Archive for June, 2009

I recently talked about our experiences developing applications for the Yahoo Open Platform. Caja is a system used by YAP (and presumably others close to OpenSocial/Google) that transforms ordinary HTML and Javascript into a more restricted form.

At its heart, Caja enables platform providers like Yahoo! to allow developers to use Javascript in their applications safely. Caja solves a problem similar to the one Facebook solves with its FBJS (Facebook Javascript), albeit in a more flexible fashion. Facebook solves the problem by providing a limited set of Javascript-like functions, tries to mirror some of their functionality with that of its server-based API, and provides very decent support for AJAX. Caja tries to solve the problem by supporting regular Javascript with some limitations.

The Yahoo Application Platform (YAP) is new, as is Caja, so there are still a lot of kinks that need to be worked out. Some developers, however, seem to prefer the limited, yet working, set approach that Facebook offers versus the everything-should-work (but it doesn’t exactly) approach that Caja and OpenSocial may have to offer.

As I mentioned, Caja, like many other technologies that originate at Google, is open-source, so expect more companies to adopt this approach to limit XSS-style attacks on their sites. As one post by a Google developer working on the project claims, “With the launch of My Yahoo! and Yahoo! Mail gadgets, we’ve got 275 million users.” That is partially true (first they have got to see the applications before they can use them), so developers need to start taking a serious look at Caja and what Caja will mean for them. Tim Oren makes a similar (even stronger) point in his post on Web 2.0, Javascript and Caja.

In working with Caja, we had to come up with several not-so-trivial workarounds based on the current limitations of Caja (an XML parser for AJAX calls, for example), so working with (and around) Caja may not be trivial, but it will hopefully become a lot easier as these kinks are ironed out in future YAP releases.

  • Topics: Uncategorized
  • Twit

    Given the way Twitter works, with its fairly open API and the ease of creating Twitter accounts (Twitter doesn’t require you to have a valid email address when creating a new account), it is surprising there isn’t more spam on Twitter than there currently is. We have all started reading the reports on Twitter spam attacks, celebrity Twitter accounts being hacked, or how big the spam problem on Twitter will get! With more and more businesses (and individuals) taking to Twitter to promote their ventures (and potentially their scams), expect spamming on Twitter to eventually explode! After all, by some claims 90% of all email is spam. Here is my attempt at a short but comprehensive list of the types of Twitter spam and abuse that are going on:

    General Spamming and URL Shorteners
    It is becoming a common practice for individuals to use their real or fictitious accounts to shamelessly promote their services to the general public via Twitter. This sort of spam is to be expected; after all, one man’s (or woman’s) spam is another man’s (or woman’s) “business opportunity”! What makes spam on Twitter worse are the URL shorteners! Because many users shorten their links with a URL shortener to get the most out of Twitter’s 140-character limit, sometimes innocuous-looking links point to viruses, trojans, pornography, or scams! It is impossible to tell until you click the link.

    Hash and Trend Spamming
    This builds on general spamming to make it more effective (or sometimes targeted). This form of spam takes advantage of trending topics on Twitter by adding a hash tag to a particular keyword in a tweet. Recently, for example, spammers have been taking advantage of the sad death of Michael Jackson by adding #MJ and #MichaelJackson to their tweets. The same sort of thing has been going on with the #Iranelections and other popular trending topics. By adding trending topics or keywords to their tweets, spammers get their tweets to show up more often in popular (or targeted) searches. This has sometimes forced Twitter to temporarily disable trend searching on its site.

    @username Spamming and Tweetjacking
    This takes advantage of the popular practices of replying to or retweeting other people’s tweets. This common form of Twitter spam involves spammers replying to your @username, which then causes the tweets to show up in your timeline (and may cause you to read them). This has quickly evolved into the practice of Tweetjacking. Here someone replies to or re-tweets a post you made, except they substitute your shortened URL in the post with another shortened URL that points to a porn or scam site.
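
As an added example (not part of the original post), one way a client or filter could flag the link substitution described above: compare a reply or retweet with the original tweet and report links that do not appear in the original. The function names, the 0.85 similarity threshold and the sample tweets are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Leading "RT" and @mentions that a retweet or reply puts before the copied text.
PREFIX_RE = re.compile(r"^\s*(?:RT\s+)?(?:@\w+[:\s]+)*", re.IGNORECASE)


def normalise_url(url):
    """Lower-case scheme and host only; shortener paths are case-sensitive."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(),
            parts.path.rstrip("/"), parts.query)


def split_tweet(text):
    """Return (comparable body text, list of URLs) for one tweet."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    body = PREFIX_RE.sub("", URL_RE.sub(" ", text))
    body = re.sub(r"\s+", " ", body).strip().lower()
    return body, urls


def find_swapped_links(original, candidate, min_similarity=0.85):
    """Return links in `candidate` that are absent from `original` when the
    surrounding text is (nearly) the same; an empty list means no finding."""
    orig_body, orig_urls = split_tweet(original)
    cand_body, cand_urls = split_tweet(candidate)
    if not orig_urls or not cand_urls:
        return []  # nothing to substitute, or nothing substituted in
    if SequenceMatcher(None, orig_body, cand_body).ratio() < min_similarity:
        return []  # different text: an ordinary reply, not a copied tweet
    known = {normalise_url(u) for u in orig_urls}
    return [u for u in cand_urls if normalise_url(u) not in known]


# Constructed sample tweets (hypothetical accounts and short links).
ORIGINAL = "Slides from my talk on widget security http://short.example/abc123"
HONEST_RT = ("RT @alice: Slides from my talk on widget security "
             "http://Short.Example/abc123")
JACKED_RT = ("RT @alice: Slides from my talk on widget security "
             "http://short.example/zz9xq")
REPLY = "@alice nice talk! see also http://other.example/notes"

if __name__ == "__main__":
    for label, tweet in [("honest retweet", HONEST_RT),
                         ("tweetjacked", JACKED_RT),
                         ("ordinary reply", REPLY)]:
        print(label, "->", find_swapped_links(ORIGINAL, tweet))
```

The check only says that a link changed while the text stayed the same; it does not say where the new link leads.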

    Twitter Account Hijacking
    This involves hackers breaking into your account and using it for their own purposes (warning: avoid simple or obvious passwords on your Twitter account). Spammers hack into a reputable account (presumably with a lot of followers) and use it to send out spam. Accounts of popular Twitter users such as former Mac evangelist (or more recently investor) Guy Kawasaki and even Britney Spears (TwitPic accounts) have been recently hacked! The list of celebrities who have had their accounts hacked continues to grow (Lindsay Lohan, Barack Obama, Britney Spears, Fox News, for example)! In fact, this and the legal problems that follow have prompted Twitter to launch verified accounts.

    Follower Inflation, “Follower Services” and Related Spam
    The Twitter economy is based in part on the number of followers you have. Since creating an account is relatively easy, some have introduced automation to amass hundreds or thousands of fake followers! Some of these “spammers” have gone on to try and sell their services or accounts to the highest bidders! Spammers use this and related techniques to propagate general spam and grow their spam network.

    Twitter Harassment
    Not really spam but definitely a form of social networking abuse, harassment has prompted Twitter to put out and try to enforce a Twitter Harassment Policy (some have claimed this is not enough). Individuals can and do get harassed on Twitter. Some have been harassed for their professional views, celebrities have complained about being stalked or harassed on Twitter, and you can expect the same type of harassment that goes on at social networks such as MySpace to rear its ugly head!

    Dealing with Twitter Spam and Abuse

    1. Be Careful Who You Follow
      Tools like Twitchuck allow you to check whether a @username appears to be a spammer by analyzing metrics such as their following-to-follower ratio, number of posts and other metrics. A lot of spammers try to capture followers (and potentially gain more credibility and exposure) by very quickly following as many people as they can. Consider blocking these individuals.
    2. Be Careful What You Click
      As I mentioned earlier, you can never be sure exactly what you are clicking on in Twitter (and other services) where true URL addresses are hidden behind a URL shortener. I think we should look to these services to add some level of protection, or expect secure/spam-free URL shorteners to appear. Unfortunately there isn’t any solution that provides complete protection (desktop spam filters help), since some of these messages may come from a friend’s hacked account! Definitely beware of clicking on links in tweets by people you don’t know or find in a general search!
    3. Twitter Spam Filters and Techniques
      Expect these services (Clean Tweets, TweetTornado, for example) to make a big appearance shortly. Such a service would allow you to search for trends on Twitter or do simple searches while removing the tweets of known or suspected spammers. Expect more and more Twitter spam blacklists to appear (similar to those for email spam). There are also organizations dedicated to identifying spam-fighting techniques on Twitter; check them out.
    4. Abuse and Flagging Tools from Twitter
      A growing number of users are advocating that Twitter add tools that allow users to alert Twitter about abuse. I would expect that this will happen shortly. Abuse complaints already pour into Twitter’s support site. Twitter currently does suspend accounts “due to strange activity”, so they are trying to get on top of the problem, and ultimately they have the power (and best interest) to reduce spam on the service. Twitter can easily start validating email addresses and adding “Flag User” or “Report Abuse” buttons on profiles and search results, and I am certain they eventually will.


  • Yahoo! TV Widgets Video Overview

    Wanted to share an old screen capture of the Yahoo! Widget TV to give folks an overall idea of how the new Yahoo! Widgets look and work.

    You will notice that at the bottom of the screen is a dock that displays widget snippets (dynamic icons). Once clicked, a widget opens up in a sidebar. Widgets can also enter a fullscreen graphical or video mode. The Connected TV environment comes with a Gallery Widget that is used to browse and add 3rd party widgets. Individual widgets feature a horizontal tabbed menu metaphor (very similar approach to the Widgetmatic 600 series). Each widget has a title area, a “Navigation Start Point” (usually where the content goes), a set of horizontal tabs (menus), as well as a global toolbar (at the bottom).

  • Both TechCrunch and Mashable ran articles today about the glut of iPhone applications based on usage numbers from AdMob. AdMob has looked at 2,309 apps (with 15.1 million unique users) and has concluded what most of us already know: very few iPhone applications have any significant user base! Only 116 applications have over 100,000 users and amazingly 54% of applications have less than 1,000 users. Conclusion: unless you have a compelling reason to, you probably don’t want to build yet another application for the iPhone platform; chances are (unless you actively promote and market it) you won’t get millions of downloads, much less millions of dollars! The real money belongs to another group of people.

    What’s Good for the Goose, is Good for the Gander?
    Let’s do some simple math to see the type of money we are talking about. Let’s say (as the articles suggest) there are more than 50,000 applications. Let’s assume they were built by 50K developers (not accurate since some build more than one, but again there are thousands of developers who didn’t follow through, and it usually takes more than one developer per app). Let’s assume each of these developers got an extra phone for development (that’s a $300 margin for Apple according to iSuppli) and paid $100 for the SDK (rounded up). That’s $400 a developer. Multiply by 50K and that equals $20M, and that’s before the 30% margin Apple makes on each application sold! The real “developer revenue” number is probably 2 or 3 times that amount, but you get the idea!

    The New Platform Gold Rush
    Every once in a while, a new development platform will create a “developer gold rush”. This was very much the case with Facebook (but didn’t really happen for OpenSocial) and it was most definitely the case with the iPhone (but has happened in the same way for Android). As a platform provider it definitely helps to be first (Facebook vs OpenSocial, Apple vs Android), to have a powerful developer-friendly platform, to be loud and take risks (Facebook vs Yahoo!), and to do it right (Apple vs Blackberry, Facebook vs OpenSocial). Here is how some of it works:

    How Platforms are Launched and Why Application Glut Happens

    • Before the Beginning: A new platform usually begins with a private beta. Popular, talented or reputable software vendors and developers are courted/invited by the platform provider long before the platform is released, as part of a private invite-only beta. Platform providers want to make sure their platforms are tested and stable and want to release their new platform with a huge marketing splash and lots of apps! In order to do that, they need dozens of good applications on day one! They can’t have just anyone building “crappy me-too apps” because that does not demonstrate the “true power of their new platform”. Instead they hand-pick a group of companies with recognizable brands or valuable services (or “friends of the company”) that they want to have “featured” on their platform. Sometimes a developer like Metablocks is called in by the ISV or platform provider to actually help build these applications (we have recently gone through this process for 2 new platforms in the process of being released) and sometimes we are just a “friend of the company”.
    • On Day One: When the new platform is launched, it usually happens with a lot of fanfare. Facebook’s F8 Launch featured dozens of applications from well-known companies like Microsoft, Amazon, Red Bull, Washington Post, and Digg as well as more innovative offerings from upstarts like iLike, Slide, and RockYou. Now ask yourself, when was the last time you used an application from Microsoft on Facebook? You get the idea. Big launch with big names usually equals big developer response. You can’t launch a platform without any apps! Quiet releases don’t work very well.
    • On Day Two: Once the platform is launched and “publicly available”, hordes of developers, ISVs and hobbyists rush in as part of the gold rush. By this time, any promises of making a financial killing on the platform quickly start to diminish. The platform quickly gets bloated with 10, 20, 30 or more applications that do EXACTLY the same thing! Me-too developers whose approach is to quickly replicate successful applications on other platforms make an appearance. Then anyone who has 10K or more to spend to have someone in India build them an application arrives at the same time. Real companies, who unfortunately took their time building well-designed applications, are late to the party. Those who can even make it through the front doors find that there is no free food or drinks left and they get elbowed as they try to make their way to the front of the line. The brands or those with truly unique content (music labels) have the best chance of making a go at it. By spending thousands on advertising, they can get people to download their apps, but again they are not interested in selling $1, $2 apps but real products we already pay for every day. So who are the real winners? Those who came early, the VIPs (Brands) and whoever is throwing the party.
    • Building Momentum: If a platform is especially hard or expensive to build on, or if the market (aka consumers) just isn’t there yet, or simply to accelerate the process, some platform providers organize competitions, host developer events or even help start a micro venture fund to help build platform momentum.
      • Developer Competitions: Ribbit $100K Killer App Challenge, $10M Android Challenge, Open AIM Challenge
        – note: used to jump start platforms that do not immediately sell themselves, competitions are expensive and usually do not yield the best results. Warning: if everyone is using your platform, you don’t need a competition to launch it!
      • Developer Events: Facebook Developer Garage, iPhone Tech Talks, Yahoo! HackU
        – note: a very effective way to create follow-on momentum (not for jump starting). Use of free (usually alcoholic) drinks and food, and archiving events using video generally increase efficiency.
      • Development VC Funds: Facebook’s fbFund, KP’s iFund (iPhone), Google Ventures, AppFactory
        – note: probably the most effective “marketing tool” that serves to create the perception that everyone will soon be building on a platform. In Silicon Valley, this technique can help launch 100’s of wannabe startups on a platform. Warning: these funds do not always pay out to true ‘pure plays’ and sometimes existing portfolio companies are ‘repackaged’ and quietly funded from these funds. It’s also a way for small or old VCs to get much needed press (and entrepreneur interest).
    • Re-igniting the Gold Rush: Providers periodically update their platform with new features to help re-ignite the gold rush. Apple’s iPhone 3.0 release with its new features is being said to renew developer interest. Press helps as well. Stories about the vast fortunes being made on a platform definitely help! Headlines from Wired that read: iPhone Developers Go From Rags to Riches or Who Wants to be a Facebook Millionaire (BusinessWeek) are what the American (developer) dream is all about! Taglines like: Developer Makes $250,000 in Two Months sound more like a late night TV commercial. Yes, for the lucky few these things do happen, but by the time you read about it, the party is probably over!
    • Show Me the Money: This is all great for platform providers, since the smart ones very quickly figure out how to make money off the developer gold rush. Apple not only makes money each time an application is sold but also charges for its iPhone SDK, making money off the thousands of applications that are never made or sold. Genius! Others, like Facebook, have introduced verification programs ($375 an application) and encourage developers to buy advertising to promote their applications. Both are excellent strategies for monetizing popular development platforms.

      In addition to customer acquisition via apps, charging for SDKs, “verification” programs, and advertising, other mechanisms such as platform-wide micro-payments, directory listing fees, and pay-to-play platforms will soon emerge as additional monetization options.

    • Sometimes Developers Make Money Too: Joking aside, developers do have an opportunity to make real money, if they get in early and build reasonably good apps. Silicon Valley Insider claims that this year Facebook developers (combined) will make more money than Facebook. Perhaps, but it’s all good.

    What’s good for the goose IS good for the gander, and promising new platforms that will attract CONSUMERS (most importantly) and good DEVELOPERS (always a chicken and egg) will make money for both (providers and developers). As for the consumer, please keep using and buying our applications, and don’t forget to click on some of the ads; your patronage of our applications is much appreciated. Thank you and please stay tuned for more!

  • Understanding the Widget Space

    Just posted an interesting post that takes a look at the “Widget Space” on our Widgetmatic Blog.


    The post tries to shed light on what widgets are, how companies should use them and what the widget space really is.

  • We recently developed a YAP app (I like the way that sounds) for a client. For those who are not familiar with YAP, Yahoo! describes the Yahoo! Application Platform:

    The Yahoo! Application Platform allows you to reach our users and improve the Yahoo! user experience by building and deploying new experiences for them into Yahoo! pages, writing code the way you love to write it.

    From a marketing perspective, it’s Yahoo!’s response to Facebook’s popular application platform and MySpace’s OpenSocial, but in many ways it is different (and it promises to be even more different in the future).


    Here are some of the similarities and differences between YAP and other popular application platforms:

    • Like Facebook, the YAP official SDK is PHP-based, and similarly both platforms support development in Adobe Flash. Both also have their own markup languages (FBML, YML) and both support Javascript (FBJS, Caja).
    • Unlike Facebook and OpenSocial’s “externally and internally facing” applications (seen by others and yourself), Yahoo! applications are “internally facing” (seen only by you) and thus are designed to work with My Yahoo! (and Yahoo Mail)
    • Unlike Facebook and OpenSocial, very little interactivity is currently supported on the front page/Small View
    • The application metaphor behind YAP is probably more similar to those of “starting page” widgets for services like NetVibes and Pageflakes
    • Sharing of applications is probably less intuitive than Facebook but comes “automatically” with each application (since it is built into the application chrome rather than the application itself for the most part)
    • The YAP API supports OpenSocial 0.8, but in general its PHP API is less complicated (and less featured) than Facebook’s. Full support for OpenSocial is planned in the future

    Developer Do’s and Don’ts:

    • YAP’s Caja Javascript Sandbox is a bit unforgiving when it comes to spelling errors, and at the time we developed our application, there wasn’t a great way to debug these problems
    • Be prepared to write your own XML parser (we did) since currently YAP’s flavor of Javascript limits some types of DOM manipulation. If you plan on using AJAX and XML, this may be an issue. I believe their JSON support is a lot better.
    • Understand the limitations of different Views. The Small (front-page) View doesn’t support Javascript, Flash or IFRAMES, so interactivity is limited. If you want to update the Small View, you’ll need to periodically run a CRON job or use a Web Service. Plan on doing most of your “work” in the Canvas View, which does support Flash and Javascript (but not IFRAMES).
    • AJAX and other communication and event-based calls will need to be done through OpenSocial 0.8, so previous MySpace development experience helps
    • The Yahoo! developer forum does a fairly good job of answering questions so be sure to use it. The individuals responsible for evangelizing and supporting the platform did a phenomenal job in supporting our development efforts. The documentation was okay (navigation wasn’t great), sample code (at least when we used it) was okay as well but could have been organized a little better.


    • Developing on YAP!, as is the case with any new developer platform, was challenging but fun!
    • YAP! holds a lot of promise, as soon as Yahoo! starts promoting it more aggressively.
    • Remember that for the most part, the platform is still in beta, so some of these issues have probably been addressed.
  • Designing Good APIs

    A couple of weeks ago I was speaking with one of our clients about API design. I was reminded of the conversation when checking out the YELP API this morning as part of work we are doing on a joint venture called SocialGrub. Pretty much every web-based service these days has some sort of API. An API, which stands for application programming interface, is simply a mechanism that allows developers to get content from (or create it in) your service or application programmatically. As developers, we all have to design them to be intuitive and easy to use (for other developers). Here are some suggestions when designing an API:

    • Call or method names should be intuitive; avoid long or confusing names
    • Support multiple file formats for output. Popular formats include XML, JSON, and serialized PHP
    • Consider having a JSON version (or serialized PHP/Python) of your API. XML API responses tend to get large rather quickly. Consider using shorter node/element names (but try to keep them intuitive)
      • Balance file size with node/element/method name intuitiveness
    • Document your API; it always helps
      • Include example calls in your API documentation as well
    • When possible, avoid keys for your API unless they are necessary
      • Keys allow you to track/control usage but also add complexity and time
    • Provide platform-specific SDKs (PHP, C#, JS, for example) or sample code whenever possible
      • You can also encourage your developer community to share their sample code and examples
    • Study other APIs to understand best practices and standards, and to get a good idea of what developers will expect.
  • Widget News and Trends: June 21


    This week’s round up of interesting widget news, trends and analysis:

    • Widgets Still Strong!
      Wall Street Journal’s “Still A Wonderful World Of Web Widgets For Some Start-Ups” concludes that widgets are still alive and well!
    • Widget Maker Gydget Gets Acquired
      Gydget, once known for its attempts to go after the music bands, has been acquired by Adgregate, which plans to distribute its ShopAds on the 200,000 widgets that Gydget has created. Can you say, “I wish I owned my own widget”? Gydget was originally founded by Gerardo Capiel, who is now the VP of product management at MySpace.
    • iWidgets Becomes Transpond
      Company changes focus to try and power native applications for Facebook, MySpace, and iGoogle.
    • Quantcast/comScore Widget Traffic Numbers are Big!
      Widgets were all the rage last year and the trend seems to be growing. Widgetbox is reporting 500 million impressions in the past month (Quantcast).  RockYou, however, had 9.5 billion impressions and Clearspring had 520 million unique visitors according to comScore.
  • Recent Facebook Projects

    Here is a list of Facebook application projects we have been involved with:

    Music and Entertainment

    Retail and Food


  • Changes on Facebook


    A couple of things that developers and marketers should be aware of regarding changes on Facebook.

    1. Vanity URL for Facebook
      Since June 13, existing Facebook users have been able to claim a personalized vanity Uniform Resource Locator (URL) pointing to their regular existing profile page. Millions of users have already registered vanity URLs. Page owners can do the same, with the caveat that (currently) only pages with 1000 or more fans are allowed to register vanity URLs in this way.
    2. Brand Owners Get to Register their Trademarks
      To prevent URL squatters and the legal mess that quickly follows, Facebook is allowing owners of existing registered trademarks to protect them. Rights holders interested in protecting the use of their existing registered trademarks may visit:
    3. Facebook User ID’s have Changed
      Preparing for continued growth, Facebook is issuing larger IDs to certain new users. In the past most Facebook IDs were 10 or fewer digits (easily handled by an INT field in your database). This week, as part of our testing for a new game we helped develop, we noticed 15-digit IDs (100000027051821), which CANNOT be handled well by an INT field and require a BIGINT field. Developers who are noticing odd behavior (users not being able to save preferences or the creation of duplicate records in their user table) will need to modify their databases.
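
An added illustration (not from the original post) of why those symptoms appear, assuming a MySQL-style signed INT column in non-strict mode, where an out-of-range value is clipped to the column maximum instead of being rejected. Only 100000027051821 comes from the post; the other IDs and all function names are constructed.

```python
INT_MIN = -2**31
INT_MAX = 2**31 - 1      # signed 32-bit INT upper bound: 2147483647
BIGINT_MAX = 2**63 - 1   # signed 64-bit BIGINT upper bound


def store_as_int(value):
    """What a non-strict signed INT column keeps: out-of-range values are
    clipped to the nearest end of the range (assumed database behaviour)."""
    return max(INT_MIN, min(INT_MAX, value))


def colliding_ids(user_ids):
    """Map each stored INT value to the distinct real IDs that landed on it.
    Every group returned is a set of different users sharing one key."""
    buckets = {}
    for uid in user_ids:
        buckets.setdefault(store_as_int(uid), set()).add(uid)
    return {stored: sorted(ids) for stored, ids in buckets.items()
            if len(ids) > 1}


def audit(user_ids):
    """Split IDs into those that fit a signed INT and those needing BIGINT."""
    fits_int = [u for u in user_ids if 0 <= u <= INT_MAX]
    needs_bigint = [u for u in user_ids if INT_MAX < u <= BIGINT_MAX]
    return fits_int, needs_bigint


# One older-style ID (constructed), the 15-digit ID quoted in the post,
# and a second constructed 15-digit ID for a different user.
SAMPLE_IDS = [512345678, 100000027051821, 100000027051822]

if __name__ == "__main__":
    for uid in SAMPLE_IDS:
        print(uid, "is stored as", store_as_int(uid))
    # Two different users now share the key 2147483647: one overwrites the
    # other's preferences, or an insert fails or duplicates.
    print("collisions:", colliding_ids(SAMPLE_IDS))
    print("audit:", audit(SAMPLE_IDS))
```

Rows whose stored ID equals 2147483647 in an existing table are the ones to review after widening the column, since the original value was lost when it was clipped.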