Wednesday, December 23, 2009

Service layer debate for mobile applications - SOAP vs REST

With the surge in native mobile applications and the entry of players like Android, iPhone, Palm and other big names into this market, each providing frameworks to develop applications native to the device, it is important for developers to understand the performance implications of every operation that the application is going to perform.
WHY THE PROMINENCE?
The service layer has always been the most important factor for any enterprise, as that is where most of the money has been invested. During the last ten years, organizations have made significant investments in SOAP-based infrastructure such as Enterprise Service Buses (ESBs) and Business Process Management (BPM) software based on WS-BPEL. The SOAP binding allows organizations to leverage those investments in building interoperable content repositories.
Within the enterprise and in B2B scenarios, SOAP is still very attractive. This is not to say that REST is not enterprise ready. In fact, there are known successful RESTful implementations in mission-critical applications such as banking. However, enterprise applications can have specific requirements in the areas of security, reliable messaging, business process execution and transactions for which SOAP provides solutions.
SO, WHY THE CONFUSION?
With the advances in hardware for devices in the smartphone category and the increasing usage of mobile internet, consuming web services is all but inevitable for a native application. The question then arises as to which type of web service to implement and consume for a mobile application.
Although the debate is long standing and the answer depends heavily on what the application does and on the scope of its users, this article focuses on which is better, SOAP or ReST, for operations that are specific to mobile.
GPS, photo, video or other media transfer and location-based data exchange are some of the operations that an application developer would like to build into a mobile client; or it might be plain old stock quotes that he wants to add to his application as a ticker.
I have laid down the preferred ways of implementing and consuming the service in a way that I have always wanted and never got, the domain/operation-specific way. Before that I would want to tell you an easy pointer to tell the difference – You use SOAP to wash and you REST when you are tired!
EASE OF IMPLEMENTATION AND MAINTENANCE
For implementation, SOAP has the edge over REST because established development kits exist for SOAP. REST developers would argue, however, that REST gives them interface flexibility.
Verdict: SOAP
HEAVINESS/LIGHTNESS
ReST is definitely lightweight, as it is meant for lightweight data transfer over the most widely known interface, the URI. There are many extensions to it as well: one can easily implement and consume a ReST/JSON service, which matters a lot for mobile applications.
Verdict: ReST
BANDWIDTH USAGE
This is a very interesting and important parameter, as a mobile application can make many more network calls, which in turn calls for moderate bandwidth usage. SOAP requires an XML wrapper around every request and response. Once namespaces and typing are declared, a four- or five-digit stock quote in a SOAP response could require more than 10 times as many bytes as the same response in REST. Like SOAP, REST still needs a corresponding document that outlines input parameters and output data.
The good part is that REST is flexible enough that developers could write WSDL files for their services if such a formal declaration were necessary. Otherwise it could be a human-readable declaration.
Verdict: ReST
CACHING
Since HTTP-based / RESTful APIs can be consumed using simple GET requests, intermediate proxy servers / reverse proxies can cache their responses very easily. On the other hand, SOAP requests use POST and require a complex XML request to be created, which makes response caching difficult.
Verdict: ReST
SECURITY
This is a debatable and tricky parameter, as it depends on what you transmit. Although the SOAP camp insists that sending remote procedure calls through standard HTTP ports is a good way to ensure Web services support across organizational boundaries, REST followers argue that the practice is a major design flaw that compromises network safety. REST calls also go over HTTP or HTTPS, but with REST the administrator (or firewall) can discern the intent of each message by analyzing the HTTP command used in the request. For example, a GET request can always be considered safe because it can't, by definition, modify any data. It can only query data.
A typical SOAP request, on the other hand, will use POST to communicate with a given service. And without looking into the SOAP envelope—a task that is both resource-consuming and not built into most firewalls—there's no way to know whether that request simply wants to query data or delete entire tables from the database.
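To make the firewall's problem concrete, here is an added Go example (not code from the original post) of a gateway check: a REST request is classified from its HTTP method alone, while a SOAP POST has to be parsed to find the operation named in its Body and compared against an allow-list of read-only operations. The two envelopes, the urn:example:stocks namespace and the allow-list are constructed for the example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/http"
)

// Intent is what a gateway can conclude about a request before forwarding it.
type Intent string

const (
	ReadOnly Intent = "read-only"
	Mutating Intent = "mutating"
)

// ClassifyREST needs only the HTTP method: GET/HEAD/OPTIONS are defined as safe,
// so a firewall can pass them without reading the body.
func ClassifyREST(method string) Intent {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return ReadOnly
	}
	return Mutating // everything else may change state
}

// soapEnvelope captures just the first child of Body, which by convention
// names the operation. Body is matched by local name, whatever the prefix.
type soapEnvelope struct {
	Body struct {
		Op struct{ XMLName xml.Name } `xml:",any"`
	} `xml:"Body"`
}

// SoapOperation reads the envelope to learn what the POST actually asks for.
func SoapOperation(envelope []byte) (string, error) {
	var env soapEnvelope
	if err := xml.Unmarshal(envelope, &env); err != nil {
		return "", err
	}
	if env.Body.Op.XMLName.Local == "" {
		return "", errors.New("no operation element inside SOAP Body")
	}
	return env.Body.Op.XMLName.Local, nil
}

// ClassifySOAP shows the extra work: the method (always POST) says nothing, so the
// gateway must parse XML and consult an allow-list of read-only operations.
func ClassifySOAP(envelope []byte, readOnlyOps map[string]bool) Intent {
	op, err := SoapOperation(envelope)
	if err == nil && readOnlyOps[op] {
		return ReadOnly
	}
	return Mutating // fail closed: unknown or unparseable operations count as writes
}

// Constructed sample envelopes for the stock-quote service the post mentions.
const (
	getQuoteEnvelope = `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetQuote xmlns="urn:example:stocks"><Symbol>ABCD</Symbol></GetQuote></soap:Body></soap:Envelope>`
	deleteEnvelope   = `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><DeletePortfolio xmlns="urn:example:stocks"/></soap:Body></soap:Envelope>`
)

func main() {
	readOnly := map[string]bool{"GetQuote": true}
	fmt.Println("REST GET:", ClassifyREST(http.MethodGet))
	fmt.Println("SOAP GetQuote:", ClassifySOAP([]byte(getQuoteEnvelope), readOnly))
	fmt.Println("SOAP DeletePortfolio:", ClassifySOAP([]byte(deleteEnvelope), readOnly))
}
```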
As for authentication and authorization, SOAP places the burden in the hands of the application developer. The REST methodology instead takes into account the fact that Web servers already have support for these tasks.
Verdict: SOAP/ReST
Who uses ReST?
All of Yahoo's web services use REST, including Flickr; the del.icio.us API uses it, as do PubSub, Bloglines and Technorati, and both eBay and Amazon have web services for both REST and SOAP.
Who uses SOAP?
Google seems to be consistent in implementing their web services to use SOAP, with the exception of Blogger, which uses XML-RPC. You will find SOAP web services in lots of enterprise software as well.
CONCLUSION
We must certainly take into account the fact that ReST is not for everything. There are situations in which ReST proves best, but one mustn't forget that the scope of SOAP is very large, that there is much backing for SOAP, and that many large enterprises thrive on SOAP in their service layer.
To have a well-balanced, high-performance mobile application, the decision needs to be made operation by operation, for each operation that the application allows the user to perform.

Tuesday, December 15, 2009

Microsoft Mobility Solutions Competency Strengthens Aditi's Mobility Offerings

In-depth Mobile Expertise, Mobile Customer References, In-House Training and Professional Certification Helped Attain the Competency

Aditi Technologies, a leading provider of software product and application development services, has attained the Mobility Solutions Competency as part of Microsoft's Gold Certified Partner program. This will enhance Aditi's efforts to develop Windows Mobile based solutions, applications and services using Microsoft tools and technologies, including, but not limited to, Systems Integrators, Custom Application Developers, Independent Software Vendors (ISVs), Consultants and Solutions Resellers.
Aditi has attained "Microsoft Mobility solutions" competency through its in-depth Mobile expertise, Mobile customer references, in-house training and professional certification for our resources. "Today, we have a very strong and competent team dedicated to providing mobile solutions across the various technologies and ladders", says Mini Manakame, General Manager-Mobile Services, Aditi Technologies.
The mobile industry is growing at a rapid pace, thus creating new business opportunities. The changing content provider landscape is creating avenues for value added services and content applications. However, the rapid growth in Mobile Technology is posing challenges to companies which seek quicker time-to-market and cost-effective solutions.
Aditi has mastered mobile application/platform development across various technologies and over 200 devices. Our key strength lies in end to end development and maintenance of carrier grade applications on upcoming devices/platforms. In addition to product development, we also provide Professional Services support to our customers.
The certification bolsters Aditi's commitment to developing carrier-grade mobile applications on key mobile platforms including iPhone, Android, Symbian, Blackberry and of course, Windows Mobile. Aditi will also benefit from getting upfront access to information about the latest Windows Mobile product releases, roadmaps and related resources on an ongoing basis directly from Microsoft.

You can see the articles on this at
http://www.google.co.in/search?hl=en&source=hp&q=Microsoft+Mobility+Solutions+Competency+strengthens+Aditi%E2%80%99s+Mobility+Offerings&meta=&aq=f&oq=

To know more about Aditi's offerings in Mobility, contact us at MobileServicesSales@aditi.com

Monday, December 7, 2009

Security concepts and Threat Modeling for Mobile Applications


Traditionally, mobile phones were used only for voice communication. Today they have become tools for end-to-end information exchange, and wherever information is exchanged there is a chance of information leakage, spoofing and all sorts of hacking.

People think of the phrase “Secured Mobile Application” as an oxymoron. Many mobile app developers give little thought to the security of their applications and put most of their emphasis on jazzy UIs and funky features.

Though the security features needed by a mobile application are the same as for a desktop app, the security risks and security considerations vary somewhat because of the mobile hardware and the nature of mobile usage.

Security considerations for a Win Mobile based mobile application

Preventing Data theft

Most mobile apps store user-related data on the device. This can be passwords, user preferences and so on. This data should be secured on the device.

Data can be stolen in many ways. Below are a few examples of how data theft happens.

  • Hacking: This is by far the most common way of stealing data, with the least chance of getting caught. A hacker gets into a system where he or she is not supposed to be and steals whatever data he or she was after. Hackers find their gateway through gaps in the security system or by hoodwinking gullible employees / surfers in order to gain access to a system.
  • Posing: Appearances can be deceiving. The attractive website that has popped up offering you a great holiday treat may actually be a data thief trying to get into your system under the mask of a piece of harmless spam.
  • Remote Access: Does the indicator show that a program is running even when you are not working on anything and have no windows open? Do not ignore the symptoms; a data thief is already sitting in your computer. Remote access allows the thief to gain control of your machine from wherever he or she is and operate it, steal data from it, and even distribute viruses from it!
  • Spyware: Spyware is often brought in by adware. The thief may not sit in your system, but your keystrokes or mouse clicks are spied upon, revealing what you are doing and reading the data as you enter it. And you have opened the gate by clicking on an innocent-looking ad.
  • Podslurping: Music is now stored in iPods for almost all domestic users. You would usually not suspect an employee rocking to music while working as usual. The thief knows this and is using the iPod to obtain data outputs from the computer where it is plugged in.
  • Bluesnarfing: Bluetooth devices have become popular in a very short while. Using his or her Bluetooth-enabled cell phone or laptop, the data thief lifts data from a restricted computer in silence and mostly unnoticed.

Microsoft SQL Server Compact (SQL CE) is a compact relational database produced by Microsoft for applications that run on mobile devices and desktops. Most Windows Mobile apps store their data in this database. SQL CE databases should be encrypted, and every application should require a login to protect the data. With a login in place, the application can be configured to wipe the data after a considerable number of failed login attempts.

If the application's data is stored on a storage card, it has to be ensured that the data is encrypted, as these cards are easily removable and readable.

Use of Cryptography

Cryptography basically refers to the practice and study of hiding information. Before we analyze the application of cryptography on mobile devices, we need to understand the concepts of cryptography in some detail.

Cryptography can be defined as the conversion of data into a scrambled code that can be sent across a public or private network and deciphered at the other end. Cryptography uses two main styles or forms of encrypting data: symmetric and asymmetric. Symmetric encryption algorithms use the same key for encryption as they do for decryption. Other names for this type of encryption are secret-key, shared-key and private-key. The encryption key may be only loosely related to the decryption key; it does not necessarily need to be an exact copy.

Symmetric ciphers are susceptible to plaintext attacks and linear cryptanalysis, meaning that weak ones can be broken and at times are simple to decode. With careful planning of the cipher and the functions of the cryptographic process these threats can be greatly reduced. Asymmetric cryptography uses different keys for encryption and decryption. In this case an end user on a network, public or private, has a pair of keys: one for encryption and one for decryption. These keys are known as the public and the private key; the private key cannot be derived from the public key. The asymmetric cryptography method has been proven to be secure against computationally limited intruders.

Windows Mobile provides a range of symmetric and asymmetric encryption algorithms through its implementation of CAPI, the Cryptography Application Programming Interface. In addition, the Microsoft .NET Compact Framework 2.0 has managed classes that are in line with the desktop framework classes and provide simple access to the crypto library.

The processing power of a mobile device is significantly less than that of a desktop. The CPU strain of processing cryptographic algorithms has to be considered while designing a mobile application. Asymmetric algorithms can take a significant amount of CPU effort and can slow the device noticeably. When we use an asymmetric algorithm, the amount of data that needs to be safeguarded should be kept minimal, and we should decrypt the data only when it is necessary. We can use a symmetric key to encrypt and decrypt the bulk data and use the asymmetric key only to encrypt the symmetric key. This puts less strain on the mobile processor and has a positive impact on battery life.

Key management

As explained above, the main ingredient of cryptography is the key. In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm or cipher. The keys used for encryption and decryption must be stored somewhere on the device that is accessible to the mobile application. The process of storing the key securely on the device is referred to as “key management”.

Key management brings its own challenges regardless of platform, but on a mobile device it can become an acute problem. Windows Mobile doesn't offer a machine- or user-protected store for key management in the way the desktop operating systems do, so storing keys on a Windows Mobile powered device is tricky. Storing the master key in code or in a file on the store is rarely an acceptable solution, because Windows Mobile does not implement object-level security; files therefore cannot be individually restricted from access by other processes or via a technology like ActiveSync. The easiest and safest way to deal with a master key is to give it to the user and remove the problem from the device: that means deriving the master key from a user password at the perimeter of the device or at the perimeter of the mobile application.
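An added Go example, not the post's own code, of the approach recommended above: the master key is derived from the user's password with PBKDF2 at the application perimeter and is never written to the device, which keeps only a random salt, a key-check value and a failed-attempt counter that wipes the vault after too many wrong passwords (the wipe-after-failed-logins policy suggested for SQL CE data earlier). The Vault type, the iteration count, the attempt threshold and the "kcv" label are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const iterations, maxAttempts = 100000, 5 // assumed values; the post gives neither a work factor nor a wipe threshold

type Vault struct {
	Salt     []byte // random per vault, so precomputed password tables are useless
	Check    []byte // HMAC-SHA256(masterKey, "kcv") verifies a password without storing the key itself
	Failures int    // consecutive wrong passwords since the last success
}

// pbkdf2SHA256 is RFC 8018 PBKDF2-HMAC-SHA256 for one 32-byte output block, standard library only.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian index of the single output block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func keyCheck(masterKey []byte) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte("kcv"))
	return mac.Sum(nil)
}

// NewVault derives the master key once, keeps only salt and check value, and forgets the key.
func NewVault(password string) *Vault {
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand.Read cannot fail since Go 1.24; older versions should check the error
	key := pbkdf2SHA256([]byte(password), salt, iterations)
	return &Vault{Salt: salt, Check: keyCheck(key)}
}

// Unlock re-derives the master key at the application perimeter; after maxAttempts failures the vault wipes itself.
func (v *Vault) Unlock(password string) ([]byte, error) {
	key := pbkdf2SHA256([]byte(password), v.Salt, iterations)
	if hmac.Equal(keyCheck(key), v.Check) {
		v.Failures = 0
		return key, nil
	}
	v.Failures++
	if v.Failures >= maxAttempts {
		v.Salt, v.Check = nil, nil // wipe; every later Unlock lands here again, since nothing matches a nil Check
		return nil, fmt.Errorf("too many failed logins: data wiped")
	}
	return nil, fmt.Errorf("wrong password (%d/%d)", v.Failures, maxAttempts)
}

func main() {
	v := NewVault("correct horse")
	_, err := v.Unlock("wrong guess")
	key, _ := v.Unlock("correct horse")
	fmt.Printf("first try: %v; retry recovered a %d-byte master key\n", err, len(key))
}
```

The returned key is what the application would hand to its encryption routines; it lives in memory only for the session and is re-derived on the next unlock.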

References – Microsoft TechNet

Security features of an iPhone app

Sandboxing and Mandatory Access Control Framework

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed.

Along similar lines, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code or untrusted programs from unverified third parties, suppliers and untrusted users. The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and in memory.

Some examples of sandboxes are:

  • Applets are self-contained programs that run in a virtual machine or scripting language interpreter that does the sandboxing.
  • A jail is a set of resource limits imposed on programs by the operating system kernel.
  • Rule-based Execution gives users full control over what processes are started, spawned (by other applications), or allowed to inject code into other apps and have access to the net.
  • Virtual machines emulate a complete host computer, on which a conventional operating system may boot and run as on actual hardware.
  • Capability systems can be thought of as a fine-grained sandboxing mechanism, in which programs are given opaque tokens when spawned and have the ability to do specific things based on what tokens they hold. An example of capability-based user-level sandboxing would be HTML rendering in Google Chrome.

Sandboxing provides fine-grained control over the ability of processes to access system resources. One purpose of this feature is to contain the “buffer overflow” security threat. A buffer overflow is a security lapse in which a program does not validate its input and accepts more data than can fit in the memory allocated to it. The data then overwrites memory owned by the system or by some other program. All applications installed on the iPhone are sandboxed.

Cryptography

Mac OS provides the “CSSM” (Cryptographic Services Manager) to implement cryptography, but it is not supported by iPhone OS. There, most of the cryptographic functions are provided by the Certificate, Key, and Trust Services API. Certificate, Key, and Trust Services operates on certificates that conform to the ITU X.509 standard, uses the keychain for storage and retrieval of certificates and keys, and uses the trust policies provided by Apple.

Code Signing

Developers are expected to add a digital signature to their apps without fail; for an iPhone app this is mandatory. In addition, Apple adds its own signature before distributing an iPhone OS application. The addition of a digital signature to an application or block of code is often referred to as code signing.

Code signing ensures the integrity of the program and allows the system to recognize updated versions as the same program as the original. Once a program is signed, any change in the code not intended by the developer, whether introduced accidentally or by hackers, can be detected by the system. On the iPhone, an application that hasn't been signed by Apple will not be executed.

References – Apple Developer Reference Library

Security and threat modeling is a vast arena and I have covered only a few important concepts here. I will explain the other security concepts available for Windows Mobile, iPhone apps and even other mobile operating systems in my future blogs. Mobile app security is mandatory if you want to gain the trust of the customers and the end users of the app. The mobile app should safeguard the user data, and the mobile app itself should not become an entry point for malicious code on their devices. If you haven’t yet thought about security for your mobile application, this is the time to start….

Sunday, December 6, 2009

Handling Memory constraints and Performance in Android

Memory and performance are among the key parameters that determine the success of any product, and of a mobile app in particular. Since Android allows multiple processes to run simultaneously, the memory constraint is even tighter on Android devices. Typically Android phones support 16MB per process. Here are some key areas to look out for when developing an Android application:

--Always avoid using Reflection, as it decreases performance. Reflection is usually used to change runtime behavior. It decreases performance because JVM optimization cannot be performed on reflective calls.

--Whenever possible use REST-based web service calls rather than SOAP. SOAP-based calls are least preferred for mobile devices. REST is more lightweight and also returns results in a readable format.

--Go for the SAX parser over DOM whenever you have a choice. DOM uses more memory and is slower than SAX. SAX does not create a default Java object model on top of the XML document, which improves performance and reduces memory usage.

--Use weak references and soft references wherever necessary, especially when you know that some of your objects will eat up a lot of your application's memory. The JVM guarantees that soft references will be garbage collected before it throws an OutOfMemoryError. Depending on your application's needs you can decide which reference type to use.

--Only fetch as much data as the user can actually see. If you have thousands of records to display, do not bring in more than 10 records at a time. That is, design your application so that only the items visible to the user at a time are brought over the network in each call. This way you reduce user wait time as well as battery drain.
--If you have images/bitmaps to display in your lists, implement scroll listeners and load the images only when the user scrolls them into view. This helps battery life. Use Bitmap.recycle() to free the memory.

--Use the Hierarchy Viewer to check the depth of your UI layout. The shallower the layout, the better the performance.

--Use the layoutopt tool, which helps you identify inefficiencies in your layout and thus improve performance.

You can also refer to the detailed documentation on the Android developer site for more information.