Thursday, September 4, 2014

How to add an iOS Image Set to an Asset Catalog using Xamarin Studio

 

With the official launch of iOS 8 just around the corner, I thought it was time to get up to speed on Asset Catalogs, and with that, Image Sets.

Image Sets let you group the different versions of an image together, and you then add these sets to an Asset Catalog.  This lets you create multiple versions of the same image and have iOS automatically load the correct version at runtime depending on the device.

Traditionally this would be used for providing regular and retina assets, as well as adding different versions depending on the idiom (i.e. iPhone / iPad).  Apple made it clear this year at WWDC 2014 that this is going to be much more powerful when using Universal Storyboards and storing different versions of the image based on traits (but that’s a whole other conversation).

So let’s see how we go about creating an Image Set in Xamarin Studio.  The first thing we need to do is create an Asset Catalog:

Right click on your project and select “Add” –> “New File” and then select “Asset Catalog”.


Give it a name and click the “New” button.

By default the asset catalog includes Image Sets for application icons and launch images.  And this is a great way to keep them organized, but if you’re adding your application assets manually you can delete these two sets.

Next, right click on the Asset Catalog and select “Add” –> “New Image Set”


Now just click on the Contents.json file and drag files from Finder to the appropriate location.  Currently you can set universal assets as well as device-specific assets (iPhone / iPad), and I’d expect to see further support for traits when iOS 8 is officially released.


Tuesday, September 2, 2014

A Security Perspective on the Cross-platform Mobile Space

The August Vancouvermobile.net meetup focused on mobile application security and covered some basic tips on how developers might go about securing data within their applications, specifically looking at a couple of encryption methods to secure data from prying eyes.

In preparing for the meetup I did some research on the security of the mobile platform to understand the scope of the problem and where the vulnerabilities lie.  There are a number of reports published by well-respected technology companies that review this area; a handful that were reviewed are:

The statistics and positions referred to in this post borrow from these reports.

The discussion starts from a fundamental premise – data has value.  Data can be viewed as the online currency, with different types of data having different degrees of value.  Not surprisingly, the greater the value of the data, the greater the risk of malicious actors trying to attack it.  In trying to generalize the value of different data types, here is an interpretation of three types of data-value classification:

  1. Personal Data – this is data that identifies an individual; however, having this data does not necessarily enable a malicious actor to do any harm.  Examples of personal data might be e-mail addresses, telephone numbers or even a home address.  Things get interesting when you combine several pieces of personal data: the correlation of this data might lead to information that is more sensitive.  Personal data may be subject to regulatory control depending on the geography that you are in.  For example, here in Canada there is the Personal Information Protection and Electronic Documents Act (PIPEDA).  The act establishes rules for the management of personal information by organizations involved in commercial activities.
  2. Sensitive Data – this is data that an individual would want to keep private.  Examples of sensitive data might be credit card numbers, social insurance numbers, passwords or PIN numbers.  This type of data is likely to be subject to local legislation such as PIPEDA but may also have specific additional regulatory legislation in place.  For example PCI compliance is required when dealing with financial data.
  3. Business Data – this post is really talking about personal and sensitive information but it is important to remember that a device may be used for business purposes and business data has a different type of value.  The presence of business data may increase the risk of a mobile device being targeted.

This establishes a foundation where there is an understanding that data on a mobile device has value, not only to the user who will want it protected but to malicious actors who may want to gain from stealing that data.  Malicious actors who want to obtain personal and sensitive data for financial gain often use tools that fall under the generic heading of crimeware.  This term is used to define a subset of malware which is used to facilitate cybercrime, such as identity theft.

One of the most popular crimeware platforms highlighted by the Verizon report is Zitmo (Zeus in the Mobile).  Zitmo is a variant of the Zeus malware targeted specifically at mobile platforms.

There are a few themes that run through all of the reports that highlight the importance for software developers to secure their apps to protect data.
  • The mobile platform is seeing increased interest from malicious actors as a platform worth attacking.  Although the amount of malware targeting mobile devices specifically is still small, the trend shows that it is growing rapidly.
  • Android currently appears to be the largest target for malware.  Cisco reports that Android users make up 71% of the encounters with web-delivered malware, with iOS coming in second place at 14%.
  • Physical theft of mobile devices still presents a real threat.  The easiest way to reduce the risk of data theft from a stolen device is to use encryption on mobile devices.
  • To be most effective, security should be considered from the start of development, not as an afterthought to be layered into a product after completion.
  • Mobile devices only make up one aspect of a service; security needs to be considered within the device, across the network and into the cloud service that may be supporting the mobile application.

What can mobile app developers do?  A few things came out of the meet-up.  This is by no means a comprehensive list, but a summary of the topics discussed within the time we had available on the night:
  • Consider the types of data being used within your mobile app:
    • What is the value of that data to the user?
    • How should the data be appropriately secured?
  • Use the right method to secure data depending on the data type and its sensitivity:
    • Use encryption where it is necessary to store and retrieve data and consider the right type of encryption for the type of data being stored.  
    • Use hashing for data such as passwords and PIN numbers where there is no requirement to decrypt the data in the future.
  • Consider the use of shared services, like OAuth, so that sensitive data need not be stored within your app.
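
The hashing advice above, as an added C# example (not code from the original post or the meetup): a PIN is stored as a salted PBKDF2 hash and later checked in constant time, so the PIN itself never needs to be recovered. The class name `PinStore`, the `iterations.salt.hash` record format and the iteration count are assumptions, and the code needs a .NET runtime that provides `CryptographicOperations`.

```csharp
using System;
using System.Security.Cryptography;

static class PinStore
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int Iterations = 100000; // assumed work factor; tune on the slowest supported device

    // One-way: derive a salted PBKDF2 hash; only "iterations.salt.hash" is persisted.
    public static string Hash(string pin)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(pin, salt, Iterations, HashAlgorithmName.SHA256))
            return Iterations + "." + Convert.ToBase64String(salt) + "." +
                   Convert.ToBase64String(kdf.GetBytes(HashBytes));
    }

    // Re-derive from the candidate PIN with the stored salt and compare in constant time.
    public static bool Verify(string pin, string record)
    {
        var parts = record.Split('.');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations) || iterations < 1)
            return false;
        try
        {
            var salt = Convert.FromBase64String(parts[1]);
            var expected = Convert.FromBase64String(parts[2]);
            using (var kdf = new Rfc2898DeriveBytes(pin, salt, iterations, HashAlgorithmName.SHA256))
                return CryptographicOperations.FixedTimeEquals(kdf.GetBytes(expected.Length), expected);
        }
        catch (FormatException) { return false; }   // record is not valid Base64
        catch (ArgumentException) { return false; } // salt too short or empty hash
    }

    static void Main()
    {
        // "4921" is a constructed sample PIN; each call generates its own salt.
        string first = Hash("4921"), second = Hash("4921");
        Console.WriteLine("records differ: " + (first != second));
        Console.WriteLine("correct PIN accepted: " + Verify("4921", first));
        Console.WriteLine("wrong PIN accepted: " + Verify("4912", first));
    }
}
```

A four-digit PIN has only 10,000 possible values, so the salt and iteration count slow offline guessing rather than prevent it; the record should still be kept in platform-protected storage.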

To finish off, there is a great quote that puts a good perspective on IT security:
"Security in IT is like locking your house or car - it doesn't stop the bad guys, but if it's good enough they may move on to an easier target." - Paul Herbka