Mike Kuphal's Thoughts

As I wait in the airport for my flight to board, I figured I would put together a quick Mobile Connections 2011 ’Top 5 take-a-ways’ post from my perspective. Lots more detail in my previous posts for each session, this is just my ‘mind dump’ without looking back at my individual session notes.

My original “big goals” coming into the conference were to get a feel from the experts on where cross platform mobile development is headed, if there are any tools to build for the four major platforms with one code base and if so… what tools are leading the charge now, and expected to lead in that space going forward.

#1 Take Away: Cross platform development via one code base (including HTML5) is tough at best, crazy to try at worst.   A number of the experts flat out said, if you want a average at best application, go ahead and try to use a cross platform tool.  Average meaning it won’t specifically feel like other apps on each platform… compromises have to be taken because of the lack of support for some features on each platform, as well as the different UI styles.  If you want a decent application, the UI needs to be built with native code.  Plain and simple.  Furthermore, this isn’t changing anytime soon so just get used to it.

#2 Take away: The “cloud” term has different definitions to different people (no surprise there), but the idea of the ‘private cloud’ vs ‘public cloud’ really hit home for me.  Our ability to leverage the cloud technologies without actually having to put our data/etc on some ‘public’ server is attractive… especially for a transition in the short term, as the technologies around public cloud based security/etc mature.  The ability to do hybrid Cloud offerings, having your web servers hosted by a public cloud provider but the data being hosted on company owned cloud technologies sounds great for SaaS providers that have sensitive data they need to protect the best they can, while still trying to allow for max scalability.  Cloud and Mobile really go hand and hand now, if you expect to support a significant number of mobile users anyway.

#3 Take Away: NoSQL solutions are super fast, and scale 1000’s of times better than Disk Based SQL solutions.  If you are going to be supporting numbers of mobile clients in the tens of thousands or more, you need to be utilizing this type of technology.  Redis seems to be mentioned in every conversation regarding this platform type.  (NoSQL at is most basic is a fully in memory key-value data store). Excellent tips were shared in my notes writeup of the Architecting Back End Systems for Mobile session.

#4 Take Away: SaaS companies (and others using web technologies) need to look at the product offerings that BiTKOO has. Their Keystone app is an amazing abstraction of Authentication/Authorization and from a coding perspective, is really Plug and Play.  Also, their SecureWithin application gateway brings about many possibilities regarding accessing corporately stored data on the web securely. More info can be found in my notes writeup regarding the session BiTKOO CEO gave.

#5 Take Away: The speakers at these conventions are top notch from a know how perspective.  The value they provide to the attendee’s in question answering after the sessions alone, is worth the cost/time invested to attend.

I do feel it’s important to throw in this ‘bonus’ takeaway… I will call it 1a as it’s a continuation of the first takeaway:

#1a Take Away: I did attend a workshop yesterday related to the RhoMobile toolset for cross platform development. Though I wasn’t crazy about how the session was conducted, the products they have do look very promising. Using web developer skills (Ruby), the tool supports all the major Mobile OS’s (WP7 and WinCE support too, in about a month) and generates Native code for each platform. It has a number of excellent features of which the one I liked most was it’s support for specific style sheets per OS. So you build your UI using web programming skills and the product styles the UI to look like the ‘normal’ app presentation for the OS. It comes with stock style sheets for each OS and it really does work well. Has support for camera, BlueTooth, etc, as well as a mapping control that makes the use of the OS’s preferred mapping API very nicely. The toolset also has a local data storage tier that takes advantage of SQLLite. If the platform you deploy to doesn’t have SQLLite embedded into it, the tool will deploy a binary representation of it so you can plan on a single local data source across all platforms. This tool has great promise from what I can tell.

Speaker: Tim Huckaby  Chairman of InterKnowlogy.com 

Uses Awesomium control to embed web content into WPF application for kiosks/etc.

Natural User Interface (NUI) =  touching the screen (or manipulating the screen without touching it)

Tenants

• The content should define the experience
•  The “Grandma Huckaby Test”: the ability to effectively use the kiosk without training
• No one should have to touch the machine to update content (remote deployment while running)
• Updating content should happen centrally and should have automated delivery
• Cant go to deep screens wise (maybe 2/3 levels deep at most)

If something is moving (even simple animation) a humans attention is caught.  You are going to look at it.)

Touch Capable Hardware Implementations:

• Capacitive – Think electric impulse (iPhone and others)
• Infrared – Expensive ones.  Think laser pointer(s) (best fidelity of touch… costs 10’s of thousands of $$)
• Resistive – Think push down and drag  (old,  No ‘cool’ devices use this anymore) 

Tip: 98% of time 2 people is all a device like this needs to support, though people think it will need to support more.  The use cases just don’t support the need to support more.

Given a typical user experience < 5 min on a kiosk type device, you need to keep the navigation shallow and intuitive.

.NET 4 has decent support for touch.  Before .NET 4 was very minimal support.

.NET 4 turned touch into a first class citizen for developers.

WPF does support true distributed computing.  (with .NET 4 version)

Convinced we gotta do mobile apps native.  The user experience in particular requires it.

“Azure is easy for .NET Dev’s”

Important aspects of storage:

• Space consumption & Transactional cost
• Some storage is designed for unlimited storage but you pay per transaction
• Other storage mechanisms are designed for limited storage but unlimited transactions

Biggest problem with Azure now is: No way to really know how much this thing is going to cost. 

Kinect can authenticate (differentiate between faces… and when voice is there, voices too)

Hooking Kinect into the windows OS sure looks to be a step to having a ‘Minority Report’ type User Interface for computers. 

This session was an excellent way to end the conference for me.  Tim is an excellent speaker and showed some really interesting technologies.  Peaked my interest regarding looking into some possible UI design changes we might be able to make.

Speaker: Wei-Meng Lee

Wei’s talk was very good, but unfortunately for me, it covered many points that I had already been introduced to in the two other Location based sessions I had attended within the past two days. 

Here are the main takeaways I got from the session that were not already covered in the other sessions:

TIP: (most common problems) Requires INTERNET permission in the android Manifest.XML file to get mapping control to work correctly.

Troubleshooting tip: if you don’t have internet access working in the emulator, or the Map API Key is not entered in your code, you won’t be able to see the map.. (95 % of the issues people have are these two)

Confirmed Native support for GeoCoding and reverse GeoCoding by Google Maps too.

Don’t use both location Manager = “GPS” and “Network” at same time… write the code to turn one off back and forth… otherwise your coords will change often.

Speaker: Doron Grinstein (BiTKOO)   (Involved with development of FastPass at Disney)

Cloud computing is not a server with a longer extension cord (co-location of our hardware).

Cloud computing definition (in his mind): Ability of 3rd party to store, process, search, compute, without being able to look at my data even with a court order.  Algorithms  should support this mechanism instead of just ‘trust’

Think: “Google for private data” Don’t have to know the background technologies.. Just ask for data and you get it back. This is what cloud computing is to him.

Real world example: why is there e-commerce?  What enables e-commerce regarding the entry of credit card info?  When you purchase online, you trust the protocol (SSL), don’t have to trust the intermediaries.

XACML helps enable such a situation for application access control.

Keystone is their application access control engine. it “provides fine-grained authorization using the XACML standard”.

Point: Security ‘goop’ of an app on average should take about 30% of the software development effort.  That’s a lot and it gets done over an over again as new software application get developed.  Why role this type of code into every new app, instead use the Keystone product to do it for you.  Just have to setup a metadata db for your elements and security roles/etc, then hook up a authentication adapter based on your existing authentication process, and the tool will take care of the access control.

My comment right from notes while watching demo: Wow this tool is amazing.  In essence allows for a person to setup a data dictionary via the cloud on application security. 

By externalizing authentication and authorization, you are no longer reinventing the world.  Just using this as a tool for authentication/authorization.

Tool enables federation without writing code.

Also showed tool: SecureWithin.  “As secure as your weakest link”

“Traversing the firewall is a job for a 12 year old.  Going to bypass the concrete wall, instead I will go through the window.”  (Windows = endpoints… weakest link most of the time)

Endpoints need to be protected (properly from within)… if your trusting the infrastructure to protect them… your in trouble.. It’s not a matter of if, but when.

All functions available in the GUI are available via WCF Calls too.

Wow.  This companies offerings are ground breaking.  Challenge the norm thinking.  Amazing.

Allow for 6 diff ways to get

1) Installable

2) Hardware appliance

3) VM Appliance (VMWare or Hyper-V)

4) Cloud (EC2, Azure)

5) Hybrid (1-3) + 4

6) Source

Most of the membership enforcement/etc is done via the ISAPI Filter type setup. 

Products used by Disney, Time Warner, Department of Defense, many other large companies/organizations.

Overall, this one hour session challenged many concepts I thought I understood prior to this session.  Authorization/Authentication via a product like Keystone is amazing, and can become a task for the more junior developer (to setup the metadata in the db in essence) as opposed to some of the most experience/important developers on your team, allowing them to focus on other important tasks.

BiTKOO looks to me to be a company to watch, and one I am wanting to talk to others I work with to start the buy-in process so we can possibly look into using such tools in the near future.

Speaker: Nils Puhlmann, Chief Security officer, Zynga Inc.  Co-founder Cloud Security Alliance

Zynga (maker of FarmVille, CityVille, Mofia Wars, etc) adds as many as 1000 servers a week to keep up with growth.

“We have to accept what we all know to be elemental – that taking a defensive position can, at best, only limit losses.  And we need gains. ” Peter Drucker.

Point of quote is to say we need to shape security as an enabler rather than just thinking about it as a way to be on the defensive.

Top mobile activities in US:

• – Sent text msgs 68%
• – Took photo 52.4%
• – Accessed news and info 39.5%
• – Used browser 36.4%

Point:Spectrum of usage is going wider

47 apps downloaded per user for iPhone/ITouch.  22 for Android per user.

Internet has changed from Internet of content/search, to a Internet of people interaction.

Social networking has surpassed email use now. People used to have Internet access to get to their email account(s), now it’s to get to Facebook or other social networking sites.

Most Security challenges of Social networks are not technical.

Non-technical info:

•  Obvious productivity impact
•  Information disclosure
•  The graying of personal and professional lives
•  Corporate disclosure
•  Social engineering made easy
•  Sharing of passwords/predictable user names

Technical:

•  Social networking malware
•  most AV Challenged the web-base malware
•  Bots
•  Bandwidth concerns

“AV is dead anyway”… Web Based malware eliminates the effectiveness of the desktop Anti-Virus products.

Top risks of Social Network’s

•  Unproven identity of profiles and info
•  Malware targeting social network sites and users
•  Inadvertent disclosure of private or sensitive info
•  Social engineering made easy
•  Complete loss of privacy
•  Identity theft
•  Frameworks for app dev and delivery can lead to malware distribution

Maltego.com… shows you info correlation/connection.  Check this out on your name

Touchgraph.com – Google tool that shows social relationships.

Key cloud security problems of today (from CSA Top threats research):

• Trust: lack of provider transparency, impacts governance, risk management, compliance
• Data: Leakage, Loss of storage in unfriendly geography
• Insecure Cloud software
• Malicious use of Cloud services
• Account/Service Hijacking
• Malicious insiders
• Cloud-specific attacks

Only way to drive risk down to a appropriate level is by managing vulnerabilities. 

Now more than ever, it’s important to have experts look at your data/apps/etc regularly.

it’s also important to have separation of duties.  Don’t want one person or the use of that person’s credentials to have too much access to allow for a lack of check pointing before changes to systems/etc get implemented. 

Security as a Service Initiative:

• Info assurance challenged by disruptive trends (cloud, mobile, social networking, etc)
• Cloud proves opportunity to rethink security (economics, arch, service delivery models, etc)

Speaker: Jinesh Varia   Amazon Web Services (AWS) Technology Evangelist

Lines are blurring between SaaS, PaaS, IaaS

Lots of new innovative business models.  Pay as you go, One time upfront + pay as you go, Requested bid price and pay as you go, Standard and Reserved.   These work best respectively in the following environments: Spiky workloads, steady state workloads, time insensitive workloads, for regulatory and compliant workloads.

Take-Away #1: Flexibility is the key for cloud options

– Can use any Programming Model, language, or OS/DB
– Can use any service individually or in any combo
– Can use as much (or as little) and only pay for what was consumed.
– Can use any existing System Management tools and extend the data center to the cloud

The cloud as a platform: Platform that provides Foundation to build innovation solutions on top, abstraction to hide underlying layers (hardware and software), is self service.

1 job, 1 machine, 500 hours = $1500 rack and stack on premises
1 job, 500 machines,  hour = $290

Netflix is almost 100% on AWS

Take Away #2: Elasticity is the fundamental property of the cloud

“Turn off, and not pay for it, when you don’t need it.”  That’s the beauty of the elasticity of the cloud.

“Build a Web application that sleeps at night or shrinks itself when there are no users accessing it”… Follow the sun and leverage the true power of on-demand elasticity and globally dispersed regions.  (follows the sun means high usage during the day, much less at night)

The day is not too far away where this is viable for most: Scalability, Security, high availability, Fault-tolerance, Testability and elasticity will be configurable properties of the app arch and will be an automated and intrinsic part of the platform on which they are built.

Cloud is a platform for computation, Research and Development.  Time to provision a server is a few minutes with cloud.

Don’t have to hug your servers anymore.. You can get complete control of the environment.

Cloud is a platform for:

• Computation
• R&D
• New Gen apps
• Internal Corp IT
• Storage
• Integration
• Platforms
• To realize your own ideas

Take Away #3: Redefining cloud security

In the cloud, security is a shared responsibility.

App needs to encrypt data in transit and at rest, protect your AWS Credentials, rotate your keys, security your application.

The cloud is more than its services.. Its an enabler

Future = “Internet as the Operating system of Services”

Session Speaker: Wally McClure (on intro slide said: aka: “.NET Judas”)

Where we are at now:

• Laptops are not quite convenient
• Power management is important
• Wifi is not everywhere
• Multiple smart phone platforms
• iPhone has tremendous mind share/market share
• Android has seen tremendous growth
• RIM is dominant in the corporate market still
• WP7 has shipped
• .NET Framework is popular

Mobile Dev issues:

• Battery
• Screen size
• CPU
• Memory
• Dev tools
• Using existing knowledge

Mono =  open source implementation of .NET

Mono for Android is a .NET/C# layer over native APIs which can use Visual Studio – IDE

Big issue currently: No design surface.  Use Droid Draw for graphical design surface

My take is Mono for Android is great for existing .NET devs to code up Android apps.  If you want your app to be really nice though, you are probably going to need to implement the UI natively, and could use Mono for Android as a tool to generate a component to call into for your main biz logic that might already be built in .NET.