App Accomplished: Strategies for App Development Success Book Review

The process of getting a successful mobile application deployed can be complex and daunting. Architecting, designing and developing natural user interfaces for touch and gesture on mobile devices is not the same as web and desktop UI design and development. Mobile devices are used in different contexts, and bring different personas to the table. Having web and desktop architecture, development, and UI design experience does not make you a qualified mobile architect, developer, or UI designer. Although it was much worse back in the Dot Com Boom days, I still see publication and commercial print designers trying to design web sites the way they design a magazine. A lot of them finally figured out web design is different, and we are now dealing with getting them to realize web and desktop UI design experience does not make you a qualified mobile UI designer. The same was true back in the Dot Com Boom days for developers and architects. Mainframe developers and VB6 developers carried over skills they needed to leave behind. Not all of them, but developing client server applications was different than building web applications. For the past decade or so, a ton of people have jumped on to the web development money cow, now they are jumping ship to the next money cow, mobile apps. To make money in the app stores, or as part of an enterprise effort, you need to know what you are doing. Regretfully, all we know, is what we have done. Luckily books like this come out and help us avoid a lot of the learning by trial and error. I have listed the chapters of the book below to give you a high level view of what is covered. 1. What Could Possibly Go Wrong? 2. The App Development Life Cycle 3. Prototyping and Wireframing Your App 4. Determining Your App’s Components 5. Finding the Right Tools 6. Skill Gap Analysis 7. Finding a Developer 8. Interviewing and Selecting a Developer 9. Managing to Milestones 10. Understanding What You’re Getting 11. Pulling the Plug Early 12. Communicating Using Bugs 13. Testing 14. Submission and Beyond The author won me over with his definition of a failed project. He summarized them in the four bullets below. 1.  The app failed to ship (that is, didn’t become available to users). 2.  The app failed to work (that is, didn’t work as intended for a noticeable percentage of intended users). 3.  The project cost significantly more money than planned (more than 10% or 20% over budgeted funding). 4.  The project took significantly more time than planned (more than 10% or 20% over budgeted time). I have witnessed some software projects succeed, some crash and burn, and the rest get close enough to success that the team can sell it as a success. Sometimes the later takes a heck of a sales job. I would say in my book 80% of those sold as successes failed. They either came in well over budget, well beyond their projected delivery date, or delivered such buggy software that the maintenance effort was as big as the development effort. I have seen teams only meet #1 in the author's list above, delivering an app so buggy it should not have been used. Success to the team simply meant they considered the project over for themselves, and they passed the headache on to support. You will find the members of those project teams run as fast as they can to the next project, instead of doing a retrospective study. After several months of releases to the app stores, the maintenance team got the major bugs out of the app. Each chapter of the book covers a ton of topics. For example chapter 4 covers Devices, Native apps, Web apps, Hybrid apps, Third-Party Frameworks, Analytics, Video and Audio, Peripherals, Accessibility, Custom or Complex Animations, Conditional Formatting, Localization, User Preferences, Data Storage, Servers, Syncing, Push Notifications, and Background Tasks. Chapter 6 covers Programming, Testing and Quality Assurance, Server Support and Troubleshooting, User Experience Design, Graphic Design, Sound Design and Music, Copywriting, Marketing, and Games. Covering so many topics does not allow for a deep discussion of each one. Instead the author introduces the topic and provides enough information that you understand the topic well enough to continue learning more about it. There is also a lot of cohesion in the chapter's topics, which helps to provide a context for the topics as a whole. The one thing I had a little trouble with is that in certain places in the book the author gets into a mode of "That having been said", and then saying it is ok to do the opposite of what he recommends. That is fine, but it drags out those sections with info that is repeated over and over. At least that is the way it felt. Prototyping and Wireframing Your App was where this came through pretty hard. In this section he also seemed to get a little simple for the reading audience by covering in detail how to cut and paste images into Keynote from OmniGraffle. I am not going to ding the book for this, because I feel it is just a writing style. I have learned over the years there are a lot of people who like this style of writing. One of my favorite parts of the book are the sidebar case studies. Here is a partial list of them- API documentation, app development company outsourcing, Auto Layout UI code, cookie refreshing, design changes, Groovy and Grails languages, miscommunication with developer, missing source code, multiple bug reports, number comparison bug, optimization updates, outsourcing developers, plagiarism detection, spaghetti code, and vague requirements. The case studies really help tie the topics being covered in the chapter to the real world. They are also lessons learned the hard way. By reading them, you gain the experience of having made the mistake yourself, without actually having to make the mistake. You just reap the lesson learned. Over all I highly recommend this book to anyone getting into the mobile application world. The book is good for getting a sweeping view of the mobile world in its current state.

App Accomplished: Strategies for App Development Success

App Accomplished: Strategies for App Development Success

Android Security Essentials LiveLessons (Video Training) Review

I unintentionally watched all three hours of this video series in one sitting. The presenter hooked me and before I knew it, it was three hours later. It is a very fast paced tour of the security issues that can arise when using the Android platform. The tour is built around the Open Web Application Security Project (OWASP) top 10 Mobile Security Risks as a guideline.

The Open Web Application Security Project (OWASP) top 10 Mobile Security Risks are -

M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections

It seems like every security consulting firm engagement I hear about lately finds one or two things that in some other context/environment would make them dangerous, tells you to fix them, and recommends you review the OWASP top ten lists. They get their check and say see you in 6 months.

I have seen companies blindly follow the directions given by a compliance/security audit that were a total waste of a lot of money on completely unwarranted requests. Everyone involved with approving and allowing them to be done should have been assessed for competency.

This type of thing happens a lot as technologies change. Web and mobile applications are not the same thing. To think you can simply hop from one to the other is nuts, and no, using HTML5 everywhere does not change that. This happens in more areas than just security, but with regards to security, although the high level types of attacks seem similar, the details of how they are carried out and what you need to do to protect your systems are not.

Luckily this video series drills in on the details of Android attacks. You won't walk away from this series a security expert, but you will walk away with an appreciation for how far hackers will go to get your data. You will also have a solid baseline understanding of the entire spectrum of the Open Web Application Security Project (OWASP) top 10 Mobile Security Risks, how they can be used to secure your android applications, and how hackers are going to attack your applications.

The presenter is engaging and easy to follow, there are a ton of demos, and all the material is very interesting. I would recommend this video series to anyone involved with an Android development project, but if you are a developer and you want to understand the details of what the presenter is talking about, you should have Android development experience. I say anyone can watch it, because even if you don't understand all the technical mumbo jumbo, you will understand how serious security should be taken, and what the end result will be if you don't.

Below is the description from the products web page. I simply pasted it below because I felt it was very accurate and it explains each lesson clearly.

You can check out previews and buy the series here.

Android applications make use of advanced hardware and software, as well as local and server data, exposed through the platform to bring innovation and value to consumers. To protect that value, the platform must offer an application environment that ensures the security of users, data, applications, the device, and the network. Securing an open platform requires a robust security architecture and rigorous security programs, as well as developers who are aware of the security issues that may come up.

Android Security Essentials LiveLessons alerts developers to the security issues that can arise when using the Android platform and guides them though solutions. Godfrey Nolan covers best practices for Android security by examining common security scenarios. Each lesson begins by presenting the concept behind the security problem at hand, with snippets of code introduced as the problem is explored. This is then followed by examination of code or demonstration of tools showing you how to implement the concepts presented.

Lesson 1: Android Security Basics
This lesson explains the problems with Android from a security perspective. We dive right in and show how to reverse engineer an Android APK to view its source as well as backup an APK’s data to see what runtime customer information is exposed. The lesson also introduces the OWASP Mobile top 10 risks from the Open Web Application Security Project which we cover detail in each lesson.

Lesson 2: Dealing with Insecure Data
Lesson 2 walks you through where runtime data is stored on the Android device, how to use Android file permissions to securely write data to an SD-card and also looks at how to write securely to a SQLite database.

Lesson 3: Weak Server Side Controls
This lesson deals with storing and securing data stored on backend web servers or in the cloud. You learn what the implications are of using remote servers for storing application data as well as how to secure the data.

Lesson 4: Insufficient Transport Layer Protection
This lesson builds on what we learned in Lesson 3. You learn how to perform a man-in-the-middle attack to see how insecure data is transmitted and how SSL can secure the traffic.

Lesson 5: Client Side Injection
Many Android apps are not 100% native and contain one or more HTML pages as webviews. Learn how to secure these hybrid apps by understanding how cross-site scripting and SQL injection are used to attack your web server.

Lesson 6: Poor Authorization
This lesson explains what the options are for logging in to an Android app, how they can be compromised and best practices for user authorization.

Lesson 7: Improper Session Handling
Building on Lesson 6, this lesson explains why mobile sessions are different from web sessions. Learn how to implement mobile sessions securely as well as use OAuth to log in to social media websites.

Lesson 8: Security Decisions via Untrusted Inputs
Learn how the Android framework manages communication between Android apps and how that can be exploited. Understand the principle of minimum Android manifest permissions and what permissions should be avoided.

Lesson 9: Side Channel Data Leakage
Android apps, probably more than other mobile platform, have a tendency to leak information in log files. In the past, third party libraries from advertising companies have also collected more customer information than they needed. In this lesson learn how to remove all logging for your production app and how to use proxy servers and decompilers to know exactly what your third party apps are collecting.

Lesson 10: Broken Cryptography
Learn what types of synchronous and asynchronous encryption can be used in Android apps, why it’s not a good idea to store the keys in the code or on the device, how to store the key using the NDK as well as encryption best practices using asynchronous techniques.

Lesson 11: Sensitive Information Disclosure
While Lesson 2 looked at the runtime information that may or may not be exposed, Lesson 11 looks at how developers are exposing information hard coded in the compiled application such as encryption keys and how this potentially exposes more customer information.

Lesson 12: Conclusion
In the final lesson we review the OWASP top 10 and use a tool from OWASP called GoatDroid that will help you get a better understanding of how to write more secure Android code.

You can check out previews and buy the series here.