Real World Software Architecture

Real World Software Architecture is dedicated to providing information and experiences from the field of Software Architecture.

Thursday, October 30, 2014

App Accomplished: Strategies for App Development Success Book Review

The process of getting a successful mobile application deployed can be complex and daunting. Architecting, designing and developing natural user interfaces for touch and gesture on mobile devices is not the same as web and desktop UI design and development. Mobile devices are used in different contexts, and bring different personas to the table. Having web and desktop architecture, development, and UI design experience does not make you a qualified mobile architect, developer, or UI designer.

Although it was much worse back in the Dot Com Boom days, I still see publication and commercial print designers trying to design web sites the way they design a magazine. A lot of them finally figured out web design is different, and we are now dealing with getting them to realize web and desktop UI design experience does not make you a qualified mobile UI designer.

The same was true back in the Dot Com Boom days for developers and architects. Mainframe developers and VB6 developers carried over skills they needed to leave behind. Not all of them, but developing client-server applications was different from building web applications. For the past decade or so, a ton of people have jumped on to the web development money cow; now they are jumping ship to the next money cow, mobile apps.

To make money in the app stores, or as part of an enterprise effort, you need to know what you are doing. Regretfully, all we know is what we have done. Luckily, books like this come out and help us avoid a lot of the learning by trial and error. I have listed the chapters of the book below to give you a high-level view of what is covered.

1. What Could Possibly Go Wrong?
2. The App Development Life Cycle
3. Prototyping and Wireframing Your App
4. Determining Your App’s Components
5. Finding the Right Tools
6. Skill Gap Analysis
7. Finding a Developer
8. Interviewing and Selecting a Developer
9. Managing to Milestones
10. Understanding What You’re Getting
11. Pulling the Plug Early
12. Communicating Using Bugs
13. Testing
14. Submission and Beyond

The author won me over with his definition of a failed project. He summarized them in the four bullets below.

1.  The app failed to ship (that is, didn’t become available to users).
2.  The app failed to work (that is, didn’t work as intended for a noticeable percentage of intended users).
3.  The project cost significantly more money than planned (more than 10% or 20% over budgeted funding).
4.  The project took significantly more time than planned (more than 10% or 20% over budgeted time).

I have witnessed some software projects succeed, some crash and burn, and the rest get close enough to success that the team can sell it as a success. Sometimes the latter takes a heck of a sales job. I would say in my book 80% of those sold as successes failed. They either came in well over budget, well beyond their projected delivery date, or delivered such buggy software that the maintenance effort was as big as the development effort.

I have seen teams only meet #1 in the author's list above, delivering an app so buggy it should not have been used. Success to the team simply meant they considered the project over for themselves, and they passed the headache on to support. You will find the members of those project teams run as fast as they can to the next project, instead of doing a retrospective study. After several months of releases to the app stores, the maintenance team got the major bugs out of the app.

Each chapter of the book covers a ton of topics. For example, chapter 4 covers Devices, Native apps, Web apps, Hybrid apps, Third-Party Frameworks, Analytics, Video and Audio, Peripherals, Accessibility, Custom or Complex Animations, Conditional Formatting, Localization, User Preferences, Data Storage, Servers, Syncing, Push Notifications, and Background Tasks.

Chapter 6 covers Programming, Testing and Quality Assurance, Server Support and Troubleshooting, User Experience Design, Graphic Design, Sound Design and Music, Copywriting, Marketing, and Games.

Covering so many topics does not allow for a deep discussion of each one. Instead the author introduces the topic and provides enough information that you understand the topic well enough to continue learning more about it. There is also a lot of cohesion in the chapter's topics, which helps to provide a context for the topics as a whole.

The one thing I had a little trouble with is that in certain places in the book the author gets into a mode of "That having been said," and then says it is OK to do the opposite of what he recommends. That is fine, but it drags out those sections with info that is repeated over and over. At least that is the way it felt.

Prototyping and Wireframing Your App was where this came through pretty hard. In this section he also seemed to get a little simple for the reading audience by covering in detail how to cut and paste images into Keynote from OmniGraffle. I am not going to ding the book for this, because I feel it is just a writing style. I have learned over the years there are a lot of people who like this style of writing.

One of my favorite parts of the book is the sidebar case studies. Here is a partial list of them: API documentation, app development company outsourcing, Auto Layout UI code, cookie refreshing, design changes, Groovy and Grails languages, miscommunication with developer, missing source code, multiple bug reports, number comparison bug, optimization updates, outsourcing developers, plagiarism detection, spaghetti code, and vague requirements.

The case studies really help tie the topics being covered in the chapter to the real world. They are also lessons learned the hard way. By reading them, you gain the experience of having made the mistake yourself, without actually having to make the mistake. You just reap the lesson learned.

Overall, I highly recommend this book to anyone getting into the mobile application world. The book is good for getting a sweeping view of the mobile world in its current state.

App Accomplished: Strategies for App Development Success

posted by tadanderson at 8:31 AM 0 comments

Android Security Essentials LiveLessons (Video Training) Review

I unintentionally watched all three hours of this video series in one sitting. The presenter hooked me, and before I knew it, three hours had passed. It is a very fast-paced tour of the security issues that can arise when using the Android platform. The tour is built around the Open Web Application Security Project (OWASP) Top 10 Mobile Security Risks as a guideline.

The Open Web Application Security Project (OWASP) Top 10 Mobile Security Risks are:

M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections

It seems like every security consulting firm engagement I hear about lately finds one or two things that in some other context or environment would be dangerous, tells you to fix them, and recommends you review the OWASP Top 10 lists. They get their check and say "see you in 6 months."

I have seen companies blindly follow the directions given by a compliance/security audit that were a total waste of a lot of money on completely unwarranted requests. Everyone involved with approving and allowing them to be done should have been assessed for competency.

This type of thing happens a lot as technologies change. Web and mobile applications are not the same thing. To think you can simply hop from one to the other is nuts, and no, using HTML5 everywhere does not change that. This happens in more areas than just security, but with regards to security, although the high level types of attacks seem similar, the details of how they are carried out and what you need to do to protect your systems are not.

Luckily, this video series drills in on the details of Android attacks. You won't walk away from this series a security expert, but you will walk away with an appreciation for how far hackers will go to get your data. You will also have a solid baseline understanding of the entire spectrum of the Open Web Application Security Project (OWASP) Top 10 Mobile Security Risks, how that knowledge can be used to secure your Android applications, and how hackers are going to attack your applications.

The presenter is engaging and easy to follow, there are a ton of demos, and all the material is very interesting. I would recommend this video series to anyone involved with an Android development project, but if you are a developer and you want to understand the details of what the presenter is talking about, you should have Android development experience. I say anyone can watch it, because even if you don't understand all the technical mumbo jumbo, you will understand how seriously security should be taken, and what the end result will be if you don't.

Below is the description from the product's web page. I simply pasted it below because I felt it was very accurate and it explains each lesson clearly.

You can check out previews and buy the series here.

Android applications make use of advanced hardware and software, as well as local and server data, exposed through the platform to bring innovation and value to consumers. To protect that value, the platform must offer an application environment that ensures the security of users, data, applications, the device, and the network. Securing an open platform requires a robust security architecture and rigorous security programs, as well as developers who are aware of the security issues that may come up.

Android Security Essentials LiveLessons alerts developers to the security issues that can arise when using the Android platform and guides them through solutions. Godfrey Nolan covers best practices for Android security by examining common security scenarios. Each lesson begins by presenting the concept behind the security problem at hand, with snippets of code introduced as the problem is explored. This is then followed by examination of code or demonstration of tools showing you how to implement the concepts presented.

Lesson 1: Android Security Basics
This lesson explains the problems with Android from a security perspective. We dive right in and show how to reverse engineer an Android APK to view its source as well as back up an APK’s data to see what runtime customer information is exposed. The lesson also introduces the OWASP Mobile Top 10 risks from the Open Web Application Security Project, which we cover in detail in each lesson.

Lesson 2: Dealing with Insecure Data
Lesson 2 walks you through where runtime data is stored on the Android device, how to use Android file permissions to securely write data to an SD-card and also looks at how to write securely to a SQLite database.

Lesson 3: Weak Server Side Controls
This lesson deals with storing and securing data stored on backend web servers or in the cloud. You learn what the implications are of using remote servers for storing application data as well as how to secure the data.

Lesson 4: Insufficient Transport Layer Protection
This lesson builds on what we learned in Lesson 3. You learn how to perform a man-in-the-middle attack to see how insecure data is transmitted and how SSL can secure the traffic.

Lesson 5: Client Side Injection
Many Android apps are not 100% native and contain one or more HTML pages as webviews. Learn how to secure these hybrid apps by understanding how cross-site scripting and SQL injection are used to attack your web server.

Lesson 6: Poor Authorization
This lesson explains what the options are for logging in to an Android app, how they can be compromised and best practices for user authorization.

Lesson 7: Improper Session Handling
Building on Lesson 6, this lesson explains why mobile sessions are different from web sessions. Learn how to implement mobile sessions securely as well as use OAuth to log in to social media websites.

Lesson 8: Security Decisions via Untrusted Inputs
Learn how the Android framework manages communication between Android apps and how that can be exploited. Understand the principle of minimum Android manifest permissions and what permissions should be avoided.

Lesson 9: Side Channel Data Leakage
Android apps, probably more than any other mobile platform, have a tendency to leak information in log files. In the past, third-party libraries from advertising companies have also collected more customer information than they needed. In this lesson, learn how to remove all logging for your production app and how to use proxy servers and decompilers to know exactly what your third-party apps are collecting.

Lesson 10: Broken Cryptography
Learn what types of synchronous and asynchronous encryption can be used in Android apps, why it’s not a good idea to store the keys in the code or on the device, how to store the key using the NDK as well as encryption best practices using asynchronous techniques.

Lesson 11: Sensitive Information Disclosure
While Lesson 2 looked at the runtime information that may or may not be exposed, Lesson 11 looks at how developers are exposing information hard coded in the compiled application such as encryption keys and how this potentially exposes more customer information.

Lesson 12: Conclusion
In the final lesson we review the OWASP top 10 and use a tool from OWASP called GoatDroid that will help you get a better understanding of how to write more secure Android code.
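Lesson 9 above describes removing all logging from a production app. As an added illustration (not code from the video series or from this blog), the wrapper below shows one common way to do that on Android: every call is gated on the generated `BuildConfig.DEBUG` constant, so release builds write nothing to logcat, and messages pass through a redaction step so that even debug logs do not carry bearer tokens or e-mail addresses. The class name `SafeLog`, the tag, and the regular expressions are my own choices, and the class is assumed to live in the application package so that `BuildConfig` resolves.

```java
// Added example: a debug-only logging wrapper for Android. Not code from the
// video series or this blog post; class name, tag and regexes are assumptions.
import android.util.Log;
import java.util.regex.Pattern;

public final class SafeLog {
    private static final String TAG = "MyApp"; // assumed log tag

    // Constructed patterns for values that should never reach logcat.
    private static final Pattern BEARER =
            Pattern.compile("(?i)bearer\\s+[A-Za-z0-9._~+/=-]+");
    private static final Pattern EMAIL =
            Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}");

    private SafeLog() {}

    // Mask secrets so that a debug log pasted into a bug report is still safe.
    static String redact(String msg) {
        if (msg == null) {
            return "null";
        }
        String out = BEARER.matcher(msg).replaceAll("Bearer [REDACTED]");
        return EMAIL.matcher(out).replaceAll("[EMAIL]");
    }

    public static void d(String msg) {
        // BuildConfig.DEBUG is a compile-time constant that is false in release
        // builds, so javac drops this branch there and nothing reaches logcat.
        if (BuildConfig.DEBUG) {
            Log.d(TAG, redact(msg));
        }
    }

    public static void e(String msg, Throwable t) {
        // Errors are kept out of release logs as well; in production they
        // belong in your crash-reporting pipeline, not on the device.
        if (BuildConfig.DEBUG) {
            Log.e(TAG, redact(msg), t);
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the caller still builds the message string before `d()` is invoked, so an expensive or sensitive concatenation is evaluated in release even though it is never logged; wrapping such call sites in their own `if (BuildConfig.DEBUG)` check avoids that. Second, the wrapper only helps where it is used: direct `android.util.Log` calls in your code or in third-party libraries bypass it, which is why a ProGuard/R8 `-assumenosideeffects class android.util.Log { ... }` rule listing the `v`, `d` and `i` methods is usually added to the release configuration as a backstop, and why the lesson's advice to inspect what third-party libraries actually emit still applies.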

You can check out previews and buy the series here.

posted by tadanderson at 7:48 AM 0 comments

Previous Posts

  • DevOps: A Software Architect's Perspective Book Re...
  • Scaled Agile Framework (SAFe) LiveLessons Video Se...
  • Bulletproof Android: Practical Advice for Building...
  • Swift for Programmers Book Review
  • Security in Computing (5th Edition) Book Review
  • Swift in 24 Hours, Sams Teach Yourself Book Review
  • Sparx Systems Releases Enterprise Architect 12
  • Learning Swift Programming Book Review
  • Android Security Internals: An In-Depth Guide to A...
  • Adaptive Code via C#: Agile coding with design pat...



Archives

  • December 2005
  • January 2006
  • February 2006
  • March 2006
  • April 2006
  • June 2006
  • August 2006
  • October 2006
  • November 2006
  • December 2006
  • January 2007
  • February 2007
  • March 2007
  • April 2007
  • May 2007
  • June 2007
  • July 2007
  • August 2007
  • September 2007
  • October 2007
  • November 2007
  • December 2007
  • January 2008
  • February 2008
  • March 2008
  • April 2008
  • May 2008
  • June 2008
  • July 2008
  • August 2008
  • September 2008
  • October 2008
  • December 2008
  • January 2009
  • February 2009
  • March 2009
  • April 2009
  • May 2009
  • June 2009
  • July 2009
  • August 2009
  • September 2009
  • October 2009
  • November 2009
  • December 2009
  • January 2010
  • February 2010
  • March 2010
  • April 2010
  • May 2010
  • June 2010
  • August 2010
  • September 2010
  • October 2010
  • November 2010
  • December 2010
  • January 2011
  • February 2011
  • March 2011
  • April 2011
  • May 2011
  • June 2011
  • July 2011
  • August 2011
  • September 2011
  • October 2011
  • November 2011
  • December 2011
  • January 2012
  • February 2012
  • March 2012
  • April 2012
  • May 2012
  • June 2012
  • July 2012
  • August 2012
  • September 2012
  • October 2012
  • November 2012
  • December 2012
  • January 2013
  • February 2013
  • March 2013
  • April 2013
  • May 2013
  • June 2013
  • July 2013
  • August 2013
  • September 2013
  • October 2013
  • November 2013
  • December 2013
  • January 2014
  • February 2014
  • March 2014
  • April 2014
  • May 2014
  • June 2014
  • July 2014
  • August 2014
  • September 2014
  • October 2014
  • December 2014
  • February 2015
  • March 2015
  • April 2015
  • June 2015
  • July 2015
  • September 2015

Powered by Blogger