Archive | Social Network

1 Billion Apps Later – Here Are Some of Our Favorites

Today, Apple announced that its customers have now downloaded a whopping one billion applications from its App Store. Here at ReadWriteWeb, quite a few of us have iPhones, so we thought that this would be an excellent time to feature some of our favorite apps. We download and test a lot of iPhone apps, but here are the ones that have stood the test of time for us. The App Store is now home to over 35,000 applications, so this is obviously only a small selection of applications, but these are the apps that we don’t hesitate to recommend to our friends.

We couldn’t get feedback from everybody on the RWW team (and our BlackBerry users weren’t very forthcoming with suggestions either), but here are the recommendations from Richard MacManus (R), Marshall Kirkpatrick (M), Frederic Lardinois (F), and Phil Glockner (P).

Music Apps / Internet Radio

News

Photo Apps

Social Networks

Twitter Clients

E-Books

Productivity

  • Todo (F) – lots of to-do list apps for the iPhone – this one is $9.99, but worth the money
  • Groundwork (R) – access Basecamp from your iPhone
  • YouNote (R) – note taking app, but also works with photos, drawings, and audio
  • Soonr (F) – access documents from your desktop on the iPhone

Chat / Voip

Health

  • Diamedic (R) – for tracking glucose levels, insulin injections, lab results etc.

What are Your Favorite Apps?

These are the apps that we use every day, but you surely have your own favorites, so feel free to leave a comment and let us know which apps you prefer.

Healthline Launches Treatment Search Tool

Healthline, a leading provider of intelligent health information services, today announced two additions to its stable of medical search tools: TreatmentSearch, the first treatment search application for the web, and DocSearch, a tool for recommending specialists based on semantic parsing of symptom or health condition information. Other Healthline tools include SymptomSearch and DrugSearch. The integrated suite of Healthline Clinical Applications is now available on Healthline.com.

TreatmentSearch

There is a plethora of medical sites that help you figure out, based on your symptoms, what sort of ailment you might be suffering from. Enter your symptoms, browse the results, make a guess. In fact, Healthline has such a search engine as well: SymptomSearch. But how do you get more information if you already know what’s causing the symptoms? What if your doctor is suggesting a course of treatment and you want a second opinion? This is where the new search tool TreatmentSearch is handy. Using semantic search technology, TreatmentSearch takes your diagnosis and finds resources such as treatment costs and specialists. According to West Shell III, Chairman and CEO of Healthline Networks:

"When you are diagnosed with a health condition, you want to know your options, find a treatment and a specialist that are right for you, and know the associated cost implications. Healthline semantic search technology enables us to get inside not just the consumer’s health inquiry, but also all the relevant associations."

DocSearch

Also announced today is DocSearch, a comprehensive searchable database of 1.3 million doctors nationwide that can quickly supply useful results starting with a zip code and symptom, or alternatively just by specialty. Searches can be refined by distance, name, hospital affiliation, experience, and even spoken languages. Up to twenty doctors can be compared side-by-side to find just the right specialist.

Healthline is taking advantage of new technologies such as recent advances in semantic search in order to improve the experience visitors have when using the site to help them with every stage of medical care, from diagnosis, finding a doctor, costs of treatment and pharmaceutical advice. Of course, Healthline is also a business, and to that end it has partnered with quite a few other networks and portal sites to provide search, content and advertising as well.

Tweeting Picnik Photos Now Simple with Twitgoo

Web photo retouching service Picnik just announced a new partnership with Photobucket-based Twitter photo sharing service Twitgoo on its blog. The alliance will allow Picnik users to quickly share their retouched images on Twitter for free. In addition, twittering Picnik users can also apply the image as their Twitter background or update their Twitter user icon. Twitgoo uses your Twitter login to enable these extra sharing features.

Picnik is, at heart, a very robust Adobe Flash-based web application that supports hundreds of Photoshop-style filters, effects, and adjustments. Getting started is free and registration is optional, but many of the advanced tools are only available after upgrading to a pro account ($24.95/year). Even though the tool can be used directly from Picnik’s site, one of its strengths is the sheer number of embedded partnerships it has forged with other social networks like MySpace, Flickr, and Facebook. This allows Picnik to be invoked directly and returns your retouched photo to the site you are on.

Twitgoo is a new competitor from Photobucket aiming to take the crown from the current Twitter photo-sharing site, TwitPic. It is an honestly unique service, trying very hard in a chameleon-like way to look very much like Twitter once you log in (using your Twitter username and password, or Twitter OAuth in the case of the Picnik partnership). The powers you grant Twitgoo go farther than just sending a tweet about a new photo. As we stated above, it can (if instructed) also update your Twitter background and user icon directly.

Finally, photos that are modified in Picnik and pushed to Twitter appear to come from Picnik on the ‘from’ line below the tweet. This is a smart move on Picnik’s part: they are all about trying to become the de facto standard for web-based photo retouching, and this will raise their profile more. Having used Picnik with Flickr for close to a year now, we can assure you that it is a very simple and fun editor to use, and the results it generates are spectacular. Give it a try, and tweet your results!

Security Expert Suggests Twitter Focus on Output Escaping not Input Filtering

Twitter’s status blog this morning announced that Twitter has addressed the most recent variant of the Mikeyy worm but recommends that you still avoid viewing the profiles of users posting “uncharacteristic or otherwise suspicious tweets.”

It shouldn’t be this hard, Peter Soderling, founder of Stratus Security, told ReadWriteWeb yesterday. “It appears Twitter is solving the problem by focusing on the input filtering, but a simpler and more effective solution would have been to focus on output escaping; encoding the script tags so they could not execute in any victim’s browser.”

Web application development 101: You want to output something that the user has provided? Escape all of that data so that it is harmless. But what does this really mean in plain English?

Input Filtering in Plain English

Input filtering is the way in which developers validate data coming into their applications and prevent any invalid, incorrect or malicious data from being used or executed.

Typically, when an application needs a user to input data, the site will offer a form, containing one or more fields.

For instance, Twitter users have the ability to input data in a variety of places within their settings. From the obvious – such as in the account tab – where you can type in your name, username, e-mail, URL, bio, location etc., to the less obvious such as the ‘change design colors’ that allows you to enter data to specify color.

As a result, all of these fields need to be ‘filtered’ by the site – not just by making the input validation ‘nice’ for the user [as described below], but making it safe on the server.

From a user point of view, when you go to change the background color for example, Twitter has ensured you can only input 6 hexadecimal characters; that is, the letters A through F and the digits 0 through 9.

While this may provide users with a sense of relief that nothing malicious can be ‘injected’ into this field, it may also be providing a false sense of security if Twitter is not filtering the input on its servers.

Here’s why.

When you hit the ‘save changes’ button after you have input your data, your browser sends that information to Twitter’s server, which in turn will then store that information.

But what if the information Twitter’s server receives tells it to do something malicious? And, what if Twitter’s server thinks that the information it has received was from the form where nothing ‘terrible’ can be entered? This is what Mikeyy did. “It basically let me do anything I want within a browser on their Web site,” Michael Mooney, the worm’s creator, told Andy Sorcini in an interview last week.

Think of it this way. You’re sending ReadWriteWeb a letter via snail mail. The postman steams it open, rewrites it and delivers it to us. The information we receive, while still appearing to come from you, may have nothing to do with the original information you sent us.

But how do you send information to Web apps without entering it in the specified fields? Simple, if you have the tools. Programs such as Paros, a security tool made for Web application vulnerability assessment, also allow those who are tech savvy enough to monitor, intercept and modify the data being sent to Twitter before it hits Twitter’s server.

Of course, this means Twitter is now storing information – not about a color, but potentially, instructions to do something malicious.

Input Filtering at a Server Level

When Twitter’s server receives a request (such as to change the background color), it must validate that the information received corresponds to the values Twitter has assigned to it. Continuing with the color example, it must validate that only hexadecimal data has been received.

Clearly, Twitter did not do this from the get-go and is now furiously chasing input vulnerabilities that may be sprinkled in a variety of places within its code; patching them as it finds them; a long, painful and tedious process when done retrospectively.

Think of it this way. A mouse is in your house. You search to find the hole in the floor and you plug it. Then you find another mouse. Again, you search for the hole and plug it. This can go on indefinitely. But, had you, during the building stage, put down a concrete floor, there would be zero chance of mice living under your house, and fewer ways they could get in.

“Understanding why and where to filter is more vital than understanding how,” Chris Shiflett, CTO of OmniTI clarifies. “It’s vital to appreciate just how easily a form submission can be spoofed, so that you realize that absolutely nothing about the client’s request can be blindly trusted.” He has written an excellent technical overview on input filtering if you are interested in learning more.

The Flip Side of the Coin: Output Escaping

Output escaping, much like input filtering, is an additional precaution that developers can take when making Web applications.

According to Soderling, it effectively renders any malicious code that is stored in a database useless.

Rather than focus on plugging holes in the input one by one, Soderling suggests Twitter focus on escaping outputs, which is simpler from a developer point of view because it effectively requires only five steps to implement.

So simple in fact, that PHP, a common programming language, provides the htmlspecialchars function to automate this process in the PHP world.

“All Twitter needs to do is code the script tags so they cannot execute in any browser,” Soderling clarified. “This particular type of attack is not entirely uncommon.”
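The two defences discussed in this article, shown together as an added example (this is not code from Twitter or from anyone quoted here): the server re-checks the six-hex-digit color rule on every request, and every stored value is escaped at the moment it is written into HTML. The field names, the fallback color and the sample records are constructed for illustration; Python’s html.escape plays the role that htmlspecialchars plays in PHP.

```python
import html
import re

# Server-side allow-list for the design-color field: exactly six hex digits.
HEX_COLOR = re.compile(r"[0-9A-Fa-f]{6}")
DEFAULT_COLOR = "9ae4e8"  # constructed fallback value, not Twitter's


def validate_color(raw):
    """Input filtering: accept the value only if it matches the allow-list."""
    if not isinstance(raw, str) or HEX_COLOR.fullmatch(raw) is None:
        raise ValueError("color must be exactly six hexadecimal characters")
    return raw.lower()


def save_settings(store, user, form):
    """Runs on the server for every request, whatever the browser form allowed."""
    store[user] = {
        "name": form.get("name", "")[:20],
        "bio": form.get("bio", "")[:160],
        "color": validate_color(form.get("color", "")),
    }


def render_profile(record):
    """Output escaping: encode stored values where they enter the page."""
    name = html.escape(record["name"], quote=True)
    bio = html.escape(record["bio"], quote=True)
    # HTML escaping is the wrong tool inside a CSS value, so the color is
    # checked against the allow-list again on output and replaced if invalid.
    try:
        color = validate_color(record["color"])
    except ValueError:
        color = DEFAULT_COLOR
    return (f'<div style="background-color:#{color}">'
            f"<h1>{name}</h1><p>{bio}</p></div>")


# Constructed sample input: a request modified after leaving the browser form.
TAMPERED_FORM = {"name": "alice", "bio": "hi",
                 "color": '000"><script>alert(1)</script>'}
# Constructed sample record: data stored before server-side filtering existed.
LEGACY_RECORD = {"name": "bob", "bio": "<script>alert(1)</script>",
                 "color": 'fff"><script>alert(1)</script>'}


def demo():
    store = {}
    try:
        save_settings(store, "alice", TAMPERED_FORM)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, render_profile(LEGACY_RECORD)


if __name__ == "__main__":
    rejected, page = demo()
    print("tampered request rejected:", rejected)
    print(page)
```

The legacy record shows why the output side matters: a value that reached the database before the filter existed is still rendered as inert text.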

And while it is likely that the majority of sites in the world are vulnerable, Twitter, with its team of capable developers, should be better locked down.

But, Twitter is not alone in this. Guillermo Rauch found a similar vulnerability in Digg today that he tested and quickly alerted Digg to (Digg has since fixed the bug). You can read about the process here.

Whether Twitter is dealing with this problem by focusing on input filtering or output escaping is still to be determined. We’ve sent them an e-mail in an attempt to find out more and will update this post as soon as we hear back.

Aneesh Chopra: America’s Chief Technology Officer

During his weekly address this morning, President Obama named Aneesh Chopra as the nation’s first Chief Technology Officer. Chopra, who has effectively been doing much the same job at a state level in his role as Secretary of Technology for Governor Kaine of Virginia, will work closely with Vivek Kundra, the recently named Federal CIO, and Jeffrey Zients, the man Obama today named the first ever Chief Performance Officer.

Last month, two Virginia congressmen recommended Chopra for the job, saying “Chopra’s public and private experience in the technology field made him the right candidate,” and pointed out his focus on healthcare IT “is ideal for a position that will have responsibilities dealing both with stimulus spending on healthcare and environmental programs.”

From President Obama’s weekly address today:

“I have named Jeffrey Zients, a leading CEO, management consultant and entrepreneur, to serve as Deputy Director for Management of the Office of Management and Budget and as the first ever Chief Performance Officer. Jeffrey will work to streamline processes, cut costs, and find best practices throughout our government.

Aneesh Chopra, who is currently the Secretary of Technology for Governor Kaine of Virginia, has agreed to serve as America’s Chief Technology Officer. In this role, Aneesh will promote technological innovation to help achieve our most urgent priorities – from making jobs and reducing health care costs to keeping our nation secure.

Aneesh and Jeffrey will work closely with our Chief Information Officer, Vivek Kundra, who is responsible for setting technology policy across the government, and using technology to improve security, ensure transparency, and lower costs. The goal is to give all Americans a voice in their government and ensure that they know exactly how we’re spending their money – and can hold us accountable for the results.”

Tim O’Reilly, the man who coined the term Web 2.0, claims that Chopra has been instrumental in helping him better know Government 2.0 and how technology can be utilized to build a better government. He offers eight reasons why Chopra is a brilliant choice as Federal CTO.

We’ve embedded a video of the keynote Aneesh Chopra gave at this year’s State of the Net Conference to give you an insight into the thoughts of our new CTO. In this 50 minute talk, Chopra discusses health IT, broadband policy and open education among other things.

Howcast and YouTube Host 5th Summit of the Americas

How-to video site Howcast and YouTube have collaborated to develop a number of media-rich web sites for the Fifth Summit of the Americas, a strategic meeting between diplomats and world leaders from the western hemisphere, including President Obama and Secretary of State Hillary Clinton. The pressing issues headlining this summit will be human prosperity, energy security, and environmental sustainability. The summit, located in Port of Spain, Trinidad & Tobago, runs from April 17 (tomorrow!) through April 19, and there is an opportunity for the public to submit questions to be addressed on the final day.

The quick way to submit a question is to use the widget you can find here. But there are plenty of other resources available if you are interested in learning more about the Summit of the Americas, starting with the America.gov Townhall page or the Howcast Townhall page. The America.gov site in this case links to the Howcast site, which pulls together all the links, how-to videos, and forum posts centering around this summit, with additional media on their branded YouTube page. The videos and other US State Department media are located on their own YouTube page, and finally there is not one but two professional sites covering Summit of the Americas activities in general.

We have covered how Obama’s administration has harnessed YouTube in the past, and it looks like they are taking advantage of that channel again, linking to the Howcast Townhall site directly from the official White House blog. It certainly appears as if they are sincere about leveraging the technological infrastructure that is out there in order to drive engagement for events like these. With any luck, that is what is going to happen, as the issues discussed may lead to lasting decisions about how the democratic nations of the Americas combine to combat these global issues.

Discuss

Posted in Social NetworkComments (0)

Google Gets Mini-Sitelinks

Google announced a new, smaller version of their sitelinks search feature on their official Webmaster Blog today. The new mini-sitelinks will appear on more than just the top search result, and will occupy a maximum of one line and four links per result. Sitelinks were originally added by Google to help people jump to more specific parts of large web domains like Amazon or About.com. Additionally, the original version of sitelinks was only generated for the topmost result of a search query; the new one-liners can appear on other results on the first page.

Sitelinks can be seen as a slow encroachment of Google into a function that is traditionally part of the experience of visiting a site. Depending on how a site is structured, a business might not appreciate customers being pushed directly to a page below the frontpage. It could be seen as taking away from customer average time on site (a commonly measured site statistic) as well as potentially confusing if a company’s offerings are complex and require some explanation.

To this end, Google has made available settings in its suite of Google Webmaster Tools that allow domain holders, once registered, to block specific sitelinks from being listed in Google search results. It does appear that the block is only temporary (90 days) and for specific pages – which means webmasters are going to have a headache dealing with it if they have a lot of potential sitelink pages to block. In any case, Google has written about how to block sitelinks here.

Twitter Vulnerability: Mutating Fast and More on the Way

Just hours after Twitter started removing the first cross-site scripting vulnerability that hit its site this weekend, a new modified strain has been found, and according to F-Secure, it’s not the last one we’re likely to see over the next few days.

“This is not over. There’s going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don’t view profiles, don’t follow links. It’s gorgeous outside, maybe go for a walk instead?” Mikko said on the F-Secure blog earlier today.

According to Breaking News, Mikeyy Mooney, the 17-year-old owner of StalkDaily.com, has reportedly admitted responsibility for yesterday’s attack.

“I am the person who coded the XSS which then acted as a worm when it auto updated a user’s profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much hurt, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website.”

We wrote about StalkDaily yesterday, and last night Twitter pointed out on its status blog that it has “taken steps to remove the offending updates and to close the holes that allowed this ‘worm’ to spread.” The offending code can be found at GitHub as noted by Mr Speaker who left a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi blog.

Clearly Mikeyy is still bored as the new version is now making its way across the Twitterverse, tweeting comments such as: “Man, Twitter can’t fix shit. Mikeyy owns :)”

So if you see a tweet with the word Mikeyy – don’t click on it.

F-Secure is reporting that all of these attacks are JavaScript-based and suggests turning it off. You can find instructions on how to turn off JavaScript in the four main browsers (Firefox, Internet Explorer, Safari and Opera) at Tucows.

If you need to remove Mikeyy, Twittercism walks you through it in six simple steps.

We’ll keep you updated as the day progresses.

Cartoon: Honey, Sit Down – We Need to Tweet

I’d like to tell you this is a wild exaggeration of how Alex and I communicate. But if anything, it understates the case.

And yet we make it work.
