Android Permissions

To protect the system’s integrity and the user’s privacy, Android runs each app in a limited access sandbox. If the app wants to use resources or information outside of its sandbox, the app has to explicitly request permission. Depending on the type of permission the app requests, the system may grant the permission automatically, or the system may ask the user to grant the permission.

Declaring Permissions

Declare that your app needs a permission by listing the permission in the App Manifest.

Depending on how sensitive the permission is, the system might grant the permission automatically, or the device user might have to grant the request.

For example, if your app requests permission to turn on the device’s flashlight, the system grants that permission automatically. But if your app needs to read the user’s contacts, the system asks the user to approve that permission.

Depending on the platform version, the user grants the permission either when they install the app (on Android 5.1 and lower) or while running the app (on Android 6.0 and higher).

Requesting Permissions

Beginning in Android 6.0 (API level 23), users grant permissions to apps while the app is running, not when they install the app.

It gives the user more control over the app’s functionality; for example, a user could choose to give a camera app access to the camera but not to the device location. The user can revoke the permissions at any time, by going to the app’s Settings screen.

System permissions are divided into two categories

  • Normal permissions do not directly risk the user’s privacy. If an app lists a normal permission in its manifest, the system grants the permission automatically. Complete list of normal permissions can be found here.
  • Dangerous permissions can give the app access to the user’s confidential data. For these permissions, the user has to explicitly give approval to the app. Complete list of dangerous permissions can be found here.

Handling Permissions at Runtime

For applications to support new Runtime Permissions, in `grade.build` file  set `compileSdkVersion`  and `targetSdkVersion` to 23.

Moving forward, in <ActivityClass>.java, before accessing any restricted content we will need to check for appropriate permission at runtime. This is to be done using Android `checkSelfPermission` API.
`int hasWriteContactsPermission = checkSelfPermission(Manifest.permission.WRITE_CONTACTS)`

If permission is granted, we are good to go else we need to request permission.

We will need to explicitly call `requestPermissions` API to show the request permission dialog box, Android will not do this for us.

In line 5, we get current status for the permission. If permission is granted, we continue with our action else we request user for permission.

Handling Permission Results

Permission results are communicated to the app via onRequestPermissionsResult callback method. Override this to handle the result.

If permission is granted, we continue with our intended actions.

In case, the permission is denied,  check with Android if we should show a permission rationale. `shouldShowRequestPermissionRationale` allows us to communicate purpose of the permission to user.

`shouldShowRequestPermissionRationale` returns `false` if the user has denied permission with option `Never ask again`. In this case we can not invoke the Android permission dialog via `requestPermissions` API and user will have to enable permission via app settings. It makes sense to let user know of the missing permission.

`shouldShowRequestPermissionRationale` Gets whether you should show UI with rationale for requesting a permission. You should do this only if you do not have the permission and the context in which the permission is requested does not clearly communicate to the user what would be the benefit from granting this permission.

pp1

Gotcha: Above implementation only works for Android API level 23 and is not compatible with older versions.

Better Fix: Use `com.android.support:support-v4` as specified in build.gradle line 24. Now your code should use Support library and and make following changes

And we are done here!!

For targeting Android M or higher, refer to wrapper library EasyPermissions.

 

Advertisements

ChromeExtensions Message Passing

Google Chrome is an extensively used browser and is quite popular among developer too. A part of Chrome’s appeal is owed to its excellent extensions. Its not really hard to write simple extension for added convenience.

I am a Ruby on Rails developer and spend quite good amount of time using Google Chrome for development and testing Rails applications. I prefer some background music while working, it helps me cut out out the crap and concentrate better on my work.

Youtube is excellent music service for me. With youtube autoplay enabled, the game becomes even simpler.

Only problem now is, when I have to pause music I have to switch to youtube tab and then hit the pause button. And same when I want resume it.  This is a pain.

Solution:  Build a chrome extension to play/pause youtube without having to switch tabs.
All it needs is a little javascript, html and may be some css if you want things to be a little more pretty. Since we won’t do any user-interface here, we don’t need to think html/css.

How it Works ?

Extensions allow you to add functionality to Chrome without diving deeply into native code. You can create new extensions for Chrome with those core technologies that you're already familiar with from web development: HTML, CSS, and JavaScript.

We’ll do this by implementing a UI element Chrome calls  browser action, which allows us to place a clickable icon right next to Chrome’s Omnibox for easy access. Clicking that icon will play/pause the youtube video irrespective of the current active tab.

ChromeExtYTPP

Lets get started…

Every chrome extension needs to have a file named manifest.json in extension root directory. Lets create one.

manifest_version:2 We are using Chrome Extension menifest specification version 2.

name:YTPP Name for extension

version:0.1 Release version number. We need to increment this with every future release.

description:"YTPP: YouTube Play/Pause without switching tabs" Short description for out extension.

icons: {"128": "icon.png", "48": "icon_48.png", "16": "icon_16.png"} Icon files for different sizes.

author: {"name": "spidergears", "twitter_handle": "spider_gears", "github": "http://github.com/spidergears"} Author Info

browser_action: { "default_icon": "icon.png", "default_title": "YTPP"} Specifications for browser action.

"permissions": ["tabs"] List of browser permissions extension needs to be functional.

"background": {"scripts": ["ytpp_background_script.js"]} Register javascript to be run background. Will call code from this script on click of the browser action button.

"content_scripts": [{"matches": ["http://www.youtube.com/*", "https://www.youtube.com/*"], "js": ["ytpp_content_script.js"]}] Register javascript to be inject into page content. matches keys helps specify on which all websites will the script be injected.

We have manifest file ready. Lets bring in our content and background scripts.

Background Script

Background scripts are a part of background page that  runs in the extension process. Background page exists for the lifetime of the extension, and only one instance of it at a time is active. (Exception: if your extension uses incognito “split” mode, a second instance is created for incognito windows.)

In a typical extension with a background page, the UI — browser action button in our case is implemented by dumb views. When the view needs some state, it requests the state from the background page. When the background page notices a state change, the background page tells the views to update.

Now we want to play/pause youtube media when `browser action` button is clicked.

To accomplish this, we attach a click listener to our `action button` . On button click we loop through all open tabs and check if they are tabs running youtube. For all tabs running youtube, we send a message to our injected script. The inject script, on receipt of message will actually take action to play/pause youtube media.

Content Script

Content scripts are JavaScript files that run in the context of web pages. By using the standard Document Object Model (DOM), they can read details of the web pages the browser visits, or make changes to them.

Here are some examples of what content scripts can do:

  • Find unlinked URLs in web pages and convert them into hyperlinks
  • Increase the font size to make text more legible
  • Find and process microformat data in the DOM

However, content scripts have some limitations. They cannot:

These limitations aren’t as bad as they sound. Content scripts can indirectly use the chrome.* APIs, get access to extension data, and request extension actions by exchanging messages with their parent extension. Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions, and they can communicate with web pages using the shared DOM.

Let’s setup our content script that will be injected into the page. Our script will listen for a message from our browser action button. On message receipt it will grab the youtube play/pause button and click it to toggle media playback.

Easy!!!

Full source code is available in Github Repository.

Extension is published here.

 

Create a Github Repo from the Command Line

Git is a great version control system and Github is superb hosting service for git based repositories.

Github provides a nice web interface to create (blank) repositories at the start of project. But why visit github.com to  create  a blank repository, so here’s a simple bash script  to make this simple task even simpler.

Script is based on Curl and GithubApi.

 

Add this to bash_profile and reload it. Done 🙂
Use git-create to summon 146822610729350.

Be sure to configure github username and access_token in global git configure file.

Hint:

git config --global user.name <username>

git config --global user.token <access_token>

Idempotent Seeds

You Reap What You Sow rake db:seed

seeds

When working with database based applications more often than not, some seed data needs to be created. For example, I’ve used seed data to create an admin_user and a few dummy_users so the site can be used upon a fresh install. Some other common cases include things like, list of names of countries/states, list of user roles, list of permissions etc.
This post is about some ideas to manage seed data in a Ruby on Rails project.

In a Rails application seeds can be put at two places

  • db/seeds.rb [Standard practice]
  • db/migrate/232422_some_migration.rb [*its a possibility]

db/seeds.rb is the obvious place for seeds. Don’t mess around with it unless absolutely necessary.

Some points to keep in mind when sowing seeds:

  • Handling large seed data
    • Split seed files into multiple files clearly indicating your objects and business logic. A sample might look like
              |-app
                |-db
                  -seeds.rb
                  |-seeds
                    -user.rb
                    -roles.rb
                    -plans.rb
    •  Inside seeds.rb require sub seed-files as
      require 'seeds/user.rb'
      require 'seeds/roles.rb'
      require 'seeds/plans.rb'
    • If number of seeds for a business object is large, consider loading it from yaml files. Keeping business logic separate from data is a good practice.
  • Idempotent seeds
    • Idempotent,  a mathematical term that means that something remains the same when some operation is applied to it, using itself as input.
    • For example, multiplication by identity element  5 X 1 = 5.
    • Having idempotent seed files means, they can be run multiple times without causing any issue.
    • Instead of creating or updating objects blindly, it first tries to find the object and check its state.

The Psychopathology of Everyday Things

Key takeaways from the first chapter “The Psychopathology of Everyday Things” from the book The Design of Everyday Things by Don Norman

What is a good design?

  • Two of the most important characteristics of good design are discoverability and understanding.
  • Discoverability: Is it possible to even figure out what actions are possible and where and how to perform them?
  • Understanding: What does it all mean? How is the product supposed to be used? What do all the different controls and settings mean?
  • It is the duty of the machines and those who design them to understand people. It is not people’s duty to understand the arbitrary, meaningless dictates of machines.
  • Major cause of design deficiency are the engineers who are expert in technology but are limited in their understanding of people.
  • Design is a fascinating interplay of technology and psychology.

Fundamental principals of interaction

  • Affordance: It is the relationship between the properties of an object and the capabilities of the interacting agent that determine how the object can possibly be used. Example, A chair affords (is for) support therefore affords sitting.
  • Presence of affordance is jointly determined by the qualities of the object and the ability of the interacting agent.
  • Signifiers: Affordance determines what actions are possible. Signifiers communicate where the action should take place. These indicate the point of contact for an interaction.
  • Example: In case of a display with touch support, the capability to accept the touch gesture is an affordance of the display while a circle mark indicating the area to touch is a signifier. We need both.
  • Mapping: It is a term borrowed from maths, meaning the relationship between the objects of two sets. It is an important concept in design for layout of controls and displays. Use spatial correspondence between the layout of the control and the devices being controlled.
  • Feedback: It means communicating result of an action. It must be immediate and informative.
  • Conceptual Models: It is highly simplified explanation of how something works. These reside in the minds of the people who use the object.
  • For efficient usage of the object, the conceptual model object in the minds of the user should be close to the developer’s model of an object.
  • A good conceptual model allows us to predict the effects of our actions.
For details on each of the points above please read the book. Its a real good read for designers and developers alike.

 

Edit: This is what bad design can do to you.
bad design
Idea of a bad design

d3.js Appealing Visualizations

With ever-increasing amount of data, both in terms of quantity as well as quality, what we need is a precise and accurate way to represent it for better comprehension and facilitate decision making. That’s where d3.js comes to rescue.

d3 stands for Data Driven Document, i.e. when your web-page is interacting with data. Data can be as simple a simple array of integers or can be as complex as something else.

Why choose d3.js ?

  • it works seamlessly with existing web technologies
  • can manipulate any part of the document object model
  • it is as flexible as the client side web technology stack (HTML, CSS, SVG)
  • takes advantage of built in functionality that the browser has, simplifying the developer’s job, especially for mouse interaction.

What d3.js is not ?

  • it is not a graphics library
  • it is not a data processing library.
  • it doesn’t have pre-built visualizations

D3.js is a tools that make the connection between data and graphics easy. It sits right between the two, the perfect place for a library meant for data visualization.

D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG and CSS. D3’s emphasis on web standards gives you the full capabilities of modern browsers without tying yourself to a proprietary framework, combining powerful visualization components and a data-driven approach to DOM manipulation. ~ d3js.org

Show me some code…

Simple bar chart

bar chart

Well… that’s only html and does look very nice and professional. We need more power.

Upcoming: How to use svg with d3.js to create more beautiful and appealing visualizations.

Writing a Chrome extension

With a large number of services available online, we tend to to spend most of our time on our browser. Well browser do come handy for a large number of activities from reading news to making travel and dining reservations. What can be better than a browser that can do some cool stuff with a click of mouse or a simple key stroke… I guess nothing

Google Chrome is the best web browser around right now (see usage statistics), and part of Chrome’s appeal is owed to its excellent extensions. Its not really hard write simple extension to get your work done.
All it needs is a little javascript, html and may be some css if you want things to be a little more pretty.

So lets build one…

Purpose: Export Chrome bookmarks to Pocket account.

Requirements:

  • Some javascript skills
  • poor html skills
  • since we want to talk to servers at Pocket, we need to know how the api works.

Authenticating with pocket api

  1. Obtain platform consumer key from Pocket
  2. Obtain a request token
  3. Redirect user to pocket to continue authentication
  4. Receive callback from pocket
  5. Convert request code from step 2 into a Pocket access token
  6. Begin making authenticated request to Pocket

Step 1 above needs to be performed only once while you will have to go through remaining steps overtime want to connect to pocket. More details can be obtained from Pocket docs rtfm.

When making a request to get request token from Pocket, we need to pass a redirect url, this is application specific url where Pocket will redirect our request after processing. We can obtain an unique redirect url for our chrome extension using the Chrome Identity api. The api provides a getRedirectURL() function just for this purpose. Hence we do chrome.identity.getRedirectURL() call to obtain the redirect url.

Writing Chrome browser extension

manifest.json:  the Anchor

Every chrome extension must have at the least one file named manifest.json, which holds the basics of the extension- its name, description, version number, permissions, etc.

So, in order to begin create a new folder for the extension, and within the folder a file called manifest.json.
Put following content in the file:

the first few fields are self explanatory, for others
browser_action: tells Chrome that we are making a browser extension that have a icon called import.png and default popup will show from file popup.html.
then there is some information about the icon and obviously the author.

content_scripts: Content scripts are JavaScript files that run in the context of web pages. By using the standard Document Object Model (DOM), they can read details of the web pages the browser visits, or make changes to them.
We will use import.js for all our js code required. We also specify that we will only communicate with getpocket.com domain and its subdomains, if any.

permissions: API to request declared optional permissions at run time rather than install time, so users understand why the permissions are needed and grant only those that are necessary.

  • bookmarks: API to create, organize, and otherwise manipulate bookmarks.
  • identity: API to get OAuth2 access tokens

Now we have our manifest.json in a good shape let’s begin with import.js, the core of the extension.

popup.html: User interaction

Within the folder create another file called popup.html and put in the following code

this is simple enough and goes without any explanation.

import.js:  Core application logic

Within the folder crate another file named import.js.

Put in the following content in the file.

the file contains the code for making XMLHttpRequests to Pocket api.

On page load e.i. when the pop-up has been initialised we call our first function  import_chrome_bookmarks.

This function invokes other functions in a chain in order to complete all the six steps mentioned above and hence successfully upload all our bookmarks to Pocket account.

We have used two of the Chrome APIs to fulfil our task

  • Bookamarks: chrome.bookmarks.getTree() api call gives us access to user’s bookmarks and also accepts a callback function to manipulate the bookmarks.
  • Identity: chrome.identity.launchWebAuthFlow() api call enables us launch webAuthentication process with Pocket api and accepts a callback function to process the redirect and generate access token.

Link to github Repo

temporary Files in Ruby

Working with Ruby on Rails applications, many a times  such as in case of file upload services, generating/processing csv data, uploading data to external services like amazon there is a need to create temporary files.
A very common solution is to create an usual file object and delete it later. Imagine a scenario where you had created a large data file (say a 2GB) for temporary usage and forgot to delete it.

The Solution… Ruby Tempfile Class

Tempfile is a ruby utility class for managing temporary files. The class can be used to create temporary files. The file is generated with a unique name each time and is garbage collected when it goes out of scope. This save you the trouble to have to remove them explicitly.
Since explicitly temporary deleting files is good idea you can still do it with Tempfile object, Tempfile#unlink .
All actions on a File object are also valid on a Tempfile object, hence no loss of functionality.

Creating a using a temporary file with Tempfile class

For complete documentation of class ref Ruby Tempfile .

gocsv.go Simple csv parsing with GO

Recently I was working with csv files in Ruby. Parsing csv files in Ruby code is easy, thanks to Ruby/csv.

Lets try it with golang.

Go seems to be pretty power-packed language for developers. Go, also commonly referred to as golang, is a programming language initially developed at Google in 2007 by Robert Griesemer, Rob Pike, and Ken Thompson. It is a statically-typed language with syntax loosely derived from that of C, adding garbage collection, type safety, some dynamic-typing capabilities, additional built-in types such as variable-length arrays and key-value maps, and a large standard library. And since its from Google, the big giant, Go has built in support for concurrency with go-routines, channels and select.

Lets get to work now.

Here is a sample csv file for tests.
Output:

CSRF and RAILS protect_from_forgery

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike Cross Site Scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.Lets take a look at the schematic of the CSRF

CSRF Scheme
  • Step1: The Victim connect to secure Bank websites and logs into his account.
  • Step2: A cookie set in the Victims browser containing the session id of the victim.
  • Step3: Victim trips into visiting a malacious page.
    Step4: Victim recieves a html page containig malacious hidden form.
  • Step5: A web request is executed from the victims browser carrying the context of cookie set in Step2.
  • Step6: Bank Server completes the web requests.

Conclusion: Banking server failed to verify the validity of the web request and hence executed it without the victims knowledge.

Now we know what CSRF is, lets see how Rails help prevent CSRF.
As Rails uses MVC architecture, Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks by including a token in the rendered html for your application. This token is stored as a random string in the session, to which an attacker does not have access. When a request reaches your application, Rails verifies the received token with the token in the session. Only HTML and JavaScript requests are checked, so this will not protect your XML API (presumably you’ll have a different authentication scheme there anyway). Also, GET requests are not protected as these should be idempotent. The requests are validated using the following peice of code

This can be enabled with the protect_from_forgery method, which will perform the check and handle unverified requests, if the token doesn’t match. And it will add a _authenticity_token parameter to all forms that are automatically generated by Rails. It is recommended that this method is added in your ApplicationController, and later on you can skip it in other controllers if not required.

With all this in mind lets take a look at Rails source code.

From the code, we figure out, CSRF protection resets session and lets the request through when CSRF token verification fails.
This in itself is a CSRF vulnerability since it allows anyone to logout users by directing their browser to a page that requires CSRF protection

With Rails 4 application, the ApplicationController now passes a parameter to protect_from_forgery.

This raises an exception when an unverified request is encountered. Same behavior can be achieved with Rails 3 by overriding the default handle_unverified_request method.