
Web Application Security Testing


The Open Web Application Security Project (OWASP) is an international organization dedicated to enhancing the security of web applications.

This talk was given at Mantra Labs by Rijin, one of our experienced test engineers. He discussed the OWASP Top 10, the most critical web application security risks worldwide. The list describes each risk, provides examples, and offers suggestions on how to avoid it.

The OWASP Top 10 web application security risks (2013 edition) are:

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting (XSS)
  4. Insecure direct object references
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing function level access control
  8. Cross-site request forgery (CSRF)
  9. Using components with known vulnerabilities (e.g., Heartbleed, Shellshock)
  10. Unvalidated redirects and forwards

Links to HackerOne bug reports:

https://h1.sintheticlabs.com/

These publicly disclosed reports give a picture of the security issues currently being found in web applications and of how attackers actually exploit them.

An Exploit-DB entry referenced in the talk:

https://www.exploit-db.com/exploits/42309/


  1. INJECTION

This is when an attacker sends hostile data to an interpreter (SQL, OS shell, LDAP, XPath, etc.) as part of a command or query, tricking the interpreter into executing unintended commands or accessing data without authorization. The most common code injection attack is SQL injection (SQLi). An SQLi attack works when attacker-controlled input is concatenated into a SQL query sent to the database server, so that the input is parsed as SQL rather than treated as data, leading to exposure of your data. The attack is simple and cheap: anyone with internet access can do it, and SQLi tools and scripts are freely available for download.

How is it done?

The character ' (a single quote) is entered into the search field; pressing the button leads to an error page which displays more information than needed, such as the database error message and part of the failing query.

This shows a badly and insecurely programmed application that does not separate query structure from user data. A few illegal characters and a little poking around lead the attacker to a string such as ' UNION SELECT password FROM users-- which he can then use to harvest usernames and passwords from the database. This is just one basic way to exploit application databases.
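As an added example (not code from the original talk), the following Python script reproduces the attack described above against a small in-memory SQLite database. The tables, rows and search function are constructed for the demonstration. It shows the single-quote probe producing a database error, the UNION payload pulling passwords out of the vulnerable search, and the same payload doing nothing against a parameterised query:

```python
import sqlite3

# Constructed demo database (not from the original page): a product search and a
# users table whose contents an attacker should never be able to read.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("keyboard",), ("mouse",)])
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def search_vulnerable(conn, term):
    # The user's input is pasted into the SQL text, so a quote in the input
    # ends the string literal and everything after it is parsed as SQL.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    # Parameterised query: the term is bound as data; quotes and keywords in it
    # are matched literally and can never change the query structure.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def probe_error(conn, term):
    # The single-quote probe from the text: a vulnerable search raises a database
    # error instead of returning an empty result. Returns the error text, or None.
    try:
        search_vulnerable(conn, term)
        return None
    except sqlite3.Error as exc:
        return str(exc)

if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT password FROM users--"
    print("probe error  :", probe_error(db, "'"))
    print("vulnerable   :", search_vulnerable(db, payload))
    print("parameterised:", search_safe(db, payload))
```

The fix is structural: with `?` placeholders the driver never lets the input alter the query text, so no quoting or keyword filtering is needed on the application side. `probe_error` mirrors the first test in the text; in production the error belongs in the server log, with the user shown only a generic message.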

Tool commonly used for SQL injection

sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

It ships with Kali Linux.

After finding a vulnerable page you can enumerate the databases by typing:

sqlmap -u "<url>" --dbs

Guide to exploit via sqlmap

https://www.darkmoreops.com/2014/08/28/use-sqlmap-sql-injection-hack-website-database/

https://www.hackers-arise.com/single-post/2017/01/20/Database-Hacking-Part-3-Using-sqlmap-for-SQL-Injection-Against-MySQL-and-WordPress

For practice, the talk pointed to the following websites. Only test systems you own or have explicit written permission to test; a deliberately vulnerable lab application that you run yourself is the right target for practice.

http://www.shumka.com/shumka-at-50/news/index.php?id=847

http://waytogonatural.com/product_detail.php?ID=4526

You can also find potentially SQL-injectable pages on your own by searching for URL patterns such as:

  • php?id=(any number)
  • login.php?id=(any number)
  • index.php?id=(any number)

Examples of SQL injection:

https://hackerone.com/reports/200818

https://hackerone.com/reports/179751

2. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

Incorrect implementation of authentication schemes and session management can allow unauthorized users to assume the identities of valid users.

Attacks on broken authentication and session management are typically launched by anonymous external attackers, or by users trying to take over other users' accounts, who attempt to retrieve passwords, keys, session tokens, account IDs and other details, or exploit implementation flaws to assume other users' identities.

Key Points to check if you are vulnerable:

  1. User authentication credentials aren’t protected when stored using hashing or encryption.
  2. Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
  3. Session IDs are exposed in the URL (e.g., URL rewriting).
  4. Session IDs are vulnerable to session fixation attacks.
  5. Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
  6. Session IDs aren’t rotated after successful login.
  7. Passwords, session IDs, and other credentials are sent over unencrypted connections.

Examples of attack scenarios:

Scenario #1:

Airline reservations application supports URL rewriting, putting session IDs in the URL:

http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii

An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.

Scenario #2:

Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.

Scenario #3:

Insider or external attacker gains access to the system's password database. User passwords are not properly hashed, exposing every user's password to the attacker.

Vulnerability to 'Sensitive Data Exposure' (item 6 in the list above, closely related to credential handling):

  1. Is any of this data stored in clear text long term, including backups of this data?
  2. Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.
  3. Are any old / weak cryptographic algorithms used?
  4. Are weak crypto keys generated, or is proper key management or rotation missing?
  5. Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser? (Nikto)

Prevention from Sensitive data exposure:

  1. Make sure you encrypt all sensitive data, at rest and in transit.
  2. Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
  3. Ensure strong standard algorithms and strong keys are used, and proper key management is in place.
  4. Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.
  5. Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
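The storage rule in point 4, as an added Python example (not from the original page, standard library only): PBKDF2-HMAC-SHA256 with a random per-user salt, the parameters stored alongside the hash so they can be raised later, and a constant-time comparison on verification. The iteration count is an assumption, chosen in the range current guidance recommends for PBKDF2-HMAC-SHA256:

```python
import hashlib
import hmac
import os

# Constructed example (not from the original page). The work factor is an
# assumption: high enough to make offline guessing of a leaked hash expensive.
ITERATIONS = 600_000

def hash_password(password, salt=None, iterations=ITERATIONS):
    # A fresh 16-byte random salt per user defeats precomputed tables and makes
    # identical passwords produce different stored values.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing format: algorithm, iterations, salt, hash (all hex).
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == would leak, through timing, how many
    # leading bytes of the guess matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Because the parameters travel with the hash, the iteration count can be raised for new passwords (and old hashes upgraded on next login) without a migration. bcrypt, scrypt or Argon2 via a library are equally good choices; what matters is a slow, salted, password-specific function rather than a plain SHA-256 or reversible encryption.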

Protection against broken authentication and session management:

Password Strength

-Enforce a minimum length and complexity.

-Complexity depends on the usage of combinations of alphabetic, numeric, and/or non-alphanumeric characters.

-Change passwords periodically (note that current NIST guidance recommends forcing a change only when there is evidence of compromise, since mandatory rotation pushes users toward weaker, predictable passwords).

-Prevent reuse of previous passwords.

Password Use

-Restrict the number of login attempts allowed per unit of time, and log repeated failed login attempts.

-The system should not indicate whether it was the username or the password that was wrong when a login attempt fails.

Password Change Controls

-Users should always be required to provide both their old and new password when changing their password.

-If forgotten passwords are emailed to users, the system should require the user to reauthenticate whenever the user is changing their e-mail address; otherwise an attacker who temporarily has access to their session (e.g., by walking up to their computer while they are logged in) can simply change their e-mail address and request a 'forgotten' password be mailed to them.

Password Storage

-Passwords must never be stored in plain text. Store them as salted hashes produced by an algorithm designed for passwords (bcrypt, scrypt, PBKDF2), as noted above.

-Reversible encryption is only appropriate for credentials the application must replay to another system (e.g., a password used to connect to a third-party API), never for the passwords users log in with.

Session ID Protection

-A user's entire session should be protected via TLS (SSL), not only the login page.

-Session IDs should never be included in the URL: URLs are cached by the browser, written to server and proxy logs, and leaked to other sites through the Referer header.

-Session IDs should be long, random values from a cryptographically secure generator, so that they cannot be guessed or predicted.

-Session IDs can also be changed frequently during a session to reduce how long any one ID is valid. Session IDs must be changed when switching to TLS, when authenticating, and on other major privilege transitions.

Browser Caching

-Authentication and session data should never be submitted as part of a GET; POST should always be used instead.

-Authentication pages should be marked with all varieties of the no-cache tag to prevent someone from using the back button in a user's browser to go back to the login page and resubmit the previously typed-in credentials.
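The session ID rules above (unpredictable IDs, rotation on login, idle timeout, server-side invalidation on logout, and cookie attributes that keep the ID out of URLs and scripts), as an added Python example that is not from the original page. The store, the 15-minute idle timeout and the cookie attributes are choices made for the demonstration; the clock is injectable so the timeout can be exercised without waiting:

```python
import secrets
import time

# Constructed example (not from the original page): a minimal server-side
# session store applying the rules above.
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped

class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}  # session id -> {"user": str or None, "last_seen": float}
        self._now = now

    @staticmethod
    def _new_id():
        # 32 bytes from the OS CSPRNG: long, unpredictable, and not derived from
        # anything an attacker can observe (time, counters, usernames).
        return secrets.token_urlsafe(32)

    def create(self):
        # Anonymous (pre-login) session, e.g. for a shopping basket.
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        # Returns the session record, or None if the id is unknown or expired.
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._now() - record["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expire server-side, not just in the cookie
            return None
        record["last_seen"] = self._now()
        return record

    def login(self, sid, user):
        # Rotate the id on authentication. An id that an attacker fixated or
        # observed before login now maps to nothing.
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._now()}
        return new_sid

    def logout(self, sid):
        # Invalidate on the server; an attacker holding a copy of the id must
        # not be able to keep using it after the user logs out.
        self._sessions.pop(sid, None)

def session_cookie(sid):
    # Secure (HTTPS only), HttpOnly (not readable by document.cookie),
    # SameSite (not sent on cross-site requests, which also hardens against CSRF).
    return "session={}; Path=/; Secure; HttpOnly; SameSite=Lax".format(sid)
```

Scenario #2 above (walking away from a public computer) is covered by the idle timeout, and scenario #1 (the ID in a shared URL) by keeping the ID in a cookie with these attributes.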

Examples of broken authentication and session management:

3. CROSS-SITE SCRIPTING

This is when a browser unknowingly executes attacker-supplied scripts, which can hijack sessions or redirect the user to a rogue site.

Cross-site scripting (XSS) is a client-side code injection attack in which an attacker injects malicious scripts (the payload) into a legitimate website or web application so that they run in other users' browsers. XSS is among the most widespread web application vulnerabilities and occurs when a web application includes unvalidated or unencoded user input in the output it generates.

By leveraging XSS, an attacker does not target a victim directly. Instead, the attacker exploits a vulnerability within a website or web application that the victim visits, using the vulnerable site as a vehicle to deliver the malicious script to the victim's browser.

The talk covered the two server-side types of XSS (a third variant, DOM-based XSS, arises entirely in client-side JavaScript that writes untrusted data into the page):

a) Stored XSS

b) Reflected XSS

Stored XSS

  • A stored cross-site scripting vulnerability occurs when the attacker can store a payload that is served to other, unsuspecting users later. The attack persists somewhere, such as a database record, a wiki page or a blog comment, and executes whenever a user views the page that includes it.
  • Stored XSS is a failure not only of input validation but also of output encoding. Even if data was sanitized on input, it must be encoded for the context in which it is output (HTML body, attribute, JavaScript, URL). Checking output independently also catches data that entered through a path the input validation never saw.

Reflected XSS

  • The attacker discovers that a parameter of a website or web application is reflected into the response without encoding, then crafts a request that makes the reflected value execute as script. The attack fires when an unsuspecting user is directed to the vulnerable application by the attacker and opens that request.
  • The payload is carried in URL parameters, so the attacker sends the crafted URL to victims by email, instant message, blog or forum posts, or any other channel.

How to test for XSS injection vulnerabilities, example:

You can determine whether a web application is vulnerable to reflected XSS with a simple test: take a parameter that is sent in an HTTP GET request and modify it. Take, for example, the following request, where the name parameter entered in a textbox is printed back on the page as 'Hello George, thank you for coming to my site':

http://www.yoursite.com/index.html?name=george

Now add some additional content to the parameter, for example:

http://www.yoursite.com/index.html?name=<script>alert('You just found a XSS vulnerability')</script>

If an alert box appears stating 'You just found a XSS vulnerability', the parameter is vulnerable to XSS. The name parameter is not being validated or encoded: anything is accepted as a name, including a script injected into the parameter, and where the name George would normally be written into the page, the <script>...</script> payload is written instead and executed by the browser.

The alert message is only a harmless probe; a real payload would, for instance, send document.cookie to an attacker-controlled server. When testing, also try payloads for other contexts (e.g., closing a quoted attribute), since a <script> tag may be filtered while attribute or JavaScript contexts are not.
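The greeting page from the example, as added Python code (not from the original page) showing the vulnerable rendering next to the output-encoded version, an attribute-context variant, and the reflection check the manual test performs. The page text and the payload are taken from the example above; the attribute payload is constructed for the demonstration:

```python
import html

# Constructed example (not from the original page): the greeting page rendered
# with and without output encoding, plus the reflection check.
PAYLOAD = "<script>alert('You just found a XSS vulnerability')</script>"

def render_vulnerable(name):
    # Raw interpolation: markup in `name` becomes markup in the page.
    return "<p>Hello {}, thank you for coming to my site</p>".format(name)

def render_safe(name):
    # Output encoding for HTML text context: < > & " ' become entities, so the
    # browser displays the payload as text instead of executing it.
    return "<p>Hello {}, thank you for coming to my site</p>".format(
        html.escape(name, quote=True))

def render_attr_safe(name):
    # Attribute context needs the value quoted *and* escaped; quote=True handles
    # the quote characters that would otherwise close the attribute early.
    return '<input type="text" name="name" value="{}">'.format(
        html.escape(name, quote=True))

def reflects_unencoded(response_body, probe):
    # The manual test from the text, automated: the response is vulnerable if
    # the probe comes back byte-for-byte, i.e. without being encoded.
    return probe in response_body
```

Encoding must match the output context: `html.escape` is correct for HTML text and quoted attributes, but data placed inside a `<script>` block, a URL, or a CSS value needs that context's own encoding, and a framework's auto-escaping template engine is the reliable way to get this right everywhere.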

Some examples of cross-site scripting attack vectors:

http://hackersonlineclub.com/cross-site-scripting-xss/

Tools that can be used:

OWASP ZAP (zaproxy): free and open source.

https://github.com/zaproxy/zaproxy/wiki/Downloads

Burp Suite and BeEF (the Browser Exploitation Framework) can also be used to find and exploit XSS vulnerabilities.

4. INSECURE DIRECT OBJECT REFERENCES

An attacker can take a reference to a file, directory or record exposed by the application and manipulate it to gain unauthorized access to other objects.

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.

Vulnerability to insecure direct object references:

  1. For direct references to restricted resources, does the application fail to verify the user is authorized to access the exact resource they have requested?
  2. If the reference is an indirect reference, does the mapping to the direct reference fail to limit the values to those authorized for the current user?

To test insecure direct object references:

To test for this vulnerability the tester first needs to map out all locations in the application where user input is used to reference objects directly. For example, locations where user input is used to access a database row, a file, application pages and more. Next the tester should modify the value of the parameter used to reference objects and assess whether it is possible to retrieve objects belonging to other users or otherwise bypass authorization.

The best way to test for direct object references would be by having at least two (often more) users to cover different owned objects and functions. For example two users each having access to different objects (such as purchase information, private messages, etc.), and (if relevant) users with different privileges (for example administrator users) to see whether there are direct references to application functionality. By having multiple users the tester saves valuable testing time in guessing different object names as he can attempt to access objects that belong to the other user.

Some basic examples:

The value of a parameter is used directly to retrieve a database record

Sample request:

http://foo.bar/somepage?invoice=12345

  • In this case, the value of the invoice parameter is used as an index in an invoices table in the database. The application takes the value of this parameter and uses it in a query to the database. The application then returns the invoice information to the user.
  • Since the value of invoice goes directly into the query, by modifying the value of the parameter it is possible to retrieve any invoice object, regardless of the user to whom the invoice belongs. To test for this case the tester should obtain the identifier of an invoice belonging to a different test user (ensuring he is not supposed to view this information per application business logic), and then check whether it is possible to access objects without authorization.
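The invoice example above, as an added Python example (not from the original page): a lookup that trusts the parameter, the same lookup with an ownership check against the caller's server-side identity, and the two-user test described earlier written as a function. The invoice table and user names are constructed for the demonstration:

```python
# Constructed example (not from the original page): the invoice lookup from the
# text. INVOICES and the user names are made up for the demonstration.
INVOICES = {
    12345: {"owner": "alice", "total": 120.00},
    12346: {"owner": "bob",   "total": 75.50},
}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(current_user, invoice_id):
    # The parameter is used directly as the lookup key and current_user is never
    # consulted: any authenticated user can read any invoice by changing the number.
    return INVOICES[invoice_id]

def get_invoice_safe(current_user, invoice_id):
    # Authorise against the *exact* object requested, using the identity the
    # server established at login, never a user id supplied in the request.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != current_user:
        # Same response for "missing" and "not yours", so valid ids cannot be
        # enumerated by watching for a different error.
        raise Forbidden("invoice not accessible")
    return invoice

def idor_check(fetch, user_a, id_a, user_b, id_b):
    # The two-user test from the text: each user fetches their own object (must
    # work), then tries the other user's id. Returns True if cross-user access
    # succeeded, i.e. the endpoint is vulnerable.
    fetch(user_a, id_a)
    fetch(user_b, id_b)
    for user, other_id in ((user_a, id_b), (user_b, id_a)):
        try:
            fetch(user, other_id)
            return True
        except Forbidden:
            continue
    return False
```

In a real application the ownership check belongs in one place (the data-access layer or a decorator on every object-returning handler) so it cannot be forgotten on a new endpoint; per-handler checks are where IDOR bugs come from.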

Examples of the attack:

https://hackerone.com/reports/12011

https://hackerone.com/reports/42587

Testing for traversal / file include

Many web applications use and manage files as part of their daily operation. Where input validation has not been well designed or deployed, an attacker can exploit the system to read or write files that were never intended to be accessible.

Testing techniques to test this flaw

In order to determine which part of the application is vulnerable to input validation bypassing, the tester needs to enumerate all parts of the application that accept content from the user. Here are some examples of the checks to be performed at this stage:

Are there request parameters which could be used for file-related operations?

Are there unusual file extensions?

Are there interesting variable names?

http://example.com/getUserProfile.jsp?item=ikki.html

http://example.com/index.php?file=content

http://example.com/main.cgi?home=index.htm

An attacker could insert the string ../../../../etc/passwd to include the account file of a Linux/UNIX system (/etc/passwd lists accounts; the password hashes themselves are normally in /etc/shadow, which only root can read). This attack is only possible if the validation checkpoint fails and, according to the file system privileges, the web application itself is able to read the file.

http://example.com/getUserProfile.jsp?item=../../../../etc/passwd

It is also possible to include files and scripts located on an external website (remote file inclusion):

http://example.com/index.php?file=http://www.owasp.org/malicioustxt

If URL schemes are accepted as arguments, as in the above example, it is also possible to probe the local filesystem this way:

http://example.com/index.php?file=file:///etc/passwd

and to probe local and nearby network services through the server (server-side request forgery):

http://example.com/index.php?file=http://localhost:8080 or http://example.com/index.php?file=http://192.168.0.2:9080

Example of path traversal: https://hackerone.com/reports/150018
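An added Python example (not from the original page) of the server-side checks that stop the probes listed above. It assumes a fixed content directory and a `file`-style parameter that should only ever name an HTML page inside it; the directory and its single page are created by the script for the demonstration:

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed example (not from the original page): serving a page named by a
# request parameter from a fixed content directory.
class Rejected(Exception):
    pass

def resolve_content_path(base_dir, requested):
    base = Path(base_dir).resolve()
    # 1. Null bytes truncate paths in some C-based layers; never let one through.
    if "\x00" in requested:
        raise Rejected("null byte in path")
    # 2. Refuse anything with a URL scheme (http://, file://, ...): a file
    #    parameter must name a local page, never a remote or scheme-based resource.
    if urlsplit(requested).scheme:
        raise Rejected("scheme not allowed")
    # 3. Resolve symlinks and '..' segments, then require the result to lie
    #    inside the content directory. This final check is what matters:
    #    stripping "../" substrings on their own is bypassable ("....//").
    target = (base / requested).resolve()
    if base not in target.parents:
        raise Rejected("path escapes content directory")
    # 4. Allow-list the extension so configuration or source files are never served
    #    even from inside the directory.
    if target.suffix not in {".html", ".htm"}:
        raise Rejected("extension not allowed")
    return target

def read_page(base_dir, requested):
    return resolve_content_path(base_dir, requested).read_text()

def is_rejected(base_dir, requested):
    try:
        resolve_content_path(base_dir, requested)
        return False
    except Rejected:
        return True

def make_content_dir():
    # Throwaway directory with one legitimate page for the demonstration.
    d = tempfile.mkdtemp()
    (Path(d) / "content.html").write_text("<h1>welcome</h1>")
    return d
```

The strongest option is to avoid a path parameter altogether and map an opaque key (`?page=home`) to a fixed filename on the server; the checks above are for the case where the parameter has to stay.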

5. SECURITY MISCONFIGURATION

Improper server or web application configuration leading to various flaws.

  • Debugging enabled
  • Incorrect folder permissions
  • Using default accounts or passwords

Vulnerability to Security Misconfiguration

Is your application missing the proper security hardening across any part of the application stack? Including:

  1. Is any of your software out of date? This software includes the OS, Web/App Server, DBMS, applications, APIs, and all components and libraries.
  2. Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
  3. Are default accounts and their passwords still enabled and unchanged?
  4. Does your error handling reveal stack traces or other overly informative error messages to users?
  5. Are the security settings in your application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values?

Attack scenarios:

Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

Scenario #2: Directory listing is not disabled on your web server. An attacker discovers they can simply list directories to find any file. The attacker finds and downloads all your compiled Java classes, which they decompile and reverse engineer to get all your custom code. Attacker then finds a serious access control flaw in your application.

Scenario #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws such as framework versions that are known to be vulnerable.

Scenario #4: App server comes with sample applications that are not removed from your production server. These sample applications have well known security flaws attackers can use to compromise your server.

Protection against Security misconfigurations:

  • Install latest updates and security patches. Have an easy to manage updating process with test environments to check updates before deploying to production environments.
  • Remove sample applications that ship with content delivery systems and web frameworks. Most tools that help build web applications include demo and sample code to help teach developers how to use the tools and get you started. These samples and demos should be removed. They provide a known target for anyone attempting to compromise web application security.
  • Remove unused features, plugins and web pages. Only include the parts of web applications that you need to provide your service to end users. Remove any plugins or functionality that you are not using.
  • Turn off access to setup and configuration pages. Don’t leave the setup and configuration pages available for users to use.
  • Change usernames, passwords and ports for default accounts. Web application frameworks and libraries often ship with default administration names, passwords and access ports enabled. Everyone knows these. Change all these to non standard usernames, passwords and ports.
  • Don’t share passwords between accounts on Dev, Test and Production systems. Related to the point above. Don’t use the same administration accounts and settings across your Dev, Test and Production systems.
  • Turn off debugging so that internal info isn’t sent back in response to test queries or errors. Excessive debugging information can be used to glean information about a web applications configuration.
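As an added example (not from the original page), a Python function that scans a single HTTP response for several of the misconfiguration signs listed above: version banners, missing browser security headers (the kind of check Nikto performs, mentioned earlier), directory listings, stack traces and debug output. The two sample responses are constructed for the demonstration:

```python
import re

# Constructed example (not from the original page): a first-pass audit of one
# HTTP response for common misconfiguration indicators.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
EXPECTED_HEADERS = ("strict-transport-security", "x-content-type-options",
                    "x-frame-options", "content-security-policy")
STACK_TRACE_MARKERS = (
    r"Traceback \(most recent call last\)",   # Python
    r"\.java:\d+\)",                          # Java "at Foo.bar(Foo.java:42)"
    r"Stack trace:",                          # PHP / .NET
    r"Fatal error: .* on line \d+",           # PHP
)

def audit_response(status, headers, body):
    """Return a list of findings for one response. headers is a dict; keys
    are matched case-insensitively."""
    headers = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in LEAKY_HEADERS:
        value = headers.get(name, "")
        # A version number in a banner tells the attacker exactly what to look up.
        if re.search(r"\d+\.\d+", value):
            findings.append("version disclosed in {}: {}".format(name, value))
    for name in EXPECTED_HEADERS:
        if name not in headers:
            findings.append("missing security header: " + name)
    if re.search(r"<title>Index of /", body):
        findings.append("directory listing enabled")
    for marker in STACK_TRACE_MARKERS:
        if re.search(marker, body):
            findings.append("stack trace or verbose error in body")
            break
    if status >= 500 and "debug" in body.lower():
        findings.append("debug output returned on server error")
    return findings

# Two constructed responses: a leaky misconfigured server and a hardened one.
SAMPLE_BAD = (
    500,
    {"Server": "Apache/2.4.18 (Ubuntu)", "X-Powered-By": "PHP/5.6.30"},
    "<html><body>Fatal error: Uncaught Exception in /var/www/index.php on line 42 "
    "(debug mode)</body></html>",
)
SAMPLE_GOOD = (
    200,
    {"Server": "nginx", "Strict-Transport-Security": "max-age=31536000",
     "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
     "Content-Security-Policy": "default-src 'self'"},
    "<html><body>ok</body></html>",
)
```

Run it over responses captured by a proxy such as ZAP or Burp. It is an indicator, not a substitute for reviewing the server and framework configuration itself: a clean response does not prove that the admin console or sample applications are gone.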

Good read :

https://lockmedown.com/owasp-5-security-misconfiguration-hardening-your-asp-net-app/

Stay tuned for rest of the security risks, they are coming shortly.


InsurTech: Present and Future of Insurance Technology

Insurers need to adopt technology that offers their customers more efficient, optimized and relevant policies: policies customized with data from a wearable or mobile device, or policies that apply for just an hour. Alongside such customer-focused initiatives, they still need to meet core business objectives such as pricing and operational efficiency and compliance with stringent regulations. Can InsurTech meet these expectations? Can technology lend a helping hand? Let's explore how the insurance vertical is evolving with the latest technology and what its future looks like.

The Present of InsurTech

Insurance firms are under immense pressure to reorganize: customized policies, risk mitigation strategies, real-time analytics, instant claim settlement, sensors, drones and augmented reality (AR) apps are all playing a significant role. So which technologies have firms adopted? Let's take a closer look.

Robo-Advisory Services

Robo-advisors have seen broad adoption across the insurance sector. Where hiring a financial advisor was once out of reach for many individuals, robo-advisors let people in lower income groups get do-it-yourself advice on their financial portfolio. Should you opt for cover against all critical diseases or only a few? Is an integrated policy better than an individual one? These are the kinds of questions robo-advisory services can answer.

Policies via Sensors, Detectors, and Telematics

Sensors and detectors connected via the internet can send early warnings of smoke or radiation to rescue services, helping to minimize damage. Telematics, such as monitoring vehicle speed and detecting rash driving, can help both the individual and the insurer reach a clear judgement on claims. While IoT and interconnected networks could be a boon for offering customized policies, these small devices are taking insurance services to the next level.

The Future of InsurTech

Could technologies like blockchain, augmented reality and virtual reality change the way the world sees the insurance sector? Would they bring in exotic new flavors of policies? Only time will tell; for now, let's explore how these technologies could be useful in the insurance sector.

Blockchain

Distributed ledger technology has the potential to ease fraud detection and risk prevention, according to a report from EY. The report also highlights that blockchain is effective in establishing transparent, customer-focused claims handling, building trust and loyalty for insurance firms.

Augmented or Virtual Reality

Imagine driving in stormy weather while an AR app marks the road and lane borders so that you do not hit a tree or a car in the adjacent lane. Or 3D modeling and simulations that make insurance claims easier and faster for customers. Or, before you buy home insurance, a simulation that pinpoints everything the policy covers rather than making you read a lengthy document. All of this is possible with AR and VR technologies.

With the evolution of technology, the secret is to be adaptable to change. At Mantra Labs we believe in this, and one of our esteemed clients, Religare, is using our InsurTech solutions in its post-sale, pre-claim, post-claim and renewal processes. It provides customers with transparent and intuitive services that are robust and secure for the business. A win-win for all.

Reference Links:

https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2016/10/how-augmented-and-virtual-reality-changing-insurance-landscape.pdf

https://www.realexpayments.com/blog/augmented-reality-insurance-businesses/

IOT in Insurance Sector: Home, Auto and Health Insurance

The Internet of Things is helping the insurance industry as well. Based on the reports we have read, it is set to transform the insurance industry in flexible and exciting ways. Last month the Accenture insurance blog stated that 39% of insurers have already launched or are piloting connected-home or connected-building initiatives that use the Internet of Things, and 44% consider connected devices to be a driver of future insurance revenue growth.

Insurance is set to be transformed by IoT. Some insurance companies, such as Bajaj Allianz, ICICI Lombard and HDFC Life, have already adopted IoT and insurance technology.


In this article we discuss how IoT is helping the home, auto and health insurance businesses.

Health Insurance:

Wearable devices such as fitness bands like the Fitbit help people, especially the elderly, track their health constantly. This information can help doctors treat patients who need immediate medical attention. Insurance companies, at the same time, can reduce claims by offering policyholders incentives to use such devices.

Home Insurance:

Sensors and detectors connected via the internet can send early warnings of smoke or radiation to rescue services, helping to minimize damage. Information from interconnected smart devices at home can also be used by insurance companies to assess how safely a home is maintained. Smart devices also let people keep an eye on their home while they are away, reducing the incidence of theft or burglary and saving people from losing precious assets, which in turn brings down the claims raised by households.

Auto Insurance:

Telematics, such as monitoring vehicle speed and detecting rash driving, can help both the individual and the insurer reach a clear judgement on claims.

While IoT and interconnected networks could be a boon for offering policies, these small devices are taking insurance services to the next level. The huge amount of data generated by IoT devices can be used for predictions and for understanding the market and customers, which helps distribute policies more effectively and improves customer satisfaction.

Laravel 5.4 Vs Yii2 : PHP Frameworks Comparison

PHP frameworks make development faster. Among the many frameworks, Laravel and Yii are two of the most widely used. The recent releases are Laravel 5.4 and Yii2; we have compared how the two frameworks function from a developer's point of view.

Requirements

Yii is used by programmers for developing web portals and much more. The latest version, Yii2, requires PHP 5.4 or higher.
Laravel is designed for building high-end web applications. Laravel 5.4 runs only on PHP 5.6.4 or higher.
Laravel also requires the OpenSSL, Mbstring and Tokenizer PHP extensions.

Extensions

Both frameworks offer a wide range of useful extensions. Laravel has a larger number of user-contributed and commercial extensions than Yii2, covering a broader range of functionality.

Object Relational Mapping

Yii2 features data access objects, the Active Record pattern and, through plugins, Doctrine2; Laravel provides the same.

Laravel's ORM is Eloquent; Yii's is Active Record.

Security

Both Yii2 and Laravel 5.4 ship security features for authentication, authorization, SQL injection protection and CSRF protection. Yii2 couples these with the core code, whereas Laravel provides some of these measures through extension packages. In both frameworks the SQL injection protection relies on parameter binding, so it only applies when developers use the query builder or ORM rather than concatenating raw SQL.

Performance

When it comes to performance, Yii is considerably faster than Laravel: Laravel 5.4 takes about 2 ms of application startup time whereas Yii2 starts in about 1 ms.
Yii also has a strong caching system and supports database-backed page caching, Memcache, XCache, fragment caching and APC, while Laravel's cache drivers include database, Memcached and Redis.

Templating Engine

Laravel 5.4 uses Blade, a simple yet powerful templating engine that, unlike some other PHP templating engines, lets you use plain PHP code in views. Blade view files use the .blade.php extension. The Vue.js JavaScript framework can be used with Laravel.
Yii does not use any third-party templating system by default, but Twig or Smarty can be used.

Conclusion

The selection of a framework is clearly based on project requirements. Yii overtakes Laravel in some aspects, such as security and performance, while Laravel's conventions help programmers avoid coding flaws.

Both frameworks have their own pros and cons, but Laravel and Yii are both excellent frameworks to work with.

Top Latest Trends in Insurance Tech


Today, the insurance industry is in a phase of digital transformation aimed at enhancing its business models. There are a few key areas we can expect insurers to embrace as they seek to create more automated, user-friendly processes.

Use of automation and artificial intelligence

The insurance industry is shifting towards automating more complex and risky processes rather than relying on traditional methods, which are less effective in terms of time and accuracy. Emerging technologies like artificial intelligence and machine learning provide scope for intelligent automation in analyzing the huge amount of data generated by IoT and smart wearable devices. Analysis and cross-checking of this data help in understanding customers better and in fraud detection, claims verification and processing.

With the more refined automated technologies and capability of analysing more data, insurance companies like AIG started employing smart drone for automated property assessment and claims processing, which not only helps in accurate assessment but reduces the operational cost also.

Redefining of Insurance distributions

For better user experience, insurers have already generalized the new channel of distribution such as online research, comparison platforms and chatbot for better interaction and understanding, which already impacted in the market of personal insurances. The new direct distribution channels and online comparison platform for direct small insurances are likely to be more effective in coming days.

Companies like Allstate already allow small business owners to buy policies in just five minutes, and P2P platforms like Gather give small business owners the opportunity to self-insure, with coverage offered through a captive that is owned by the businesses it insures. This offers greater transparency and reduces the cost of policies for these types of enterprise.

Insurance through value chain disaggregation

As the market grows, specialization within sectors is becoming more popular. As insurers move into advanced digital stages, there is greater use of data, automation, connectivity, ecosystem integration, new development methodologies, and smarter use of IT resources. Some of these companies provide a customer interface with a unique value proposition; others provide tools and specialized software solutions for insurers.

Companies like PolicyBazaar provide insurance comparison and give customized suggestions and recommendations based on customer needs and choices, using artificial intelligence.

Data analytics for improved profitability and a better customer experience

Exponentially greater data availability and the better analytical capability of software provide the basis for decision making. Cross-checking and analysing the large amounts of data coming from various unstructured sources, such as real-time social media data and the data from connected devices, helps with better risk management, driving greater profitability as well as a better customer experience. By applying a combination of techniques such as predictive modelling, text mining, database searches and exception reporting, insurers gain better customer insight and fraud analytics, which help them build insight-driven strategies and risk mitigation strategies.

Sensors, detectors and telematics for building data

IoT, or the Internet of Things, refers to physical objects embedded with sensors that gather information about specific objects and transmit it. The transmitted data is then analysed as discussed earlier.

In insurance, the use of IoT technologies is becoming more popular. In home insurance, smart homes are one of the fastest growing segments, and insurance companies are offering larger discounts on policies for internet-connected (smart) homes.

Various wearable devices are also in demand, as they enable life and health insurers to engage better with customers while obtaining real-time insight into risk. Aditya Birla Health Insurance offers its policyholders health benefits and rewards for connecting approved apps and wearable devices to its health app so that it can track their activity.

Property and casualty insurance companies like AIG are going to use smart drones for better property assessment.

Blockchain Technology for fraud detection

In the coming days, Distributed Ledger Technology (DLT), or blockchain technology, is going to be leveraged across all sectors, including insurance, for its revolutionary way of sending, receiving and storing information securely and in a decentralized manner. Using blockchain technology in insurance will improve the quality of service, increase the volume of data from new data sources, automate claims and reduce operational costs. According to a report from EY, it also has the potential to ease fraud detection and risk prevention.

Once insurance and blockchain technology are interconnected, key business processes like policy management and claims management are likely to be transformed, and new business models are expected to emerge using blockchain.

Augmented Reality/Virtual Reality in Insurance

Though augmented reality is leveraged by many other sectors, such as social media and gaming, in the insurance sector it is still limited to areas like marketing and training, where it simplifies complex explanations for customers and employees. What if 3D modelling and simulation could help customers make insurance claims more easily and quickly? Or what if, before you take out home insurance, a simulation helped you pinpoint all the areas covered, rather than reading the lengthy document?

There are big challenges ahead for insurers. As technologies keep changing, executives will need to carefully consider the opportunities.


The IoT world is getting trendier and more fashionable with these latest trends


Let your treadmill pass its data to your wearable device, to be read on your smartphone with visuals and analytics. Or how about casting your mobile to the office projector while everyone is having their evening snacks and enjoying live cricket?

Let’s see what the latest trends in IoT are.

Welcome to the Connected World!

Research firms like Gartner say 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016. Firms like Intel, on the other hand, predict that there will be 200 million connected devices by 2020. With such rapid growth, startups and big firms alike are keenly watching this space. So here we bring you the latest trends shaping the world of IoT (the Internet of Things).

An Increase in Minuscule Products

Products like sensors and cameras may be small, but the power they hold makes them sustainable in the long run. Smart homes, smart cars, climate control and home security are some of the applications that need these sensors and devices. In future we may see them as default items in the IoT world, but for now they are the stepping stone and will create an impact in the IoT domain.

Evolution of IoT Squares

A peculiar case in IoT is that Amazon Prime Video cannot be cast via Google Chromecast; the user needs to purchase an Amazon Fire Stick to enable casting. With such a wide range of hardware and software, users can’t be loyal to just one firm. Hence the need for gateways that allow the software, hardware, apps and devices of various vendors to connect, interact and communicate without having to be changed.

These markets would help not only users but also firms that want to automate their legacy equipment. They could simply tap into industrial drivers, hubs, data visualization, monitoring and data mapping modules and reap the benefits.

Let the Data Do the Talking

Big Data is no longer an emerging trend but a default technology adopted by most businesses. Using Big Data together with the IoT cloud, however, could help many firms make informed decisions. For example, an insurtech firm could gather a customer’s driving behaviour and patterns using sensors and design a customized policy that suits their needs.

IoT analytics is an upcoming trend, and many startups are eager to provide the optimum solution to other businesses.

Integrate IoT with Machine Learning

Machine learning is another emerging trend that experts are confident will change the future, but its benefits could be manifold if it is integrated with IoT. Mantra’s innovative solution XAVI is the best example here. Imagine entering your home after a long, tiring day and wishing someone could switch on your lights, TV and air conditioner. XAVI is a genie that lets you do so with your voice or through a mobile app. As you get comfortable on your sofa, you could ask it to list all the English movies airing in the next 15 minutes, and in no time you would have that list on your TV screen.

It would also help firms gather data on individual usage patterns and assist them in building more cognitive technology.

Security: the Major Opportunity

With every new technology, the first question posed is: is it safe? While many people believe interconnection could make systems more vulnerable to attack, the opportunists see it as a space to explore and to come up with more robust solutions for keeping devices and data protected.


7 Reasons why PHP is getting so popular


Millions of websites have been developed in PHP, and counting. Why do you think PHP web development is so popular? Apart from benefits like being open source and free, PHP has many other benefits that attract developers and clients.

So, let us take a look at some of the most important reasons why PHP is so popular.

Simplicity

PHP programming is like composing an English article for the computer. Even though the language ultimately runs as bits and bytes, it can be run productively on any system. Writing a PHP script is pretty straightforward compared with other languages, so programmers can write highly customized scripts.

Zero cost

PHP is open source, meaning that it is free, handy and supported by loads of documentation. All of this makes PHP one of the savviest systems around, and it has found its way into popular applications like Facebook, Twitter, Wikipedia, WordPress and more. Being open source also means that PHP is readily available to new developers who want to test their coding aptitude.

Works exceptionally well with CMS

PHP makes scripting malleable, allowing developers to change code as and when they wish. PHP websites are fully customizable and can be transformed to meet customer requirements with ease, because Content Management Systems like WordPress, Drupal, Joomla and others are primarily based on PHP. Hence, developing or integrating a robust custom-made CMS solution with your website is simple.

Versatile

PHP code can be run on all major platforms, allowing developers to coordinate sites across their different stages. For businesses, this means cost-effective use of the existing infrastructure, working on platforms like UNIX, Linux and Windows, with additional support for integrating Apache and MySQL.

Flexible, measurable and effective

This is clear from the fact that the biggest social network, Facebook, runs on PHP. The usefulness of PHP for such a dynamic platform also led to the creation of “Hack”, a derivative language, to meet changing development needs. Unlike some competing languages, PHP doesn’t require a server restart to be updated.

Extensions and other add-ons

PHP is the most adaptable language in the field of web development. It allows developers to create and add new functionality that keeps end users hooked. Further, extensions and plugins help new developers cope with programming challenges.

Large Community/Libraries

PHP is backed by a huge library of resources and tutorials. Being open source, developers get to learn from users across the globe, and this has been a defining reason why PHP is being adopted by every web developer today.

Some Interesting Statistics

  • Usage of server-side programming languages for websites

This diagram shows the percentages of websites using various server-side programming languages.

  • Historical trends in the usage of server-side programming languages for websites

This report shows the historical trends in the usage of server-side languages since January 2010.

  • Usage of server-side programming languages broken down by ranking

This diagram shows the percentages of websites using various server-side programming languages, broken down by ranking.

Stay tuned for more updates.

Press Release June 2017

Mantra Labs and Medallion Healthcare sign a Strategic Partnership

Over the last 10 years, Medallion has evolved into a reliable partner for executing healthcare assignments, ranging from setting up for-profit hospitals, establishing medical colleges and partnering with government institutions to, more importantly, introducing social enterprise models in rural India. Medallion, with more than 50 collective years of functional experience, brings implementation as its core value proposition to this partnership.


“Technology will be the single most driving force for healthcare to innovate and improve its service offerings. We are extremely confident that Mantra Labs, with their level of technical competence, are the ideal partners to build healthcare solutions. This partnership will go the distance in terms of our clients accessing cutting-edge technologies.” Manesh Mathew, Founder & CEO of Medallion Healthcare.

As part of expanding the scope of its services in healthcare, Mantra Labs has entered into a strategic alliance with Medallion Healthcare. Through this synergy, Mantra aims to gain vital functional knowledge from user groups and thereby develop next-generation solutions that address the actual pain points of customers as well as healthcare providers.

Mantra Labs is an ideal partner as it is a results-driven technology and design company that likes to be at the cutting edge of technology and to develop innovative, scalable software and design solutions.

Mantra Labs is working with clients all over the world on solving interesting problems in the Health-Care, Fin-Tech and Consumer Internet spaces.

“Mantra sees a huge scope for innovation and disruption in healthtech. We are focused on achieving success in healthtech in partnership with Medallion, using our advanced technical skills in new-age technologies. Medallion is an ideal partner; they have a proven track record of understanding healthtech from the perspective of its management, practitioners and end users.” Parag Sharma, CEO, Mantra Labs.


Press Release May 2017

Mantra Labs becomes implementation partner for Religare Health Insurance

Religare Health Insurance has signed a technical implementation partnership with Mantra Labs to work on development, support and technical advice for their user portal.


Religare Health Insurance Company Limited is a specialist health insurer engaged in the distribution and servicing of health insurance products. Religare is the most preferred healthcare service provider: caring, cost effective, innovative and reachable.

“Being an end-to-end product development company, from consulting and UI/UX to front end and back end, we are a perfect fit to take care of modules of Religare Health Insurance. Now we are implementing AI and ML to help them reduce costs in their call center operations. Being a vendor of Religare has helped us get better visibility and has proven our capabilities to work with bigger businesses,” says Kaushlendra Yadav, Co-Founder, Mantra Labs.

About Mantra Labs

Mantra Labs is uniquely positioned as a niche technology company with a strong focus on working on cool ideas in web, mobility, AI and IoT. We provide technology services across different domains to design and develop products in an agile, cost-effective and timely manner. We dive deep into your business to deliver business results, improve productivity, increase efficiency and reduce costs.

Kotlin vs. Java: Android Programming Language

For developers, what can be more exhilarating than a new programming language? Just as Java was named after the island of Java, Kotlin’s name comes from Kotlin Island, and so begins the rivalry between the two. We have covered some comparisons between these two languages.


On the JVM, Groovy and Scala are both powerful and versatile languages, but they are also verbose and not optimised for mobile.

Android’s answer to keeping up with the rapid pace of mobile development: the Kotlin programming language.

Let’s understand Kotlin first:

Kotlin is a statically typed programming language that runs on the Java Virtual Machine and can also be compiled to JavaScript source code or to native code via the LLVM compiler infrastructure. Although its syntax is not compatible with Java, Kotlin is designed to interoperate with Java code and relies on the existing Java class library.

Kotlin is an enhancement to Java rather than a completely new language, so many of the skills you have acquired in your Java career should still apply to your Kotlin projects.

Well, why should iOS developers have all the fun? If you’re an Android developer thinking of rewriting your Java project in Kotlin, don’t stress: the Kotlin plugin has you covered. It even has a handy tool that converts a Java source file to Kotlin.

Switching to Kotlin from Java:

Although Java 8 introduced a lot of new features for developers and is a modern programming language, Android developers can use it only partially and are largely stuck with Java 7. Java’s syntax is also pretty verbose, particularly compared with some other modern programming languages.

So you may want to switch to one of the many modern programming languages designed to run on the JVM, like Kotlin. Its greatest strength is the sheer level of interoperability between Java and Kotlin: everything still compiles flawlessly, users cannot tell which parts of your project are written in Java and which in Kotlin, and you won’t have to convert or rewrite anything at all.

And if you come across some code that seems drastically different, Kotlin is designed to be intuitive and easy to read, so you should still be able to get an idea of what is happening there.

It is a crossover between procedural and functional programming, aiming to bring you the best of both worlds by combining concepts and elements from each.

For the Android developers out there, Kotlin is developed by JetBrains, the company behind IntelliJ, which is also the IDE that Android Studio is based on.

If you compare a Java class and a Kotlin class, the one written in Kotlin will typically be much more concise and compact. As every developer knows, less code means fewer bugs!

A few drawbacks of Kotlin too:

  • There is an extra runtime size: the Kotlin standard library and runtime will increase the size of your APK, but this only equates to around 800KB.
  • The biggest factor that might worry a developer is that Kotlin isn’t officially endorsed by Google. Also, compared to Java, Kotlin has a smaller community on Stack Overflow and thus less available help.

In conclusion, Java 6, 7 and 8, with all their workarounds, back-ports and tools to overcome those hurdles, still had room for improvement, and Kotlin grew up in the same room. The newer, lightweight Kotlin is designed to advance existing Java paradigms, solve problems with API design flaws and, even though it is equally suited to enterprise back-end systems, make Android mobile development better.

Overall, it is one of the safest bets as an alternative to Java for custom Android app development.
And did I mention that semicolons are optional? 😉

Stay tuned for more updates.