowly but surely the recommendations became meaningless. Until it finally hit rock bottom.

Yesterday, Facebook recommended Jessica to me. It explained that we both went to the same University so surely we know each other. Jessica and I had absolutely no mutual friends. Not one. I was surprised that the algorithm had become so desperate for me to grow my social graph that it had begun resorting to recommending complete strangers. I wondered what other strangers’ homepages were recommending becoming friends with me, or maybe I was the only one so hostile towards the recommendations.

I knew all of its efforts would be fruitless. I had already realized what the algorithm or the clever coder behind it simply did not consider: I had no more friends. Facebook has done such a good job that my friends list was simply, complete. I could imagine the meeting in Facebook HQ where some quiet intern asked “What happens when they run out of friends?” only to have their question waved off. “Inconceivable!”

Well I’m here to tell you Facebook, I have reached that state. Facebook – Please quit bugging me to add friends, I will as I make new ones. Instead, do something really cool with all that sidebar space. I’m sure you’ve got some great ideas.

And have some self-confidence. Just because my Friend list is growing does not mean I’m jumping ship for Twitter any time soon.


I actually agree with Valleywag: No one uses Twitter

Sean Lynch | December 28, 2008

I’ve always been a bit confused about the reckless amount of hype surrounding Twitter. The functionality it provides is nothing more than 90s era IRC with cute animated birds and a 140 character limit. I was convinced the people who live and breathe Twitter were making general assumptions about the reach of Twitter based on their smaller social group. Turns out Valleywag thinks so too.

Said Valleywag post is titled “Do You Twitter? How Adorable” and it makes the point that Twitter has “consumed the media elite”, but their view of its success is distorted because they only see how their colleagues use it. “By the numbers, though, Twitter is an inconsequential nothing.”

My Twitter page is essentially tweets from a handful of variably frequent posters and the few dozen remaining followers that do nothing other than add icons to my followers list. I do very little tweeting myself excepting the odd response at one of those aforementioned heavy Twits.

Twitter, for me, is just one more site I need to check every day. My followers/following list is without exception, a subset of the social graph I already have represented in Facebook or Google. The only thing Twitter serves to do is further segregate the conversation I have with my friends.

For my part, I’ve been building a small script that polls and synchronizes my status across Facebook, Twitter, and GTalk (I’d like to add Live Messenger too, but there’s no easy API to get/set, *hint* for those MSofties reading this). Of course, that only solves my side of the conversation. The other direction remains fragmented.


Review: Virgin America

Sean Lynch | October 19, 2008

When I started writing this review, I was half way through my fifth flight on Virgin America in three weeks time.  I felt knowledgeable enough to write an informed review on the entire VA experience.  But as I started to flesh out my mental notes into something more concrete, I realized why I enjoyed my flights so much:  The Virgin America plane is one big gadget.

Red is the name of Virgin’s in-flight entertainment system, and the most featureful I’ve used in my travels. It has radio and an impressively complete Music library, Music Videos, Satellite TV, TV on Demand ($1.99 per), Movies on Demand ($7.99 per), and Video Games. The Virgin Airbus is the first plane to pass the “Can you play Doom on it?” test (and all the cheat codes work!). One of the other really hyped features of Red is the seat-to-seat chat and plane chat room, but I did not see a single person in the chatroom during any of my flights. I think this might be more “wow” than actually useful. On the other hand, a feature that is very useful is the ability to order drinks and food directly from Red at (almost) any time during the flight.

Despite the plentiful entertainment options, Red is very much still in beta. There were several points where the system was slow and unresponsive, once requiring a reboot. This must be a somewhat common occurrence as flight attendants occasionally warn about the need to reboot during the take-off speech, likening it to their passengers’ Windows PCs.

Some of the features aren’t built yet: Read, Shop, and Email keep telling me to try again on my next flight. Red allows you to create musical playlists, but there’s no payoff if your list disappears as soon as you get off the flight. It screams to be tied into a personal account (so much so that a login button is present in the home menu, with no functionality behind it).

I’m also convinced that several of the Satellite TV channels are pre-captured streams. For example, on all of my flights, the Sci-Fi channel seemed to be playing the same two episodes of Battlestar Galactica over and over, and the video feed didn’t seem to break down in turbulence like CNN would. Speaking of which, the satellite’s reception seemed to be relatively poor compared to the similar system on WestJet flights. This wouldn’t be as big of a problem if they offered a fresher selection of on demand video at a cheaper price point (read: free). Geek style points for offering Diggnation and Boing Boing video for free though.

On the technical side, I have a suspicion that Red is built on Linux. After rebooting, my screen faithfully displayed the familiar X Windows Server backdrop before moving into Red. Another sign? One of the games in the system is called Linux Circus.

Overall I’m very impressed with the system, but they’re going to have to iterate quickly on both the features and the content lest Red becomes a novelty rather than a necessity.
