Thus Spaketh Idd Salim

Symbiotic

Hacking mPesa for fun and profit [Part 1 of 4]

by Idd Salim on Sep.01, 2010, under Coding, Symbiotic, Zunguka

Mpesa : Well thought!

Well, I always am up for a big challenge. Ask all the neighbour’s daughters in my estate and they will testify. So, over the last week, since the inception of the pZ gateway, I have been privileged to have a lot of spare time to study the internal aspects of Mpesa, especially the IIS-based (cringe!!) web interface.

Mpesa is a VERY secure system. Well-thought and very polished.

But that is just for the average hello-world pinging -t and script-kiddie hackers we see around here.

There are 2 types of hacks I have discovered for the Mpesa system, especially the web interface.

  • Constructive Hacks – Hacks that can help you as a C2B or B2C client use Mpesa better and more effectively. I will share these mostly on this blog.
  • Destructive Hacks – Hacks that can make you vulnerable to fraud based on some small details over-looked by Mpesa developers. I won’t share these, of course, due to my moral and societal obligation as a WhiteHat.

Hack 1 of 4 – Porting Mpesa to Mozilla Firefox.

One of the biggest headaches about the Mpesa Web interface is that it works *only* on IE6/7/8 and on Windows XP only. Not Opera. Not Firefox. Not Unix. I have visited a lot of client sites where they have a spare Mpesa PC. How sad!

Well, the good news is that this cannot be further from the truth! Mpesa can work on VISTA. Mpesa can work on Firefox. Mpesa can work on Ubuntu and even on Lynx.

“Share, Salim!! How do we make Mpesa work on Firefox!! Please Share!!”, I hear you shouting. Relax. I will share. For Free.

Step 1 – Get your certificate from Voda

Go to https://vmtke.ca.vodafone.com/certsrv/ via your IE and login.

Get your cert

Important : Mark the SSL Certificate Keys as Exportable.

After 24 hours, come back to this site and INSTALL the keys to your IE browser.

Step 2 – Export the Keys from IE to a File

Click on :

  • Tools [menu]
  • Options [menu]
  • Content [tab]
  • Certificates [button]
  • Select the ‘Vodafone MT KE 2009’ Certificate and click on Export
  • Click Next
  • Select ‘Yes, Export the private Key’ – Click Next
  • Select PFX, Enable strong Encryption – Click Next
  • Enter a password and confirm it. Important, save this password nowhere! Memorize it. – Click next
  • Browse for file and save the Certificate + Key Combo. – my_mpesa_cert.pfx

Step 3 – Import the Key to Firefox. Any OS, Any PC

Open Firefox and follow these steps:

  • Open Mozilla Firefox.
  • Click Edit in the top menu, and select Preferences from the drop-down menu.
  • Click the Advanced icon.
  • In the Certificates section, click Manage Certificate.
  • Click Import, and choose the file containing the client certificate and key (the my_mpesa_cert.pfx you saved in Step 2).
  • Supply the token password if prompted. Same password you used during Export.
  • Click OK. The new certificate is listed in the Your certificates tab.
  • Restart Firefox, and Open : https://www.m-pesa.com/ke/ and Walla!!

Fumba, fumbua…

Mpesa now works with IE, Firefox etc. Repeat the same on Opera.
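The .pfx saved in Step 2 is a standard PKCS#12 bundle, so any TLS client can present it, not only a browser. The sh script below is an added example, not code from the post; it assumes the openssl command-line tool is installed, checks that the bundle opens with the export password and that the private key inside matches the certificate, and unpacks it into the PEM pair that curl expects. The Vodafone certificate is stood in for by a constructed self-signed one so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
# Checks an exported PKCS#12 (.pfx) bundle like the one IE writes in Step 2 and
# unpacks it into the PEM certificate + key pair that non-browser TLS clients
# (curl here) present. A constructed self-signed certificate stands in for the
# Vodafone one so the script runs offline.
set -e

# make_test_pfx OUT.pfx PASSWORD
# Constructed stand-in for the 'Vodafone MT KE 2009' client certificate:
# a throw-away self-signed cert and key, bundled the way IE's export does.
make_test_pfx() {
  out=$1; pass=$2; dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-mpesa-client" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -passout "pass:$pass" -out "$out"
  rm -rf "$dir"
}

# pfx_to_pem IN.pfx PASSWORD OUTDIR
# Writes OUTDIR/client.crt and OUTDIR/client.key (the key is stored
# unencrypted, so the directory is created private). Returns 1 on a wrong
# password or unreadable bundle, 2 if the key does not belong to the cert.
# Note: bundles written by older Windows versions often use RC2; OpenSSL 3
# reads those only with -legacy added to the two "pkcs12 -in" commands.
pfx_to_pem() {
  pfx=$1; pass=$2; outdir=$3
  mkdir -p "$outdir"; chmod 700 "$outdir"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$outdir/client.crt" 2>/dev/null || return 1
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    -out "$outdir/client.key" 2>/dev/null || return 1
  chmod 600 "$outdir/client.key"
  # The public key derived from the private key must equal the cert's.
  cert_pub=$(openssl x509 -in "$outdir/client.crt" -pubkey -noout)
  key_pub=$(openssl pkey -in "$outdir/client.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 2
  openssl x509 -in "$outdir/client.crt" -noout -subject -enddate
}

# Usage against the real bundle from Step 2 (URL as given in the post):
#   pfx_to_pem my_mpesa_cert.pfx 'export-password' ./mpesa-pem
#   curl --cert ./mpesa-pem/client.crt --key ./mpesa-pem/client.key \
#        https://www.m-pesa.com/ke/
```

The unpacked client.key is the same private key that was marked exportable in Step 1, so delete the PEM directory once the client no longer needs it.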

I can see Kasomo and Alitsi smiling, because I have just un-masked one of the biggest security PLUSES of Mpesa, which is that it thrives through security. Words like FireBug and Firefox WebDevToolbar come to mind. But be nice. Be positive.

Have fun!

Back to code kiasi.


Is Zain celebrating 2-1 on the 83rd Minute?

by Idd Salim on Aug.23, 2010, under Personal, Symbiotic

Bend Over, daggering

Raila once quoted me and said, “Wameona Simba amenyeshewa na ametulia, wakadhani ni paka mkubwa”.

The sad Google swahili translator processes this as: “The see lion in rain. He has relax. They think big pussy”

Well, thanks to Mblayo, I got this disturbing video of the Zain truck:

BendOver jibe at Safaricom HQ

The Zain Marketers (whom Safcom has ruthlessly out-performed, out-thought, out-conned and out-sold for over 8 years now) came up with what they thought is a daggering blow at SafCom.

They hired PA System and went to blast the ‘Bend Over’ song at Safcom HQ.

Dunno if the traffic police, Nema, the ZainWanaringasasa crew and the ThisWeekSijaona conglomerate will take this lightly. I, for one, know Mwai is devastated by this.

But wait! For the life in me, I would assume for a moment Zain would show some class and focus on the areas where SafCon makes them bend-over, daggering style, e.g:

  • Social Networking
  • 3G or 4G Data
  • Zap vs Mpesa
  • International Call rates
  • Data Rates

Just a thought.

Now, lemmi make some windows servers bend over.

Have a bendy night, wont you?

Wazi.


FaceBook fast approaching the plateau phase in Kenya

by Idd Salim on Aug.18, 2010, under Symbiotic

It is sad. Honestly, really sad.

I sat with Buju the other day and he asked me : “Salim. Wewe huwezi unda your own Facebook na venye code unaimesea?”. My response is the same response I once gave DjCK, Okech and Sebi. “Put me in a position that I won’t have to worry about rent for 6 months, and I will give you the world.”

So, the discussion went on. I pointed out that ANYTHING Safaricom touches, turns to a pile of shiite. Mxit has MILLIONS of people all over the world. Safaricom brought it to Kenya, did over 100 pages of color ads, and it died, as expected. Meanwhile, 2Go is keeping Kenyans teens awake till 3am.

Next up, Facebook. In this encouraging post about the opportunities for Kenyan Coders, which I did on March 9 2010, Facebook had 580,000 Kenyans. On its own. No advertising, just viral value additions. Then Safaricom started doing their Ads and USSD codes + TV ads using that smigo-faced ugly rasta jamaa. 5 Months later today, the site has 776,920 users. Pathetic, if you ask me. Facebook has Stagnated, As soon as SafCom stepped in.

They say EVERYONE IS ON FACEBOOK… Well, we must be the smallest country in the world.

Facebook has STAGNATED since Safaricom touched her

“So”, Buju continued. “Now that ONLY 19.43% of the Kenyans with the Internet are on FB, and the growth is stagnating, what can developers do to harness the massive 81% that is NOT on Facebook?”. I smiled.

“And what is this other system you are saying that is being tested now and will come to really shock Mpesa?”, He asked. I smiled more.

Back to code!

Wazi.


2Go is officially the ikkiest of the Ikkie – Facebook beware!

by Idd Salim on Aug.08, 2010, under Coding, Symbiotic

2Go is Good 2Go

Well, let me just say, Chema Chajiuza, kibaya chajitembeza. It is rare I blog about a non-Kenyan product of any stature, but Good code is Good code. Give credit where it’s due. I am not an Anti-Mxit person as I admire anything Java, but The fact that Even After about 100 pages of Full-page Ads in Kenya it never really picked up, I knew there was some issue with it.

And so, I got a comment on this post about mXit and, as usual, I took it as spam and with a pinch of Zulu salt. Then I decided to Install 2Go and give the biatch a test-run. I never looked back! Once you go 2Go, you never go back!

2Go at a glance

Well, you can read all about it here, on 2Go’s official website.

The post-Facebook Era

Facebook ‘Mobile App’ (read – Mobile widget – ok.. or APP for people who consider kindergarten quick-hack wizard-generated hello-world apps like AfroHotOrNot or Wazzup! Apps REAL apps) has received 75,792,183 downloads as at this second. This means 75,792,183 Java users went there all expectant and got egg-faced. Facebook has NO J2ME app. Just a Bookmarklet.

Step in 2Go!!

The most interesting thing about 2Go is the ability to contact ALL your 2Go, mXit and Facebook users from one Small, Sexy, Fast App. The data compression they use is out of this world. I would give my left nut just to see tail -f of the 2Go server logs. Must be orgasmic. This Agnostic model is one of the real killer features in 2Go.

If 2Go was a Female App, she would already be pregnant with my twins.

I am building a Stock Exchange Social Network for the NSE. You can guess whose Model I will adapt, but I ain’t giving out any prizes.

I would not mind consulting to handle a local deployment of 2Go for Kenyan users. Also, 2Go would really benefit from the Pay.Zunguka Mobile payments solutions, to essentially go where Mxit did not in terms of virtual currency.


Ohh Happy day, Ohhh API day!!

by Idd Salim on Jul.20, 2010, under Google and Africa, PayPal and Africa, Symbiotic, Zunguka

One API to rule them all...

Great day today for Kenyan coders. Ok, let us say, East African Community coders, for political correctness. I don’t even know how to break this news, so I will just do it my plain no-beating-around-her-bushes method. No, the Octopus has not predicted that Safaricom, MTN and Zain will start supporting local innovations. No. The octopus would rather die than err. To err is human; not to octopus. So, the hustle continues.

As a CSR, being head of a team of very gifted coders at Symbiotic, I had committed to head the Pay.Zunguka Gateway and API development team and see to it that the Pay.Zunguka API was out before Mid May 2010. But one thing did not lead to another, and we had to inevitably delay the launch.

Well, here it is now. The API. The EuberAPI. One API to rule them all.

Download the API NOW!!

So first things first. What is an API, you would ask? Huh? You are having a larf if you expect me to answer that!! The API has been developed in PHP, jQuery and MySQL and the documentation provided with it makes it totally idiot-proof. Anyone and everyone can use the API and start earning from their hustle, Immediately! All transactions from Mpesa/Zap/yuCash will hit your system, via the API in 5 seconds. Anyone who can copy-paste, can use the API.

Safaricom have indirectly played ball this time round, so flawless end-to-end mPesa support is the first feature of the API. I hope this will not make them Mad. My QA team is still testing the ZAP and yuCash modules, but jump to it. Play with the fully working mPesa support and share your thought on the approach, the model, the logic and the illogic.

If you are a ‘BIG’ fish (read a big corporate with a lot of sensitive transactions) and don’t want to use our API as a payment aggregator, we can license the actual product. This would apply to guys like DSTV and KPLC. So instead of waiting for 48 hours for the transactions to hit their backend system, we can guarantee KPLC customers that their bills paid via Mpesa/Zap/yuCash will be reflected in their account within 5-7 seconds. Cute huh!

Like all my friends will tell you (real friends, not facebook jokers), I believe in seeing, showing and action. Si mdomo mob. So dive right into it! Visit http://pay.zunguka.com/ NOW and have a blast !!

Wazi.

-Salim, Idd

