# Update 1

After posting this on Hacker News, some developers / users feel my hypothesis is wrong and one cannot repeat the steps below without having physical access to a user’s phone or locked devices. I agree with this. I also need to check on which iOS version this is secure, because as far as I remember, this is definitely doable in earlier versions of iOS. But the original problem still remains the same: these files are unencrypted and unprotected, and one can copy your entire mail contents if he/she has access to your phone.

The File Protection API won’t be enough to protect data on unlocked phones. For that, one might need to encrypt documents or files with a key, with the key stored in some secure location.

I am building some concept apps to try out a few things. Stay tuned …

Last year I developed an immense interest in iOS app security and discovered many interesting facts and tools about it, which I presented in my talk at GeekCamp.sg.

I love iOS apps and developers. And it’s the apps that I love that motivate me to write better code. However, Mailbox is an exception. I like the UX of this application, but I dislike its data protection approach even more. As a matter of fact, there’s no data protection at all.

Apple discussed “Protecting the User’s Data” in WWDC session 714. There you can learn about all the data and file protection APIs a developer gets out of the box from the SDK.

Tools I used to extract the information

I used iExplorer, a tool that lets users transfer music, movies and playlists from any iDevice to a computer and iTunes. But wait, it gives you more: it gives you access to an application’s Documents and Library directories on your device. These are the usual places where iOS developers store their databases, plist files or other resource files, and they can be extracted to a computer if the device is stolen. You don’t need to jailbreak the device; you do not even need to unlock the device.

So if anyone else gets hold of your phone, they can access the files of those apps where data is not protected.

Information that I got from Mailbox app

At the top level of the Documents directory there’s a folder called ‘Attachments’. It contains all the attachments that I received or sent, be it the source code of some app, my bank statements or some confidential information. All these files are there unencrypted and unprotected, ready to be stolen if you lose your phone for some reason!

[image: attachment]

The same folder also contains an SQLite file which holds your email contacts, actual email contents and more.

[image: db]

One can just use any SQLite manager tool to open this file and see its contents. There’s a table called ‘ZORCONTACT’ that contains details of your contacts and another called ‘ZORITEM’ that contains details of your emails. Depending on what you do with your emails, this can be pretty scary!

[image: email_body]

How Mailbox can improve

Now, for an app that I waited almost a month to get my hands on, I expect more. I do not know if Mailbox is already working on adding these security features, but this is something they should do to retain their users. It’s all about adding a few extra lines of code to their iOS app to increase the security level. The iOS SDK gives developers a list of data protection APIs (as displayed in the image below) for protecting documents, databases and other sensitive files that contain confidential information about your users. I would love to try my hands on a better, more secure Mailbox iOS app. Until then I have deleted my accounts from Mailbox.

[image: data_protection_api_list]
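To show what those “few extra lines of code” look like, here is an added example (not Mailbox’s code, nor code from the original post) that writes an attachment with NSFileProtectionComplete and upgrades the protection class of an already existing SQLite file. The paths, the `AttachmentCache`-style helper names and the sample content are assumptions; the protection only takes effect on a device with a passcode set, and, as Update 1 notes, it does not protect data on an unlocked phone, so truly sensitive content still needs application-level encryption with the key kept in the Keychain.

```objc
#import <Foundation/Foundation.h>

// Writes attachment bytes so the file is encrypted with a class key that is
// only available while the device is unlocked (requires a passcode to be set).
static BOOL WriteProtectedAttachment(NSData *bytes, NSString *path, NSError **error) {
    return [bytes writeToFile:path
                      options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                        error:error];
}

// Upgrades the protection class of a file that already exists, for example
// the SQLite store created by Core Data without any protection attribute.
// Use NSFileProtectionCompleteUntilFirstUserAuthentication instead when the
// file must stay readable for background work on a locked device.
static BOOL ProtectExistingFile(NSString *path, NSString *protectionClass, NSError **error) {
    NSDictionary *attrs = [NSDictionary dictionaryWithObject:protectionClass forKey:NSFileProtectionKey];
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:path error:error];
}

// Returns the protection class currently applied to a file, or nil when the
// file carries none: a quick audit of what a tool like iExplorer could copy.
static NSString *ProtectionClassOfFile(NSString *path) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:NULL];
    return [attrs objectForKey:NSFileProtectionKey];
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        NSFileManager *fm = [NSFileManager defaultManager];
        NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) lastObject];
        // Hypothetical paths, chosen to mirror the layout found in the Documents directory above.
        NSString *attachmentPath = [docs stringByAppendingPathComponent:@"Attachments/statement.pdf"];
        NSString *dbPath = [docs stringByAppendingPathComponent:@"mail.sqlite"];
        NSError *error = nil;
        [fm createDirectoryAtPath:[attachmentPath stringByDeletingLastPathComponent]
       withIntermediateDirectories:YES attributes:nil error:NULL];

        // Constructed sample content standing in for a real attachment.
        NSData *sample = [@"constructed sample attachment" dataUsingEncoding:NSUTF8StringEncoding];
        if (!WriteProtectedAttachment(sample, attachmentPath, &error)) {
            NSLog(@"attachment write failed: %@", error);
        }
        // Simulate a database file written earlier with no protection, then fix it in place.
        [sample writeToFile:dbPath atomically:YES];
        if (!ProtectExistingFile(dbPath, NSFileProtectionComplete, &error)) {
            NSLog(@"could not protect %@: %@", dbPath, error);
        }
        NSLog(@"attachment: %@", ProtectionClassOfFile(attachmentPath));
        NSLog(@"database:   %@", ProtectionClassOfFile(dbPath));
    }
    return 0;
}
```

Run it on a passcode-protected device and then try to copy the two files with iExplorer while the device is locked: both should be unreadable.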

A couple of weeks back I spoke at GeekCampSG about iOS security, where I demonstrated how insecure some iOS apps are when it comes to protecting user data. Popular apps like WhatsApp, Evernote and Instagram also fall into that category.

During my talk I covered 3 things:

  • How data is insecure when stored unprotected in the filesystem
  • How data is insecure while the application communicates with a backend server
  • How insecure this data can be on a jailbroken device, where reverse engineering is possible from a GDB prompt

You can view the slides of my GeekCamp talk below. I have already talked about part 2, “securing iOS apps through the file protection API”, at the iOS Dev Scout September meetup. I will post the slides of that here as well.

Xcode makes the life of iOS developers easier by providing the ability to debug code using breakpoints, backtrace error logs and pinpoint the cause of errors when they occur. You can also let the compiler speak the log message out loud. If you haven’t played with it, just go ahead and edit one of your breakpoints to add an action when an error occurs.

But every now and then you will notice this beast: “EXC_BAD_ACCESS”. As an iOS newbie you will hate this error, and I have often seen pro devs struggle to find its exact cause, as this is one error that will mostly throw you to your main.m file, where you can’t find what exactly is causing the crash.

One thing I have learnt over the last few years that has helped me debug errors faster is: “An error is what the error says”.

So before posting your ugly error message on Stack Overflow, or before even hitting Google, stop for a while and look carefully at what the error message tells you. So let’s say I get this error in my tableViewController or scrollViewController; then before getting into what is wrong in those view controllers, I would first look into what “EXC_BAD_ACCESS” means if I don’t know it. Apple’s error messages are verbose and self-explanatory. Hence, as one can clearly make out from the description, “EXC_BAD_ACCESS” means you are doing a bad access, or in other words you are accessing something that you shouldn’t.

Talking more in Obj-C terms: a message was sent to an object that doesn’t exist or that doesn’t understand the message. Hence, bad access.

You will get EXC_BAD_ACCESS error mostly in the following scenarios:

  1. You are trying to access an object that is not initialized.
  2. You are trying to access an object that no longer exists: either it has been released or it’s nil. In ARC mode, make sure you take ownership of the object that you want to use.
  3. You are passing a message to an object that the object doesn’t understand. It can also happen from a bad typecast, like the lines below where I am trying to print an int with %@ instead of %d.
int myAwesomeInt = 9;
NSLog(@"%@", myAwesomeInt); // %@ treats the int 9 as an object pointer and messages it: bad access (should be %d)

How to debug:

Identify what you did that caused the crash. Did it crash while the view of a particular view controller was loading, in a delegate method, or on a particular action? That will often help find the object that is causing the error.

  • Most of the time “NSZombies” can help identify the dead object. You can enable NSZombies by editing your scheme: Product -> Edit Scheme -> Diagnostics.
  • If you still don’t find the root cause, then always go backwards from child view controller to parent view controller to see what object needs to be retained or what message needs to be passed properly.
  • Look into the Static Analyzer and Instruments for advanced debugging.
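Scenario 2 above (an object that no longer exists, and “take ownership” under ARC) is the one that is easiest to see in code. The following is an added example, not code from the post: the `AttachmentCache` class and its three properties are invented for illustration, and it compiles with `clang -fobjc-arc -framework Foundation`.

```objc
#import <Foundation/Foundation.h>

@interface AttachmentCache : NSObject
// Owning reference: keeps the array alive for as long as the cache lives.
@property (nonatomic, strong) NSMutableArray *ownedItems;
// Zeroing weak reference: becomes nil as soon as the array is freed.
@property (nonatomic, weak) NSMutableArray *borrowedItems;
// Non-zeroing reference (pre-ARC "assign"): keeps pointing at freed memory.
@property (nonatomic, unsafe_unretained) NSMutableArray *danglingItems;
- (void)loadItems;
- (NSUInteger)ownedCount;
- (NSUInteger)borrowedCount;
@end

@implementation AttachmentCache
- (void)loadItems {
    // Nothing except the cache refers to these arrays once the pool drains,
    // so only the one held by a strong reference survives this method.
    @autoreleasepool {
        self.ownedItems    = [NSMutableArray arrayWithObjects:@"a.pdf", @"b.pdf", nil];
        self.borrowedItems = [NSMutableArray arrayWithObjects:@"c.pdf", nil];
        self.danglingItems = [NSMutableArray arrayWithObjects:@"d.pdf", nil];
    }
}
// 2: the cache took ownership, so the array still exists.
- (NSUInteger)ownedCount { return [self.ownedItems count]; }
// 0: the receiver is nil, and a message to nil is a no-op in Objective-C.
- (NSUInteger)borrowedCount { return [self.borrowedItems count]; }
// [self.danglingItems count] would message a deallocated object: EXC_BAD_ACCESS.
// With NSZombies enabled (Product -> Edit Scheme -> Diagnostics) the console
// instead names the dead class, which is how you find which object to retain.
@end

int main(int argc, char *argv[]) {
    @autoreleasepool {
        AttachmentCache *cache = [[AttachmentCache alloc] init];
        [cache loadItems];
        NSLog(@"owned=%lu borrowed=%lu",
              (unsigned long)[cache ownedCount], (unsigned long)[cache borrowedCount]);
    }
    return 0;
}
```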

6 months ago Michael, Mugunth and I re-started the iOS Developer meetup group in Singapore, and iOS Dev Scout was born. We started this community with a dream that it would help iOS developers in Singapore collaborate with each other, share knowledge & passion and build some kick-ass iOS apps together. So we meet for monthly meet-ups where speakers talk about great iOS technologies and showcase their cool apps. We also occasionally meet for longer coffee break sessions where we hack together on various apps.

A few months ago, Peter Kim (one of our meetup speakers) suggested having an iOS Hackathon. The organizers liked it, the members were excited about the idea, and tech companies and government organizations in Singapore stepped forward to support it. Many thanks to our sponsors iDA, Plug-In@BLK71, BuUuk, ELC, Quantum Inventions, Cloudy Rec, BubbleMotion and Viki for supporting us in organizing the 1st iOS-centric Hackathon in Singapore. The local tech media community were very supportive as well. E27 and SGEntrepreneurs helped us in promoting the event. So 75 participants registered for the event. Chinmay helped us in live streaming the event so that people who couldn’t join could still catch a glimpse of the event live.

The day started with a few tutorials on iOS, Objective-C, User Experience and API Integration. After a great keynote from Sayanee, Michael and Nav talked during the 1st half of the tutorial sessions. Sithu and I shared more knowledge post lunch. About 16 ideas were pitched. With plenty of Red Bull and caffeine, close to 35 participants survived the night fighting NSZombies. On demo day 13 apps were demonstrated. Mentors from Founder Institute and the local tech community provided feedback to the participants. We organizers applauded their work and rewarded the 8 teams who showcased great passion in building those awesome apps with Amazon gift vouchers.

I was personally helping the participants get started with iOS and Objective-C. It was great fun to see them learning really fast. Around 4 AM I started building a small proof of concept app for a friend of mine, and in a couple of hours I was ready with the basic version of an iOS app for Learnemy. Elisha is a good friend of mine and I hope she can make good use of the app to showcase her product.

Out of those 13 apps my favorites are Alan’s Shadow and Thumbatar. We were happy to have newbies and students at the event as well, who learned Objective-C and iOS really fast and showcased an application on the same day. We hope to continue the same in future to encourage and inspire iOS developers to build great apps and make Singapore a fun place to live for all hackers.

Join our Facebook group to get updates about our upcoming events and find out more about what iOS developers in Singapore are hacking on.

There is so much talk about the inclusion of Near Field Communication in the iPhone 5. We can never know whether it’s going to be supported soon or not.

A few months back Apple filed a patent that revealed their upcoming product called iWallet. This makes similar initiatives by other providers or vendors look naive. This will arguably change the way mobile payments are done today, and is definitely the one that will rule the world, as mentioned in the article below.

The creative engineers at Apple have given enough thought to iWallet to make it work both when making a transaction in person and remotely. This leads to another revolutionary step that might replace credit cards, debit cards and gift cards completely!

Instead of a traditional One Time Password (OTP) that is sent to a registered mobile device, or a security token generated by an external device, Apple is probably going to use an application running on the iPhone / iPad / Mac to validate that the transaction is authorized. The simplest thing I can think of is to validate authorization by iTunes password.

Moreover, the card holder can enable / disable automatic authorization for certain merchants or below a certain value, and flag certain transactions as unauthorized, which will immediately notify the issuing bank or credit card association. The cardholder-not-present authorization functionality may also be combined with a distinctive gesture, for example drawing a character or reverse swiping a certain control.

From the screens below it’s clear that third party applications can be enabled for “MobilePay” to use the features of iWallet.

Reference Link: http://www.patentlyapple.com/patently-apple/2012/03/part-2-apples-iwallet-the-one-that-will-rule-the-world.html

My experience with many developers is that they can do amazing things with functionality, but when it comes to user experience they don’t know how to start and always rely on UX professionals. While their professional guidance is helpful, most of the time we need to take the first step ourselves.

Before I list any of the thumb-rules I follow, I would like to clarify one thing. User experience is often not just about designing and creating the Photoshop images. Those are things an expert designer can do far better than what we can come up with. As mobile app developers our goal should be to create a decent looking application with an amazing user experience, and then sit with an expert to make it even better.

1. Read the “Human Interface Guidelines”

If you haven’t read it yet, then this is a must read for you. Similarly, Android now has better design guidelines. Most of your design experience will come from these documents.

2. Check the App Store for similar products

If it’s a consumer app you can find similar apps on the App Store, but if it’s an enterprise app then look on sites like MobileCrunch or MacRumors for reviews or articles about similar apps. Try to find out the thing or feature users like the most about those apps and what they find confusing. Often by doing a Google image search you can see screens of similar apps.

3. Check www.dribbble.com (there are 3 “b”s in the name)

Dribbble is a closed social network for designers and UX professionals where they share their work and seek advice from other designers. You cannot post anything if you are not a member; however, you can observe others’ work and get inspiration. For example, if you are building an iPhone app that requires a table view, then just search for “iPhone Table” and see the various designs people have thought about, and then find a direction for your story. Don’t just copy. The idea is to get inspired and come up with something that suits your application and customers best.

4. Always do it on pen and paper first before starting to code right away.

This is one golden rule that can potentially save a lot of time that you might otherwise spend doing several iterations if the goal or scope is not clear or if your users just don’t get your designs.

5. Don’t over design.

Don’t try to put in a lot of animation or graphics just because you have just learnt Cocos2d or OpenGL ES. Remember Spider-Man’s catch-line: “With great power comes great responsibility”. So if you know stuff that can create the wow factor, then use it smartly and control your enthusiasm.

6. Stick to default controls as much as possible

Don’t try to use a custom tab bar or navigation bar if those are really not required. Users are used to the default controls of these platforms, and whenever you introduce a new component it should be really obvious how to use it. For example, the Facebook and LinkedIn iPhone apps show how you can use simple animation and components to create a wow factor.

7. Rely on the power of these devices.

Smart phones and tablets these days are able to gain so much attention because of their ability to do things using touch, multi-touch and gestures. You don’t need to teach a user to flip a magazine page with a simple gesture, or to zoom a photo with multi-touch. Tap into some of these gesture, touch and multi-touch detection techniques to make it more interesting for users. Some good examples of apps that became successful recently are Flipbook, Path and Band of the Day.

8. An image speaks a thousand words

When things are a little complicated to explain through words or sentences, use meaningful images. Most of the time users will get it just by seeing the image. Ideally, if possible, use a small text label along with the image.

For example I like Navjot’s thinking on this image: http://dribbble.com/shots/239130-Record-Audio

I think it’s better than the record icon of the audio app on iPhone. The text in this case makes it really obvious for the user to understand the purpose of the button.

A not-so-good example from the same guy would be: http://dribbble.com/shots/216782-New-Post

Here I don’t quite get the meaning of the icon until I tap on it.

9. Colors and Branding

Refer to design magazines like “Smashing Magazine” or “Think Vitamin” and you will get a set of guidelines for different types of applications. For example, if you are building a finance app you might go with red, and if you are building a travel app, yellow or blue would be more relevant. Also think about whether this app would be used indoors vs outdoors. If the app is going to be used outdoors and you don’t use proper colors or contrast, users might not be able to read or see the app properly.

10. Every pixel counts

Very important: if you want to leave an impression on your users, every pixel counts. Even a bad alignment in one place can attract bad attention and users won’t be satisfied. People have enough reasons in their lives to be unhappy, and you are going to give them another one by avoiding the extra effort to fix that alignment. Try to be a user first, before trying to be a developer or designer. Just trying to be a user can fix a lot of things. Never give up or let it go until you are satisfied yourself. I always believe that as a developer or designer you know your mistakes before anyone else figures them out.


Not very long ago Google announced “Digital Wallet”, leveraging Near Field Communication. Some retail stores are also figuring out how you can use Augmented Reality and Face Recognition technology to auto-debit money from the customer’s account to enhance the shopping experience.

However, these technologies are still pretty unstable when you combine them with m-Commerce or e-Commerce. But one thing that’s unique about a user is his thumb impression or palm impression. So bringing it into mobile applications would not only solve the issue of payment in retail but also check-in at airports (which some airports have already tried).

Fujitsu has manufactured a system called PalmSecure that requires no hardware on the user’s side. The technology works just by waving your hand in front of the detector. It identifies the user and makes a payment on their behalf. Very useful for priority or gold customers in retail. The same thing can be applied to business class passengers in airlines, enriching their boarding experience.

PalmSecure is an identification / security scheme that falls under the umbrella of biometrics. Examples of other biometric identifiers are fingerprint, voice, SIRI, face recognition etc. PalmSecure is uniquely unobtrusive, as it requires the same gesture required to use an NFC phone wallet or to swipe a credit card, only you don’t have to have anything on your person to make it work.

A few organizations have already adopted it as a trial to replace Single Sign On for access to their enterprise systems. I am thinking of ordering some of these devices to see if I can connect one to an iPad, which could then control anything from opening the door of a car to giving me my medical history for the last 6 months.

Reference: http://www.fujitsu.com/us/services/biometrics/palm-vein/palmsecure/index.html