It would have been best to implement piracy checks from the beginning, but this had to be part of the 1.1+ update. Since 1.0 I have released versions 1.1 and 1.2, and have only seen version 1.1 ‘cracked’ and uploaded to websites, but I have tested this out myself, and my piracy checks do exactly what they are supposed to do, crash the app rendering it useless.

Before any details on protecting your apps, I will explain how the piracy system works for iOS apps.

Each application is code-signed with a certificate, which can be verified by the iOS to make sure that the current device has sufficient privileges to install/run your application. During development the certificates last ~12 months (you can even wind your clock back after the certificate has expired in order to launch the app again) and for a lifetime when you get it from the app store. When you submit your application to the app store, Apple resigns your app with their own certificate.

Of course, on a jailbroken phone, these certificate checks can be disabled, or your app can be resigned with a bogus certificate for distribution on the web or services like Crackulous.

Usually when people take a version of your app and crack it for illegal distribution they will use a tool that will do the exact same thing on each app it is used on, designed to work on all apps that don’t do any piracy checks, which is most of the apps out there. Even if you put in a basic piracy check, chances are the person using this tool has no real cracking talent and wont be able to do anything about it. It’s never impossible to protect anything 100% in the IT world, if somebody wants your app cracked that badly they can modify your app’s binary to bypass the security checks, but the more difficult you make it will discourage the cracker.

There’s a great tool from Cocoanetics I purchased called AntiCrack, which has a one time purchase fee. You may think I’m writing this blog just to sell you something, but if you’re serious about selling your app it will pay itself off in 15 downloads or so (or you could try and implement the techniques below yourself).

Check if your program is being debugged:
When building for release/distribution mode, the first thing your main function should do is check whether the app is being debugged. If so, crash/exit the app. A debugger will make a cracker’s job 10x easier, so don’t give them the opportunity. There’s a method Apple provides for this (AmIBeingDebugged())

Check the signed certificate:
Have your app look at the certificate is has been bundled with, if it’s not valid then crash/exit the app.

Obfuscation:
If your app connects to the web I highly recommend you obfuscate the urls it connects to (or any other vital strings your app uses). Your original strings wont be in the binary, and will be decoded at runtime. If the cracker manages to bypass the crash/exit you have implemented, they will still need to figure out your cipher algorithm to get the original strings back. If your app is web focused and the urls can’t be decoded, your app wont have much functionality

Inline methods and defines:
Implement the above methods using inline methods or defines. Using a standard function means at runtime the code within that function only exists in one place, when it’s needed to run the program will jump to that code and then jump back to where the function was called from then continue. Your cracker can find out where this one place is and remove any jumps to it, or make it jump back before any real checks are performed. Using inline methods and defines means your checks will be scattered throughout the program, everytime the method/define was used, meaning the cracker will need to remove each instance of your piracy checks.

You’ll get to know us all a little better, and keep posted because we have heaps of cool videos coming up!

• Nigerian emails
  I say Nigerian but in reality these can come from anywhere. These emails often follow the lines of “somebody has passed away and I can transfer $1 million to your name if you give me your bank account details”. It’s common sense, but people actually fall for this. Never give out your bank account details, and don’t trust these emails.

• Dodgy links
  Make sure you check where suspicious links actually lead to. It is very easy to have a link look like it leads to a legitimate site but instead it takes you somewhere else. See this link for example www.google.com. It would appear to take you to Google but instead leads to Yahoo. You can hover your mouse over the link and check the bottom left of your browser window to see where links really lead.

• Phishing
  One of the most effective ways bad people can hijack an account is by setting up a website that looks exactly like the real one. This is called Phishing. Always check the URL in your browser to make sure you are on the correct website, this is often combined with dodgy links. A better solution is to bookmark the correct website and using the bookmark when you want to access it.

• ‘Congratulations’ ads
  You are not the one millionth viewer, you have not won any money. Ignore these.

• Secure browsing vs. insecure browsing
  When browsing the web there’s two ways your data can be sent. Encrypted, making it useless for spying on, and unencrypted, where anybody between you and the website you are trying to access can view everything that is being sent and received – to get your data to where it needs to go it actually travels through many other computers, any could be malicious. When you access a secure website it will have a padlock at the top of the browser. If you think the website is secure but you get a security prompt, close the site, somebody could be trying to see your information. Because over a regular insecure connection everything you send can be spied on, never enter personal information or credit card details if the website isn’t secure and doesn’t show the padlock.

• Simple passwords
  You have probably seen the bars that rate how strong or weak your password is. Always try to use a strong password, use capitals, lowercase, symbols and numbers. The reason for this is the more possibilities, the harder your password is to figure out. Using standard words from the English dictionary makes your account extremely vulnerable.

• Sharing passwords
  Use a different password for all the websites you use. If you share the same password between WebsiteA and WebsiteB, the owner of WebsiteA may try your password for WebsiteB. If they are the same then your WebsiteB account has been compromised.

• Recovery answers
  I make it a rule of thumb to enter long and random answers for recovery questions. Questions such as “What is your mother’s maiden name?” can be easily guessed, and a casual conversation could have you spilling the beans to an account with simple questions.

• Public wifi
  A free wifi hotspot might seem like a dream come true, but hold on a minute. Anybody connected to that hotspot can see all traffic on the network. Avoid wifi networks without passwords, and if you need to use one, don’t enter any passwords, personal information or credit card details.

• Spoofed emails
  An email from your.best@friend.com may not actually be from your best friend. The sender’s email address shown in an email can easily be spoofed to make it appear like it came from somebody you know. Even if it actually has been sent from your best friend, their account may have been compromised, so don’t trust links, even from people you know.

• Antivirus software
  Install antivirus software and run checks regularly, once a month or so. If you think you may have been hacked, run a virus scan immediately and don’t login to any websites until you are sure your computer is safe.

• Logout of sites when finished
  When you have finished using a site you have logged into, logout. Generally when you login to a site your browser is supplied with a ‘session key’, which gets sent with every request to the website, instead of sending your username and password every single time. If an internet bad guy gets this ‘session key’ they can see what you would have seen, this is called ‘session hijacking’. When you logout your session will be destroyed by the website, making your old ‘session key’ invalid, and useless for anybody trying to use it. Sometimes the ‘session key’ may exist within the URL, so if you send somebody a link to a site you have logged in to, make sure you are not supplying them with your ‘session key’ accidentally.

I couldn’t resist seeing this in action, but I’m not a Comm bank customer. So a quick stroll to the local branch, signed up a basic account, agreed to a $4 a month fee and I was ready to roll with my new account number in hand.

I downloaded the app, signed up, set my pin to 1234 (not my real PIN) and bang. It loaded. I could see my generous account balance of $0 and some other options. All I’m interested in remember is paying using PayWave. I jumped to the Commonwealth bank website to transfer some $$ to play with.

Now back into the App, enter my PIN which is 1234.

Error. I try again. Error. And again. Error.

Maybe I accidentally changed my PIN. So I tried to login with my internet banking password.

Error. I try again. Error. And again. Error.

I contacted Commonwealth Bank to see if they could fix it, and they provided some instructions on how to try again. This still didn’t work.

So on to Twitter to try and close the account and get my $4 fee back.

So sorry everyone, I was hoping to review the App and see if the contactless payments worked on the iPhone (Bluetooth? Wifi?). Looks like the App has some technical issues so please share your experiences with me in the comments section below.

As far as I knew, no apps were using my location, I was under the impression the GPS in my phone was off (the GPS being one of the big battery consumers). If you venture to the bottom of the location services list in the settings app, hidden away is a system services section. Open this up and there’s a list of operating system services that use your location, which is no issue, but at the bottom of this list is a switch which determines whether you are told about the operating system using your location or not. By default it is set to off.

So others don’t fall into the same trap I did, here is a list of ways to save power:

• Turn down screen brightness
• Turn off bluetooth
• Turn off wifi
• Turn on Airplane mode
• Turn off location services
• Reduce the auto lock time
• Close running apps (double tapping the home button and holding down on an app)
• Perform a battery cycle every few weeks
• Reboot the device every few weeks

HTML5 has introduced a new properties for the type attribute for input elements. The new values are for contact details and include:

• an email address (type=’email’)
• a website addres (type=’url’)
• telephone number (type=’tel’)

You won’t see any difference when viewing on your desktop HTML5 compatible browsers however if you view the forms with Mobile Safari it will automatically use the appropriate keyboard for the job.

The Code

By default text fields are given the type=”text” attribute. Simple change the type value from text to the relevant type of contact detail such as email for an email address field.

<label for="email">Name:</label><input name="name" id="name" type="text" />
<label for="email">Email:</label><input name="email" id="email" type="email" />
<label for="email">Phone:</label><input name="phone" id="phone" type="tel" />
<label for="email">Website:</label><input name="web" id="web" type="url" />

The iOS keyboards

The image below shows the different types of keyboards you will see for each of the HTML5 type attributed fields.

A very simple enhancement that is sure to pleasantly enhance your users web experience!

When you add an object to an array it gets retained, when you remove the object from the array it is released. If you use an array of delegates you will need to avoid adding the delegate into the array directly, and use a container class. You can build your own, but there’s no need, Apple has one for you. Add an [NSValue valueWithNonretainedObject:obj] into your array instead, the NSValue will be retained but your delegate will not. Remember to have your delegate remove itself from the delegate list when it is deallocated. To get the delegate back use id delegate = [[delegateArray objectAtIndex:0] nonretainedObjectValue];

Many of us are already making diet plans for the rest of 2012 while others are still in holiday mode.  Either way, there are some guidelines you have to keep in mind in order to achieve your dietary goals.

Diet:

An average person in this day and age consumes between 3000 to 3500 calories per day. This is while most jobs involve sitting at a desk or behind the wheel. On the other hand an average person burns about 2000 to 2500 calories considering them being moderately active. So where does the extra 1000 calories go?

Yes , you’ve guessed it right ! They’ll store in your face, stomach, chest, buttocks, thighs and everywhere else.

Now get this, every 7000 calories roughly burn 1Kg of fat and the opposite. So basically by eating that Big Mac with Fries and Coke, you’re about 1500 calories away from gaining a kg of weight… Is that really worth it?

Let’s talk about things we need to be careful of:

Carbs:

Carbohydrates are fearsome to a lot of people which leads to bad dietary decisions in some cases. Carbs for us are like petrol for cars, our body needs them to survive. For that reason there’s no way you should avoid eating carbs.

What to bear in mind is the type of carbs you take in and how you take control of it.

Whole grains are the best source of carbohydrates because they are less processed and therefore healthier. Vegetables and fruits contain “healthy” carbohydrates as well which burn much easier and quicker in the body.

Although carbs are the main source of our energy, it’s best for them to be eaten in the first half of your day. This is so that they provide you with the energy to last a whole day and avoid being stored in your body while sleeping if you eat them at night instead.

Protein :

Protein is an essential element of our everyday diet which helps the body recover, build and grow. Meat, poultry, soy products, eggs, nuts and grains and etc … are great sources of protein which help your brain function better and your muscles recover faster.
Based on ‘betterhealth victoria’ a female body needs 0.75g/kg and male body needs 0.84g/kg of protein per day.  But remember that if you exceed the amount your body absorbs, the rest will just be rejected and simply flushed out of your body.

Alcohol

Other than kidney and liver damages, alcohol has several other destructive effects on the body. Alcoholic drinks are high in calories (chart of calories in alcoholic drinks) and they dehydrate your body, meaning all the water which is used to break those fat contents is drained out.

Another effect is that alcohol steals your metabolism; in other words no less fats and carbs are used to fuel the body once you drink alcohol. Scary? I don’t know about you but I’m going to avoid binge drinking and stick to having 2 standard drinks per sitting.

Physical activity:

Remember when I said an average person needs to have an intake of 2000-2500 calories per day?

Well, that’s for a moderately active body where you get at least 45 minutes of exercise each day. This exercise could be anything from speed-walking to the train station to simply jogging with your dog, literally anything to increase your heart rate and cause rapid breathing. But do we all do that? I don’t think so …

Most of us consume above 3000 calories per day AND don’t do anything that increases our heart rate which purely allows our body to store fat hence making us heavier and lazier.

So I suggest the following for those who drive to work every day like me:

Gym:

Yes, ever since the early 80s and the increase in obesity, gyms have been one of the biggest money makers in the last 30 years. A lot of us joined these clubs hoping to actively sweat off our fats and calories everyday but guess what? After the third week, probably half of us have forgotten about the membership! I’ll tell you what works as a good reminder for our memberships, it’s not the extra pounds you put on, it’s the extra pounds and dollars that go out of your bank account every month. So ladies and gentlemen, why not make good use of what we’re actually paying for?

Believe it or not, you don’t need to be pumping weights like Mr. Muscle in the corner of the gym to look good. A 30-minute cardio session and some basic muscle training every day will get you there in a few months.

I suggest you to start slow with easy interval cardio trainings and light weight exercises, and then slowly increase the intensity as you see progress in your body.

*Music is highly recommended. If you do not enjoy the 90s techno music that they play in the gym, bring along your own iPhone or MP3 player to workout to your favourite jams.

Group classes:

This is for those of us who exercise better with a partner and hate to train alone. Most of the gyms out there now offer group classes, take advantage of those, don’t be shy or afraid. Join them; you’ll have fun while burning those calories.

All it takes is a little change in lifestyle, getting off the couch and sweating.

You don’t need to be super skinny or super muscular to look good, you need to be fit and healthy to stay away from hospitals and avoid diseases.

I’m doing it now, so why can’t you ?

I’ve been working with B2cloud in recent weeks on an iPhone app. It’s a standard client/server affair. B2C is writing the client while my job is to expose our database to the world via a JSON webservice. It is our intention that, while the iOS client will be its first consumer, the webservice will hopefully pave the way for future SOA efforts (if you haven’t read the recently ‘leaked’ google plus post on the topic, its a great read. I think the original has been pulled, but there’s a copy here).

We weren’t too far into the design process before Tom (B2Cloud) and I found ourselves in a debate about security. The basic plan was that the client would make first contact by calling a login function, passing a memberID and password. On the server, I’d validate the combination and, on success create a row in a database table that had a GUID (aka UUID) as a primary key. This “session key” would be symmetrically encrypted and base 64 encoded before being sent back to the client.

What would happen on subsequent requests is where Tom and I differed in opinion. Tom suggested that on each subsequent function call, in addition to the ‘payload’ data required by that function, we pass both the session key and the memberID back for authentication. The thought was that, although it was very unlikely that a duplicate session key could ever be generated (according to wiki, “generating 1 billion UUIDs every second for the next 100 years, the probability of creating just one duplicate would be about 50%.”), there was a chance that one could.

Should a duplicate key be returned, then a client could be authenticated against someone else’s account and … well, without being overly dramatic, the entire Earth would implode. By passing back the additional memberID, this could never happen as, back in server land, I’d validate that the session key was indeed generated for that user.

Now, for reasons that I wasn’t really able to properly articulate at the time, the idea of passing back two strings for authentication with every function instead of one really grated with me. It just seemed “messy” and unnecessary. If this webservice is a success, one day it could literally have hundreds of functions. The idea of requiring an additional input field on each of those was unnecessary and unpalatable. For reasons probably more to do with my own personal neuroses rather than logic, It actually really bugged me. I suppose that, like many programmers (by no means all!) I take pride in my work. Whats more, by definition, these functions will be public. One day when we surpass Amazon.com in size, millions of people across the globe will use them every day (ok…ok… But a guy can dream) and I will be under the scrutiny of other devs for this decision.

I wanted to drop the memberID and rely solely on the uniqueness of the GUIDs for security. Tom challenged me along the lines of  ”what’s the big deal? By passing the memberID we’re ensured security. Why risk it?”.

For the record, I think that both solutions are acceptable. Passing an additional field really is no big deal and the chance of a duplicate GUID are acceptably improbable. If I had a balanced work/life perspective …. I probably would’ve dropped it all here. But, alas, I don’t and I didn’t.

The thing is though, something else was really bugging me. As hard as it was for me to admit at the time, Tom was right. Even if it was one chance in several trillion that my proposal would fail, near enough wasn’t good enough.

Once I accepted that, another thing bothered me. I admit that this discussion so far really has been making a fuss over nothing. However this next point I believe is worth exploring more.

I didn’t like the idea of the client passing two fields because it ‘feels’ like it is putting some of the onus for security on the client as opposed to the server. Now remember, even though I trust Tom and his app, this web service is public. As its creator I have to assume that clients may be malicious. Having the Client pass back a memberID just seemed like “too much information”. Once again, I know that there’s probably little chance that someone could use this to gain an advantage (however, really, what do I know about subverting security systems?), but it’s the principle of the thing. It just seemed inelligant.

In the end, Tom and I agreed on a solution. The session key that I returned would be the GUID concatenated with the memberId and then encrypted/encoded. That way, each key could only ever access one account (unless in the future we decide to embed more info in the key and extend the functionality…. which is purely a server side matter) and we don’t have to require an additional unnecessary field. Win win.

In summary, I’m taking away the following learnings from this experience.

1. When you’re building a web service – the server is boss. What’s more, It appears to me to be good practise to keep the exposed ‘surface area’ of your functions to the minimum required. Perhaps this has a bearing on security (or perhaps it doesn’t!) however, at the very least, it will keep your interfaces ‘cleaner’.
2. Debate is good. There were quite a few emails back and forth about this one which lead to a solution which I believe is better than the original ones proposed.

All the best and happy new year

DS

Today the web audience is less excited by the glitter, and instead they want information fast. Very fast. With the huge growth in mobile browsing and IDC predictions that mobile internet will shortly surpass wired/desktop, what in the world will happen to Flash?

We have fond memories 

Everyone has a fond Flash story be it from high school assignment, to a university project. It puts a smile on your face, followed by a little embarrassment in hindsight of what you used to think was cool. It was an enabling technology that allowed game developers to share their projects with the world and beyond the school LAN. I asked around the office for some nostalgic Flash moments.

Tom shared with us a very cool game he built in high school called Night of The Pumpkin Men

Marco shared a little animation that he built for his SEO business that showcases the character “Little Business“.

Flash still looks great

Its amazing that you can load up a Flash website from 1998, designed for a 640 x 480 monitor with low colour specs  and load it in 2012 on a massive 27 inch monitor and it still looks bloody good. My point is that there is nothing in the web sphere that performs as well as Flash when it comes to screen size compatibility.

The same goes for animation. Sure we are seeing CSS and HTML5 move leaps and bounds but its not there yet. What is the middle ground between static informational websites and multimedia experiences? Do users want a multimedia experience on the web for anything else other than games?

It never became native

Flash has never really been accepted like other web technologies, and it has never just worked seamlessly on all browsers. On re-building my web design company site in 1999, I had a choice to make. Do I use flash, dazzle my audience and potentially shy away business when visitors don’t want to download the plugin? Or do I build 2 websites, one flash and a second HTML and use an auto forwarder? Eventually I put a flash applet in my html site, a win-win. (Its still online, many thanks Optus!)

Ironically 14 years later we face the same decision. Building a website solely on Flash means it won’t be natively supported on Apple technology and other browsers that don’t pre-install the plugin. One must ask if its worth losing visitors in exchange for some dazzle.

The final blow

The web is more mobile than ever, technology powerhouse Apple decided not to support Flash, Native applications are in extremely high demand and mobile web is the focus for business presence globally. So when Adobe announced it would no longer support mobile Flash, market confidence in the once booming multimedia technology plummeted.

With 750 jobs cut at Adobe late last year, and a continued focus on developing wrapper solutions to Apps through Adobe Air (see Will’s post on middleware), one must question the sustainability of Flash on all platforms. I think its time to start saying our goodbyes to a technology that inspired us all.

If you have any old Flash projects you have worked on, please email them to me (josh at b2cloud.com.au) and ill add them to this tribute!