Security testing and hardening Android apps

Interesting talk by Scott Alexander-Bown on Android security and hardening at the second day of Droidcon.uk.

The OWASP mobile security project provides guidance on threats, testing and patterns to make static and dynamic analysis of apps harder for hackers.

 

Advertisements

How to debug deep linking in iOS

What is deep linking?

Deep linking basically enables you to open an app from another app or a website while passing on parameters. This mechanism works with custom URL schemes which you can define in the .plist of your app.

Why deep linking?

If you have an app with lookup functionality (e.g. an app for finding song lyrics) you might want to perform a lookup without having to navigate to the designated screen and typing in the query. This can be achieved by opening the following example URL MyAppScheme://myAction=lookup&myQuery=What%20is%20the%20meaning%20of%20life in another app of the browser. In this case the app is programmed to read the ‘myAction’-parameter on startup to determine the action and the ‘myQuery’-parameter for the search query. Often, deep linking doesn’t go as planned and you might need to debug your app.

Why is debugging this difficult?

Deep linking might occur in three kinds of scenarios:

  1. The app hasn’t been installed yet
  2. The app is running in the background (or foreground for that matters)
  3. The app is installed but not running at all

Scenario 1 is irrelevant in this case, so we’ll skip this one. Scenario 2 should be no problem since the app is running on the device (or simulator) while in a debug session. Scenario 3 requires you not to have the app running, but you need the debug session to be able to debug. This is a problem because Xcode starts the app automatically when starting a debug session. Instead of letting Xcode start the app, you want to do it yourself using the deep link URL.

So… tell me how to do this

There is a convenient option which enables you to start a debug session by manually starting the app. To achieve this, go to the ‘Edit scheme’ screen and tick the ‘Wait for MyApp.app to be launched manually’ option on in the ‘Run’ configuration.

Image

Whenever you run the target in Xcode, the app doesn’t automatically starts and the debug session will only start when you manually start the app.

So start kicking some bugs ass!

Mobile Down South in Eindhoven

On Friday June 7th 2013 Mobile Down South (MDS) will be held in the beautiful High tech campus in Eindhoven (visit the website to get tickets).
MDS is a conference by developers, for developers working with mobile technology. This years theme is how mobile will bring us closer together.
Read more about the conference and schedule here: http://www.mobiledownsouth.nl/139/programma.html
Last year we presented at MDS, this year we will be sitting back, enjoying the long awaited sun and relaxing with our fellow mobilists in Eindhoven.

What do I think about the iPad mini?

The iPad mini has been around for a few days now, giving us a chance to play with it. To be honest I was sceptical wasn’t sure if I should buy one. After all, I’m very satisfied with my iPad third generation. But all the reviews and positive words made curious and wonder about how the apps that I had helped develop will look on this smaller screen. Will text be readable and can users still press the buttons easily? Those questions and a dozen others persuade me to buy one.

After unboxing the first thing I noticed is how amazingly light it is compared to its 10 inch brother. The finish of the iPad mini looks and feels nice and solid. It feels like an iPad, yet smaller and easier to hold. After playing with it for a while I must say that the user experience is excellent! The whole UI feels very smooth and is sometimes even faster than the iPad third generation. I now understand why Apple decided to upgrade the iPad third generation. I haven’t played with a fourth generation iPad yet but I’m convinced that the user experience will feel similar to the iPad mini.

The screen size is just right. Any smaller and it would feel like a big iPhone. The only downside is the lower resolution and that the colors are less vivid than on the iPad third generation. It is clearly noticeable if you’re used to the iPad third generation but way better than the iPad 2. Below is a screenshot comparison of some apps I worked on. From left to right: iPad mini, iPad 2, iPad third generation.

If you enlarge the thumbnails you can see that text is still clear and buttons can be pressed with ease. I would not replace my iPad third generation, but If I had an iPad 2, I would definitely replace it. Over all I’ve used the mini more often than I expected and I’m very satisfied with it.

iOS 6 rant

iOS has been around for a few weeks now. Developers have been able to see progressive beta versions for a few months. Much has been written about the sudden disappearance of all things google (see http://www.readwriteweb.com/mobile/2012/09/apple-ditches-youtube-google-maps-in-ios-6-who-wins-who-loses.php for an overview).
What is particularly annoying about the lack of Google product support in iOS6 is that no-one benefits. There are no cool replacements for youtube and google maps. Users will waste time looking for alternatives but they will doubtless find other ways to get to the content the want.
Meanwhile businesses and App developers are footing the bill. Here’s an uncool example:
Many apps we make for customers have youtube video integration. Even the most basic integration – opening a browser with a link to youtube has changed or is broken. Aaargghhh why? As though nobody has anything better to do than update an App to cope with random operating system changes. We will have to make the changes, and businesses will have to pay.

How-To: Alert Dialogs on iOS

When designing your application for an iOS device, you might run into a common interface feature; The Alert Dialog. These dialogs are simple and easy to use features for a user, but without careful positioning of buttons and the overall know-how of alert dialogs, it could turn out into a disaster for the user. To counter this, just follow the basics as described below.

The Description

Alert dialogs are temporary views that will appear on top of your application to bring the user’s attention to some detail or ask the user to confirm an action being done. An alert dialog will popup in the center of the screen and all other interaction with the application is disabled until the dialog is canceled.

The Layout

An alert dialog consists of three separate parts; a title, a message body and one or more buttons. Below is a visual representation of an alert dialog:

1. Title

The first element is the title. Try to avoid titles that contain only one word or take up more then one line. Keep them short and descriptive. Do not forget to use title-style capitalization, in which the first character of most words is capitalized. An example for a good title could be “New Text Message”, so do not use a title like “You have a new text message”.

2. The Message

While an iOS device gives you enough space to show the user a lot of information, try to keep the message within an alert dialog short and to the point. Mostly this ends up with using two lines long sentences, where only the first character in the first word in each sentence is capitalized (sentence-style capitalization). Whenever your message will contain too many words, the device will create a scrolling alert dialog. This is something you really want to avoid, since it gives a bad user-experience.

3. The Buttons

The buttons within the alert view are the controls that could make or break your workflow. An alert dialog mostly consists of two buttons. Using three or more buttons is not preferred and could give the user some difficulty to read and respond to to the information you are presenting in your dialog.

A very important part of the buttons is the positioning;

  • Whenever you are deciding to show an alert dialog that performs a risky or destructive action, place a light-colored Cancel button on the right and place a dark-colored OK button on the left.
  • Whenever you are deciding to show an alert dialog that performs a positive action, place a light-colored OK button on the right and an dark-colored Cancel button on the left.

The coloring and meaning of the buttons are always the same, where the left button is dark-colored and represents a negative action and the right button is light-colored and represents a positive action.

While it might seem useful for bringing the user’s attention to your dialog, try not to overuse them. Using too many dialogs in your application decrease in how important they are and they will most often slow down the flow within your application. Instead, try designing a way to show your users more information within the screen that is currently available.

Debugging webservice problems on iOS devices

Most apps we develop integrate with a server through some kind of XML or JSON based webservice. Sometimes these webservicesa already exist. But more often our customers are developing them at the same time or even after we develop our iPhone and Android apps. Inevitably this leads to minor but time consuming problems getting the Apps and the webservice to play nicely together. A lower and upper case character mixed up somewhere can mean hours of debugging.

So there are a number of options to troubleshoot:

  • DO NOT: Rig up some debugging code in the iPhone or Android client to spit out details about the call. This is a bad idea – the code is often forgotten and sits around in production causing an extra performance hit.
  • AS A LAST RESORT: Examine log files on the server. This can be painful. Often the logs are buried somewhere deep on the server – i assume to fool the iranians ;). And even if you find them, chances are they won’t contain any clues to what is going wrong.
  • DO: Use an HTTP proxy. This works well, can be switched off and on without requiring code change and is quite easy to set up. Since we develop on Mac’s we use the free burp HTTP monitor. Check out http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/ for a step by step instruction. Basically you change your iPhone network settings to send all WiFi traffic through your HTTP proxy on your PC. Then you can see all HTTP traffic between your device and the server, reproduce it and even change requests to the server. The nice thing about this is that you can use this with any app, even apps that have been downloaded from the App store.Of course the HTTP proxy method doesn’t work if you enforce valid SSL certificates in your app. But that is easily solved by putting debugging code in the app that allows self-signed certificates to be used.