The Hybrid Desktop/Web Application

Our goal has always been to provide a very simple, easy-to-use call recording application. To that end we employed a very simple and sparse UI. It used to look like this.

It was a simple HTML window where all the records were listed with the options. Unfortunately this interface was also very restricted. We were looking for an easy and seamless way to integrate the desktop client with our web service.

So in the 1.1.0.0 update we completely removed this built-in UI and instead embedded a small web server in our application. This enabled us to present the UI in a browser. And the result was this.

As you can see, this interface is far better than the previous one: better listing, an embedded Flash player, search/sort/filter options, and it is more responsive. We firmly believe that it's a big step towards making our application and service better for our users.

What enables this UI is JavaScript. We have used JS heavily. Whenever the history or configuration menu item is clicked, it launches the default browser pointing to a page on our web server. This page serves JS content which then does a cross-site query using JSONP to the local web server embedded in our client. The embedded web server then interfaces with the SQLite backend and sends data back to the browser. The JS formats this data as HTML and the browser renders it.

The end effect is that you seem to be browsing a page on our web server but magically your local data turns up in the browser! Sounds scary, right? How did my data end up being on your server? Did we steal it?

The short answer is no. The long answer is that we used XSS. XSS is a technique which is widely used for phishing and other website-related attacks, but it has seen growing acceptability in recent times. Several popular web APIs use it (e.g. Twitter, Flickr, Google AdSense). When used for legitimate purposes it can be a very powerful tool.

But as Saul points out in his comment, it can also be used by hackers to inject malicious JS into our application and steal the local data from the computer. The point is valid and it's good that someone raised it.

Yes. That is a possibility. And anticipating that, we have taken several steps to prevent it from occurring. For starters, the HTTP port of the client is dynamically generated. At each startup this port number changes. The web server also has built-in checks on the types of requests it responds to. It processes requests only from the localhost. The query string has strict checks. It does not open up the whole computer and does not serve any files. It is in fact a very limited implementation of a web server. The actual content of the call record, the mp3 content, is not fetched via XSS. The embedded Flash player directly downloads it to its cache. Going forward we also plan to add SSL and encryption to it.
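The request checks listed above, sketched in JavaScript as an added example (this is not Call Graph's code; the endpoint names, parameter names, Host check and per-launch token are assumptions that go beyond what the post describes). The token is included because a loopback-address check alone cannot tell which page in the local browser issued the request.

```javascript
// Added example, not Call Graph's code. Endpoint and parameter names are hypothetical.
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/; // one JS identifier, nothing else
const VALUE_RE = /^[A-Za-z0-9 _.@-]{0,64}$/;            // conservative value alphabet
const ACTIONS = new Map([['history', ['page', 'q']], ['config', []]]);

// Compare without an early exit so timing does not reveal how many characters matched.
function sameToken(given, expected) {
  if (typeof given !== 'string' || given.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < given.length; i++) diff |= given.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

const deny = (status, reason) => ({ ok: false, status, reason });

// req: { remoteAddress, host, url }. cfg: { port, token }, both chosen afresh at each startup.
function checkRequest(req, cfg) {
  if (!LOOPBACK.has(req.remoteAddress)) return deny(403, 'peer is not loopback');
  // Assumption beyond the post: the Host header must name this listener.
  const hosts = [`127.0.0.1:${cfg.port}`, `localhost:${cfg.port}`];
  if (!hosts.includes(req.host)) return deny(403, 'unexpected Host');
  const u = new URL(req.url, 'http://127.0.0.1');
  const allowed = ACTIONS.get(u.pathname.slice(1));
  if (!allowed) return deny(404, 'unknown action'); // named actions only, never files
  const params = {};
  for (const [k, v] of u.searchParams) {
    if (k === 'callback' || k === 'token') continue;
    if (!allowed.includes(k) || !VALUE_RE.test(v)) return deny(400, 'bad parameter');
    params[k] = v;
  }
  const callback = u.searchParams.get('callback') || '';
  if (!CALLBACK_RE.test(callback)) return deny(400, 'bad callback');
  // Assumption beyond the post: a per-launch secret handed to the launched page.
  if (!sameToken(u.searchParams.get('token'), cfg.token)) return deny(403, 'bad token');
  return { ok: true, action: u.pathname.slice(1), callback, params };
}

// Serialize the reply so record data cannot close the script element or the call.
function jsonpBody(callback, data) {
  const json = JSON.stringify(data).replace(/[<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return `/**/${callback}(${json});`;
}
```

The reply should also be sent with a JavaScript content type and `X-Content-Type-Options: nosniff` so the browser never interprets it as HTML.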

We have put in all the safeguards that we could think of to prevent such an attack. You are most welcome to have a look at the JS code. It's not minified at this point in time, so you can just browse through it. Please do have a look and let us know if we can improve on something.

On the question of us stealing your data, it should suffice to say that we are a legitimate business entity running a service for which we have paid users. We are fully committed to protecting your data and ensuring that nobody can gain unauthorized access to it.

Embedding a web server in a desktop application is not an entirely new concept. Google’s Desktop Search does that, although it uses static HTML pages. In the embedded systems programming world it's a fairly common technique. Using XSS along with it might be new. To be honest we don’t really know if there is a precedent. I am sure others have thought about it. But if we are the first to actually try it out, then allow us to take the credit for it. We think this is a very effective way of protecting the users' data, while still delivering services which add value to our customers. Our service is a hybrid between a desktop application and a web application. We want to provide our users with a seamless experience between the two. And this method allows us to do exactly that.

We hope this post clarifies any questions regarding our update. Feel free to post comments and discuss it here.

Recording And More..

So what comes after the recording? You are obviously recording the call with some purpose. Our web service, CRIMS, which stands for Call Recording Indexing and Management, provides you with several options once you are done with the recording. I’ll briefly go over the things you can do with CRIMS in this article.

Registering:

You need to register for our web service to use it. Registration is free and straightforward. Provide your mail id to us and we’ll send you a link. Click on the link and we’ll ask you to fill out a form. And you are done.

Several of our users have reported that they are not getting the mails at all. This happens because a lot of mail clients (especially Hotmail) treat such mails as spam. Hence check your spam folder if you do not get the mail. You can always request a new mail from the register page as well.

Setting up the Account:

This web service works with our Skype call recorder only. So before you can do anything with it, you need to associate and verify your client installation. If you haven’t already installed the client, then it's the right time to do so. Get it from here.

On your computer, right click on the Call Graph task bar icon, choose ‘Configuration’, go to the ‘Association’ page and enter the username and password that you used to create your account. Click on the ‘Associate’ button. You should get a notification saying that your machine has been added and that it needs to be approved before calls can be uploaded. The approval has to be done from the Machines page.

If you want all your call records to be automatically uploaded to your account then make sure that the ‘Automatically upload a copy to my account’ option is selected on the associations page. The upload happens independently of call recording in the background. So you can carry on with your work and record more calls if you want.

Uploading:

Now that your account is set up, you can start uploading calls. Start a call with ‘echo123’ and record it. If you have opted to upload calls manually, open the Call Graph history dialog (right click on the CG Task bar icon and choose ‘History’) and click on the upload link below the file name. Otherwise the upload starts as soon as the call recording completes.

The client will notify you when the upload finishes. After that, log in to your account. You should see something like this.

Call Recording History:

This is your call record history page. This is the first page you are shown when you log in to your account and is the starting point if you want to do something with your record. There are two parts to this page: the left hand menu and the history table. The menu lists the other pages that you can go to. We’ll get to that in a short while.

In the call record history there are two main parts: the details column and the management column. The details column displays the details of your call record: when it was recorded, by whom, when it was uploaded, whether it was shared with someone and so on. It also has an embedded Flash player. Click on the play button and you should be able to listen to your record.

The management column gives you a set of actions that you can perform on your record. A few of them are self-explanatory. You can rename the file, edit the tags or delete it in the same way you can in the client. You can also download it back if you want, which is helpful if you are recording calls from several machines.

Note that when you delete the file it's completely removed from our system. There is no way to get it back. You can do a ‘reupload’ if you still have it in your client though.

As with the client, this page also displays your call records in reverse chronological order, the latest one first.

Sharing:

If you want to share it with someone, maybe the person you recorded the call with, click on the share link. It will ask you for the email id, and instructions on how to access the record will be sent to your contact.

Once you share a record, a new field will start appearing in your details column stating with whom the record was shared. There will be a new option in the management column as well to unshare the call record. If you mistakenly shared your record, click on unshare and all the shares will be revoked.

Note that the contact you have shared your call with can only play it back. Since you are the owner of this record, only you can delete, share, transcribe etc.

Transcribe:

If you want a text transcript for your call then click on the transcribe link. We provide transcripts for calls which pass our quality checks. The parameters for quality check include voice quality, your language setting (must be American English for now) and duration (> 5 minutes).

Once the screening is passed you will be notified of it. You can click on the transcribe link and place an order for the transcript from there.

As we go along we will add support for many more languages and accents. This post has some details of our transcription process if you are interested to know more.

Search:

One of the most interesting features of our web service is Search. We can do contextual searches. When your call records are being screened we generate a list of keywords which can be used to identify your call record. These keywords are added to the tag list of your call record. So now you can actually search for a call with a word which might have occurred during the call itself.

A search bar is present at the top of the history page. Type in your search term and press enter. It should take you to the ‘Search Results’ page where all records matching your search terms will be listed.

As with the client, we also add your contact’s name by default to the tag list. So if you want to list all the call records with a particular contact of yours, just search for it and it will display the timeline.

The search is also very basic currently since we lack good language and grammar databases. But as we keep on improving the system, it should start getting more and more useful.

What Else:

You can add more machines to your account if you want from the machines page. As many as you want!

You can also mail us directly from the support page if you want to ask us something.

You can also change your password or your language setting, or delete your account, from the settings page. If you click on delete, we delete all the records and personal data you have provided us with. We retain nothing!

Note that if you do not want your call records to be screened then you can set your language setting to ‘Other’.

What’s Next:

As you would have noticed, the UI is very simple and basic. Very Web 1.0’ish. But we are working on a major upgrade to it and things will be much better soon. So keep tuned.

If you haven’t signed up already then please do it now. Click here. We are offering all these services for free in the beta phase. So give it a try and let us know what you think of it!