Category Archives: development

Java software quality: frameworks good, Struts or C++ bad says report

CAST has released an intriguing report on Java applications and software quality.

The company analysed 497 applications, comprising 152 million lines of code across 88 organisations and six global industries. It then looked at how software quality correlated with frameworks used.

◾Hibernate has the highest quality scores.
◾Applications built with Struts have the lowest quality scores.
◾Applications that did not use any framework had a huge variance in quality, which indicates that frameworks do in fact help develop applications of predictable quality.

A further investigation looked at what happens to software quality in mixed language applications:

◾Applications built in pure JEE, with no frameworks or multi-lingual mingling, had the highest quality scores.
◾Mixing Java with C or C++ lowers quality scores.
◾Mixing Java with COBOL, Java-DB, and Microsoft .NET delivered higher quality scores.

Frameworks are good but pure J2EE is better? Mixing with C/C++ lowers software quality, but mixing with .NET or COBOL raises software quality? These are odd results, and I wonder if this research is correlating the right factors. Here is a clue:

One common challenge for developers with framework usage is configuring them correctly. CAST data shows that a large majority of applications analyzed had some level of misconfiguration, indicating the need for better training or to simplify the use of frameworks.

I have a hunch that what this research really tells us is that the most competent developers deliver the highest quality code. Maybe the smartest developers do not use Struts.

The cross-platform app problem. What should the BBC do?

The BBC released a new sports app last week. In the comments to the announcement though, there is little attention given to the app or its content. Rather, the discussion is about why the BBC has apparently prioritised iOS over Android, since the Android version is not yet ready, with an occasional interjection from a Windows Phone user about why there is nothing at all for them.

BBC I think you need to actually catch up on what’s happening. Android is huge now. You should be launching both platforms together. A lot of people I know have switched to an Android device and your app release almost feels like discrimination!

says one user; while the BBC’s Lucie Mclean, product manager for mobile services, replies:

Back in July, when we launched the Olympics app for iPhone and Android together, we saw over three times as many downloads of the iPhone version. Android continues to grow apace but this, together with the development and testing complexity, led us to the decision to phase the iOS app first.

The BBC’s technology correspondent spoke to David Danker, head of iPlayer, about this problem back in December. Danker claims that the BBC spends more “energy” (I am not sure if that means time or just frustration) on Android than on Apple, and mainly blames Android fragmentation and the greater number of low-end devices for the delays:

It’s not just fragmentation of the operating system – it is the sheer variety of devices. Before Ice Cream Sandwich (an early variant of the Android operating system) most Android devices lacked the ability to play high quality video. If you used the same technology as we’ve always used for iPhone, you’d get stuttering or poor image quality. So we’re having to develop a variety of approaches for Android.

A couple of things are obvious. One is that Apple’s clearly-defined iOS development platform and limited range of devices is a win for developers. Despite frustrations over things like the way apps are sandboxed or Apple’s approval process, it is easier to target iOS than Android because the platform is more consistent. iOS users are also relatively prosperous and highly engaged with the web and the app store, so that even though Apple’s overall platform market share has fallen behind that of Android, it is still the most important market in some contexts.

Another is that the BBC cannot win. From a PR perspective, it should probably do simultaneous iOS and Android releases even if that means a delay, but even then there will be complaints over differences in detail between iOS and Android implementations. Further, the voices of those neglected minorities, such as Windows Phone and soon, Blackberry 10 users, will grow louder if iOS and Android achieve parity.

In all this, it is worth noting that the BBC gets one thing right, prioritising the mobile web:

The decision to launch the core mobile browser site first (before either app) was itself to ensure that users got a quality product across as wide a range of devices as possible.

says Mclean.

Personally I wonder if the BBC needs to do all these niche apps. The iPlayer app is the one that really matters, particularly when it offers download for offline viewing, but is a sports app so necessary?

Should it not concentrate instead on first, the mobile web site, and second, APIs that third-party developers can use, enabling developers on each platform to create high quality apps?

Another option would be to make cross-platform a religion, and cover all significant platforms while giving up some of the benefits of native code. High quality video is a problem; but in many scenarios the quality of the video is not such a big issue provided that it works and is intelligible.

Perhaps the BBC could make Cordova (an open source framework for cross-platform mobile apps) video work better. Having the BBC invest its publicly funded resources into open source cross-platform development is better PR than developing expensive apps for single platforms.

Got a Ruby on Rails application running? Patch it NOW

A security issue has been discovered in Ruby on Rails, a popular web application framework. It is a serious one:

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.
Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15

and also worth noting:

An attacker can execute any ruby code he wants including system("unix command"). This affects any rails version for the last 6 years. I’ve written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7 and there is no reason to believe this wouldn’t work on any Ruby/Rails combination since the bug was introduced. The exploit does not depend on code the user has written and will work with a new rails application without any controllers.

You can grab patched versions here.
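As an added example (not from the original post or from the Rails project), here is a Ruby script that reads each application’s Gemfile.lock and compares the pinned rails version with the fixed versions listed in the advisory above, so that an estate of Rails applications can be triaged quickly. The Gemfile.lock fragments and application names are constructed.

```ruby
require 'rubygems' # Gem::Version compares release numbers correctly (3.2.9 < 3.2.11)

# Fixed versions quoted in the advisory, keyed by release branch (major.minor).
FIXED_VERSIONS = {
  '3.2' => Gem::Version.new('3.2.11'),
  '3.1' => Gem::Version.new('3.1.10'),
  '3.0' => Gem::Version.new('3.0.19'),
  '2.3' => Gem::Version.new('2.3.15')
}.freeze

# Extract the resolved rails version from Gemfile.lock text. Bundler records the
# resolved gem under "specs:" as an indented "rails (x.y.z)" line; the entry in
# DEPENDENCIES is written "rails (= x.y.z)" and is deliberately not matched.
def rails_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^[ \t]+rails \((\d+(?:\.\d+)+)\)[ \t]*$/)
  m && Gem::Version.new(m[1])
end

# Classify one version. The advisory says ALL versions are affected, so a branch
# with no listed fix (2.2.x, say) is vulnerable too, but needs a branch upgrade
# rather than a point release, hence its own status.
def assess_rails_version(version)
  fixed = FIXED_VERSIONS[version.segments.first(2).join('.')]
  return :vulnerable_unsupported_branch if fixed.nil?
  version >= fixed ? :patched : :vulnerable
end

def assess_lockfile(lockfile_text)
  version = rails_version_from_lockfile(lockfile_text)
  return { version: nil, status: :no_rails } if version.nil?
  { version: version.to_s, status: assess_rails_version(version) }
end

# Constructed Gemfile.lock fragments standing in for real applications.
def lockfile(rails_version)
  <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        rails (#{rails_version})
          actionpack (= #{rails_version})

    DEPENDENCIES
      rails (= #{rails_version})
  LOCK
end

SAMPLE_APPS = {
  'billing'      => lockfile('3.2.10'), # one point release short of the fix
  'intranet'     => lockfile('3.2.11'), # already on the fixed version
  'legacy-admin' => lockfile('2.3.14'), # old branch, but a fix exists for it
  'prototype'    => lockfile('2.2.3'),  # branch with no fixed release at all
  'static-site'  => "GEM\n  specs:\n    sinatra (1.3.3)\n" # not a Rails app
}.freeze

# Returns { app_name => { version:, status: } } for every app in the estate.
def assess_estate(apps = SAMPLE_APPS)
  apps.transform_values { |text| assess_lockfile(text) }
end

if __FILE__ == $PROGRAM_NAME
  assess_estate.each do |app, r|
    puts format('%-13s rails %-7s %s', app, r[:version] || '-', r[:status])
  end
end
```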

How quickly can an organisation patch its applications? As Sourcefire security architect Adam J. O’Donnell observes, this is where strong DevOps pays dividends:

Modern web development practices have made major leaps when it comes to shortening the time from concept to deployment. After a programmer makes a change, they run a bunch of automated tests, push the change to a code repository, where it is picked up by another framework that assures the changes play nice with every other part of the system, and is finally pushed out to the customer-facing servers. The entire discipline of building out all of this infrastructure to support the automated testing and deployment of software is known as DevOps.

In a perfect world, everyone practices devops, and everyone’s devops workflow is working at all times. We don’t live in a perfect world.

For many organizations changing a library or a programming framework is no small task from a testing and deployment perspective. It needs to go through several steps between development and testing and finally deployment. During this window the only thing that will stop an attacker is either some form of network-layer technology that understands how the vulnerability is exploited or, well, luck.

This site runs WordPress, and if I look at the logs I see constant attack attempts. In fact, I see the same attacks on sites which do not run WordPress. The bots that do this are not very smart; they try some exploit against every site they can crawl and do not care how many 404 (page not found) errors they get. Once in a while, they hit. Sometimes it is the little-used applications, the tests and prototypes, that are more of a concern than the busy sites, since they are less likely to be patched, and might provide a gateway to other sites or data that matter more, depending on how the web server is configured.
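Added here as an example (not from the original post): detection logic in Ruby that picks out the not-very-smart bots described above from a web server access log, flagging any client whose requests are dominated by 404s spread over many distinct paths in a short burst. The log lines are constructed, in combined log format, and use documentation IP ranges; the thresholds are assumptions to tune for a real site.

```ruby
require 'time' # Time.strptime for the access-log timestamp

# Common/combined log format: client, identd, user, [time], "request", status, ...
LOG_PATTERN = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) /

# Parse one access-log line into a hash, or nil if it is not in the expected format.
def parse_log_line(line)
  m = LOG_PATTERN.match(line)
  return nil unless m
  { ip: m[:ip], method: m[:method], path: m[:path], status: m[:status].to_i,
    time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z') }
end

# Flag clients whose traffic is mostly 404s over many distinct paths: a browser
# following links on a live site rarely produces that pattern, whereas a bot
# walking a list of URLs for applications the site does not run does.
def flag_probing_clients(log_text, min_missing_paths: 5, min_not_found_ratio: 0.8)
  per_client = Hash.new { |h, k| h[k] = { requests: 0, paths: [], times: [] } }
  log_text.each_line do |line|
    entry = parse_log_line(line.chomp)
    next unless entry
    client = per_client[entry[:ip]]
    client[:requests] += 1
    next unless entry[:status] == 404
    client[:paths] << entry[:path]
    client[:times] << entry[:time]
  end
  per_client.each_with_object({}) do |(ip, c), flagged|
    distinct = c[:paths].uniq
    ratio = c[:paths].size.to_f / c[:requests]
    next unless distinct.size >= min_missing_paths && ratio >= min_not_found_ratio
    flagged[ip] = { probed_paths: distinct, not_found_ratio: ratio.round(2),
                    burst_seconds: (c[:times].max - c[:times].min).round }
  end
end

# Constructed access log: one probing bot interleaved with two ordinary visitors.
SAMPLE_LOG = <<~LOG
  198.51.100.23 - - [10/Jan/2013:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
  198.51.100.23 - - [10/Jan/2013:03:14:07 +0000] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
  203.0.113.5 - - [10/Jan/2013:03:14:08 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
  198.51.100.23 - - [10/Jan/2013:03:14:08 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
  198.51.100.23 - - [10/Jan/2013:03:14:09 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
  203.0.113.5 - - [10/Jan/2013:03:14:09 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
  198.51.100.23 - - [10/Jan/2013:03:14:10 +0000] "GET /wp-content/plugins/hello.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
  203.0.113.5 - - [10/Jan/2013:03:14:10 +0000] "GET /favicon.ico HTTP/1.1" 404 512 "-" "Mozilla/5.0"
  198.51.100.23 - - [10/Jan/2013:03:14:11 +0000] "GET /old/prototype/login HTTP/1.1" 404 512 "-" "Mozilla/5.0"
  192.0.2.77 - - [10/Jan/2013:03:15:00 +0000] "GET /about HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
LOG

if __FILE__ == $PROGRAM_NAME
  flag_probing_clients(SAMPLE_LOG).each do |ip, info|
    puts "#{ip}: #{info[:probed_paths].size} missing paths in #{info[:burst_seconds]}s " \
         "(#{(info[:not_found_ratio] * 100).to_i}% of its requests were 404)"
  end
end
```

The ordinary visitor with a single missing favicon is not flagged, which is the point of requiring both many distinct paths and a high 404 ratio rather than either alone.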

Hands on Cross-Platform Windows and Mac development with C++ Builder XE3

I have been writing about Embarcadero’s RAD Studio XE3, which includes Delphi and C++ Builder, and as part of the research I set this up for cross-platform development on a Mac.

My setup uses a Parallels Virtual Machine to run Windows 7, on which RAD Studio XE3 is installed. This is convenient for Mac development, since the IDE itself is Windows only. That said, if I were doing this in earnest I would use multiple displays or perhaps separate physical machines, since it is no fun debugging in a VM with the application running in another operating system behind it.

Is it straightforward to configure? Not too bad. You have to install Xcode on the Mac, and in addition, you have to install the Xcode command line tools, which you can do from Xcode itself, in Preferences – Downloads – Components, or as a separate download.

Then you need to find the Platform Assistant (paserver), an agent which runs on the Mac to support remote debugging. I was annoyed to find that this has a dependency on Java SE6, which to be fair it downloaded and installed automatically. Actually I find this amusing, after hearing from an Embarcadero VP how native code is all the rage and nobody uses managed code any more. Except Embarcadero for the paserver.

Once that is all up and running you are done on the Mac side. On Windows, you then need to sort out a remote profile, after having installed RAD Studio of course. The way to do this is first to start a new cross-platform project, which means using the FireMonkey framework. Then right-click TargetPlatforms in the project manager and add a platform. If you add OSX but no remote profile exists, you will be prompted to create one.

This is where something went slightly wrong. I created a profile and could connect OK. However, when I tried to build the project, I got an error: Unable to open include file ‘CoreFoundation/CoreFoundation.h’. You get this if for some reason the required library files have not been pulled over from the Mac. The fix is to edit the profile and click Update Local File Cache.

After that I was away. Set breakpoints if needed, build and debug.

Cross-platform is not new in RAD Studio; it was in XE2, and in some ways better, since you could target iOS as well as OSX. C++ Builder XE3 is actually a new generation though. In the 64-bit update 1, it is the first release to use Clang and LLVM, and from what I understand this represents the future for Embarcadero’s tools.

Updates are promised in 2013 for both Delphi and C++Builder – this roadmap is most of what we have to go on – which will add first iOS and later Android support, at what the company calls a “low cost”. Unlike the iOS support in XE2, the coming update will not use the Free Pascal compiler, but the new architecture based on LLVM. This also suggests that the add-on will replace some of the guts of Delphi when it arrives, so it will be significant and somewhat risky.

The cross-platform capabilities look good, though I am somewhat wary of FireMonkey, which is less complete and mature than the Windows-only VCL. For example, no Webbrowser component is supplied, which is a significant limitation, though I am sure there are ways of hacking this, perhaps through ChromiumEmbedded, for which a Delphi FireMonkey wrapper exists.

It is worth a bit of effort, since Delphi and C++Builder are productive tools, and the output is true native code, which still has advantages.

More information on RAD Studio XE3 is here.

Google fights Android fragmentation with new SDK terms

Google has revised the terms of the Android SDK license agreement so that users must now agree not to fragment Android by deriving other SDKs from Google’s official offering. In fact, you now have to agree not to fragment Android in any way as a condition of using the Android SDK.

The key clauses seem to be these (I write as a non-lawyer):

3.2 You agree that Google or third parties own all legal right, title and interest in and to the SDK, including any Intellectual Property Rights that subsist in the SDK. "Intellectual Property Rights" means any and all rights under patent law, copyright law, trade secret law, trademark law, and any and all other proprietary rights. Google reserves all rights not expressly granted to you.

3.3 You may not use the SDK for any purpose not expressly permitted by this License Agreement. Except to the extent required by applicable third party licenses, you may not: (a) copy (except for backup purposes), modify, adapt, redistribute, decompile, reverse engineer, disassemble, or create derivative works of the SDK or any part of the SDK; or (b) load any part of the SDK onto a mobile handset or any other hardware device except a personal computer, combine any part of the SDK with other software, or distribute any software or device incorporating a part of the SDK.

3.4 You agree that you will not take any actions that may cause or result in the fragmentation of Android, including but not limited to distributing, participating in the creation of, or promoting in any way a software development kit derived from the SDK.

How much of this is new? Here are the terms as stored on my hard drive:

3.2 You agree that Google or third parties own all legal right, title and interest in and to the SDK, including any Intellectual Property Rights that subsist in the SDK. "Intellectual Property Rights" means any and all rights under patent law, copyright law, trade secret law, trademark law, and any and all other proprietary rights. Google reserves all rights not expressly granted to you.

3.3 Except to the extent required by applicable third party licenses, you may not copy (except for backup purposes), modify, adapt, redistribute, decompile, reverse engineer, disassemble, or create derivative works of the SDK or any part of the SDK. Except to the extent required by applicable third party licenses, you may not load any part of the SDK onto a mobile handset or any other hardware device except a personal computer, combine any part of the SDK with other software, or distribute any software or device incorporating a part of the SDK.

The clause 3.4 specifically concerning fragmentation is new, but the clause 3.3 forbidding the creation of derivative works is not. When this was first added is an interesting question; please comment if you know.

Note that the Android SDK depends on the Java Development Kit, and that Google’s use of Java in Android was the subject of unsuccessful litigation from Oracle.

Free software advocate Torsten Grote has posted about the move here and says:

This situation is far from perfect for software freedom. Developing Android Apps in freedom is only possible as soon as the Replicant developers catch up. Looks like Android stops being a Free Software friendly platform.

Replicant is a free version of the Android software stack including an SDK, though of course it will not be possible to include new parts of the SDK only available under the non-free license.

Xamarin brings C# to development of apps for the Mac App Store

Xamarin has released Xamarin Mac which adds Mac support to the existing iOS and Android compilers from the company:

  • MonoTouch: apps for iPhone and iPad using the MonoDevelop IDE on the Mac
  • Mono for Android: apps for Android using either Visual Studio or MonoDevelop
  • Xamarin.Mac: apps for Mac OS X using MonoDevelop on the Mac

The major platforms missing from the above are Windows and Linux (unless you count Android), even though Mono began as a Linux implementation of Microsoft’s .NET platform.

Xamarin says that a Windows version is not necessary since you can use Microsoft’s tools to code in C# for Windows desktop and Windows phone.

You can also get Mono for Windows, Mac and Linux from the old Mono project site.

Why would you bother with paid-for Xamarin.Mac when you can get Mono for Mac as a free download? There is even a Mac packager which lets you create a standalone package for your Mono app. A good question, but I guess the answer is the benefit of Xamarin-specific libraries and support from the company. Xamarin has also done the work to ensure that you can distribute your app via the Mac App Store.

Xamarin.Mac costs $399 for personal use, or $999 for an enterprise license which allows internal as well as app store distribution. A one year, one seat license with priority support costs $2,499.

Xamarin knows how to charge then, and in the end that may be a key reason why the project is working, whereas Mono struggled as an open source project that never had the resources it deserved.

The Mono Project site now says that it is “sponsored by Xamarin” so open source developers are getting some benefit from the commercial offshoot.

Xamarin is important for the C# language, since it represents a viable implementation which is independent of Microsoft.

Trial apps and in-app purchases easy to hack on Windows 8 says Nokia engineer

A principal engineer at Nokia, Justin Angel, has written a piece showing how to hack apps on Windows 8, undermining their potential revenue for the app vendors. “This is an educational article written in the hope both developers and Microsoft can benefit from an open exchange of knowledge,” he says, adding that the article was written in his own time and has nothing to do with his employer.

The hacks he describes cover:

  • Compromising in-app purchases by modifying data held locally, such as app currency
  • Converting trial apps to full versions without paying
  • Removing ads from games
  • Reducing the cost of items offered for in-app purchase
  • Injecting Javascript into the Internet Explorer 10 process in order to bypass trial restrictions

There is an inherent security weakness in any app that has to work offline, since the decryption keys also have to be stored locally; this inherent weakness is not unique to Windows 8. However, Angel argues that Microsoft could do more to address this, such as checking for tampered app files and preventing Javascript injection. Code obfuscation could also mitigate the vulnerabilities.

Although Angel is writing in his own time, the issues are relevant to Nokia, which makes Windows Phone devices and may make Windows 8 tablets in future.

Should Angel have revealed the cracks so openly and in such detail? This is an old debate; but it is sure to increase pressure on Microsoft to improve the security of the platform.

Embarcadero launches C++ Builder XE3: first built on Clang

Embarcadero has released C++ Builder XE3, the first version built on the open source clang front end for the LLVM compiler. This has enabled the product to support many new features, including extensive C++ 11 support and a 64-bit compiler.

While it is a shame that the old Borland C/C++ Compiler is no more, it makes sense for Embarcadero to bring its VCL (Visual Component Library) and FireMonkey framework to Clang rather than continuing to work on its own compiler.

The other big change is cross-platform support. Through FireMonkey, C++ Builder XE3 supports Windows (including Windows 8) and Mac OS X, with iOS and Android promised for 2013.

Although Windows 8 is supported on the desktop, there is no official support for the Windows Runtime (Windows Store apps). Instead, Embarcadero has a curious application framework called Metropolis which fakes the Windows 8 style but with desktop applications, as if the Windows 8 world were not already sufficiently confusing.

The big question is how compatible VCL applications created for earlier versions of C++ Builder are with the XE3 release. With a new compiler and major changes to the VCL in order to support the new compiler, you might expect some issues.

“That’s what we’ve been spending all of our time on,” Embarcadero VP Michael Swindell told me. “This is fully compatible with all our previous C++ dialects. We’ve completely re-engineered the C++ front end but it’s engineered to be compatible with C++ Builder applications and Borland C++ applications.”

I would rather hear that from developers though, rather than from Embarcadero.

Although C++ Builder is a cross-platform compiler, it only runs on Windows. A common scenario is to run Windows in a virtual machine on a Mac, using VMware Fusion or Parallels.

Similar changes are on the way for Delphi, which uses the same VCL and FireMonkey frameworks but with the Delphi language based on Object Pascal.

Note that the new Clang-based compiler is 64-bit only. You are meant to continue using the old Borland compiler for 32-bit, making it hard to maintain a single code base for both.

Microsoft Silverlight: shattered into a million broken urls

There has been some Twitter chatter about the closure of silverlight.net, Microsoft’s official site for its lightweight .NET client platform, multimedia player and browser plug-in.

I am not sure when it happened, but it is true. Silverlight.net now redirects to a page on MSDN. Some but not all of the content has been migrated to MSDN, but Microsoft has not bothered to redirect the URLs, so most of the links out there to resources and discussions on Silverlight will dump you to the aforementioned generic page.

One of the things this demonstrates is how short-sighted it is to create these mini-sites with their own top-level domain. It illustrates how fractured Microsoft is, with individual teams doing their own thing regardless. Microsoft has dozens of these sites, such as windowsazure.com, windowsphone.com, asp.net, and so on; there is little consistency of style, and when someone decides to fold one of these back to the main site, all the links die.

What about Silverlight though? It was always going to be a struggle against Flash, but Silverlight was a great technical achievement and I see it as client-side .NET done right, lightweight, secure, and powerful. It is easy to find flaws. Microsoft should have retained the cross-platform vision it started with; it should have worked wholeheartedly with the Mono team for Linux-based platforms; it should have retained parity between Windows and Mac; it should never have compromised Silverlight with the COM support that arrived in Silverlight 4.

The reasons for the absence of Silverlight in the Windows Runtime on Windows 8, and in both Metro and desktop environments in Windows RT, are likely political. The ability to run Silverlight apps on Surface RT would enhance the platform and, if COM support were removed, would do so without compromising security.

XAML and .NET in the Windows Runtime is akin to Silverlight, but with enough differences to make porting difficult. There is an argument that supporting Silverlight there would confuse matters, though since Silverlight is still the development platform for Windows Phone 8 it is already confusing. Silverlight is a mature platform and if Microsoft had supported it in the Windows Runtime, we would have had a better set of apps at launch as well as more developer engagement.

I posted that Microsoft’s Silverlight dream is over in October 2010, during Microsoft’s final Professional Developers Conference, which is when the end of Silverlight became obvious. It lives on in Windows Phone, but I would guess that Windows Phone 8.5 or 9.0 will deprecate Silverlight in favour of the Windows Runtime. A shame, though of course it will be supported on the x86 Windows desktop and in x86 Internet Explorer for years to come.

Adobe launches Game Developer Tools including Scout profiler

Adobe is reminding developers that Flash is still around as a game development platform, with the release of a Game Developer Tools package including a Gaming SDK, the Flash C++ Compiler which translates C++ to ActionScript, Flash Professional CS6 and Flash Builder 4.7.

The new thing here is the Scout profiler, previewed as Monocle, which is now available for Creative Cloud subscribers. Scout is a desktop app which profiles Flash apps that have telemetry enabled. The app has to be running in Flash Player 11.4 or higher and have Advanced Telemetry enabled for most of the features to work. You can analyse the time taken for ActionScript code to execute, CPU usage, rendering time for the Flash DisplayList, and record Stage3D commands (hardware accelerated 2D and 3D graphics).

Normally Scout analyses Flash content running on the same machine, but there is a companion agent that you can use on iOS and Android for remote profiling of mobile apps.

I downloaded and installed the Game Developer Tools, but with only partial success, since I mainly use Windows 8 and the Flash Player there is behind that used on Windows 7 and Mac. The reason is that Flash Player is now updated via Windows Update, and this additional step seems to mean delays. I was able to try out Scout using Google Chrome, which has Flash Player 11.5 installed, but have not yet figured out how to update the default Flash Player for the system, which is the one used by Flash Professional and Flash Builder. At the time of writing this is Flash Player 11.3, which is insufficient for the Game Developer Tools.

Flash is a strong platform for game development, though it has lost momentum now that Adobe is betting mainly on HTML 5. I also hear a lot about Unity for cross-platform game development. Unity lets you publish to Adobe Flash Player, giving you more choices than with pure Flash development.