For this particular post, I would like to share a white paper I recently came across summarizing a major research on the security of various types of software from off the shelf to custom built applications either by in house or by 3rd party developers.

As a software architect, looking back from my own experience over 20 years, I can easily agree with the results in this paper.  While it's foolish to think any software is 100% secure, it's undeniably true, aside from financial sector, business software is many times built with minimal focus on security.  In fact I would go as far and add, the levels of security obtained in the software is many times directly related to the level of experience the developer or team involved has.

In a room of 3 developers, with 1, 5, and 10 years of experience each, each would claim to have developed good and secure software based on the scope of their knowledge at the time.  All three can develop a sound solution meeting the functional requirements from the perspective of business or product owner.  However, as with any practiced discipline, the developer with 10 years of experience will usually build some additional safe guards for security or at a minimum is aware of certain of advanced topics such as code signing, etc. where such is unbeknownst to the less experienced developers.  Consequently the level of security in each is starkly different and is not easily measurable without explicit validation.

How do we apply metrics and quantify the level of security?  A business owner, unaware of programming details, is not able to measure this. A manager similarly, would be primarily concerned about timely delivery of functional aspects over any security needs which may delay the actual deliverable. Furthermore as the paper mentions, less than 20% "of organizations surveyed view security as the most important criterion when developing custom applications internally or when having customer software developed by third parties".

As a result, a concerted effort must ensue for education on secure development. Similarly a concerted effort must ensue to adopt patterns for security validation much like we have validation for functional requirements.  Some can be automated while some require human validation similar to automated unit tests and manual human tests of functional aspects in software.

In this day and age, its abundantly clear the software we write for the web is directly exposed to thousands and even local software running on computers or devices, is indirectly accessible by just as many -- security should be at the forefront moving forward.

Here is the white paper, which although shocking, I vouch for it's factual findings and is a worth while read for anyone in the business delivering quality secure software. 

ISC_The Need for Improved Software Quality_0.pdf (1.90 mb)

Quick Start

Details of how this works

I had a few Apple gift cards laying around and now using apple's Touch ID more often, I wanted to place these into Passbook for safe keeping and easier access. So how do we go about adding Apple gift cards to Passbook?

First, the simplest way to add a gift card to passbook is tapping the "Add to Passbook" button when receiving a gift card over email.  It looks something like this.

However, what if you already have a physical gift card and want to add this one to Passbook?  It turns out it's not too easy or straight forward.  Some people recommend downloading the Gyft iPhone app which allows you to import many gift cards from many merchants, however I'm a little skeptical of adding them to an app from a 3rd party other than Apple.  This app, and others similar to it, require you to enter all the confidential information from the gift card into the app and transmit it over the internet to their servers.  Although I'm pretty sure these are legit applications, I still had concerns over the security of my information.  Are the connections from the app to their cloud servers secure?  How secure are the servers themselves, etc.

So I then started to investigate the URL apple generates for "Add to Passbook" button.  Part of the URL includes the card number, but the remainder of the URL seems to be some unrecognizable encoded string.  Not relenting, after some research over the web, I discovered Apple has a specific URL they use to add Apple store gift cards to Passbook.  Since this URL is hosted by apple over a secure SSL connection, I feel quite comfortable using it to add my gift cards to passbook.  The url is:

https://storepass.apple.com/pc/v1/card/9999999999999/AAAAAAAAAAAA

where 9999... represents the card number and AAAA... represents the PIN of the card.

When I enter this URL into Safari on the iPhone, Safari reports it as an invalid card even for a valid one. The Passbook app however expects to scan a QR code to add cards, so I then searched online for a free QR code generator and came across this open source javascript project on github¹ which generates a QR code on the clients browser with JavaScript.  After reviewing the code to make sure there was no transfer of information, I used it to generate a QR code for the URL above replacing the 9999... and AAAA... with the numbers on the back of one of the Apple gift cards.  Once the QR code was generated, I then used the Passbook app to scan this code successfully adding my gift cards to passbook as shown.

I added all of my remaining cards with out issue.

I'm now embedding the generator for anyone to use as the wish here. This is pure javascript running on your browser and no information is delivered from your browser elsewhere.  Intact, the QR code changes in real time as you enter digits or letters. Simply enter your gift card number, pin number and then scan the generated QR code with passbook to add it to your passbook.

1.  http://davidshimjs.github.io/qrcodejs/

Everyone is feverishly asking if it's possible to use AT&T iPad Air with a Verizon SIMM or vice versa, a Verizon iPad Air with an AT&T SIMM?  How about a T-Mobile on a Verizon iPad and vice versa?

First lets clarify some confusion with 3rd generation and 4th generation iPad.  While it is true you can purchase an Verizon iPad and use an AT&T ximm card in it, you will only achieve the 3G or 4G speeds available on AT&T -- not AT&T's LTE speeds.

With iPad Air (5th generation), are iPads all the same model hardware and they are only differentiated by having the corresponding telco's simm card in the device for your convenience.  To confirm, this statement here is screen shot of Apple's web site on their LTE coverage vs. iPad model.  Notice how only one hardware model of iPad Air exists for all LTE telco's on the right.

When you compare this to iPad 4th generation, there were two hardware models as shown.

So in summary, no matter which iPad Air you purchased you do not need to swap the hardware to be compatible with another carrier's LTE network in the US.  Simply get the correct sim card and activate it.

I came across some dialog where adjustment to daylight savings time was being applied manually in SQL Server stored procedures or functions to calculate the appropriate timezone shift (e.g. sometimes -5 for EST and sometimes -4).  I figured it can be done automatically, so I did some research on the definition for Day Light Savings time and came across two rules:

The old rule states:

Starts on the first Sunday of April at 2am and ends on the Last Sunday of October at 2am.

Comparing the results I realized something was off when compared to my current computer clock so I rechecked and found the revised rule enacted a few years ago:

The new rule states:

Starts on the second Sunday of March at 2am and ends on the First Sunday of November at 2am.

Alan Watts: "What makes you itch. What sort of situation would you like. Lets suppose, I do this often in vocational guidence of students, they come to me and say "we are getting out of college and I have the faintest idea of what to do".  So I always ask the question - What would you like to do if money were no object.  How would you really enjoy spending your life.

Well it's so amazing, as a result of our kind of educational system, crowds of students say -- well, we like to be painters, we like to be poets, we like to be writers but as everyone knows you cannot earn any money that way.  Another person says I'd like to live an outdoor life and ride horses.  I said do you want to teach in a writing school?  Lets go through with it, what do you want to do?  When we finally got to something which the individual says he really wants to do, I would say to him you do that and forget the money.  Because if you say getting the money is the most important thing, you will spend your life completely wasting your time.  You'll be doing things you don't like doing in order to go on living that is to go one doing things you don't like doing -- which is stupid.  

Better to have a short life that is full of what you like doing, than a long life spent in a miserable way and after all if you do really like what your are doing, it doesn't matter what it is, you can eventually become a master of it.  The only way to become a master of something is if you really like it.  Then you'll be able to get a good fee for whatever it is.  So don't worry to much, somebody is interested in everything and you can be interested in you'll find others who are but it's absolutely stupid to spend your time doing things you don't like in order to go on spending things you don't like and doing things you don't like and to then teach your children to follow in the same track.  See, what we are doing, is we are bringing up our children, educating them, to live the same soft of lives we are living in order that they may justify themselves and find satisfaction in life by bringing up their children to do the same things so it's all retro and no vomit -- it never gets there.  And so, therefore it's so important to consider this question - What do I desire?"

Over the fall quarter of 2012, we created the Bank Failures app for iOS.  I thank a colleague of mine for the detailed graphics and CSV parsing library we ended up using extensively for this and other apps. The idea is very simple -- banks have been failing at a very fast pace since 2008 and there is no easy way to access this information in an organized way to search or simply filter this data by year or by state.

Since we were applying techniques in iOS development, we decided to leverage this need while at the same time applying advanced UI techniques in iOS such as UITableView among others. A recently blog covers some interesting details with UITableView's.

The following are some screenshots of the app as submitted to the Apple App Store.  In a future blog update, I will decompose the entire application from the nightly process which pulls bank data from us government web sites to the filtering, tab views, etc.

Most people who know me would say I'm an Apple buff and have "Appleitus" where anything and everything about Apple is just amazing to me.  For the most part this is true, and yet few realize I actually work and program on Windows most of the time making it just that more ironic.  Despite my "Appleitus" however I have to give credit where credit is due and this happens to be with Google's latest app update for Google Search on iOS.

Google search for some time now has updated their iOS app and slowly incorporated various features from the Chrome tabs, to one touch accessibility for most of their services.  Historically it has mostly been hidden under the barrage of apps I have on my phone rarely using it as it really didn't provide me any real significant benefit over what is already available on the iOS platform -- until today.

I can honestly say, I was impressed on my first use of the voice enabled search.  Unlike Siri which first listens and then sends your audio quickly to Apple servers for interpretation, Google voice search interprets your spoken words on the fly as you speak.  Not only does it do this on the fly, it also is context aware.  For example, as you speak, it changes the previous interpreted words while using the more recently interpret words if it feels you formerly meant another word.  If you ask for Apple's stock price, it first writes the word "apples" and then changes it to "Apple's" as soon as it interprets the next word and realized you are talking about the stock price for Apple the company.

Unlike Siri, you can pretty much ask Google search anything and Google uses it's vast amount of data to not only infer what you spoke with highest probability algorithm, but also provide custom search results where you can interact with.  For example, you can ask it what movies are playing now and you get a nice interface showing you the movie covers playing in theaters now allowing you to scroll horizontally and and tapping shows the details along with the show times for the nearest theaters.

You can ask it what is day light savings time and it explains it.  You ask it when is day light savings time and it tells you when it starts and when it ends.  You can ask it for "who is sheldon" and it promptly finds the actor Sheldon from Big Bang Theory.  You ask it for "who is penny" and it also shows the corresponding actress.  Follow that with "what is a penny" and you get a nice voice description of what a penny is.

The video below carries it's own weight.  It was convincing enough that the app became part of my dock.

xCode allows for multiple convenient ways for configuring the UITableView cells.  Using one of default custom configurations, specifying it in storyboard as a prototype, specifying it in a nib file which is then reused, and simply creating it in code directly.  While developing an app which makes use of the UITableView, I came across an interesting dilemma where I wanted the flexibility of using xCode's UI to configure it however I wanted to avoid certain issues each approach carries as described below.

One approach is to define each UITableViewCell as a prototype of each UITableView directly in storyboard as shown below,

however if there are going to be multiple UITableViews displaying cells in a similar fashion, the inclination is to configure them repeatedly in each UITableView.  This is very repetitious and may even lead to inconsistencies if one is not careful and generally is considered bad programming practice similar to copying a pasting an entire method just to make one small modification within.  One can improve upon this approach by inheriting a common base UITableView class where the configuration is specified in code, however this defeats the flexibility of using xCode's UI to custom configure the UITableViewCell's various sub views.

Another approach is defining the UITableViewCell in a separate nib / xib file, you can then register the nib and reference the UITableViewCell for reuse accordingly from any UITableView controller.  This method retains the configurability of the UITableViewCell via the xCode interface as shown below.

When reusing the UITableView cell in this fashion however, most online examples indicate to register the nib file for reuse and then dequeue as usual to populate the data for each individual cell.  The problem here is, the UITableView's rowHight property is not updated automatically as it is when one specifies the UITableViewCell as a prototype and at run time, you may see something like this:

Many online blogs emphasize the height should be specified as part of the cell construction while executing with the cellForRowAtIndexPath method within the UITableViewController.  The problem I have with this solution is quite frankly, even though perhaps only 10 or actual cells will be constructed and then reused, this code is repeated unnecessarily for those 10 or so times.

The easier route is simply to specify a fixed height in the nib file, say 60 and then specifying the same 60 points in the UITableView's rowHeight property as shown in both images below.

 This will produce the balanced height we are seeking as shown below:

While this has improvements on reuse as we will have consistently looking UITableViewCell's throughout our various controllers and retains the ability to configured and edited via the xCode UI, it still has the ill effect of having to maintaing the rowHeight in two or more different places whenever the height changes and is not yet to my satisfaction of cleanliness.

Further research online reveal many blogs emphasizing the implementation of the heightForRowAtIndexPath method for the UITableViewController. This method is great when there are UITableViewCells with dynamically varying content which need varying height for each cell, however this is not the case here. The problem with this approach continues to be the repeated calls for a UITableViewCell which doesn't vary in height.  Furthermore, in the various examples I found not only is the height specified repeatedly, but registration of nib is repeated as well and some additional lines of code which could also be avoided.

The Solution:

Since in this particular example, the UITableViewCell height will remain the same across all sections and rows and UITableViews, it makes sense to programmatically tell the UITableView it's rowHeight much like we would via the xCode UI, however do so once and be done with it.  The value should also be extracted programmatically from the UITableViewCell residing in the nib / xib file so if the height is ever changed in the future via the design tools, the UITableView is automatically adjusted accordingly without any further intervention in the code.

To accomplish this, the logical place to put such code would be in the UiTableViewController's viewDidLoad method as this code is executed once regardless of the number of rows to rendered.  In this method, we simply load the nib by name, register this nib with the UITableView, and then simply set the rowHeight of the UITableView to match the height of the first view in the nib which we already know is simply a UITableViewCell.

    UINib* nib = [UINibnibWithNibName:@"ADTableViewCell"bundle:nil];

    [self.tableViewregisterNib:nib forCellReuseIdentifier: [ADCustomCellIdentifier]];

    self.tableView.rowHeight = ((UITableViewCell*)[[nib instantiateWithOwner:selfoptions:nil] objectAtIndex:0]).bounds.size.height;

In the example code above, we additionally reference a predefined class method for the cell identifier we conveniently placed in the strongly typed class representing the UITableViewCell with [ADCustomCell Identifier].

As part of our collaborative efforts in building mobile applications, we needed to devise a way to maximize the opportunities of working together without being inhibited by our distance.  We first tried Google hangout. With google hangout one can share any window to the participating members, however the participating members cannot interact with the window themselves. The collaboration we were seeking was both visual and hands on by all participants. In order to share the code, we started to utilize the shared repository to check in & push, etc. so the others can pull and have access to the code.  This however was very cumbersome during a session and didn't provide the same experience as working physically together where one can hand over the laptop to the other for a brief moment as would be the case a typical extreme programming scenario.

We then decided to try other alternatives.  OSX borrows from the VNC technology and bakes this into the OS in a feature called Screen Sharing.  Traditionally VNC clients have allowed interaction, but have been somewhat sluggish while refreshing the screen on updates.  Surprisingly, OSX has a built in client hidden deep in it's file system which not only works similar to VNC, however it is many times faster and feels almost like working locally.  It also adjusts the resolution, say bringing a 21" iMac screen to a MacBook screen, elegantly where the local resolution feels somewhat native rather than jammed cramped as I've seen on other clients, however you may still need to do some manual font adjustments if the resolutions differ by too much.

Once we have this working (setup explained below) this solves the collaboration aspects of working on a single computer while participants are in remote locations.  The next step was to solve the person to person experience, e.g. physically seeing face to face and talking.  For example, showing the other a page of a book or an example of an app on the phone and of course conversing.  For this we decided to use FaceTime on our iPads placed to the side of our MacBooks.  The final result is demonstrated on this 60 second video:

SETUP

To enable screen sharing, simply go to System Preferences and choose the Sharing option.

The description to your right usually provides you your internal NAT IP address.  In my case it's 192.168.1.146.  This is important because you may need to modify the settings on your router to allow for the screen sharing traffic to pass through your router and have it directed to your designated computer which has screen sharing on.  On my particular router, I have a port forwarding section where I simply specify the incoming port and which machine/port the traffic needs to go to.

This prepares the host so clients can connect to it.  Anyone on the outside who wishes to connect to your machine now needs to use the VNC client to do so.  The VNC client is hidden in the OSX file system and even spotlight doesn't find it by name so you have go there step by step.  Starting from your OSX main drive, drill down to the following folder: System->Library->Core Services

and find and launch the application called "Screen Sharing" which looks like this:

Once this application is launched, the client is presented with a simple dialog to enter the host ip address as shown below.  Here, the client would enter the public IP address of the person hosting the session.

The easiest way to identify the public ip address of the host is simply to visit a web site called www.WhatIsMyIPAddress.com and it will be listed in large type for the host to send to the clients.