Tech Tip: How to add Items to Favorites.

1. Click on the file/folder you want to add to favorites.

2. A small pop-up will appear to your right. Now click on Add to Favorites.


3. You can either add items to the default Favorites list or create a new list and add them to it.



Tech Tip : Create a Playlist In Tonido Android App

All you need to do is,

1. Play a song using the Tonido Android app

2. Click on the “Add Songs to Playlist” icon.

3. Click on the plus icon in the dialog to create a new playlist and add songs to it or click OK to add songs to default playlist.


4. Enter the name of the playlist and click OK


Your new playlist is now created.


Tech Tip : Change Storage location for Tonido downloads in Android app.

Step 1: Open settings in Tonido Android App


Step 2: Click on Downloads Path


Step 3: Now click on Change and change the path to store the Downloaded files


Step 4: Once you have changed the path to suit your convenience, click Confirm.



Tech Tip : Automatic Photo and Video Backup using Tonido iOS app

Tonido Server Side

In your Tonido server browser UI,

1. Log into your Tonido server and go to Settings->Misc

2. Under “Mobile Media Backup”, Check if the current “Media Store Location” is the place you want the images/videos to be stored (This is selected by the app automatically if nothing was set by the user). If not, set a correct folder.


Tonido iOS App side

Open your iOS App,

You will see a new icon on the bottom left. Tap that icon to open the Camera Upload settings.



The Camera Upload settings have a number of options. Tap “Server” to select the Tonido server to back up the photos and videos to.


If you have multiple Tonido servers that support and have enabled Mobile Media Backup, then they will show up in this list. Tap the server to select it as the backup target.


That’s it! Watch it do its thing.




How Tonido Personal Cloud brings Data Ownership, Privacy and Anonymity to your Digital Life?

When we started up Tonido, our goal was to provide a compelling alternative to public online services. We figured that a few companies controlling everyone’s information is not good for an equitable society. After 4 years, if we look at the current status of the Internet, all of our worst fears have come true. There is zero privacy and zero anonymity. The web is not open and the ecosystem is controlled by a few companies. One needs to set the expectation that everything that happens on the public internet gets tracked, aggregated, diced, profiled and sold to the highest bidder. Don’t do anything on the internet that you will not do in a public place. People’s memories fade, but the Internet never forgets.

The music you access, the emails you send, the photos you share, the comments you post and pretty much anything you put on public online services serve as one more data point to create your online persona. With a few clicks anybody can buy that data for a cost.



As always, the individual liberty and protection of privacy is the responsibility of users. Nobody is going to do that for you. If you have young kids or newborns many of them will outlive the current set of hot internet companies. But, by the time your kids become adults, the data that you entrust with these companies can change many hands and come back to haunt them in many ways. Even if the current management is benevolent (‘do no evil’) there is no guarantee that the future management will be benevolent.  Hard times and bad economies can change the way companies will treat your personal data.

With your permission, you give us more information about you, about your friends, and we can improve the quality of our searches. We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about -  Eric Schmidt, Executive Chairman of Google

This quote pretty much summarizes the power that we voluntarily give out to internet companies. The new internet monopolies are not much different from the 19th century robber barons. The railroad magnates used their control over rail road distribution to create monopolies. In similar ways, the large internet firms use network effects, control over personal data and monopolies over desktop and mobile Operating Systems to serve their profit goals. It is not illegal. It is business as usual. But as users we need to think twice about the information we freely offer. What kind of control are we forsaking?


Many of the popular internet companies (Google, Facebook and others) enforce a real name policy, thereby ensuring they are able to identify, track and aggregate you and your data anytime you use their services. We are not advocating that you should not use their services. But do expect that anything you do and share on these services is up for sale. The “I have nothing to hide” argument is not really valid here. The data you put or share in these services can have profound practical implications in your job search, getting insurance or getting a financial loan. It is not really about hiding stuff any more. The basics of life are at stake here.

Smart people now understand this predicament and indiscriminate sharing on social networks is changing slowly. If you want to have real control over your personal data then you need to have complete control over the system.

Tonido provides such a system. If you want to share your kids’ photos or share your thoughts with family and friends without any fear, Tonido can do that for you. Using Tonido, you can create this private, safe space that runs on your device behind your home router. You will have 100% control over this private little space.

Here are the 10 things that Tonido can do to safeguard ownership, privacy and anonymity:

  1. No Real Name Policy – Unlike Facebook or Google, we don’t require a real name to create Tonido account. You can choose any name.
  2. Completely Independent -  To facilitate ease of use, we provide dynamic dns and relay server capabilities to access your Tonido device from anywhere. You are free to use our dynamic DNS and relay servers or your own. Here are the instructions.
  3. Complete Control - Turn it On or Turn it Off any time.
  4. Private and anonymous shares- Tonido allows you to create private and anonymous file shares
  5. Ephemeral Shares - Tonido allows you to create time limited, ephemeral file shares that you can use to share content with friends and family
  6. Guest user support - Create user accounts for your  family members and friends in your own Personal Cloud
  7. Works without internet - The application and data is always local. You can access your Tonido device from your home network even if there is no internet
  8. Password Security - We store only your user name. We don’t store your passwords in our system. It will give you completely secure access to your data. Any centralized hack will not compromise your data.
  9. Cross Platform and works on any device - Tonido is available for Windows, Mac OS X and Linux. You don’t need  expensive hardware to run Tonido – Any old computer will do.
  10. Powerful Alternative to Online Services - Out of the box, Tonido can replace Google Drive, Dropbox, Picasa, Flickr, Facebook and Spotify (if you own your music). It is extremely simple to use and comes with native mobile apps for iPhone, Android, Windows Phone and Blackberry.

In a nutshell, Tonido allows one to  access, share, sync and organize personal data from anywhere without losing control over the personal data.

We are committed in our vision to make Tonido the #1 Personal Cloud that safeguards privacy and online freedom. We are happy that our years of effort creating Tonido is making the world a better place. We don’t have billions of Tonido users. But we make a positive difference in the lives of the million or so users that currently take advantage of our systems. An active Tonido user puts an order of magnitude less data in the popular online services than an average internet user. Every user that Tonido attracts is one less user for a public cloud service. That is good enough for us.


Tech Tip:- How to Switch to Different Account in Tonido

Step 1: Go to Settings and then to Accounts Tab.

Step 2: Scroll down and click on Switch Account.

Step 3: You will see the Tonido Login Screen. From the login screen, you can either login with a different account name or create a new account using the New Account button.


*Note: Switch Account allows you to change the name associated with that computer or TonidoPlug, either by switching to a different account or by creating a new account.


Add, Edit or Remove Guest User from Tonido

All that you need to do is,

1. Click on Shared Files from the left navigation panel

2. Go to Guests tab

3. Click on “Add Guest” Button to add a guest




4. Type in the guest username and password and click on Create. The guest user will be created.

5. To update an existing guest: click on the edit button and type in the new username and password



6. Click on the Update button to save the changes

7. To remove a guest account: click on the remove button that appears next to the guest

8. Click on the “OK” button to delete the guest permanently


Change the Port on which Tonido is running

To achieve this,

1. Go to Settings->Network

2. Click on Http Port under the section “Web Settings”.

3. Type in the port on which you need to run Tonido.

4. Click Submit.

Restart the Tonido server for the changes to take effect.

Your Tonido will now be running on the port you specified. For example, you can open your Tonido using


How do you store passwords securely?

Whenever you make an application which requires a login, you need to store the passwords of the users. Passwords are important because they have the ability to give someone full access to a user account. Hence, it is very important how you manage passwords- sending them through requests, storing them and retrieving them. In this post, we will talk about the different techniques of storing passwords.


Using JSONP for cross domain requests

Developers are often not confined to the limits of their own domains. When you make requests through JavaScript across domains, the browser prevents the request from going through, citing the absence of an ‘Access-Control-Allow-Origin’ header. This is the ‘Same Origin Policy’ of browsers, which allows scripts running on a domain to make requests only to resources on the same origin, meaning the same URI scheme, host and port number. There are many ways around the same origin policy, ranging from routing the request through a web proxy to using CORS (Cross Origin Resource Sharing), but the most popular method is using JSONP.

What is JSONP?

JSONP simply refers to “JSON with padding”. It is essentially a JSON response wrapped in a call to a callback function whose name is specified in the URL. For instance, the following is a JSON response.

 { "username": "sdaityari", "name": "Shaumik Daityari" }

The same response with a callback function specified as processData is as follows.

 processData({ "username": "sdaityari", "name": "Shaumik Daityari" })

How does JSONP help in working around the same origin policy?

As browsers don’t allow requests to other domains, how then do we include external files hosted on CDNs (Content Delivery Networks) to speed up page loading and still get them to work? The secret here is the fact that these files are referenced through the src attribute of <script> tags. This leads to the conclusion that anything loaded through a <script> tag is executed by the browser in the context of the current domain!

Using the same idea, we supply a callback function, generally as a GET variable, to the src in the <script> tag, and we get a response of a JSON wrapped with the callback function. That essentially means that the callback function is executed with the JSON response as arguments. That helps in working around applications just like we did in the case of AJAX.

In the JSONP example provided, we would execute the function like the following-

 <script src=""></script>

By doing so, processData would be executed with the given arguments.

Why would this not work if it was returning just JSON?

In place of a JSON response padded within a function, if the server just returned a JSON, the data would not get executed, instead raising a Syntax Error. You could emulate a response by pasting some JSON into your JavaScript console.

When can it go wrong?

In the example above, the data that was returned through JSON was not so sensitive. It just contained the username and name. However, imagine an ecommerce site which stores credit card details as a part of your profile. Let’s assume the following request being made-

 <script src=""></script>

The website would return the following response irrespective of the website that requested the information.


 {
   "name": "Shaumik Daityari",
   "card_no": "xxxx xxxx xxxx xxxx",
   "expiry_date": "xx-xxxx"
 }


How does an attacker use it to get your data?

In the ideal case, this data is received by the intended website and used accordingly. However, let’s say that a malicious site gets wind of the information and tricks you into being redirected to their server.

Basically, you are browsing and you are asked to click on something. Their page then makes the same request and, since you are logged into the ecommerce site, data containing your information is returned. (There are other non-JSONP related security checks which can prevent this from happening, but let’s assume there were no other security measures to prevent this from happening.)

Once a malicious site gets hold of the sensitive data, it can process the data in the context of its own site, and therefore do whatsoever it wishes with the data, most probably storing it on its own servers for later use. Not only this, a malicious site can also get hold of your cookies which contain vital information that a website uses to track your progress on its site.

Using JSONP safely

The reason JSONP got so popular is the ease of use and implementation. All you need is a callback and you are done. Therefore, there are many security concerns which need to be taken care of while using this technique.

Sanitize callback

This is one little thing that can lead to dangerous consequences. In fact, many tutorials talking about the security in the JSONP method fail to get this one right. In PHP, you would generally execute the following.

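 echo $_GET["callback"] . "(" . json_encode($my_data) . ");";

Because the callback value is echoed unmodified, whatever text the requester supplies is reflected into a response that the browser runs as script, which makes this an XSS risk. In addition to that, vulnerabilities in JSONP have also been identified through a technique called flash injection.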

The right way, as explained by Dylan Tack on his blog, is to use appropriate headers to manipulate the output in case the callback is being used for an XSS attack. He uses the following code-

 function generate_jsonp($data) {
   if (preg_match('/\W/', $_GET['callback'])) {
     // if $_GET['callback'] contains a non-word character,
     // this could be an XSS attack.
     header('HTTP/1.1 400 Bad Request');
     exit();
   }
   header('Content-type: application/javascript; charset=utf-8');
   print sprintf('%s(%s);', $_GET['callback'], json_encode($data));
 }
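
The same callback check, as an added JavaScript example that is not code from the original post or from Dylan Tack. It goes a little further than the PHP version: it also sends `X-Content-Type-Options: nosniff`, prefixes the body with `/**/` (a mitigation commonly applied against the Flash-based injection mentioned above) and escapes characters that could break out of the script context. The function names and the response object shape are assumptions made for this sketch.

```javascript
// Added example; function names and the response shape are hypothetical.
// Identifier, optionally dotted ("app.onData"), with a bounded length.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 64;

function isSafeCallback(name) {
  // The typeof test also rejects a repeated parameter parsed as an array.
  return typeof name === "string" &&
    name.length <= MAX_CALLBACK_LENGTH &&
    CALLBACK_RE.test(name);
}

// JSON.stringify leaves U+2028/U+2029 unescaped, and older engines treat
// them as line terminators inside string literals. "<" is escaped too, so
// the body can never contain a literal "</script>".
function toScriptSafeJson(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\u003c");
}

function buildJsonpResponse(query, data) {
  const base = { "X-Content-Type-Options": "nosniff" };
  if (!isSafeCallback(query.callback)) {
    // Reject instead of cleaning up: nothing requester-chosen is echoed.
    return {
      status: 400,
      headers: { ...base, "Content-Type": "text/plain; charset=utf-8" },
      body: "invalid callback",
    };
  }
  return {
    status: 200,
    headers: {
      ...base,
      "Content-Type": "application/javascript; charset=utf-8",
    },
    // The comment prefix keeps the first bytes of the body out of the
    // requester's control.
    body: "/**/" + query.callback + "(" + toScriptSafeJson(data) + ");",
  };
}

// Constructed sample requests.
const ok = buildJsonpResponse({ callback: "processData" },
  { username: "sdaityari", name: "Shaumik Daityari" });
const bad = buildJsonpResponse({ callback: "alert(1)//" }, {});
console.log(ok.status, ok.body);
console.log(bad.status, bad.body);
```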


Full trust on a different domain

Using JSONP requires that you trust the remote domain fully. This essentially means that if, for some reason, the remote domain’s functionality breaks, your service breaks too. It remains your decision, however, whether you want to depend on a third party service.

Moreover, as we are using it under script tags, it is difficult to catch errors within it and error handling changes from browser to browser, making it difficult to manage a proper structure.

User Authentication

For argument’s sake, a possible way to login a user into a remote site using only JSONP would involve sending the username and password as GET variables (since that is the only way HTTP requests can get you the data in a script tag). It is an unsafe method of authentication and therefore, should be avoided.

For the purpose of user authentication, it’s favourable that you follow the general workflow of OAuth- redirect to parent website, authenticate the user and on successful authentication, generate and share a token.

Using CSRF tokens for write operations

In case you are using the JSONP technique to write data to your server (whether it’s create or update), you must know that JSONP uses GET, which is not secure. In order to make sure that everything goes according to plan, you could issue a token within the headers of every request. A token needs to be generated for every user who is authenticated using the step above.

That being said, there are far better options considering security during writes, updates or deletes and you should follow them rather than finding workarounds with JSONP, which should ideally be used for reads only.

Looking forward- using CORS (Cross Origin Resource Sharing)

We have seen a few use cases of JSONP and all of them can be achieved by the web proxy method too. Although the JSONP technique remains popular, the vulnerabilities in it make it a headache to implement in complex situations. CORS has been gaining popularity steadily as its support in major browsers continues to grow, and it’s taking over the uses of JSONP.

   request = new XDomainRequest();
   request.open("GET", url);
   request.onload = function() { /* use request.responseText here */ };
   request.send();




How does CORS work?

The CORS process adds new HTTP headers to the request, which allows the server to serve resources, but only to requests from known and trusted domains. This means that if tries to access information from, it would not be possible because would not recognize! For further information on CORS, you could head over to the Mozilla Developer Network.

The only drawback of CORS is the lack of support from older browsers and if you don’t care about users with those old browsers, you should definitely go ahead and give CORS a try.
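
The "known and trusted domains" decision described above, as an added example that is not part of the original post: a server-side origin allowlist that compares the whole origin exactly, shown beside a substring check that accepts look-alike hosts. The origins and function names are constructed for illustration, and `browserExposesResponse` is a simplified model of the browser's check for a credentialed request.

```javascript
// Added example; the origins and function names are constructed.
const TRUSTED_ORIGINS = new Set([
  "https://shop.example",
  "https://account.shop.example",
]);

// Weak check, shown for contrast: substring matching also accepts
// look-alike hosts that merely contain the trusted name.
function weakIsTrusted(origin) {
  return typeof origin === "string" && origin.includes("shop.example");
}

// Corrected check: exact comparison of the whole origin (scheme, host, port).
function isTrusted(origin, trusted = TRUSTED_ORIGINS) {
  return typeof origin === "string" && trusted.has(origin);
}

// Build the CORS response headers for one request.
function corsHeadersFor(requestHeaders, trusted = TRUSTED_ORIGINS) {
  // Vary: Origin stops a cache from replaying one origin's grant to another.
  const headers = { "Vary": "Origin" };
  const origin = requestHeaders.origin;
  // No grant header means the browser refuses to expose the response.
  if (!isTrusted(origin, trusted)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Simplified model of the browser's decision for a credentialed request:
// the granted origin must equal the page's origin exactly ("*" is not enough).
function browserExposesResponse(pageOrigin, responseHeaders) {
  return responseHeaders["Access-Control-Allow-Origin"] === pageOrigin &&
    responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample Origin header values.
const samples = ["https://shop.example", "https://shop.example.lookalike.test",
  "http://shop.example", "null", undefined];
for (const origin of samples) {
  const exposed = browserExposesResponse(origin, corsHeadersFor({ origin }));
  console.log(String(origin), "->", exposed ? "readable" : "blocked");
}
```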
