Skip to content

Posts from the ‘Software Development’ Category


Encryption is easy. Don’t be lazy.

I was working on an internal app for our support staffs. It’s a web app that connects to iFormBuilder through the public API. To use it, one will have to get the API key, secret, etc., from the server.

It’s a very light-weight app so I didn’t want to setup another database. So I thought, yeah, it’s internal anyway, let’s just put the key, secret, and server id in cookies.

So I went about finishing the app with just that. 3 parameters saved in cookies.

All is good.

Except not. A voice came into my head as I walk down the hall.

“Sze, are you sure? Is this going to be that one other thing that you will regret later? Come on! Hold yourself to a higher standard!”

So I walked back to my desk, put headphone on. Shortly after, the following is in place:

$clientId = $_REQUEST['clientId'];
$clientSecret = $_REQUEST['clientSecret'];
$serverId = $_REQUEST['serverId'];
$token = "$clientId::$clientSecret::$serverId";
$key = '...';
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $token, MCRYPT_MODE_CBC, md5(md5($key))));

And on the other side:

$key = '...';
$encryptedToken = $_COOKIE['apiToken'];
$decryptedToken = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encryptedToken), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
$tokens = explode('::',$decryptedToken);
$global_clientKey = $tokens[0];
$global_clientSecret = $tokens[1];
$global_serverId = $tokens[2];

And that’s it.

This post is to remind myself that Encryption is easy. Don’t be lazy.



FISMA / HIPAA Compliance on iOS

Last night I presented at the MoDevDC Meetup on the topic of security on the iOS platform. It was a fun discussion among 50+ local mobile developers.

In this presentation, I am going to discuss the technical challenges
of how we secure our app (iForm ES) in order to satisfy various
requirements from FISMA and HIPAA. This is a technical presentation
and code examples will be shared.

- The basics: OS level security, keychain, file attributes,
- Getting to jailbreak proof: local authentication, prevent keyboard
cache, local database encryption
- FISMA/HIPAA Compliance: FIPS 140-2, two factor authentication, intrusion prevention,
end-to-end PKI, X.509 digital signature

Disclaimer: This is not a check list of how to get FISMA/HIPAA certifications. We are simply sharing our experience.

Here is the presentation: MoDevMeetup-05042011

And Code Examples


The world with tablets

I was having lunch with a friend and we chat about the future where most people will use the tablet more than a PC. ( I know, that’s Steve Jobs’ vision, but it’s also Bill Gates’ and also mine. ;) ) Anyway, he start asking questions like, “but is the tablet powerful enough to handle everything”.

This reminds me of the early day of digital photography when people asked, “wow, if we are taking hundreds of pictures, wouldn’t it cost a lot to have them developed?” “how do I put them in albums?” “what do I do with my baby book if I don’t print all the pictures out?” “So I won’t be able to flip through the pictures?”

With new technology, your behavior will change. There will be give and take but to the better for the most part. I think it will be the same in the tablet world. A world where most ‘computing’ is done from a tablet like device rather than a PC. Some people will love it, some will hate it, most will adjust to it. That’s progress and I like it.


Keep your iPhone apps from crashing

Yes, once again I found myself having to track down some memory issues. Today I tracked down 3 major areas that cause apps to crash. Yes, even if you do all the great Objective-C alloc/release/dealloc you still will be faced with these.

I think most apps have at least 1 of these 3 potential issues so I’m writing down what I did to mitigate the issues and keep the apps from crashing.

So here are the 3, in the order of memory consumption:

1. SQLite – no, there is no memory leak in sqlite, but most people keep one opening connection throughout the app and as you keep creating and freeing prepare statements, it continues to use to memory until the database connection is closed.

2. The Photo Picker – yes, you thought Apple have fixed it in 3.0. They did, but it’s still leaking! If your app takes one or two pictures, then it’s fine. But if your app allows users to potentially take 100 pictures, then eventually you run out of memory, and crash.

3. Network connection. NSURLConnection to be specific. Now-a-days most apps are network enabled and connects to the backend. Some people on the web says the leak is minimal so there’s no need to worry about. Well, if your app (like games) ping the server every second, then a 100 byte leak will soon add up.

And here are my solutions:

1. To deal with SQLite, you have two options. One is to open and close connections frequently. Depends on where you grow up, you may or may not like this option. I happened to grow up in Oracle land, so creating connection every time is something that I tend not to do. What I did is to force temp tables to be created in files instead of memory, thus reducing consumption. Just add the following line after opening a database connection:

if (sqlite3_open([path UTF8String], &database) == SQLITE_OK){

sqlite3_exec(database, “PRAGMA temp_store=1″, NULL, NULL, NULL); //Force using disk for temp storage to reduce memeory footprint.

2. Now the Photo Picker that we all learn to love to hate. The easiest work around is to create a singleton class to limit the memory leak. Basically avoid creating multiple Photo Picker (As everytime you create one, it leaks like 3K).

@interface ZCImagePicker : UIImagePickerController {}

+ (ZCImagePicker*)sharedInstance;


static ZCImagePicker *myInstance = nil;

@implementation ZCImagePicker

+ (ZCImagePicker *)sharedInstance {

@synchronized(self) {

if (myInstance == nil) {

myInstance = [[self alloc] init];



return myInstance;


- (void)dealloc{

[super dealloc];



3. Finally on NSURLConnection, just avoid using sendSynchronousRequest. Use the standard async methods you will be fine.

Hope this can help to keep your next iphone apps from crashing.


iPhoneDevCamp DC Demo

For those of you who will attend my presentation in the iPhoneDevCamp tomorrow, please do the following in advance to follow along in the demo:

1. Download exZact Lite from the App Store.

2. Goto the Setting screen, key in the following:

Email Address: ipdcdc (Yes, it’s not really an email address, it will work, trust me.)


3. Hit Sync Data With Server

See you all tomorrow.


iPhoneDevCampDC Presentation Overview

I’m going to the iPhoneDevCampDC tonight and tomorrow. I will try to present the following. Hope I can get the vote.


Handling NULL type in the XMLRPC2 package

While working on a client project, I came across an interesting issue in the PEAR::XMLRPC2 package. By default, it uses the xmlrpc C extension in the system. Now that is great but the implementation of that library is so slightly different between different platforms. I found that on Ubuntu, that library can’t handle utf-8 encoding (if you know how to do that, let me know), and in some other system it’s missing all together.

I also found out that you can switch it to use the Php implementation of XML encode/decoding so it should be more cross platform. Great. However, that package doesn’t handle the NULL type, which the xmlrpc extension does!

As we already have multiple projects using this and many databases have NULL in it, I don’t want to do through every project to ensure we don’t send NULLs across, I went ahead and hacked the Php implementation to handle NULL.

Here is what I did (May not be completely correct, if you have better solution, let me know).

STEP 1: Update Value.php
Goto: XML/RPC2/Backend/Php/Value.php. Search for NULL. You will see it explicitly throws an exception. Change the case statment:

case ‘NULL’:
$explicitType = ‘null’;
case ‘resource’:
case ‘unknown type’:

Then a few lines below, yet another switch-case statement, add the handling of Null:

case ‘Null’:
return ”;

That’s it for Value.php. Now any independent Nulls will be handled correctly.

STEP 2: Update Struct.php
To avoid Struct calling encode() on a null pointer, goto /XML/RPC2/Backend/Php/Value/Struct.php. Goto encode(), add two lines:

$result .= ‘<value>’;
error_log(“element is $element”);
if ($element==null) $result .= ‘<string></string>’;
$result .= ($element instanceof XML_RPC2_Backend_Php_Value) ?

That’s it.

Now your xmlrpc will return empty string for NULL.

OK, so null is not empty string right? And one should not try to send null through XML? Correct. That’s why on new code, like on the iPhone, I’m coding to avoid sending NULL through XML. But on server code, many many of them, I’m just lazy.

Again, should you have better solution, let me know.


WordPress Expert!

Yesterday, my co-worker called and said where can he find a wordpress expert and said someone should be able to get it done in an hour. So, I asked, what do you need?

  • I have 3 themes that I like, I want to mix them up.
  • I want to do wrapper pages just like I could in Joomla.
  • and…

Wo, wo, I said, even if someone is very good with WordPress they can’t get that done in an hour. So, Sze being Sze, said, “I will look into it.”

By 3 pm, I finished:

- Mixing the overeasy theme with videographer theme so some posts uses videographer’s templates.
- Created custom sidebar for different pages
- Created a new wrapper template for wrapper external pages.

Am I a wordpress expert? No. I am just a friend.


UIButton setTitle issue in iPhone OS 3.0

I was working on a client project and come across a bizarre issue. I eventually solved it. Here is the issue, see if you can spot where the problem is.

The following few lines of code generates a button with label “Next” in SDK 2.2.1 but under 3.0, the label is gone.

UIButton *nextButton = [[UIButton buttonWithType: UIButtonTypeRoundedRect] initWithFrame:CGRectMake(183, 30, 65, 25)];
[nextButton addTarget:self action: @selector(nextSettings) forControlEvents: UIControlEventTouchUpInside];
[nextButton setTitle:@"Next" forState:UIControlStateNormal];
[nextButton setTitleColor:[UIColor blackColor] forState: UIControlStateNormal];
[self.view addSubview:nextButton];


Setting up headless Ubuntu with XFCE and VNC (Slicehost)

I recently have to setup a headless Ubuntu box (on slicehost) with GUI support. After search the web I couldn’t find a clean solution. So here it is, hopefully people don’t have to spend as much time as I did.

This solution is based on Ubuntu install on slicehost.

First, setup your machine’s basic security by following this:

Next, ssh to your box with your admin user (not root) and install xfce and vnc:
>sudo aptitude install vnc4server
>sudo aptitude install xfce4

Now we want to run a quick test on the vncserver:
>vnc4server -geometry 1024×768

It should ask for a password, type in something you can remember, this will be your vnc password.
You should see something like:

You will require a password to access your desktops.

xauth:  creating new authority file /home/adminA/.Xauthority

New 'HostA:1 (adminA)' desktop is HostA:1

Creating default startup script /home/adminA/.vnc/xstartup
Starting applications specified in /home/adminA/.vnc/xstartup
Log file is /home/adminA/.vnc/HostA:a.log

All seems fine. Now kill vnc:
>vnc4server -kill :1

Setup vnc to start xfce:
>vi ~/.vnc/xtartup (or use your favorite editor)

The file should look lie:

# Uncomment the following two lines for normal desktop:
# exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

Now change the last couple of lines to:

xsetroot -solid grey
vncconfig -iconic &
# xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
# twm &

Server setup is now DONE!

STEP 5 (Client):
If you have followed the setup in Step 1, your iptables should be configured to open only http, https and ssh. Instead of opening port for VNC, we will do ssh tunneling. (Slightly more hassle but much more secure):

On your client machine (Windows, Mac, etc), with your favorite ssh client:

(assume you setup your ssh port in step 1 to 4567, hostA is the server name, adminA is the username)

>ssh -p 4567 -L 5902:localhost:5901 hostA -l adminA

On Putty (PC),

Goto the Tunnels setting inside Connection->ssh
Source Port : 5902
Destination: localhost:5901
Hit Add. The following should show up in the Forwarded ports list:
“L5901 localhost:5901″

Once logged in the server, start vnc:

>vnc4server -geometry 1024×768

Then leave the session running. You are almost done.

STEP 6 (Client):
Now just start your favortie VNC client and connect to: localhost:5902

Note because we are using SSH tunnel, VNC to connect to localhost instead of your server. Port should be 5902 and not 5901. SSH will do the rest.

XFCE should now show up.

STEP 7 (Client)
Yes, there is a Step 7. That’s the clean up. We don’t want VNC to be running all the time so when you are done, before killing the ssh session, kill VNC:

>vnc4server -kill :1

From now on all you need to do is to repeat Step 5-7.