Be Consistent Not Uniform

Trux Android, iOS

Android UI is not iPhone UI

A common shortcut often taken is to make one UI work on multiple platforms, and I find myself fighting this misconception often. My thoughts on this were spurred by an article Mobile First, Desktop Worst, which basically takes on mobile first and responsive design as being flawed. I think many of the arguments presented in that article were also relevant to building mobile UIs for an app that exists on both iOS and Android.

UI development is the most time consuming aspect of developing mobile apps. As the app owner you may want your app to be the same on all platforms to try and minimize the work, but this thinking is wrong. Individual users don’t use your app on multiple platforms and expect a common experience, they use your app on their chosen platform and expect it to act like other apps on their chosen platform. An application which does not adopt the UI conventions of the target platform will have diminished success. Users now expect applications to match their platform experience, especially millennials or users who don’t have experience in other platforms.

Each platform has controls, widgets and interaction paradigms that do not exist on other platforms. One UI that works across all platforms will not take advantage of the unique features of each platform, becoming a compromised design that does not meet user’s expectations. The differences in each platform are typically what makes a quality user experience for that platform. The least-common-denominator approach of the sameness across platforms reduces the potential for adoption and success of an app on any given platform. Mobile usability and a fabulous UX are now expected, and your app won’t achieve that goal unless it exploits the platform and device features.

Many of the cross-platform tools make this mistake out of the gate and promise a two-for-one outcome, which is fallacious thinking. Don’t fall into this trap.

Apache HTTP Client in Android API 24+

Trux Android

Google had been telling us for quite some time that the Apache HTTP Client was deprecated and going to be removed, and with the release of Marshmallow (API 24) this came true. For the vast majority of developers, this is a non-issue. The HttpUrlConnection object is more than adequate. But for some enterprise developers, this presented a problem. The HttpUrlConnection does not support NTLM (Microsoft Active Directory) authentication. But the Apache client does. If you are using or want to use the Apache client, it is still possible. Simply add this to the android section of your build.gradle:

android {
    useLibrary 'org.apache.http.legacy'
}

Now when you build the Apache client becomes available again. It’s still marked as deprecated and Android Studio will complain, but it definitely works.

Resources – Android Authentication in the Web World

Trux Android

I am presenting this talk at the Michigan GDG DevFest on April 22nd. It’s an look at understanding and using existing web technologies for authenticating an Android application to web services, to make for a more secure experience for your Android users.

Code

Github repo

Slides

Links

Resources – Apps Users Want to Use

Trux Accessibility, Android, iOS, Uncategorized

DetroitDevDay

I am presenting this talk at DetroitDevDay on November 12th. It’s a look into some differing views on psychology and app composition and how it affects users of software. As a mobile developer, this kind of work had come to the forefront as the bar for mobile apps continues to rise.

Books

Articles

Videos

Accessibility Resources

Trux Accessibility, Android

I am speaking at the Detroit Google Developer’s Group on October 26th about Accessibility in Android. In preparation for my talk I have gathered lots of link resources and am posting them here to track for myself and to share.

General

Section 508

Android

Testing

Adding Keyboard Navigation to a RecyclerView

Trux Accessibility, Android

List showing selected tab only

I’ve created a list of items using a RecyclerView which works fine (see the screenshot). But, in order to keep my app accessible, I need to support keyboard-based navigation. Just using the normal Recyclerview pattern and the associated layout was not good enough. If I use a keyboard, I am unable to move the focus down into the list, the focus stops in the tab control and then cycles back up to the app bar. Tapping the items with your finger works fine, and even switch access moves the focus properly to the list items. But it doesn’t work for the keyboard.

The trick is to set the LinearLayout to focusable and clickable, and set the background of the LinearLayout to:

android:background="?android:attr/selectableItemBackground"

as shown below in the XML layout snippet below. These three changes allow the list items to be selectable by the keyboard.


<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="horizontal"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:background="?android:attr/selectableItemBackground"
    android:focusable="true"
    android:clickable="true"
    android:paddingBottom="5dp">

    <ImageView
        android:id="@+id/item_image"
        android:layout_width="48dp"
        android:layout_height="48dp"
        android:layout_marginTop="8dp"
        android:adjustViewBounds="true"
        android:layout_weight="1"/>
    <TextView
        android:id="@+id/item_name"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_marginTop="8dp"
        android:paddingTop="12dp"
        android:layout_weight="8"/>

</LinearLayout>

What should I build?

Trux Programming

Crystal Clear app ktip

I’ve been asked by developers who are learning this exact question. They want to build something to practice their skills or learn a new language or platform, but they don’t have ideas. Luckily, there are solutions for this problem that don’t require the next great idea.

Recreate A Simple App

Look in the App Store or Google Play for a really simple app. A timer, flashcards, a calculator, a pedometer. It doesn’t matter. Make one of your own, use the one you found as a set of requirements. You don’t need to publish the app, you just need to have something to build. If you can publish it, that’s even better but the goal is to practice and get better at coding.

I did a variation this one. Initially, I made a flash card game for my daughter to learn her fact families. The school required here to complete 50 problems in under 2 minutes. I couldn’t find any game at the time that had that feature, so I made one myself. Since that time I’ve re-written that game on two additional platforms (Silverlight and Android) and even ended up publishing it.

Hackathons

Hackathons are events where a bunch of programmers get together and build things. Sometimes it’s for fun, sometimes it’s to help others, like nonprofit organizations or the local government.The ideas typically come from organizations who need help. Sometimes hackathons are competitive and have prizes. They can be in person or online. Usually they take place over time time period, from hours to weeks in duration. You can find a list of hackathons at DevPost. In-person hackathons are great because you can learn from other developers and network with your peers. The online versions are more likely to offer prizes though.

Open Source

You can contribute to an open source project. It’s helpful if it’s a project you are already familiar with. Look at their issues list. There are bound to be bugs reported that need fixing. Fork the code, fix the bug, submit a pull request. Make sure you talk to the project leaders though and understand what they are looking for in pull requests so you head down the right path when you start fixing the bug. This route helps you learn to read code, and get good experience setting up a development environment for someone else’s work.

Exercises for Programmers

This book from the Pragmatic Programmer series provides a set of exercises you can use to build something. Lots of them are small, but there are quite a few that could be a full app. Not original ideas you could probably publish, but still plenty of ideas you could build.

Learning To Have Ideas

Like any other skill, having ideas can be learned and practiced. In the end it’s a numbers game, you need to have lots of bad ideas in order for some good ones to come out. Set aside time and try to come up with ideas, no matter the quality. Write them down. Do it again tomorrow, and again after that. Before long you will start to see better ideas emerging. But you need to keep at it. Doing it once isn’t going to work.

Android Certificate Pinning

Trux Android, Security
Barnum.aktie

Securing your web sites and services using HTTPS is something you should be doing no matter what. Last year the government mandated all their sites move to HTTPS, and even Google is rewarding secure sites in its ranking algorithm. There is no reason for not using HTTPS any more. Since HTTPS is the baseline for web apps, certificate pinning should be the baseline for mobile apps interacting with the web.

OWASP published a good description of certificate pinning. To summarize, pinning a certificate means that your app is verifying that the site the app is communicating with is the actual site by comparing the certificate presented by the site to one bundled in the app. This prevents a man-in-the-middle attack on your app.

Why is this important to your app? It matters greatly if you also own the web service API or use a proprietary or paid API. Attackers can use a man-in-the-middle attack to reverse-engineer the web service interface, or to inject malicious data into the payload sent by your app to the web service. In fact, I have used this technique in the past to deconstruct a vendor’s API to better understand how to call it. Lucky for me (but bad for consumers) that they didn’t pin certificates in their Android app in the Play Store.

How Do I Pin a Certificate?

Get the Certificate

First, you must acquire the certificate. Luckily you only need the certificate, and not the private key. If your team/company built the web services, you can get the certificate from them. If you are consuming a public API, there are a variety of ways to get the certificate. I just use OpenSSL from the command line:

ex +'g/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect your.company.com:443) -scq > export.crt

In all likelihood, there will be more than one certificate found by that command, known as the certificate chain. You need the whole chain, and the above command will place those into the file. This file will be placed into the Java keystore.

Create the Keystore

You will need to download the BouncyCastle jar which is a cryptography API we’ll use to convert the certificate into the required .bks keystore. Create the keystore from the command line:

keytool -importcert -v -trustcacerts -file export.crt -alias ca -keystore pin.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath /path/to/bcprov-jdk15on-155.jar -storetype BKS -storepass thekeystorepassword

Move the resulting .bks file into the res/raw folder of your Android Studio project.

Using the Keystore in Code

To keep the example simpler, we’ll look at how to use it directly with the HttpsURLConnection object. We’ll open the keystore, set its contents to an SSLContext, and then add a TrustManagerFactory to the SSLContext. Finally, we’ll associate the SSLContext object to the HttpsURLConnection and then the code can proceed as normal from there.


KeyStore trusted = KeyStore.getInstance("BKS");
InputStream store = app.getResources().openRawResource(R.raw.pin);
trusted.load(store, "thekeystorepassword");
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trusted);
sslContext.init(null, trustManagerFactory.getTrustManagers(), null);

final URL networkUrl = new URL("https://your.url.com/resource");
final HttpsURLConnection conn = (HttpsURLConnection) networkUrl.openConnection();
conn.setSSLSocketFactory(sslContext.getSocketFactory());
conn.setRequestMethod("GET");

final InputStream inputFromServer = conn.getInputStream();

But I Use Retrofit!

(updated 4-19-2017)

Retrofit and the OkHttpClient make it even easier. You don’t need the certificate in a keystore. All you need is a hash of the public key, which you can get using this command:

openssl s_client -connect www.yourdomain.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

In your Android code you use the CertificatePinner object and inject that into the OkHTTPClient builder before building your Retrofit object. Note the prepending of the hash type and a slash before the actual hash value:


CertificatePinner certificatePinner = new CertificatePinner.Builder()
    .add("www.yourdomain.com", "sha256/UXRFPJGwFvvyJI3vFOMIc19r0JNlNSQydEnYRrZI/W4=")
    .build();
client = httpClient.certificatePinner(certificatePinner).build();

builder = new Retrofit.Builder()
    .baseUrl(Settings.BASE_URL)
    .client(client)
    .addConverterFactory(GsonConverterFactory.create());

Security

So some of you may be thinking:

Hey, hold on there. The certificate (and keystore password) is in my app now. Can’t someone decompile the app and get the certificate?

Yep, that’s true, someone could get the certificate (unless you used Retrofit), which they can technically fetch even without your app. The good news is that they can’t use the certificate to fake being the web server without the private key, which we never used here or included in the keystore. The certificate is publicly available, you aren’t decreasing the security of your app, you are increasing it!

Also, I’d like to point out that I didn’t use the term SSL. At this point in time, well-hardened web servers shouldn’t be using SSL, they are actually using TLS. SSL has become synonymous with HTTPS and that’s just wrong, and even SSL vs TLS is not a completely equitable comparison. HTTPS means the connection is secure, SSL or TLS is the method used to secure the connection.

First Time Jenkins iOS Build Stalls

Trux DevOps, iOS

We’ve been adding some Cordova-based builds into our system, and the first iOS build kept stalling during the build. After some troubleshooting and Googling I came across this fantastic article: Automating Cordova Workflow: xcodebuild Hangs During iOS Build. What Simon describes is exactly the effect we were observing, and his solution solved the problem. What is happening is Cordova is not creating the Xcode project correctly, it’s missing the schemes. Opening Xcode on the server fixes this, as does the scripted solution presented by Simon.

But even better than fixing our current problem with Cordova, one of the commenters solved another mystery which I’ve encountered for a long time in Jenkins iOS builds. The first time a project is built using Jenkins, it never seems to work. But if you remote into the server and just open the project using Xcode, it magically starts working after that. Turns out the schemes are stored in xcuserdata, which we are keeping out of source control with .gitignore. Opening the IDE on the server causes the schemes to be created. The real solution is to set the schemes to shared in Xcode. Open the Product menu in Xcode, choose Scheme then Edit Scheme:

Xcode Edit Scheme Window with Shared checked
Click the Shared checkbox then check in the project. The schemes will now be part of the build and it won’t hang mysteriously any more.

Work Kudos

Trux Meta

My team helped develop a demonstration Real-Time Health System described in this article.  It was a fun project using lots of different technologies:

  • Android
  • iOS
  • Spring/Java REST Services
  • iBeacon
  • Vertica
  • AWS

My team built the mobile apps that interacted with iBeacons to simulate the interactions described in the article, both Android and iOS published in their respective stores. We also built middleware, REST-based web services and the actual disease model that ran the simulation. These communicated to a Vertica back-end where another team performed analytics on the data.

The demo ran at four conferences, including HIMSS in both 2015 and 2016.