Thus Spaketh Idd Salim

One API to rule them all...

Great day today for Kenyan coders. Ok, let us say, EastAfrican Community coders, for political correctness. I don’t even know how to break this news, so I will just do it my plain no-beating-around-her-bushes method. No, the Octopus has not predicted that Safaricom, MTN and Zain will start supporting local innovations. No. The octopus would rather die than err. To err is to human; not to octopus.So, the hustle continues.

As a CSR, being  head of a team of very gifted coders at Symbiotic, I had committed to head the Pay.Zunguka Gateway and API development team and see to it that the Pay.Zunguka API was out before Mid May 2010. But one thing did not lead to another, and we had to inevitable delay the launch.

Well, here it is now. The API. The EuberAPI. One API to rule them all.

Download the API NOW!!

So first things first. What is an API, you would ask? Huh? You are having a larf if you expect me to answer that!! The API has been developed in PHP, jQuery and MySQL and the documentation provided with it makes it totally idiot-proof. Anyone and everyone can use the API and start earning from their hustle, Immediately! All transactions from Mpesa/Zap/yuCash will hit your system, via the API in 5 seconds. Anyone who can copy-paste, can use the API.

Safaricom have indirectly played ball this time round, so flawless end-to-end mPesa support is the first feature of the API. I hope this will not make them Mad. My QA team is still testing the ZAP and yuCash modules, but jump to it. Play with the fully working mPesa support and share your thought on the approach, the model, the logic and the illogic.

If you are a ‘BIG’ fish (read a big corporate with a lot of sensitive transactions) and don’t want to use our API as a payment aggregator, we can license the actual product. This would apply to guys like DSTV and KPLC. So instead of waiting for 48 hours for the transactions to hit their backend system, we can guarantee KPLC customers that their bills paid via Mpesa/Zap/yuCash will be reflected in their account within 5-7 seconds. Cute huh!

Like all my friends will tell you (real friends, not facebook jokers), I believe in seeing, showing and action. Si mdomo mob. So dive right into it! Visit http://pay.zunguka.com/ NOW and have a blast !!

Wazi.

-Salim, Idd

Share on Facebook

So, Today at 9:54am, I checked in after a thorough security search for metals and other things like screw drivers, hacksaws and pangas etc; stuff that can be used to HACK servers. (Fck! As I blog here, I remembered just I LEFT MY ID THERE!)

So we were welcomed with the usual ‘leteni IDs’ Kenyan greeting and we waited to be led to the training room. I sat on row 1 and the training started at 10:01 Sharp. Bwana Dennis Makau was out tutor and this guy really knows his stuff. Lively and not a boring monologuesue jamaa. He took us through all we wanted to know. He had rich knowledge of kila kitu. 10 outta 10.

Mpesa is REALLY one powerful tool, especially to developers.

Then came the tea break. I stole the chance I took my time to take the SmartTV ladies and the Sarova team on hwo they can really leverage Mpesa (powered by the virtual or dedicated modules of pay.Zunguka.com to maximize their profits and improve customer care, to a level Mpesa does not deliver – Last mile.)

After my pitch, Still at the tea-break, I checked out the Dell Sites and Gmail and Decided, “let me check my website”. Ha! Bummer!

IddSalim.com is Blocked from Safaricom LAN

And then came the hack

As you would expect, I couldn’t just sit there with all my skills. So i decided to chokora kiasi.

No, I did not escalate my privileges, get access to MJ’s PC and download data from their SQL Servers etc, like all my hack-mates would have expected. I am a Whitehack hacker, remember? I just prodded the systems. I discovered quite a few things.

1 – Mpesa Web Interface source code is susceptible to SQL Injection.

Mpesa Input not 100% Sanitized.

I took Mr Makau through a process where the Vodacom Mpesa SSL Certificate can be spoofed and replicated to grant access to rogue machines. Also, I mentioned to him the logic bug where after an account has been closed, the user session gets ‘bamboozled’ and the interface gives DB Server information.

But all in all I was really, really impressed with the accounting procedures and logic, flow logic and overall eagle-eye view of the system.

As a business tool, the Mpesa web Interface is perfect. But it’s security was well-thought… well-googled… but not well-consulted.

Back to code!

Share on Facebook

Well, we all know that Mpesa is

One Gateway to rule them all

widely used in Kenya, Tanzania and Afghanistan. Zap is available to the 22+ Zain One-Network Countries.

We also know that Paypal hates Africa.

Lastly, We know that Symbiotic Media Consortium has developed a working Payment Gateway that already links PayPal, Mpesa and Zap. Needless to say, there was no help or support at all from Safaricom, because safaricom knows as much about Mpesa as Wangechi.

So this presents a very clear advantage for players like Google to come into the Africa playing field. Africa has millions of people who have NO WAY doing e-commerce, unless they have credit-cards and can cheat Paypal to not be seen as originating from Africa, the Dark Continent full of thieves.

Using The Symbiotic Payment Platform, Google can rule the African Market and Leverage the un-tapped m/e-commerce. We know Google Loves Africa. She has Offices in Kenya.

This being a man-eat-man society where people just sleep and wait for others to think then steal the ideas, I will share no more, but will email it as a PDF to Google, detailing each and every step, hoping they will adopt it. They will. I know.

-Salim, Idd

Share on Facebook