<a href="./" title="Course Homepage">Mobile Application Design and Development</a><br/>Spring 2010

This work is licensed under a CC
Attribution 3.0 Unported License

<a href="./" title="Course Homepage">Mobile Application Design and Development</a><br/>Spring 2010 — INFO 152 (CCN 42504) Erik Wilde UC Berkeley School of Information Spring Semester 2010 2010 Erik Wilde

Date	Subject	Slides	Required Reading	Additional Resources	Assignments
	: —

Overview and Introduction 2010-01-20 bSpace Site This introductory lecture covers organizational issues of the Mobile Application Design and Development course. We will discuss the course topics and the syllabus, the assignments and what we expect in terms of prerequisites and how assignments will be supported, and some administrative issues. Abstract

Syllabus Topics Covered

Landscape, history, and mobile application use cases
Application technology (Web-based apps vs. run-time environments vs. native apps)
Application technology (Web-based apps vs. run-time environments vs. native apps)
Content technology (HTML, CSS, scripting, Ajax, frameworks, …)
Content delivery (HTTP, XML, JSON, CDN, …)
Content management and services (feeds, authentication, queries, …)
User experience and interface design (mobile-specific issues)

Assignments Focus on Web-Based Applications

Device-independent (well, almost …)
Easier to get started
Easier for a diverse set of developers

Assignment 1: Setup

Install local browsers (Fennec, Safari)
Configure access to Web-based browser emulator (Opera mini)
Install local device/browser emulator (Android)
Setup account and Web space for serving Web content

Assignment 2: jQuery

jQuery is a JavaScript framework for Web page development
JavaScript frameworks have two major purposes:

make Web development easier (support popular design patterns)
make Web pages more robust (deal with issues caused by browsers)

Use two popular data sources for Web pages:

flickr as a popular photo-sharing service (allows geo-coding photos)
twitter as a popular microblogging service (allows geo-coding updates)

Assignment 3: jQTouch

jQTouch is a jQuery plugin for iPhone/iPod look&feel
Turns Web-based applications into device-specific applications
Native look&feel but much cheaper/faster to develop

Assignment 4: Map-Based Data

Location-based services are a popular use case for mobile applications
Use map-based display for flicks and twitter data
Map-based display always is a mashup between data sources

the map service serving the map tiles
the data service serving data that is put on the map

Assignment 5: mobileOK Content

Many mobile browsers are not as powerful as desktop browsers
mobileOK is a test suite for testing for compatibility with basic browsers

small screen, small memory, no scripting, …

mobileOK sites typically have reduced functionality

even map-based display is possible with server-generated images

Assignment 6: Server Configuration

Mobile devices come in many shapes and sizes
Wider variability of devices/browser means one size does not fit all
Servers can deliver content based on incoming requests

Assignment 7: Performance Analysis

Bandwidth still is a critical resource
Many Web pages today are very resource-intensive

Web pages need many Web resources (images, …) to be rendered
Web pages need many network resources (bandwidth, …) to be rendered
Web pages need many local resources (local memory, …) to be rendered

Performance analysis for mobile Web pages is essential

Assignment 8: Server-Side Programming

Client-side functionality is limited by several factors
Outsourcing functionality to the server can save resources

Web development in recent years has done the opposite

Server-side functionality can be reused across applications

can be used by different version of Web applications
can be used by native applications

Assignment 9: UI Design

Mobile settings have specific requirements

more constrained environment in a variety of ways
more task-oriented users

Designing mobile applications may change applications pretty radically

more limited functionality of applications/services
maybe even different applications depending on the task/role

Final Project

Use the skills learned in all assignments
Design and build a mobile app for managing geospatial information
Two full weeks for design and implementation issues

Administration Course Times

Meeting times Mon/Wed/Fri 13.00-14.00

Mondays typically lectures on concepts and background information
Wednesdays typically lectures on technologies and applied concepts
Fridays practical issues, demos, experiments, lab time

Grading

Class participation: 10%
Assignments: 60%

all assignments must be turned in on time
all assignments must be graded at least as satisfactory

Final Project: 30%

the final project must be turned in on time
the final project must be graded at least as satisfactory

About Me

Computer Science at Technical University of Berlin (TUB) (88-91)
Ph.D. at ETH Zürich (92-97)
Post-Doc at ICSI, Berkeley (97/98)

book on Technical Foundations of the World Wide Web

Various activities in Switzerland (98-06)

teaching at ETH Zürich and FHNW
working as independent consultant (training, courses, consulting)
research in various XML-related areas

Professor at the School of Information (since Fall 2006)

Technical Director of the Information and Service Design (ISD) program

About this Course

Course Web page: http://dret.net/lectures/mobapp-spring10/
Course mailing list: mobapp-spring10@bspace.berkeley.edu

archived in the bSpace email archive

About these Slides

Generated from Hotspot XML
Designed for online presentation and use (lots of links!)

Firefox Go Up allows easy navigation up one level
Firefox Site Navigation Bar supports navigation of links
Firefox Link Widgets requires a bit more configuration (more flexibility)
for printing, use a (all slides), and then s (smaller font) a couple of times

Mobile Applications Landscape 2010-01-22 Mobile Ecosystem Wikipedia: Mobile Device · Wikipedia: Mobile Web · Wikipedia: Mobile Browser Mobile Applications can be defined and approached in a variety of ways. In this lecture, we look at the landscape of mobile applications and the various facets that are relevant for them. This is mostly an overview of the landscape of mobile applications and the factors that are important for that landscape. Specifically, this lecture discusses settings, users, devices, content, and transport issues and how these factor into the design and development of mobile applications.

Abstract Settings What does <q>Mobile</q> mean?

Laptops are mobile devices

in fact, any non-mainframe computer is a mobile device
laptops are a popular point in a design continuum

Mobile is better defined by settings than by devices
Mobile settings can be defined by various properties

usage of a device with constrained capabilities
more task-oriented than exploration
location in many cases is a relevant factor
circumstances allow less focus on interaction and presentation

Mobile Computers

Outdoor Offline Users

Social Connections

Location Search

Mobile Guidance

Mobile E-Books

Producers vs. Consumers

Mobile does not specify what the mobile part is

the service may provide access to information with a mobile component
the service may be consumed in mobile settings
in many cases, both of these issues are combined

Mobile Producers require the service to provide location-based information

clients/users must be able to request information based on location
the protocol for accessing the service contains location concepts
it may be irrelevant for the service where the client is located

Mobile Consumers are accessing services/data from mobile settings

clients/users may have a way to determine their location
data can be stored locally or accessed over a network
location of the client/user is an important parameter

All these issues can become complicated and distributed across services

use a camera to take pictures on a trip (tagged with timestamps)
carry a GPS receiver to create a time-coded GPS track
process the pictures to add location tags based on their timestamps

Producing Mobile Data

View Larger Map

Consuming Mobile Data

Users Professional Users

Exclusively task-oriented
Regulatory and legislative side-effects

any medical application must be very secure (patient privacy)
sometimes it may be necessary to be able to trace everything (audits)

Device landscapes can be managed top-down

Blackberry's are not especially good, but very convenient for centralized IT
lock-in often has short-time savings and long-term costs

Social Users

Goal-oriented instead of task-oriented
Choice of technology or channel is opportunistic
Technology must be simple to use and convenient

little need for latest technologies or devices

Cost often is an important issue

Exploring Users

No specific goal or task orientation
Technology use as entertainment

technology itself is used as entertainment

Typically less cost-sensitive than social users

Devices Device Differences

Screen size (15" to 1")
Screen technology (color or monochrome, LCD or e-ink)
Keyboard input (regular, virtual, numbers only, T9)
Pointing device (none, mouse, trackball, touchscreen)
Device functions (video, audio, phone, Wi-Fi)
Internal environment (OS, runtime environment, APIs, content formats)

Mobile Computers

Smartphones

Dedicated Devices

Pervasive Computing

Content Web-Based Applications

Server-side applications serve Web pages
Client-side browsers let the user navigate pages
More diversity than in the pre-mobile age

Devices and platforms and browsers are more diverse

Easiest way to make content available to users worldwide

limitations based on HTML/CSS/scripting and the local platform
HTML5 and more powerful devices are narrowing the gap

Runtime Environments

Virtual machines as hardware abstraction
Decoupling between concrete OS and application runtime environment
Building a complete and good virtual platforms is hard

performance can be problematic (optimization possible but hard)
security is a big problem (a complete new set of attack points)

Interesting as a hybrid approach between Web and native

Native Applications

Built specifically for one platform (OS plus runtime environment)
Allows the highest degree of sophistication

access to all capabilities of the platform

Requires the highest degree of developer sophistication

programming often requires a complex non-scripting language
the programming environment is complex and hard to learn

Economically only feasible for popular platforms

Transport Connecting Clients and Servers

Worldwide there are two dominant information networks

the worldwide phone network
the Internet

Connections change over time

for a long time there only was the postal service
telegraph services were the first global immediate services

Phone Transport Fax

Telefax has been around for a long time

the service in immediate scan/print to a phone endpoint
all of that service can be easily replicated differently
fax machines are still used and sold mostly for convenience

Fax was the first major non-speech usage of the phone network

Internet access started as over-the-phone but outgrew phone line capacities

Messaging

SMS (texting) started in GSM countries

CDMA initially did not have texting capabilities

SMS is one of the most interesting reappropriation stories

it was intended for brief diagnostic messages (hence the 160 character limit)
it took off as email for phone users (asynchronous messaging)
it now is a major source of income for all mobile operators

SMS often is used as a ubiquitous and simple messaging channel

only requires cell phone service and no Internet connection

Internet Transport Raw Data

Internet connectivity establishes bare data services
Internet connectivity allows various application protocols

email is one popular set of application protocols
file transfer (old-style or file sharing) is popular as well
Voice over IP becomes increasingly popular
video telephony has some success in professional settings

Web Traffic

Web traffic is just one type of Internet traffic
Browsers and servers exchange HTTP messages
Browsers can send requests without loading a new page (Ajax)
Applications often also use Web traffic to talk to servers

non-Web traffic often is affected by network filters (firewall)
Web services can be used by applications and by browsers

Web services have become the standard way how to provide services

many business-level services are exposed as Web services
building mobile applications should be based on Web services

Conclusion

The mobile landscape is diverse and complicated
Technology is only one part in a more complex picture
Major parts of this landscape are evolving continually
5 years from now, many things will be very different

Mobile Applications History 2010-01-25 Mobile History A1: Setup (assigned: 1/25; due: 2/1) Wikipedia: PDA · Wikipedia: Psion · Wikipedia: Palm The design and development of mobile applications has already gone through a number of stages of development, and the current landscape very likely will change substantially into yet unknown directions. Looking back at the short but surprisingly varied History of Mobile Applications not only is a good exercise in better understanding different approaches, but it is also interesting to look at why certain approaches may have failed or succeeded. Often, the deciding factors are not just technical, but economical and social issues play an important role as well. Abstract

Offline Mobile Personal Digital Assistant (PDA)

Introduced as a new class 1992 for the Apple Newton
Personal data management and personal productivity applications
Offline and regular synchronization/backup as the initial model
Online (or at least occasional online) went through several stages:

dial-up services (modem) for Internet connectivity
IrDA for synchronization with other devices
Bluetooth for synchronization with other devices
cell phone data services (GPRS, EDGE, 3G) as advanced dial-up
Wi-Fi for using hotspots and home/office networks

Smartphone seems to be the new term for PDA

PDAs

The Last Psion

The First Netbook (1999)

PDA/Phone Merger

Smartphone Sales Q2 2009

Parallel Universes Walled Gardens

Combining access and content
Attractive in early stages and for several reasons

security and safety and easier to implement and control
market models are easier to develop and more predictable

Walled gardens often have a limited life-span

selection and curation of content is expensive
users may move to competitors or just leave the garden
an increasing disconnect between the garden and the world

i-mode Access and Services

Mix of access and content technologies
Developed and deployed by one mobile carrier (DoCoMo)
Launched in 1999 as a tightly controlled walled garden

content and services are hosted in centralized data centers
the business model was predefined by the environment

Successful not only for market but also for social reasons

talking on the phone in the public is frowned on in Japan
data-oriented services (chatting, messaging) are important in Japan

i-mode never caught on outside of Japan

2006: i-mode 46.8 million customers in Japan; 5 million in the rest of the world
no other mobile operator was able to establish a working market

Wireless Application Protocol (WAP) The Internet in your Pocket

WAP is just a set of access technologies

no content landscape/environment as in
WAP started with zero content and high hopes for adoption

WAP had some very questionable approaches to security

did not allow end-to-end encryption
providers always can listen in by running WAP gateways
security-sensitive providers refused to deploy any WAP services

cleaned up but came too late

mostly a set of profiles for existing Internet technologies
's design flaws tarnished the WAP brand name

WAP 1.x Rebuild Everything

New specifications for almost any Web standard

WML (extended subset of HTML)
WMLScript (incompatible with JavaScript)
WBXML (binary encoding of XML)
WBMP (derived from PNG but incompatible)
transport protocols (WCMP, WDP, WTP)

Secure connections were not end-to-end but through a WAP gateway

not acceptable for security-sensitive applications (e.g., e-banking)
this design still has consequences 10 years later

Some banks set up their own WAP gateways

technically a working solution (trusted WAP gateway)
terrible for consumers because of WAP configuration issues

WAP 1.x Protocol Stack

WAP 2.x Reuse Existing Standards

WAP 2.x completely replaced the entire
Failure in Europe and the USA, successful in Japan
WML is replaced by a profile of XHTML

much easier the develop than WML content (tool support)

WAP gateways now are regular HTTP gateways

end-to-end transfer with open and popular protocols
no more security issues for encrypted connections
gateways can add information to requests (phone numbers, location, …)

Runtime Environments Content vs. Applications

Traditional HTML is static content

initial browsers did not support scripting
the browser wars made scripting very cumbersome

Multimedia content was required for commercial content

Java was an existing (but heavy) solution from enterprise IT
Flash evolved from a more content-centric perspective

Today's browsers are runtime environments themselves

rich and fairly robust scripting environments
more limited access to OS resources than add-ons

Java Write Once, Run Anywhere Duke Waving

Java is a runtime environment supported on many operating systems
Strictly speaking, Java is three different things

an object-oriented programming language
an extensive set of class libraries as supporting environment
the Java Virtual Machine (JVM) for executing Java Bytecode

Complete Java installations (Java SE) are very heavyweight

the runtime support for programs is rich and complex
Java has it roots in enterprise IT and not in lightweight Web

Java Applets are a special kind of Java app

running inside a browser (can be started from the Web)
running inside a sandbox (security model for limiting OS access)

Java Micro Edition (Java ME)

Java ME (formerly J2ME) is a smaller version of the full Java SE

different devices implement different profiles of Java ME functionality
MIDP defines a set of standardized profiles
many mobile devices implement some MIDP version plus some additional JSRs

Installing J2ME applications often is a cumbersome process

installation somewhere outside of the usual Web access
procedures vary widely between different phone models

Running J2ME applications can be a frustrating process

device makers are using different J2ME implementations
feature support and implementation quality vary widely

JavaFX

Shedding the brand
More Web standards for developing content

CSS as a way to specify the layout of content
scripting as a faster way for application development

Success and support currently unclear

Flash Multimedia on the Web

Robust scripting for desktop browsers

good strategy for deploying Flash as a browser add-on
gets harder with the growing variety of browsers (iPhone)

Started as an animation platform for content developers

includes many of the functionality now developed in HTML5

Many accessibility issues on Flash-oriented sites

navigation can be completely inaccessible
content can be hidden from search engines
content is less fluid than even the simplest HTML/CSS

Mobile Web Mechanics 2010-01-27 In this lecture, we look at the mechanics that are required to make Web-based mobile applications possible. This starts with basic networking capabilities, the question how individual devices establish Internet connectivity, and how the devices then communicate with the next hop in the communications chain. Based on this connectivity, we look at what it takes to establish a Web connection, how clients and servers are connected (how the data is actually routed), and how this can be influenced by intermediaries. Finally, we look in more detail at the endpoints of such a conversation, the browser and the server. How does a browser on a mobile device access the network, and how does a server receiving a request route it to the appropriate logic for processing it? We will discuss many of these in more detail later, but this lecture presents the big picture of how they all work together to make the mobile Web work. Abstract

Current Events iPad or iSlate?

Bigger is Better

Connectivity Networking Capabilities

Mobile/Cell phone technologies

CDMA as the main technology in the U.S.
GSM as the main technology everywhere else
3G for faster speeds (W-CDMA/UMTS or CDMA2000)

Several sub-technologies and sub-generations developed

GPRS for GSM networks (often referred to as 2.5G)
EDGE for GSM networks (often referred to as 2.75G)
EV-DO for CDMA2000 networks

Devices often are limited to one family of standards

iPhone started as a GSM phone and there is no CDMA version
Kindle started with EV-DO and needed to be adapted for Europe

Internet Protocols are able to bridge the network gaps

that's the reason why it is called Internet
Internet protocols work in (almost all) possible network worlds

Cell Phone Tower

Cell Phone Traffic

Cell sizes vary between less than a mile and 30-45 miles

sometimes limited by technology design (timing issues)
always limited by the low-power signals emitted by devices

Cell towers forward traffic into the carrier network

in many cases using land lines (fiber optics)
in remote locations via specialized radio relays

Uncovered areas can be covered by satellite service

world-wide network coverage for mobile devices
expensive and requires dedicated satellite equipment

Internet Connectivity

Mobile carriers handle traffic inside their networks

network call traffic never has to leave the carrier network
data traffic and inter-network calls have to leave the network

Joining the Internet means to connect to a connected gateway

mobile carriers often have few central gateway locations
all mobile Internet traffic passes through these locations

Technically, mobile networks work very much like company Intranets

a centrally managed and organized infrastructure
carriers can enforce their own rules and regulations within this network

Where Does It Go?

Internet connectivity needs a few essential configurations

IP address assigned to the device (global or local/NAT)
subnet mask (identification of directly reachable hosts)
gateway to be addressed for outgoing traffic
DNS server(s) for domain name lookups
optionally, other servers such as time servers

These configurations can be made dynamically or statically

static configuration often is used for desktop/server computers
DHCP is used for most other computers/devices

Static Internet Configuration

Transport Web Communications

All Web traffic uses HTTP as application protocol

a common language for request/response interactions

Some Web traffic needs an additional layer of security

most Web traffic uses unencrypted HTTP traffic
some applications need security/privacy and use a security layer (SSL/TLS)

HTTP as the common language allows for various optimizations

traffic can be inspected and handled by
intermediaries can to inspection, optimization, or even conversion

End-to-End Transport Establishing Connectivity

HTTP traffic need a transport infrastructure

clients open connections for sending HTTP traffic
HTTP is a set of conventions regulating traffic over the transport

Any Internet host can establish Internet connections

IP is responsible for sending packets from and to computers
TCP is responsible for handling connections between programs

Routing on the Internet is a complex process

backbone routers routinely exchange large routing tables
Internet traffic always is packet-based, each IP packet travels alone
IP is packet-based for robustness

Secure Connections

Intermediaries Proxies

HTTP is the language of the Web
Clients may want to use proxies for a variety of reason

proxies can make the Internet a more secure place (content filtering)
proxies can make the Internet a safer place (content filtering)
proxies can make the Internet faster (caching)
proxies can allow access to controlled content (library proxy)
proxies can be required by company policies (firewalls/logging)

Proxies are HTTP intermediaries and exist in different configurations

User Agent Proxies

Configured by the client
Useful if a client knowingly wants to delegate HTTP requests
Can be global or for certain domains only

library proxies must be used for accessing publisher sites

Reverse Proxies

Configured by service providers
Clients connect to the server (they think)

server-side configuration redirects traffic to the reverse proxy

Allows sophisticated server-side load balancing
Similar goals can be attained with advanced DNS resolution

resolve the same DNS name to different IP addresses
allows completely different IP addresses for the same server name

Provider Proxies

Configured by Internet providers

intercepting traffic on various levels
useful for monitoring/filtering/augmentation/transcoding

Monitoring allows providers to track Internet traffic
Filtering can be based on connections or content
Augmentation can add information (e.g., user location)
Transcoding can change content (e.g., adapting to mobile browsers)

Conclusions

Mobile Web requests need a complex infrastructure
We will look at some aspects in greater detail
Understanding the general mechanics is important
Layering allows us to hide certain details

Web developers should understand things down to TCP/SSL

Browser and Server Setup 2010-01-29 Filezilla · XAMPP As a starting point for the assignments in this course, we are setting up a server and files on the server for accessing them with (mobile) clients. This lecture looks at some of the practical issues such as how file access works through a file system and through server software, how server software can even provide multiple access paths (virtual hosts), and how working with Web-oriented content can be made more convenient by setting up a local environment (a local Web server). Abstract

Browsers Sending HTTP Requests

Clicking a link creates an HTTP request

HTTP request to the host specified in the URI
adding information about the client (HTTP metadata)
adding information about client state (cookies)

Ideally, a local HTTP library should take care of HTTP

a common cache among all HTTP clients on the device
HTTP should be considered as essential as TCP/IP

Practically, many Web applications have their own HTTP handling

different browsers all come with their own HTTP code
caching across browser cannot be shared

Browsers and Platforms

Browsers use the platform's Internet support

requesting a connection from the OS
Internet connectivity handling is handled by the platform

Mobile devices can be offline

native applications should properly handle offline situations
HTML5 adds a lot of offline capabilities to Web applications

HTTP Resources and Web Pages

Web pages almost always need more than one resource to be displayed

the page itself as HTML code rendered in the browser
images that have to be included in the HTML rendering
stylesheets that are required for the page layout
scripting code that is required for dynamic HTML (DHTML)
additional content embedded in the page (e.g., Flash)

Ajax refers to pages that dynamically load new resources

adding new content based on user interaction or other events
closest possible way to resemble a real application

Servers Handling HTTP Requests

Incoming connections are targeted at a specific program

IP specifies the target machine (identified by an IP address)
TCP specifies the target port (80 is the default)

Web servers typically listen on port 80 for incoming requests

if a connection is opened to port 80, it is assumed to carry HTTP
servers getting non-HTTP traffic will respond with an error

The request contains the request URI and metadata
Servers must respond with a proper HTTP response

in most cases the response contains the requested resource
it may also contain an error message or a redirect response

Serving HTTP Requests

GET requests ask to get a certain resource's representation
URI identify resources to be manipulated through HTTP requests
URI can identify various kinds of server-side resources

a file to be retrieved from the file system
a file to be retrieved and parsed and processed before being served
a program to be invoked which will produce the resource

HTTP servers can be standalone or integrated

standalone servers must have a way to invoke server-side programs
integrated servers run in the environment that executes the program

Practical Issues File Access vs. Server Access

Files are available through different methods

access through the file system (command shell or file browser)
server access through HTTP server (incoming HTTP requests)
server access through FTP server (through FTP sessions)

Accessing files is done by different users

logged in user through the file system
configured account for server access
server access must be granted by the file owner

Local Servers

HTTP servers respond to incoming requests from the Internet

localhost always refers to the host's own interface

HTTP servers are available from various open source projects
Better local testing of Web-oriented projects

local servers replicate what will happen over the Web
file-based access (file URI) can have unexpected side-effects

XAMPP

XAMPP is a software installation package

available for a variety of platforms (Windows, Linux, MacOS, Solaris)
Apache as Web server
MySQL as a database
PHP and Perl as programming languages
control panel for ease of use

Why running a Web server on the local computer?

browsing local files using HTTP
testing server configurations locally
testing server-based code locally
running a local database and a Web-based interface for it

XAMPP is not required but recommended for this course

Accessing Files

The lecture pages are available at four different places

file:///c:/Documents%20and%20Settings/dret/Desktop/drectures/mobapp-spring10
http://localhost/drectures/mobapp-spring10
ftp://tik50x.ethz.ch/home/dret/public_html/lectures/mobapp-spring10
http://dret.net/lectures/mobapp-spring10

Using a local server makes local development easier

uploading the working result to the server should just work
however, to really make it just work, URIs must be used responsibly

Server Names

One server can have more than one name

names are resolved to IP addresses for establishing connections
multiple names can be very useful for hosting environments

Requests to the same server go to the same IP address

servers use a special request field to learn about the host
requests then are routed to the configuration for that host

Server space is available through people and people

both servers are configured to look into ~/public_html
the mobapp configuration writes to log files in ~/mobapp-logs

Relative URIs

URIs are identifications of resources on the Web

they can use a variety of access protocols (HTTP, HTTPS, FTP, …)
they can be relative or absolute

Relative URIs are interpreted relative to their context

http://dret.net/netdret points to aquadret.jpg
dereferencing the image link works regardless of the page's base URI
HTML and JPEG always have to be managed together

Deciding on how to use absolute and relative URIs is important

relative: for references to resources in the same management domain
absolute: for references to resources that are managed differently

HTML, CSS, and DOM 2010-02-01 CSS Spec · CSS Properties · CSS Tutorial · CSS Validator A2¹: Web App (flickr) (assigned: 2/1; due: 2/9) The Hypertext Markup Language (HTML) is the most important content type on the Web. Modern browsers are expected to support HTML, CSS for styling the content of a HTML page, and scripting so that server-supplied scripting code can run in the browser, update the HTML and/or CSS, and interact with the user or the browser. This lecture presents an overview of how the building blocks of HTML, CSS, DOM, and scripting fit together to provide Web applications with a standardized and robust platform. Abstract

Hypertext Markup Language (HTML) HTML Definition

HTML's structure is defined by a Document Type Definition (DTD)

formally speaking, a DTD defines the grammar of the HTML language
(and if you really want to know, SGML defines the syntax)
colloquially speaking, a DTD defines how to combine elements and attributes

HTML Validation

Web-based tools allow validation from anywhere
W3C's markup validation service supports three modes:

validation by URI (pointing at a random Web page)
validation by file upload (allows validation of non-Web files)
validation by copy/paste (lightweight mode for small experiments)

Markup validation is only one facet of checking Web content

HTML and WYSIWYG

Thinking of HTML as a layout-description language is wrong
HTML has been designed as a structure-description language

structured contents can be reformatted and reflowed

HTML rendering depends on a many client properties

screen/window size, resolution, and color depth
different available fonts
fonts with the same family name but different metrics
different hyphenation algorithms
hyphenation setting defaults
hyphenation dictionaries
different size spaces
different line-breaking algorithms
different widow/orphan/keeptogether rules

Web Browsers Web Browser Usage

██ Internet Explorer (59.21%)

██ Mozilla Firefox (28.29%)

██ Chrome (5.02%)

██ Safari (4.54%)

██ Opera (1.68%)

██ Other (1.26%)

Web Browser History

Cascading Style Sheets (CSS) CSS in Action HTML and CSS

CSS specifies how HTML elements are formatted

formatting can be attached to every element (redundant inside document)
formatting can be included in document (redundant across documents)
separate CSS files describe the formatting (best reuse)

Any combination of these methods is possible

Formatting Model

are central to the CSS formatting model

create a document tree (the DOM tree)
identify the media type (e.g., screen or print)
retrieve all stylesheets required for the media type
assign values to all properties in the document tree
generate a formatting structure (a different tree)
render the formatting structure on the target medium

Properties control the rendering of elements
Styling in CSS means assigning values to properties

CSS Properties

Properties define how elements are formatted

they define a specific facet of formatting
they may have interdependencies with other properties
they can be assigned explicitly
they may be defined through or

A property has a name and is used in a name/value-pair

the name identifies the property that is being set
the value space depends on the property
some properties accept complex values
sets of values: p { font : bold italic large Palatino }
sequences of values: p { font-family : "Segoe UI", verdana, helvetica, arial, sans-serif }

Property specifications can be grouped

.thinboxed { border-width : 1px ; padding : 10px ; margin : 5px }

CSS Selectors

are applied to elements

properties can be directly applied in an element's style attribute
in all other cases, selectors are used to select the styled elements

Selectors are good for reusable CSS code

identifying the most appropriate formatting classes is not easy
planning for CSS for a larger site is a difficult task

CSS project management should separate selectors and properties

selectors are about which things should be identified and styled
properties are about how this styling is implemented

Cascading

Stylesheets may have three different origins

page authors associate CSS with their pages
users configure their browser to use some CSS
user agents (browsers) have built-in CSS how to style content

Conflicts must be resolved using the following algorithm

find all matching declarations (matching media type and selector)
sort according to importance (browser < user < author)
same importance must be sorted by specificity (more specific selectors)
finally, sort by order in which they were specified

!important rules can influence the algorithm

they are interpreted in step 2 (sorting by importance)
browser < user < author < author(important) < user(important)

Inheritance

Properties often are inherited by children

setting a table's color sets the color for all contents
without inheritance, CSS stylesheets would have to be very large

Inheritance is mostly intuitive

in reality, it is a bit more complicated

specified value: what the property specified (, inheritance, or initial)
computed value: computed based on the environment (e.g., ex → px)
used value: converted to an absolute value (e.g., percentage widths)
actual value: specific for the environment (e.g., borders with pixel fractions)

Document Object Model (DOM) From HTML to DOM

HTML is a representation for hypermedia documents

a representation is required to store and transmit the document
HTML uses markup for representing the document structure

Browsers must render HTML documents (i.e., apply CSS and execute JavaScript)

GET HTML from server and receive as text/html document
parse document and deal with any errors by fixing them
interpret document as if it had been error-free
GET all additional resources (CSS, images, JavaScript, …)
build internal model (DOM) based on error-free interpretation
apply CSS rules to determine styling of document (e.g., margins and font sizes)
render into visual structure
start executing JavaScript code
listen for events (keyboard, mouse, timer) and execute code
discard everything and start over when user navigates to a different page

Browser Handling of HTML

Document

The document (HTML) is the interface language for Web applications
Most programming environments have visual interface models

almost everything has moved to window-oriented interfaces
Windows, MacOS, and Linux provide similar visual metaphors

Web applications must use HTML as their model for the interface

HTML forms are a simple way to build an interface
forms can be extended with client-side helpers (validation, repeating entries)

Object

Documents are static, programming is dynamic

documents and code must be connected
objects are a common abstraction in programming languages

Objects usually have a type and methods

types for HTML-based objects are based on HTML's elements
methods define the allowed to interact with objects
interactions can be read-only or they can change the document structure

Model

Models are idealized/abstract views of something
Model interfaces allow to expose that idealized/abstract view
DOM introduced a common way of how browsers deal with HTML

without a DOM, there can be no interoperable scripting

Abstractions are also limitations

some vendors add/support extensions to the basic DOM model
any code based on these extensions is not interoperable

Markup to Trees

Browsers build a DOM tree from the (fixed) markup

scripting code never works on the markup text, it works on the tree

DOM trees are an abstraction of the markup

trees provide convenient navigation facilities
abstractions provide an insulation against irrelevant markup details

DOM is available in a large number of programming languages

JavaScript is the language supported in Web browsers
DOM is also available for Java, C, C++, Python, Perl, C#, Ruby, …

DOM History

DOM0 was invented by Netscape (backing LiveScript/JavaScript)
DOM1 was the first DOM version produced by the W3C
DOM2 is the currently available stable version of DOM

major changes to be compliant with XML and the XML Infoset

DOM3 is highly modularized and still under development

more XML technologies such as the ability to use XPath

HTML5 extends the landscape of DOM

HTML5 itself adds new capabilities to DOM
a variety of additional specs add even more functionality

Scripting with JavaScript 2010-02-03 Nick Doty Firebug This lecture introduces JavaScript as a programming language and discusses some of the most important features of the language. We also look at how to use JavaScript inside of a browser interactively with a debugging tool called Firebug, and start looking at some of the ways in which jQuery makes Web development with JavaScript less programming-heavy, more reliable, and more declarative. Introduction to jQuery 2010-02-05 Ryan Greenberg jQuery In this second lecture on scripting, we look in more detail at the jQuery framework. We focus on how selectors allow to select nodes in the DOM tree, how these can be manipulated using jQuery methods, and how they can be used as starting point for traversal of the DOM tree. We also look at some of the mechanics of event handlers and some of the finer points of when and how event handlers and events should be managed in jQuery. Structured Data: XML and JSON 2010-02-08 Wikipedia: DHTML · Wikipedia: Ajax · XML Spec · Structuring Content with XML · JSON · JSON vs. XML A2²: Web App (twitter) (assigned: 2/8; due: 2/16) Many mobile applications are based on communications with a service. In most cases, these communications are based on structured data, with the client receiving and/or sending structured data to a service. The two most popular data formats for exchanging structured data in use today are the Extensible Markup Language (XML) and the JavaScript Object Notation (JSON). This lecture explains and compares these two formats, and is the foundation for the following lectures about Content Syndication and Ajax. Abstract

Dynamic HTML (DHTML) Ajax = DHTML + HTTP

uses JavaScript locally (changes in the browser)

the scripting code reacts to user events and accesses the DOM structure
changes are either hardcoded or reactions to user events

Ajax adds an HTTP request method to JavaScript

scripting code can now request additional data from an HTTP server
changes can thus be made based on any data received from the server

Ajax dramatically reduces the number of page reloads

any change of the page can be done without a complete reload
based on user interactions, parts of the page can be reloaded

Ajax has the same interoperability problems as DHTML

Ajax and DHTML Comparison of Ajax and DHTML

JavaScript and XML

The XMLHttpRequest API has been built for requesting XML via HTTP

this is useful because XML is a very popular data format
all requested data has to be processed by using DOM traversal in JavaScript

JavaScript does not have XML as its internal data model

the XML received via XMLHttpRequest has to be parsed into a DOM tree
DOM access in JavaScript is inconvenient for complex operations
alternatively, the XML can be mapped to JavaScript objects (also requires parsing)

JSON encodes data as JavaScript objects

more efficient for the consumer if the consumer is written in JavaScript
this turns an XML service into an object-oriented service
for large-scale applications, it might make sense to provide XML and JSON
using , this can be negotiated on the HTTP protocol level

Extensible Markup Language (XML) XML Use Cases

XML is a metalanguage supporting application-specific vocabularies
RSS and Atom are XML vocabularies for newsfeeds

Doc or Die: RSS feed vs. Atom feed
browsers now incorporate and/or integrate newsfeed readers

OpenDocument (ODF) is a language for office application documents

designed for open and interoperable exchange
standardized by ISO (which now also standardizes Microsoft's Open XML)

Scalable Vector Graphics (SVG) for portable vector graphics

designed for embedding in Web pages
good example for compound documents: HTML containing SVG

XML also can be used for representing complex structured documents

Markup?

Structures are encoded using special characters

a fundamental difference in comparison to binary formats
markup languages can be read and modified using text-based tools
programs must treat markup characters in a special way

Documents are content interspersed with markup (i.e., structures)

XML-aware software interprets the markup
XML-unaware software just sees a text file
modifications must be made XML-aware (e.g., inserting AT&T as AT&T)

You have to pay the
You need a parser for interpreting the markup

Basic Concepts

XML Documents have an XML declaration (optional)
There is exactly one document element (a.k.a. root element)
Elements may be nested (there is no conceptual limit)

elements may be repeated (they can be identified by position)

Elements are marked up using tags

most elements have content, surrounded by start tags and end tags
empty elements are allowed and may use a special notation

Elements may have attributes (zero to any number)

attributes can only occur once on an element (i.e., they cannot be repeated)

Tree Syntax

Markup is important, but only a notation
XML documents are trees with different node types

nodes so far: document, element, attribute, text

Elements

Elements can use a wide variety of names

Allowed: html, id9832798472, _, :, こんにちは
Disallowed: leading numbers, spaces, control characters

Element names usually convey some information about the content

this is not reliable and highly language-dependent
it is very useful when working with a known vocabulary
it is potentially harmful when working with an unknown vocabulary

Elements are the foundation for XML's versatility

they can be nested (<address><city>Berkeley</city><zip>94720</zip>…)
they can be repeated (<givenname>Erik</givenname><givenname>Thomas</givenname>)
their sequence can convey additional information (given names have a sequence)

Attributes

Additional information pertaining to elements
Traditionally, anything that is not considered content

SGML is a document markup language
XML uses SGML's concepts
XML has its roots in the document world

Elements: Content (i.e., Data); Attributes: Metadata
Documents often distinguish by what is textual content

Attribute Syntax

Naming rules are the same as for
Attributes always appear within an element's start tag
Attributes are name/value-pairs

the value is enclosed in single or double quotes

Attribute with a single-quote value: elem attr="Single: '"/
Attribute with a double-quote value: elem attr='Double :"'/
How can attribute values contain both?

The Price for Markup

Markup characters have a special meaning

< opens a tag
for attribute values, quotes delimit the value

The literal use of a markup character requires escaping

XML's entities can refer to pieces of content
entity syntax is &name; for referring to the entity name
XML has 5 predefined entities: <, >, &, ', "

Attribute using both kinds of quotes: <elem attr="Single ' and Double ""/>

Attribute using both kinds of quotes: <elem attr="Single ' and Double &quot;"/>]]>

JavaScript Object Notation (JSON) XML Example JSON Example Object Notation

Uses a subset of JavaScript syntax (static data structures)
Data model is derived from JavaScript's data model

number, string, and boolean for simple values
objects represents sets of values (using curly braces)
arrays represent sequences of values (using square brackets)
null as a special value

Based on JavaScript but usable in many languages

can be readily mapped to the data models of many programming languages
XML is not native in any major programming language (research: E4X/XJ)

JSON via URI Parameter

Many services provide structured data in various formats

logically speaking these are just different representations of the same content
depending on trends and technologies, new formats may be added

URIs allow query strings for transmitting data to a resource

HTML forms use query strings for submitting form values

Query strings can also be used manually in a URI

hackable URIs are convenient for developers

http://api.flickr…1313291@N20&lang=en-us&format=rss_200

JSON via Content Negotiation

XML or JSON are just different representations

they represent the same underlying resource (as identified by the URI)

allows to specify preferences

clients specify preferences and server respond with the best match

HTTP Accept specifies the accepted media type

resources may be available in HTML, XML, or JSON
depending on the HTTP request, the server responds with the best representation
reduces processing time on the client and can be cached

Really smart Ajax frameworks could even hide the content negotiation

request JSON or XML, with XML being the lower priority
if XML is sent by the server, it has to be parsed into a JavaScript object
the end result is always a JavaScript object for the framework user

Conclusions

Many applications need service access
Most applications need access to structured data
XML is a flexible format for representing structured data
JSON is a little less flexible but easier to use
JavaScript code is much easier to write for JSON services

Content Syndication 2010-02-10 Atom · AtomPub · Validator · Identifying Atom For many information sources on the Web, it is useful to have some standardized way of subscribing to information updates. Syndication formats such as RSS and Atom can be used by these information sources to publish a feed of updated information items. Extensions allow feeds to carry additional data, for example in podcasts. While RSS and Atom are read-only formats, the Atom Publishing Protocol (AtomPub) build on top of Atom and provides a protocol for submitting new items to feeds. Abstract

Content Feeds

Early Web content was static or updated very infrequently

there was not yet the requirement to reuse content in different contexts

Frequently updated Web content quickly became a very common scenario

as commercial interests took over the Web, users should have a reason to re-visit a site
presenting a steady stream of new content creates the image of a live Web site

There are two major use cases where HTML is not sufficient

users want an efficient way to get the updated content from a site
sites want to aggregate updated content from other sites and re-publish it

are designed to support these two use cases

container formats for updated items
a small amount of metadata about these items for automated processing

Syndication Formats RSS RSS History

The Myth of RSS Compatibility provides a good overview
RSS is a schoolbook example for why standards are a good thing

RSS 0.9 was created for the My Netscape portal in March 1999
RSS 0.91 (a simplification) was introduced in July 1999 (as an interim solution)
the AOL/Netscape merger removed the format from the company's portal
RSS was without an owner, and different parties claimed/denied ownership
RSS 1.0 was created by an informal developer group
RSS 0.92 (and 0.93 and 0.94) were published without acknowledging RSS 1.0
finally, RSS 2.0 was released as a follow-up to the RSS 0.9x versions

Using RSS has become an exercise in managing a menagerie of versions

RSS 2.0 Example Podcast Example The Case for Content Management

RSS is very rarely produced by hand

by definition, RSS contains redundant information for a specific purpose

If a Content Management System (CMS) is used, RSS can be generated

basic metadata can be generated by the CMS (title, author, date)
better tagging of content results in better tagging of feeds
well-tagged feeds are better foundations for large-scale reuse of feed items

Blogging is simply a specialized case of a CMS

Web-based interface for controlling everything
strictly time-ordered sequenced of published items
navigation features primarily based on the time-specific facets of the blog (maybe tags)
all blogging tools include feed support

Consuming RSS

RSS feeds often have quality problems

surprisingly often feeds do not even deliver well-formed XML
the use of embedded markup in RSS is not well-defined

Writing an RSS reader from scratch is not a good idea
There are three major tasks which RSS readers must do

accept non-XML RSS feeds and fix them to be XML
look at the feed contents and bring them into a unified form
produce a unified view of feeds regardless of the RSS version

RSS Political Problems

Multiple and incompatible are still in widespread use

RSS 1.0 and RSS 2.0 are incompatible by design (RDF vs. non-RDF)
none of the RSS versions is maintained by a universally accepted standards body

None of the specifications is being updated or fixed

some of the lessons learned by RSS deployment are not used in a new version
it is unlikely that a new version will be produced which merges the RSS landscape

Invent something new instead of trying to fix RSS

started in 2003 (called Echo at first)
W3C or IETF would have been promising candidates for a new RSS
W3C is more formal, IETF is more developer-centered
IETF was chosen over W3C because the of Atom community's preferences

Atom Atom History

RSS's shortcomings were very apparent and could not be fixed
In mid-2003, discussions started about an improved format
It also became apparent that the format should have a protocol
Atom 0.3 was released in December 2003 but had no formal home
IETF was chosen as the new home with a working group in June 2004
RFC 4287 was published in December 2005
AtomPub has been published as RFC 5023 in October 2007

Atom vs. RSS

Standardized by the IETF (well-defined process)
Classification of entries (user-defined categories)
More XML-like markup design (more nesting)
Namespaces are used and supported as standard mechanism
Atom feeds must be well-formed XML (there even is a schema)
Interpretation of content is well-defined (various content types)
Support for xml:lang and xml:base

Atom Example Atom Content

RSS had no safe way of finding out what an entry's content is

this led to different implementations being smart about what the RSS author really wanted
one of Atom's main goals was to improve this in a well-defined way
Atom allows escaped markup (the only way to include non-XML HTML in an XML format)

Each content element should have a type (the default is text)
Atom's content interpretation algorithm (use first applicable rule):

if type is text, no child elements are allowed (plain text content)
if type is html then RSS's method of escaped markup is used
if type is xhtml then there must be an div containing XHTML markup
if type is an XML media type then the content should be treated as this type
if type starts with text/ then no child elements are allowed
for all other values, the content must be an base64-encoded entity of the specified MIME type

Atom Content Examples


  
	One bold foot forward
  
]]>

The "atom:content" element either contains or links to the content of the entry. The content of atom:content is Language-Sensitive.]]>

The <code>atom:content</code> element either contains or links to the content of the entry. The content of <code>atom:content</code> is <a href="http://www.ietf.org/rfc/rfc3066.txt">Language-Sensitive</a>.]]>


iVBORw0KGgoA … TAAAAAElFTkSuQmCC
]]>

]]>

Syndication Aggregation End-User Aggregation

Users often have a small number of preferred Web sites

news can be tracked by subscribing to their feeds
this requires an feed-aware client (Firefox is not a good feed reader)

Ajax-based feeds could be implemented as a client-side application

retrieve the feed, transform it to HTML, and render the result
but the security restriction of XMLHttpRequest gets into the way
there is a way around this as used in the Ajax RSS reader
Google Reader accesses Google's own copy of the feed ()

How can users find a feed?

feeds have URIs (they are Web resources) and can be referenced from within HTML

<link rel="alternate" type="application/rdf+xml" title="…" href="…" />
<link rel="alternate" type="application/rss+xml" title="…" href="…" />

<link rel="alternate" type="application/atom+xml" title="…" href="…" />

Aggregation Intermediaries

RSS is a frequently used format between content providers

news agencies want to distribute news items as easy as possible
by using a single format, producers and consumers can more easily interoperate

The caused publishers to look for something better

had a head start and still is widely used
is a much better format and will eventually replace RSS

User-configured portals are the merger between both scenarios

users select a number of feeds as their preferred information sources
the feeds are presented on a single personalized Web page
by sharing and re-publishing items, users are becoming aggregation intermediaries

FeedBurner Fixing Feeds Cleaning Up Feeds

Load Balancing Providing Feed Load Balancing

Statistics/Analytics Providing Feed Statistics

Atom Publishing Protocol Syndication Format Protocols

LiveJournal (very simple text-based protocol)

not very good at handling structures (re-inventing for encoding structure)

Blogger (now at Google after Google bought Pyra)

no support for titles or any other sort of entry metadata
protocol from the early days of blogging before tagging became popular

MetaWeblog (an attempt to improve Blogger)

extends Blogger using a very bad design (RSS XML as XML-RPC structure encoded as XML)

Atom Publishing Protocol (AtomPub) is an attempt to provide a clean alternative

use the same document structures for feeds and the protocol interacting with them
use a REST approach to provide a simple and Web-compatible protocol
add and for additional tasks

RESTified Syndication

Atom is a format for retrieving a set of entries as a feed document

feeds often are time-based and are refreshed periodically or whenever needed
feeds can use any other strategy for deciding what to publish

Read-only access to feeds should be complemented by full access

full access needs the CUD out of the CRUD set of operations
many Web-centric technologies try to build on the Web's REST model of interaction

AtomPub builds on Atom and adds a REST-based protocol on top of it

POST for creating new entries (sending the request to the collection)
PUT for updating existing entries (overwriting the existing entry)
DELETE for deleting entries from a collection

Protocol Summary

Resource	HTTP Method	Representation	Description
Introspection	GET	Atom Service Document	Enumerates a set of collections and lists their URIs and other information about the collections
Collection	GET	Atom Feed	A list of member of the collection (this may be a subset of all entries in the collection)
Collection	POST	Atom Entry	Create a new entry in the collection
Member	GET	Atom Entry	Get the Atom Entry
Member	PUT	Atom Entry	Update the Atom Entry
Member	DELETE	n/a	Delete the Atom Entry from the collection

Service Documents

Service Documents represent server-defined groups of Collections, and are used to initialize the process of creating and editing resources.

The real top-level construct of AtomPub is the workspace

collections on a server are organized into different workspaces
workspaces have no AtomPub semantics and no operations can be performed on them

Service documents list constraints on the members of collections

accept specifies a comma-separated list of media ranges (with entry as special value)
categories defines the list of categories that can be applied to members (can be fixed)
AtomPub servers are likely to reject operations not satisfying these constraints

Service Document Example Category Documents

Categories are important for creating and reading entries

they may contain metadata using any classification scheme

contain a list of allowed categories
AtomPub defines a document format for standalone category documents

a useful interface between AtomPub systems and other systems using classification schemes

Category Document Example Conclusions Semantic Web Light

Syndication creates representations for universal concepts
Atom adds some concepts to RSS's model
Syndication revolves around the idea of interacting with items
Atom-based interaction is one way of implementing REST
For more semantics, Atom is only the foundation

Web Foundations (URI & HTTP) 2010-02-12 Why Mobile? Cool URIs · Live HTTP Headers · URI Spec · HTTP Spec The Web's architecture has very simple principles revolving around the ideas of placing a heavy emphasis on a consistent and global identification mechanism for resources, a standardized way of how resource representations can be retrieved, and a standardized way of how resource representations should be usable by using standardized media types. Based on the Internet, the Web's transport protocol transmits representations of resources identified by a Uniform Resource Identifier (URI) between Web servers and clients. The most important protocols for data transfer on the Web is the Hypertext Transfer Protocol (HTTP). Abstract

Uniform Resource Identifier (URI) Resource Identification

The Web is centered around resources

HTTP has been designed to manipulate resources
HTTP provides methods for getting, putting, updating, and even deleting resources

Resources are useful abstractions for interfaces

instead of an API, interaction is built around manipulating resources
APIs change and bind closely, documents can better withstand change and bind loosely
the whole Web is built around resources, not APIs

URI Schemes

URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]

http://dret.net/lectures/web-fall09/foundations#uri-schemes

URIs in their general case are very simple

the scheme identifies how resources are identified
the identification may be hierarchical or non-hierarchical

Many URI schemes are hierarchical

it is then possible to use relative URIs such as in a href="../"
the slash character is not just a character, in URIs it has semantics

Query components specify additional information

it is non-hierarchical information further identifying the resource
in most cases, it can be regarded as input to the resource

Hypertext Transfer Protocol (HTTP) DNS & HTTP

The two basic protocols which every Web browser must implement are DNS access and HTTP. However, most operating systems provide an API for DNS access, so the browser can use this service locally and only has to implement HTTP. TCP (which is required as the foundation for HTTP) is usually provided by the operating system.

The Web's Protocol

provided by CacheLogic Inc.

HTTP Basics HTTP Messages

HTTP needs a reliable connection

the foundation for HTTP is TCP
DNS resolution yields an IP address
open TCP connection to port 80 or port specified in URI (http://rosetta.ischool.berkeley.edu:8085/)

HTTP is a text-based protocol

the connection is used to transmit text messages
all HTTP messages are human-readable (not all entities, though)
basic HTTP operations can be carried out by hand

start-line
message-header *

message-body ?

HTTP Header Fields

Header fields contain information about the message

general header: Date as the message origination date
request header: Accept-Language indicates language preferences
response header: Server contains system information
entity header: Content-Type specifies the media type of the entity

HTTP defines a number of header fields

unknown fields must be ignored (extensibility)
unstandardized fields should use a X- prefix

HTTP is about acting on these fields

HTTP defines what HTTP implementations must or should do

HTTP Content Negotiation

have interaction semantics

depending on the header type they convey different information

HTTP Content Negotiation allows representation negotiation

the client specifies a number of preferred content properties
the server responds with the representation that fits best

Server-driven negotiation can use a number of request header fields

Accept uses a list of media types
Accept-Charset uses a list of character sets
Accept-Encoding uses a list of content encodings
Accept-Language uses a list of language codes
User-Agent specifies the client's identification

Client-driven negotiation lets the server send a list of URIs

two steps are required to get the best alternate representation

HTTP Requests

After opening a connection, the client sends a request

the method indicates the action to be performed on the resource
HTTP's most interesting methods are: GET, HEAD, POST
other interesting methods are: PUT, DELETE

The URI identifies the resource to which the request should be applied

absolute URIs are required when contacting proxies
absolute paths are required when contacting a server directly
the URI may contain query information

The Host header field must be included in every request

Method Request-URI HTTP/Major.Minor
[Header]*

[Entity]?

HTTP GET

Retrieval action based on the URI

maybe implemented by reading a file
maybe implemented by processing a file (PHP)
maybe implemented by invoking a process

Semantics may change based on header fields

If-*: only reply with the entity if necessary
Range: only reply with the requested part of the entity

Cacheability depends on header fields of the response

GET / HTTP/1.1
Host: ischool.berkeley.edu

HTTP Responses

The server's response to interpreting a request

the status code is given numerically and as text
2** for variations of ok
3** for redirections
4** are different client side problems (404: not found)
5** are different server side problems

Header fields specify additional information

information about the server
information about the entity (media type, encoding, language)

HTTP/Major.Minor Status-Code Text
[Header]*

[Entity]?

HTTP Performance

HTTP/1.0 allowed one transaction per connection

TCP connection setup and teardown are expensive
TCP's slow start slows down the initial phase of data transfer
typical Web pages use between 10-20 resources (HTML + images + CSS + scripts)
typically, these resources are stored on the same server

HTTP/1.1 introduces persistent connections

the TCP connection stays open for some time (10 sec is a popular choice)
additional requests to the same server use the same TCP connection

HTTP/1.1 introduces pipelined connections

instead of waiting for a response, requests can be queued
the server responds as fast as possible
the order may not be changed (there is no sequence number)

HTTP Connection Handling

HTTP Authentication HTTP Access Control

HTTP servers can deny access through access control

401 Unauthorized means the resource is access controlled
403 Forbidden means the resource is inaccessible
405 Method Not Allowed signals a request using the wrong request method

Two different approaches to unauthorized access are possible

repeat the HTTP request with the proper authentication credentials
redirect to a and establish an authenticated session

HTTP Authentication

Basic HTTP Authentication

Authentication is based on authentication realms

a set of resources for which the authentication is required
an opaque name which is used to signal which login is required
username/password often is specific for a given realm

Users supply username and password through the client

sent as Base64 encoded username:password string
username and password are not transmitted securely
basic authentication should always use HTTPS

Authorization is handled on the server side

HTTP/1.0 401 Unauthorized
	WWW-Authenticate: Basic realm="SokEvo"

GET /private/index.html HTTP/1.0
	Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Repeated Access

Clients typically access more than one protected resource

a perfectly stateless client would always request authentication from the user
using the realm clients can identify repeated accesses

Web interactions by default are perfectly stateless

each request is completely independent from other requests
stateless interactions make the Web loosely coupled and scalable
concepts like the realm or cookies introduce state

Clients remember the authentication and replay it automatically

browsers provide little control over this feature
logging out of HTTP authenticated sessions is hard

works with browser controls (including the window)

no possibility to log out without using browser-specific controls
client side security depends on browser security measures

Using HTML forms gives more freedom in session management

authentication and authorization are completely application-based
if there were secure personal browsers this would not work very well

Conclusions

HTTP is much more than file transfer

it is a protocol for the concept of resource manipulation
it is a distinct step away from the API approach to building distributed systems

HTTP servers can be configured to deliver good or bad service

this is a question of how well they are configured on the HTTP level
it is also a question of how good the Web design is
both issues together are required to set up a good Web server

Scripting with Server Access 2010-02-17 Animation with jQTouch DHTML · Wikipedia · XMLHttpRequest Spec A3: Touch App (assigned: 2/17; due: 3/1) Scripting is used on the majority of today's modern Web sites. Scripting can be used to improve the usability and accessibility of a Web site (for example for validating form data on the client side), it can vastly improve the user experience with new interface design (the smooth scrolling of Google Maps vs. older click to scroll map services), or it can be used to implement behavior that would be impossible without scripting (for example the online applications of Google Docs). Asynchronous JavaScript and XML (Ajax) takes Dynamic HTML (DHTML) to the next level by allowing server access from within scripting code. This is accomplished by using a standardized API for client/server communications, the XMLHttpRequest object. This objects allows using HTTP connections from within scripting code, and thereby allows scripting code to dynamically reload data from a server in response to user interactions. Abstract

Current Events MeeGo = Maemo + Moblin

RIM goes WebKit

Web App Development Scripting on the Web

Early Web pages were static HTML

HTML forms were the only interactive part of Web pages
interaction was only possible by clicking links and visiting new pages
CSS introduced limited dynamic behavior (such as mouseOver events)

Netscape invented the and LiveScript

Java was new and hip, so the language was renamed to JavaScript
pages with scripting (a.k.a. Dynamic HTML or DHTML) allowed richer user interfaces
other browsers invented their own versions of DOM/JavaScript

Scripting was and is often used to implement missing functionality

good scripting supports graceful degradation (leaving the page functional)
bad scripting compromises accessibility when the scripting code does not work

Any non-trivial scripting has to deal with browser differences

help by providing a foundation to build on

The Joys of Web Design Time Breakdown of Modern Web Design

Ajax Mechanics Misleading Name

All parts of the XMLHttpRequest name are misleading
XML sounds as if it can only handle XML transfers

supports any payload (as long as it is text-based)
XML is special because it is automatically parsed into a DOM

HTTP sounds as if it always uses HTTP

all major implementations also support HTTPS
some implementations even support protocols beyond HTTP(S)

Request sounds as it is only covering requests

HTTP interactions are request/response exchanges
XMLHttpRequest handles all HTTP interaction mechanics

XMLHttpRequest essentially is a client-side HTTP API

Minimal <code>XMLHttpRequest</code> Example HTTP Interactions

HTTP has various request methods

GET is used for the vast majority of Web requests
other methods allow to make changes on the server

XMLHttpRequest allows all HTTP methods to be used

good support for servers implementing RESTful interfaces
it is possible to GET, PUT, POST, and DELETE resources

Despite its name, XMLHttpRequest can be used for any content type

XML is just a special case and has some extra support
any other content can be used as long as it is text-based

Handling <code>XMLHttpRequest</code> Responses

HTTP responses always have a media type

the server indicates the media type of the response content
the client can process the response according to that type

responseText always contains the entity body of the HTTP response
XMLHttpRequest treats XML-oriented responses in a special way

text/xml, application/xml or …+xml responses are XML media types
XML media types are recognized and processed

responseXML contains XML parsed into a DOM tree

DOM trees allow DOM-based navigation
DOM tree navigation is not the most convenient way of navigating structured data

Inspecting <code>XMLHttpRequest</code> Responses

XMLHttpRequest allows all header fields to be inspected

getResponseHeader() returns a specific response header
getAllResponseHeaders() returns all response headers

// The following script:
var client = new XMLHttpRequest();
client.open("GET", "test.txt", true);
client.send();
client.onreadystatechange = function() {
	if(this.readyState == 2) {
		print(client.getResponseHeader("Content-Type"));
	}
}

// ...should output something similar to the following text:
Content-Type: text/plain; charset=utf-8

Requesting <code>XMLHttpRequest</code> Responses

HTTP allows content negotiation

the can specify list of supported/preferred media types
the server responds with the best match

XML/JSON can be distinguished by URI or by media type

URI requires different addresses to be used in request
media type requires the type to be specifically requested

// The following script:
var client = new XMLHttpRequest();
client.open('GET', 'ajax-data');
client.setRequestHeader('Accept', 'application/json;q=1.0, application/xml;q=0.8');
client.send();

// ... results in the following header being sent:
...
Accept: application/json;q=1.0, application/xml;q=0.8
...

Using XML Structures Using JSON Structures Ajax Practicalities Same-Origin Policy

Browsers combine content from various sources

HTML loaded from one site
images/CSS/scripting may come from other sites
resources are identified by URIs which may point anywhere

Content may have data integrity and privacy implications

stealing cookies effectively means stealing an authenticated session
access to content should be isolated across sites

Same-Origin Policies isolate content by domain name

not perfect and can be circumvented with certain types of attacks
the first policy implemented on the Web and the only one you can trust

<code>XMLHttpRequest</code> Implementations

Different browsers support different implementations

IE started supporting it as a browser-specific functionality
standardization took a while to complete the official API

Developers have to deal with the different APIs in browsers

code has to deal with different APIs
code has to be changed when new browsers show new behavior

JavaScript Frameworks Abstraction and Reality

Browsers are not entirely standards-compliant

Acid Tests are a way how to test browser compliance
compliance depends on what you test for (versions of the standards)

Running Acid3 for current browsers is disappointing

Chrome and Safari are equal (because they both use WebKit)
Firefox and Opera are not that bad (but not perfect)
IE8 is a disaster

In some cases, implementations have to make guesses

complex combinations of HTML, CSS, and JavaScript interactions

JavaScript frameworks have two major functions

hiding the fact that browsers need a lot of special case handling
providing support for common Web design patterns

<code>XMLHttpRequest</code> in jQuery (Setup) <code>XMLHttpRequest</code> in jQuery (Interface) <code>XMLHttpRequest</code> in jQuery (Core) Web Design Patterns

Many Web pages use similar ideas/visualizations
Factoring them into design patterns enables tool support
Providing access to a tree-structured set of resources

folder views are a common design pattern

Displaying image captions based on mouse events

dynamic image captions help combining images and their captions

Tabs are well-known from desktop applications and popular in Web design

Ajax Tabs can even load content dynamically

Image-heavy Web sites might need image viewing support

image zooming can make it more convenient to zoom into images

Popular Frameworks

Different needs produce different frameworks

There is no such thing as the best JavaScript framework

for any given project, decide on the support you need
evaluate frameworks for the support they provide
evaluate for functional requirements (is there a collapse/expand folder view?)
evaluate for non-functional requirements (is the framework openly licensed)

Important Framework Questions

How big is it?
How is it licensed?
How is it maintained?
How well does it support graceful degradation?
How well does it mix with other JavaScript code?

Conclusions

Scripting has become as essential part of Web-based applications
DHTML is local scripting, Ajax is scripting + server access

Ajax implements a lightweight client/server model
Ajax can range from helper functions to complete client-side applications
Creating better interfaces for Ajax applications is a research topic

Deciding between client-side and server-side is hard
JavaScript frameworks help developing script-based applications
Graceful degradation becomes more important on the mobile Web

Cross Site Scripting (XSS) 2010-02-19 iPhone Web App HIG JSONP & jQuery · ProxyPass Many mobile applications use data from a variety of sources, the most popular example being map-based applications with often combine map data from one site with placemarks and other map overlays from a different source. Depending on the implementation, this design might be limited by the Same-Origin Policy implemented by clients, which originated in an attempt to reduce the risks of Cross-Site Scripting (XSS). In this practical lecture, we look at some of the workarounds that are possible, specifically at JSON with Padding (JSONP), which is a client-based approach, and at reverse proxying, which is a server-based approach. Abstract

XSS Risk and Mitigation XSS Risk: Cookie Theft Same-Origin Policy

Browsers combine content from various sources

HTML loaded from one site
images/CSS/scripting may come from other sites
resources are identified by URIs which may point anywhere

Content may have data integrity and privacy implications

stealing cookies effectively means stealing an authenticated session
access to content should be isolated across sites

Same-Origin Policies isolate content by domain name

not perfect and can be circumvented with certain types of attacks
the first policy implemented on the Web and the only one you can trust

Mobile Applications and XSS

Mobile applications often use different services

the limitations of browsers can be inconvenient
cooperation with well-behaving 3rd-parties can be essential

Accepting data from 3rd parties can be risky

many data formats have the capability to embed code
any data format that can embed code should be properly sanitized
if data formats can load more data (and code), things become very complicated

Proper sanitization should be done by all applications

many applications do not sanitize and there should be a fallback
if applications willingly allow XSS they should be risk-aware

Allowing XSS

Server-side methods channel everything through one domain

write a program that accepts and forwards requests (custom proxy)
use an HTTP proxy and configure it as a reverse proxy

Client-side methods engineer around the browser security model

same-origin policies only apply to some resource classes
cleverly reusing unrestricted access circumvents same-origin policies

Requesting scripts vs. requesting data from within scripts

scripts can be requested from any origin
scripts can request data only from the same origin they're from
but scripts can request other scripts to be loaded

Client-Side Solution <code>XMLHttpRequest</code> Restrictions

XMLHttpRequest in its original design implements the same-origin policy

XMLHttpRequest implements the same-origin policy
XMLHttpRequest2 is less limited but not yet widely deployed

HTML has a number of elements without request policies

img requests images from any domain
iframe requests HTML from any domain
HTML has a large number of linking elements
script is a link to a script that is loaded and executed

JSON is JavaScript

XMLHttpRequest implements the idea of script-based data access

access is limited by the same-origin policy

script is not limited by any security policy
Scripts adding new script elements is legal and unrestricted

this does not add new risks to the risky practice of loading 3rd-party scripts
there is quite a bit of risk to the practice of loading 3rd-party scripts

JSON with padding (JSONP)

Serve JSON as a script instead of just data

JSON data is just a data structure

{ "JSON" : "Hello World!"}

JSONP data is a function call and thus can be executed

jsonp({ "JSON" : "Hello World!"})

JSONP-aware services must serve data with the padding

many JSONP services support setting the function name in the URI

http://api.flickr.com/…&format=json&jsoncallback=flickrfeed

JSONP clients must implement the JSONP function call

the control flow is the same as for Ajax
the handler function is called as soon as the JSONP script loads

jQuery handles JSONP internally

JSONP Example JSONP Handling in jQuery Server-Side Solution HTTP Server Configuration

XMLHttpRequest requests are subject to the same-origin policy

accept requests for a 3rd-party URI at some same origin URI
forward the request to the 3rd-party URI

Proxies are used for re-engineering HTTP traffic

forward proxies are configured and used by the client
reverse proxies are configured and used by the server

The solution we need is a reverse proxy

not visible for the client (looks like a same-origin request)
passed through to the 3rd party server (additional HTTP hop)

Server Requirements

Apache needs to support proxying and rewriting URIs

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so

Proxying support allows the server to make HTTP requests
Rewriting allows the server to map incoming URIs to outgoing requests

Mapping Remote Resources

RewriteEngine On
ProxyRequests Off
<Proxy *>
	Order deny,allow
	Allow from all
</Proxy>
RewriteRule ^/staticmap(.*) http://maps.google.com/maps/api/staticmap$1 [P]

Conclusions

Combining data can take a bit of engineering
Creativity in re-engineering can help solving problems
Creativity in re-engineering can introduce vulnerabilities
Mobile applications are particularly vulnerable

users trust and handle their mobile devices differently
badly engineered applications can cause a lot of damage

Do not trust anybody you don't have to

Designing Mobile User Interfaces 2010-02-22 Jeffrey Nichols Mobile Design Mobility is Different · Research and Design Process In this lecture, I'll describe both the general process for designing user interfaces and variety of guidelines for designing mobile user interfaces. The mobile guidelines are based on a variety of studies conducted at IBM, my own personal experience, and Barbara Ballard's book Designing the Mobile User Experience. Evaluating and Iterating on Mobile User Interfaces 2010-02-24 Jeffrey Nichols Mobile Web vs. Native Using the Experience Sampling Method to Evaluate Ubicomp Applications In this lecture, I'll describe a variety of methods for evaluating mobile user interfaces. These vary from traditional lab-based user interface evaluation methods, including heuristic analysis and think-aloud studies, to field-based methods that are better suited to mobile interfaces, such as diary studies, the experience sampling method, and logging studies. Mobile Web vs. Web 2010-02-26 Types of Mobile Apps Touch Web · Acid3 Test · CSS3 Selectors Test · Mobile Browser Test Web-based mobile applications inherit important properties and constraints both because of their dependency on the Web, and because of their focus on mobile scenarios. In the previous two lectures, we have looked at the differences caused by typical mobile device usage, which often translate into different designs, and might even make Web-based solutions less than optimal in some situations. From the technical perspective, an important question is how easy it is to design and build Web-based applications for mobile devices, and in this lecture we look at the most important component in that picture, the mobile browser. Abstract

Mobile Browsers and Browsers Mobile's Share of Web Consumption

Smartphone Sales Q2 2009

Web Requests by Smartphone OS

Browser Wars Revisited

Two major developments are referred to as Browsers Wars

Netscape vs. IE in the late 1990s
IE vs. others (Mozilla, Safari, Opera, ) since 2003

Economic battles fought with policies and technological weaponry

deploy default browsers on major platforms
make it hard for users to change their default browser
make browsers and other Internet software behave like malware
introduce features and deploy tools that depend on these features

Browser wars consume a lot of energy

browser developers concentrate on features and not on quality
content developers have to negotiate the battlefield

Browser War I

Browser War II

Firefox Safari Opera Netscape Mozilla Chrome Other

Browser War III

Mobile browsers are platforms for mobile applications

competition with native applications requires advanced browser capabilities
mobile devices vary widely in their features and configurations
defining the standard mobile platform is more challenging than for computers

Many mobile platforms are designed like old fat clients

have a basic browser for simple and low-fidelity tasks
require installed native applications for more advanced tasks

Computers moved away from fat clients a while ago

thin clients are more cost-effective (less local maintenance)
managing data and applications in the cloud adds flexibility
robust browser support allows advanced applications (Web 2.0)

Application Stores

Application Stores remove some of the native application problems

unified billing platform (eBay for applications)
one-stop shop (catalog and search functions)
quality control (stability and security issues)
ease of installation (one-click installation procedure)

Application Stores introduce typical monopoly problems

opaque procedures for acceptance to the store
no competition and thus skewed economies
highly centralized market instead of decentralized ecosystem

The lifetime of today's application stores is probably limited

Browser Evaluation Mobile Browser Evolution

Mobile Safari was the first desktop-quality mobile browser

almost all features of the desktop version of Safari
unique properties and problems because of the multi-touch interface

Touch Web is a new term for explicitly touch-friendly Web pages

current focus is on being friendly to small-screen devices
iPad and other tablets may create a new category of large-screen touch browsers

Identifying the target group for an application is not easy

native applications always will only work on one platform
Web-based applications can work across platforms
projections for application lifetime and update frequency are essential

Acid2 CSS3 Selectors Test

CSS3 adds more selectors to CSS

better capabilities to apply formatting to specific elements

Reduces the need for non-declarative mechanisms

less need to use a lot of identifying class attributes
less need for scripting to identify certain element classes

Testing CSS3 selectors identifies CSS-savvy browsers

tr:nth-child(2n+1) /* represents every odd row of an HTML table */
tr:nth-child(odd)  /* same */
tr:nth-child(2n+0) /* represents every even row of an HTML table */
tr:nth-child(even) /* same */

Acid3

Acid2 tested only for CSS2 implementation

testing CSS selectors to always select the correct elements
testing CSS properties to produce the correct layout

Acid3 adds a number of Web 2.0 technologies

JavaScript and DOM2 for basic scripting compatibility
SVG, XML, and data URIs for additional functionality

Six major groups of tests (called buckets)

DOM Traversal, DOM Range, HTTP
DOM2 Core and DOM2 Events
DOM2 Views, DOM2 Style, CSS 3 selectors and Media Queries
Behavior of HTML tables and forms when manipulated by script and DOM2 HTML
Tests from the Acid3 Competition
ECMAScript

Acid3 Result Acid3 for Firefox 3.6

W3C Mobile Browser Test

Very specific choice of tested technologies

XMLHttpRequest
canvas
contenteditable
geolocation API
input type="date"
AppCache (offline launching for Web-based applications)
video
audio
Web Workers (threads for scripting)
local storage (persistent local key/value storage)
session storage (temporary local key/value storage)
@font-face

Testing browsers is easy but might miss some details

video/audio critically depend on the supported codecs

Developing Mobile Web Applications Targeting One Platform

The Web is becoming increasingly segmented

vast majority of accesses are from regular computers (PC/laptop)
increasing share of accesses are from smartphones (mobile Web)
other platforms such as tablets, e-books, cars, consoles, …

Use the correct statistics based on your audience

platforms vary greatly across countries
platform usage can change fairly quickly over time

Targeting a single platform is high risk and high profit

cheaper development than native applications
UX not as polished as with native applications
same platform limitations as native applications

Least Common Denominator

The least common denominator is really low

state-of-the-art mobile browsers are limited to smartphones
most regular phones have very minimal WAP-inspired browsers
basic HTML, no CSS, no scripting

Trade-off between audience and sophistication

good as a utilitarian approach if people have to use a service
risky as an approach where people have to become engaged

Class-Based Development

Good theory but hard to implement in practice

what are the most useful classes to identify?
how to reuse as much content/code across classes?
how to make sure that class cost match class coverage?

Nowadays often implemented in a two-class approach

regular site assuming a laptop/desktop computer and environment
mobile site either very basic (WAP) or touch-specific (iPhone)

Publishing/authoring frameworks might become more sophisticated

generating different versions of sites (based on target audiences)
CSS Media Queries allow better client-side adaptation

@media all and (orientation:portrait) { … }
@media all and (orientation:landscape) { … }

<link rel="stylesheet" media="print and (color)" href="http://…" />
<link rel="stylesheet" media="print and (monochrome)" href="http://…" />

Translation/Adaptation

Fully automated approaches are research topics

usual problem of perfect separation of content and layout
many research projects are based on the idea of pure content
many real-world projects use a mix of content and layout

Database-driven solutions typically are good candidates

the content almost by definition has no inherent layout
designing translation/adaptation has a good starting point

Mobile Platforms 2010-03-01 HTML5 APIs · PhoneGap A4: Maps (assigned: 3/1; due: 3/8) This lecture takes a closer view of the spectrum between native and Web-based mobile apps. Specifically, we look at the gap, how that gap might be closed by the activities referred to as HTML5, and what still remains as open issues even with HTML5. We also look at the hybrid approaches such as PhoneGap, and at the more desktop-inspired approaches of Flash Light and JavaFX. Abstract

Delivering Mobile Web Applications URIs for Mobile Resources QR Code for http://dret.net/lectures/mobapp-spring10/

URIs identify resources for interactions
Perfect URIs are independent of the actual representation

more an ideal than something that is often done in practice

URIs should be the entry point to interactions

identifiers that can be published, shared, reused, …
there should only be one entry point

<q>One Web</q> URIs

Ideally, all interactions go through the same set of URIs
In practice, Web sites can be structured/designed very differently

mobile applications are based on different use cases and usages
mobile sites may have a different URI structure from the regular site

Different approaches for handling One Web URIs

perfect: serve content that may be specific to the request
good: redirect to content that is specific to the request
sometimes good: allow users to switch between different representations

Different representations often are developed by different teams

not necessarily a one-to-one correspondence between all resource
try to provide mappings between the most important resource URIs

<q>Mobile Web</q> URIs

Most mobile sites use specific URIs for mobile content

different TLD: http://berkeley.mobi/
different domain: http://m.berkeley.edu/
different path: http://berkeley.edu/mobile

.mobi has not seen much adoption

there is no reason why mobile content should have one specific TLD

Different subdomains make it easy to set up separate servers

convenient for entirely different mobile applications
high risk of fragmentation and partial reuse becomes brittle

Different paths are creating as little separation as possible

all content is available through the same server
setting up and maintaining redirects can be handled more easily

Native Runtime Platforms Mobile Platform Overview

The Legacy of J2ME

J2ME was a disaster in usability and stability
Instead of selling implementations, it was a licensed spec

there were no conformance requirements and no conformance testing
anything that was labeled as J2ME could be shipped

Installation procedures were/are not user-friendly

phone-specific ways of how to download/install applications
often no easy way to find and manage installed applications

Developing J2ME applications became surprisingly device-specific

writing code to address/circumvent properties of devices
far from Java's original Write Once, Run Anywhere vision

Tightly Controlled Platforms

iPhone development works well because there is only one device

3GS supports video and has a compass but those are all differences

iPad development makes development considerably harder

much larger differences in device capabilities
maybe a completely different UX/UI approach is required

Tightly controlled platforms allow better tool chains

SDK and other tools are under control by one vendor

The long story of Flash on the iPhone

Apple controls the complete code base running iPhone applications
Flash would introduce code controlled by a different vendor
stability/performance issue cannot be addressed by Apple

Open and/or Licensed Platforms

More open models mean platforms are reused for various devices

Android is open source and reaches beyond smartphones (nook, netbooks)
Windows Mobile is licensed to a variety of device makers

Device diversity can become a problem

diversity is good but also makes it harder to rely on device capabilities
until today, all Windows Mobile devices are required to have IR ports

Android development is a different challenge from the iPhone

development for only one device?
if for multiple devices, what is the target class of devices?
development across classes faces the iPhone/iPad challenge

Cross-Platform Development

Platform	Language	Sophistication
iPhone	Objective C	complicated & polished
Android	Java	Eclipse
Blackberry	Java	not great
Windows Mobile	.NET and/or C#	complex
Nokia (Maemo/MeeGo)	C++, Java, Flash Light, Web techs	not focused
Palm (WebOS)	Web techs	?

Web-Based Runtime Platforms Web-Based Mobile Platform

iPhone Platform

Web as a Platform

Code is delivered on demand using Web standards

HTML is the interface structure language (the windowing metaphor)
CSS is the layout language (layout controls for the windowing metaphor)
JavaScript is the programming language (runtime control of HTML/CSS)
HTTP is the communication method (JavaScript access to the Internet)

Web technologies are migrating into the OS

a long time ago, Internet technologies were doing the same thing
HTTP support by the OS still is the exception and not the rule
more complete packages (rendering & scripting) are available (WebKit)
WebOS treats Web technologies as the native API

ChromeOS is using the browser as a platform

browser = WebKit + user controls (a.k.a. chrome)
ChromeOS and WebOS are not all that different (technically)

Current Web Capabilities

Web technology is rather limited in its device support

keyboard/mouse perspective is built into numerous technologies
output is visual and bitmapped (Aural CSS might still happen)

Many Web pages rely on non-standardized technologies

Flash for rich media (mostly video playback)
Silverlight for Rich Internet Application (RIA) implementations

Web technology is limited to online scenarios

Google tried changing this with Google Gears (offline support)
offline capabilities are now added in various places
most Web-based apps by their very nature are online-oriented

HTML5 Capabilities

HTML5 is a complicated and evolving set of technologies

turning HTML4 into something with more predictable browser behavior
adding some new features along the way

Some HTML5 features were spun off into standalone specifications

Not all documents at the W3C have the same support and maturity

Programmable HTTP Caching and Serving
Contacts API
Indexed Database API (competitor of Web Storage)
File API

Missing Pieces

Non-traditional interactions

(multi-)touch screen for pointing interactions
accelerometer for measuring device movement
vibration for giving tactile feedback

Access to device hardware

camera, compass, …

Access to additional information sources

phone API for phone calls and messaging
contacts, calendar, social networks, …

Special graphics capabilities

essential for advanced rendering (gaming, 3D visualization)
non-traditional bitmapped displays such as e-ink

Hybrid Runtime Platforms Java Revisited

Write Once, Run Anywhere
Java's appeal of a virtual platform remains strong

Java's main success was for non-interactive applications
abstracting the traditional OS functions probably is easier to do

Taking Java to the Web

Java Applets never really took off (too heavyweight and ugly)
Flash was much more lightweight and more Web-friendly
ActiveX was Microsoft's backdoor into native features
Silverlight is both for embedded and standalone applications
AIR is Adobe's standalone Flash

Embedded in the Browser

Plugin architectures of browsers allow browser extensions

applet specifically supports Applets only
object allows any object to be embedded

Browsers must have the extension installed for content to work

plugin installation is complicated and security-sensitive
fallback can be implemented but often is too costly and not supported

Browser plugins are not subject to the same security policies

they run as native code (the plugin is installed as an OS-level library)
vulnerabilities of the plugin turn into vulnerabilities of the browser

More lightweight approaches may be required for mobile devices

Flash Light is a version of Flash for limited devices
JavaFX and JavaFX Mobile are intended to replace Applets/J2ME

Browser/Flash Platform

Standalone Runtimes

Removing the limitations of the browser

essentially recreating Java's virtual machine approach
often more friendly to Wen technologies (built-in HTML/CSS/Scripting)

Transitioning outside of a browser breaks the Web flow

standalone apps mean that there is no back button
it is harder to integrate these applications with others

Most examples of standalone applications are black holes

they are not supposed to connect to the fabric of the Web
overcoming the black hole effect is easier in a browser

Flash Standalone Platform (AIR)

Compiled Runtimes

Application and runtime compiled into a native application

less dependency on installation status of the client
only reasonable with a lightweight runtime

PhoneGap acts mostly as glue for native functionality

exposing currently unsupported functionality as JavaScript APIs
the actual functionality is supported/implemented in the OS

PhoneGap focuses platforms that are sophisticated enough

currently supported are iPhone, Android, and Blackberry
support is planned for Windows Mobile, Nokia, and Palm

PhoneGap on the iPhone

Conclusions

Navigating the current landscape is complicated
Devices, platforms, and technologies are evolving quickly
There is no best solution for mobile applications
Web-based applications will see better support in the near future
Mobile will probably follow the path of the Web

Geolocation 2010-03-03 Geolocation API · Geolocation Privacy · Geolocation Demo Mobility is (one of) the defining characteristics of mobile devices, and many use cases and scenarios not only depend on mobility (the ability to move), but on location (the knowledge of where something moved to). Determining the location of a mobile device can be done in a variety of ways, and in this lecture we briefly look at various localization technologies (IP address, Wi-Fi, cell phone, GPS). We then look at the W3C Geolocation API, which is currently under development and allows scripting code to request the location of the device it is running on. Finally, we discuss some privacy issues around automated access to location information. Abstract

Mobility and Geolocation

Mobile devices change position and thus position is interesting

most abstract mobility information: something moved or is moving
most concrete: coordinates, elevation, speed, heading

Location information can be obtained in a number of ways

the mere act of obtaining location information can produce a location trail
there should be an abstraction layer for location information
users might want to control how their location is obtained/exposed

Location is interesting both technically and economically

location-based services establish spatial context that is useful in many scenarios
location information is a useful input for recommendations and advertising
different scenarios need very different spatial resolution

Desktop Location

Determining Location Where Are You?

Different devices/situations ask for different methods

available identifications from network technologies
available signals for location technologies (GPS)

has been used for a long time for targeted advertising

often not good enough for a precise location
often good enough for broad categorization (country, state, city)

Location technology should work robustly and reliably

determine location under a variety of conditions
determine location as precisely as possible in a given scenario

Connectivity Matters

IP address from local Wi-Fi:

IP address through AT&T 3G:

IP Positioning Internet Addressing

Basic Internet connectivity requires IP addresses

each device connected to the Internet has an IP address

IP addresses are assigned and used in blocks

Class A networks are assigned to a few big entities
other classes are less wasteful but still assigned in blocks
identifying a block's owner can be done through public registries

IP has (almost) run out of addresses several times

the IP address space has only 4 billion addresses
because of IP's design, optimal allocation of addresses is not possible
various fixes have been developed and deployed since the mid-1980's

IP Address Problems

Modern network technologies made IP addresses less reliable

Network Address Translation (NAT) hides device IP addresses to the outside world
Dynamic Host Configuration Protocol (DHCP) makes IP addresses less static
Virtual Private Network (VPN) technology assigns internal addresses for external devices
phone-based access makes IP addresses only useful on the national level

IP addresses are still useful as a fallback and for stationary devices

big organizations often have a well-defined location and IP addresses
for location on the regional level this often is good enough

IP addresses are almost useless for phone-based connectivity

some carriers may support additional technologies (WAP)

Wi-Fi Positioning Wi-Fi Networks

Wi-Fi networks have unique identifiers

Media Access Control (MAC) which uniquely identifies each manufactured device
Service Set Identifier (SSID) which is not unique but publicly visible and reasonably good

Wi-Fi networks have short range and thus provide good localization

maximum indoor range of 802.11n is 70m (230ft)
maximum outdoor range of 802.11n is 250m (820ft)

Wi-Fi networks are widely deployed and easy to identify/scan

Wardriving started the trend of collecting Wi-Fi information
big databases nowadays contain tens of millions of Wi-Fi networks

Open Wi-Fi Databases

Cell Phone Tower Positioning Mobile Internet Access

Most mobile connectivity nowadays is via cell phone networks

cell phone technology has had data support for a long time
WiMax and similar data-centric technologies are not yet widely established

Localization can differ greatly based on various factors

cell phone technology (CDMA has wider range than GPS)
topology (hilly areas require more towers but make localization harder)
coverage (densely populated areas have more towers)

For emergency calls localization is required by law

known as Enhanced 911 (E911) in the U.S.
implemented under different names in various other countries

Location Provider

Cell phones see various towers

cell phone tower triangulation can be done with tower IDs
this requires nothing but the ability to get to tower IDs

Towers receive traffic from cell phones

Cell of Origin (COO) only use one tower's location
Time Difference of Arrival (TDOA) triangulates between synchronized towers
Angle of Arrival (AOA) allows towers to detect the origin of the signal
AOA-based localization requires additional equipment in the towers
AOA-based localization can only be done by the cell phone operator

Some cell phone operators provide their own location services

E911 is required by law
additional services such as Verizon's Family Locator

Global Positioning System (GPS) Military Technology

Long-range ballistic missiles need global navigation
Cold war technologies were often visionary and expensive
GPS was conceived in the mid-1970's and development started soon

first experimental satellite launched in 1978
10 experimental satellites were launched to validate the concept
new generation of satellites launched in 1989
initial operational capability was achieved in December 1993
Selective Availability (SA) was switched off in 2000

Satellite-based means global availability

satellite orbit is 20,200km (12,550 miles)
signal strength is low and receivers need line of sight

GPS Satellite Visibility

GPS Precision

GPS positioning precision depends on various factors

Selective Availability (SA) was switched off in 2000 (limit to 100m)
satellite reception quality (15m precision with optimal reception)

Augmentation services can enhance precision dramatically

WAAS/EGNOS/MSAS achieves precision in the 3m range
Differential GPS (DGPS) achieves sub-meter precision
Nationwide Differential GPS (NDGPS) is a DGS operated by federal agencies
Real-Time Kinematic (RTK) achieves centimeter precision (even in elevation)

Accuracy information given by receivers often is wrong

it reflects the receiver's local model (satellite reception)
external influences (distorted signals) can have a strong effect

Geolocation API Geolocation API Demo Geolocation-Based Image WGS84 Coordinates

GPS-based coordinates have become the norm

globally usable and readily available from GPS receivers
printed maps start supporting WGS84 coordinates as well

interface Position {
	readonly attribute Coordinates coords;
	readonly attribute DOMTimeStamp timestamp;
};

interface Coordinates {
	readonly attribute double latitude;
	readonly attribute double longitude;
	readonly attribute double altitude;
	readonly attribute double accuracy;
	readonly attribute double altitudeAccuracy;
	readonly attribute double heading;
	readonly attribute double speed;
};

Geocoding and Reverse Geocoding

The current API only supports coordinates

civic locations will be supported in the next version

Geocoding turns locations into coordinates

Berkeley, CA → (37.875733,-122.265092)

Reverse Geocoding turns coordinates into locations

(37.875733,-122.265092) → Berkeley, CA

Geocoding is not a simple 1:1 mapping operation

most locations are not points; they are areas
most points can be associated with more than one location

Geonames.org provides data and Web services for (reverse) geocoding

Location Privacy Issues Handling Privacy

Implementation requirements defined in the specification

User Agents must not send location information to Web sites without the express permission of the user.
User Agents must acquire permission through a user interface, unless they have prearranged trust relationships with users.
The user interface must include the URI of the document origin.
[…] permissions […] must be revocable and User Agents must respect revoked permissions.

Service requirements defined in the specification

Recipients must only request location information when necessary.
Recipients must only use the location information for the task for which it was provided to them.
Recipients must dispose of location information once that task is completed, unless expressly permitted to retain it by the user.
Recipients must also take measures to protect this information against unauthorized access.
If location information is stored, users should be allowed to update and delete this information.

This is essentially opt-out, an opt-in model would have been possible

configure the requirements when/how location is made available
allow exceptions if services want to exceed the preferences

Sensitive Data

Location data reveals sensitive information

location data allows to physically locate devices/users
historical location data can be mined for a lot of information

Many devices use location providers for determining location

highly sensitive data flowing in a very distributed scenario
the term third party often is defined in a very fuzzy way
the location providers become very powerful information brokers

Maybe some regulation/legislation will be introduced

location might be treated as sensitive data (such as medical data)

Location Fuzzing

Many/most applications do not need GPS precision

some services have more nuanced models (FireEagle provides choice)

Coordinate-based fuzzing can be attacked more easily

possible to determine a smaller region given sufficient fuzzed location

Should there be support for user-specified locations?

plausible and consistent lying is not easy (but maybe desirable)
there are numerous useful scenarios for providing false locations

Local Storage 2010-03-05 Web Storage · Web SQL Database · State · Cookies Spec Mobile applications face two main challenges that call for local data storage: they must be able to go offline so that they can work when there is no connectivity; they must be able to store data locally so that they can better optimize network traffic. In this lecture, we look some of the established mechanisms for local storage (Cookies) and traffic optimization (HTTP caching), and look at the HTML5 mechanisms that provide more extensive client-side support for local data storage: Web Storage and Web SQL Database. Abstract

Optimization and Expansion

Better local storage allows better data handling

local HTTP caches are useful but not for everything
almost every application uses some sort of (local) data storage

Local storage allows meaningful offline applications

it is a necessary but not a sufficient condition for offline applications
for real offline applications both data and code must be offline-enabled

What kind of data types are required?

introduced the idea of minimal client-side data (just a session ID)
more extensive data storage might look for key/value storage
advanced client-side data management can benefit from a structured model and language

Minimal Web Storage Demo Local Storage vs. Caching

Local storage is explicitly done by the application

the application has full control and responsibility

Caching is transparently done by the local HTTP implementation

the application has no control or even knowledge
caching is supposed to work as an optimization
Programmable HTTP Caching and Serving is interesting but unlikely to happen

Caching works perfectly for resource-oriented client/server applications

not all applications are (exclusively) client/server
many mobile applications are a mix of local logic and client/server logic

Local Storage vs. Cookies

are managed through HTTP interactions

their context is the domain from which they are set
browsers automatically send a cookie when they contact the server
servers can set cookies at any time based on their origin

Cookies are scoped at the browser level

cookies are managed by and thus identify browsers
tabbed browsing has introduced a different level of granularity
managing multi-tab sessions requires careful use of cookies

What is the best scope for client-side state?

cookies at the browser level are useful for authentication
cookies at the browser level can be problematic for user interactions
combining cookies and URI rewriting can be a good approach

Cookies Tracking Sessions

Invented as a way to compensate for HTTP's lack of state

application state is being sent to the client (Set-Cookie)
the client transmits application state in requests (Cookie)

Cookies do not contain code that is executed

some data that represents application state (by value or by reference)
this data is stored by the client and returned to the server
the client is not supposed to interpret the data in any way

Cookies can be used in many different ways

when used for tracking application state they are unproblematic
when used for tracking resource state they introduce problems

Cookies for State Management

Cookie Mechanics (Initial Request) Cookie Mechanics (Authenticating) Cookie Mechanics (Cookied Repeat) Third-Party Cookies Advertising & Privacy

Big ad servers are digital hubs in the commercial Web

consumers switch content providers but get the same ad provider
tracking consumers across content providers is very valuable

Cookies set by ad providers are sent very frequently

each site that uses the ad provider triggers the cookies to be sent
detailed profiling can be employed for creating consumer profiles

Content and ad providers can cooperate for better profiling

consumers log in to content providers and are reliably identified
their personal profile can be matched with the ad provider's profile
ad provider consolidation makes this scenario realistic

Browsers Assemble Web Pages

Typical Web resources (HTML pages) are assembled from a number of resources retrieved by HTTP. Any resource not originating on the server that is hosting the HTML page is considered a third-party resource. If the HTTP response for such a resource contains a cookie, it is a third-party cookie.

The World's Most Popular Script

<script type="text/javascript">
	var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
	document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
	try {
		var pageTracker = _gat._getTracker("UA-xxxxxx-x");
		pageTracker._trackPageview();
	} catch(err) {}
</script>

Key/Value Storage Limitations of Cookies

Cookies are designed to work without client-side scripting
Cookie storage space is limited (RFC 2965 makes recommendations)

at least 300 cookies
at least 4096 bytes per cookie
at least 20 cookies per unique host or domain name

Cookies are browser-scoped, not tab-scoped

many applications do not work well when used in multiple tabs
cookie-based interactions implicitly interact between tabs
allows local storage to be scoped by session

Cookies are transmitted with each interaction (HTTP mechanism)

browser manage cookie storage space automatically
cookies should be small (implementation limits and HTTP overhead)
allows local storage to be managed by scripting

Simple Storage Interface

Scope is determined by document origin

access control based on the same concepts as other Web technologies
handles sessions as well as (some) access control

Storage is organized as a list of key/value pairs

there can only be one value per key (identification by key)

Order is defined but not stable across changes

items can be requested by position (useful for scanning all items)
order can change when items are added or removed

interface Storage {
	readonly attribute unsigned long length;
	getter DOMString key(in unsigned long index);
	getter any getItem(in DOMString key);
	setter creator void setItem(in DOMString key, in any data);
	deleter void removeItem(in DOMString key);
	void clear();
};

Session Storage Storage per Top-Level Browsing Context

Session storage is scoped by two mechanisms

one session storage per document origin
one session storage for top-level browsing context

Session storage behaves in the same way as local storage

only the scoping (and thus persistence) is different

Session storage changes are indicated by storage events

applications can install and implement storage event handlers

Local Storage Storage per Browser

Local storage is scoped by one mechanism

one local storage per document origin

Local storage behaves in the same way as session storage

only the scoping (and thus persistence) is different

Local storage changes are indicated by storage events

applications can install and implement storage event handlers
event handlers are more important for local storage (multiple tabs)

Relational Storage Local SQL Database

Browsers often have built-in databases

managing fast access to history information
managing caching and other internal data structures

Local applications often have sophisticated storage needs

relational storage is the most mainstream data metamodel
allowing scripting to access relational storage open new opportunities

Browser databases are not always exposed to scripting

SQLite is included in Firefox and WebKit (and many other products)
Firefox has decided to only allow access for add-ons (e.g., Zotero)
WebKit exposes database access to scripts as the Web SQL Database API

Minimal Web Database Demo (Create Tables) Minimal Web Database Demo (Use Tables) Minimal Web Database Demo (Join Tables) Specification Problems

User agents must implement the SQL dialect supported by SQLite 3.6.19

not acceptable as a Web standard
defining a reasonable and useful subset of SQL is not easy

Currently only usable for targeted development

supported by some major browsers (WebKit, maybe Opera)
not supported by other major browsers (Firefox, IE)
will probably be changed if it ever becomes a standard

is the better solution for storage

Conclusions

Walking the line between local application and Web UI can be challenging
Good online and offline capabilities are not easy to design/build
Local storage provides some interesting additional functionality
Maybe Web frameworks will start providing support for syncing
Current technologies provide very basic support but no useful patterns

Server Side Technologies 2010-03-08 PHP · SimplePie A5: mobileOK (assigned: 3/8; due: 3/19) Navigating the mobile landscape means that depending on the targeted mobile devices, it might be impossible to rely on sophisticated client-side support for Web technologies. In such a case, it is necessary to move the functionality to the server-side, so that mobile applications can be used by simpler clients as well. In this lecture, we look at the concepts that can be utilized on the server side, standalone web servers, general programming frameworks, and Content Management Systems (CMS). Abstract

Mobile Applications

Mobile applications use one of three designs:

Local application only

games and navigation and personal productivity applications
more and more of those local applications have online features as well

Server-side application only

functionality and data is entirely implemented and exposed server-side
most Web-based applications qualify
RIAs (Flash/Silverlight/HTML5) are supporting more local functionality

Mix of local and server-side functionality

local capabilities compensate for disconnects and slow transfer rates
server-side capabilities compensate for limited devices and risk of data loss
well-designed switching between both modes is useful but not easy
good developer support for this type is in its infancy

Web Server Computing Cycles

Mainframes started as server-side and dumb terminals
PCs took over as cheaper alternatives and local-only
Client/Server Computing combined PCs and central servers
Thin Clients were providing display services only (X11)
Web Clients were a better implementation of the thin client idea

display and local capabilities may look similar to dumb terminals
the architectural principle changed and is very different (REST)

Rich Internet Applications move more functionality to the client

HTML5 is the latest fat client development

Mobile Applications require specific design considerations

scripting code runs about a hundred times slower than on a desktop
online/offline support and standalone mode are essential features

HTTP and File Systems

HTTP servers read content from file systems

this is the simplest possible setup (static content in files)
content also can be post-processed by the server
content can be dynamically created by a program

Server-side and client-side always is a trade-off

server-side solutions are slower (round-trip) and less elegant
client-side solutions depend on client capabilities

Serving Content from Files

Serving Content from Files with SSI

Server-Side Includes (SSI)

Simple server-side processing

add the modification date of the file
include another file

Minor extensions cover conditional processing

conditional statements for request-specific processing

Depends on server type and setup

enabled by default in most Apache configurations

Ability to execute external programs (started via CGI)

Common Gateway Interface (CGI)

Protocol for connecting programs with Web servers

rules for how information about the request is handed to the script
rules for how the result of the script is handed to the server

CGI can be embedded into pages or produce complete pages

embedded CGI results are expected to produce HTML fragments
complete CGI results are expected to produce complete HTML content
http://radblast-aa.wunderground.com/cgi-bin/radar/WUNIDS_map?station=MUX&brand=wui&num=6&delay=15&type=N0R&frame=0&scale=0.498&noclutter=0&t=1165711666&lat=37.86912155&lon=-122.26962280&label=Berkeley%2C+CA&showstorms=0&map.x=400&map.y=240&centerx=470&centery=334&transx=70&transy=94&showlabels=1&severe=0&rainsnow=1&lightning=0

CGI is not always a good solution for heavy load servers

the external program is started every time a request is processed
the overhead depends on the type of CGI script

Server Side Programming From Processing to Programming

PHP started as a simple inclusion processor

Personal Home Page reflects the original goal as a simple site management tool
PHP: Hypertext Processor reflects the more generalized approach of PHP today

Functionality was added incrementally

recent versions of PHP turn it into a complete programming language
the design of the language is more pragmatic than elegant

PHP Hello World Minimal Server-Side Feed Reader Adding jQuery Content Management System (CMS) Content on the Web Content and Structure

Content is what matters most

content itself often has some internal structure
content may explicitly link to other content

Macro-structure often is more representation than content

displaying the current context of the content
displaying related content
displaying some overall structure (site navigation)

Content often is reusable across application scenarios

publishers have used Content Management Systems for a long time
adding a new publication channel to a CMS should be evolutionary

Content may require very different support depending on the channel

newspapers need fine-tuned layout and good control over content size
Web needs good interlinking and navigation

CMS Evolution

Web servers reading from files
Web servers implementing primitive content management (SSI)
Scripting languages implementing better management
Management code getting hooked up to databases
Better handling of client-specific behavior
Databases getting more diverse (RDB, XML, RDF)

The Rise of the CMS

File-based content management works well for small sites

simple site structure and small number of files
redundant parts can be manually synchronized
no software is required other than a Web server

Web servers soon developed rudimentary CMS functions (SSI)

rudimentary support is better than no support
managing a non-trivial setup with SSI still is a challenge
SSI allows includes but no backlinks and thus hides dependencies

Content management is similar to code management

simple setups require no or little tool support
serious projects need tools to manage dependencies and changes

File Systems are Databases

A file system is a simple hierarchical database

it does not know data types and simply stores any content
its structure is a tree with a few extra tricks (such as symlinks)

Many scenarios have much more structured data models

products, people, financial institutions all have complex data models
content should be stored and queried based on these models

Databases are better optimized for storing structured content

better methods for structured storage and retrieval
better strategies for managing large datasets
sophisticated tools for access control, backup, and versioning

Tables (Relational Model)

Most widely used model for large collections of structured data
Very mature products and many skilled people available
The biggest advantage is that it is not hierarchical (no structure bias)
Advantages of relations:

well-understood model and maps well to existing data
the non-hierarchical model allows views from different perspectives
highly scalable solutions available

Disadvantages of Relations:

bad for sequences and variable structures (choices, repetitions, …)
very bad for structured documents

ER Model

Ordered Trees (XML)

XML has a heritage of document processing
XML tools can be used standalone and are widely supported
XML and HTML have a very similar foundation
XML has two built-in directions: hierarchy and ordered children
Advantages of XML:

maps well to HTML and XHTML
well-suited for document-oriented content

Disadvantages of XML:

not good at representing non-tree data
databases not as mature as relational products

XML Content

The term Mixed content in XML refers to elements which have text content mixed with elements. What these elements do depends on the elements , but the important point is that they are on the same level as the text nodes of the mixed content.

Directed Graphs (RDF)

RDF is the metamodel of the Semantic Web
Highly granular, less rigid than tables, less ordered than trees
Advantages of RDF:

any structure can be mapped to RDF triples
support still limited but getting better

Disadvantages of RDF:

no model for document boundaries and self-contained units
bad for sequences
very bad for structured documents

Representational State Transfer (REST) 2010-03-10 What is REST? · REST Interfaces REST vs. SOAP · RESTwiki Representational State Transfer (REST) is an architectural style for building distributed systems. The Web is an example for such a system. REST-style applications can be built using a wide variety of technologies. REST's main principles are those of resource-oriented states and functionalities, the idea of a unique way of identifying resources, and the idea of how operations on these resources are defined in terms of a single protocol for interacting with resources. REST-oriented system design leads to systems which are open, scalable, extensible, and easy to understand. Abstract

The Web as a System

The Web is one distributed hypermedia system

the main architectural components are URIs, HTTP, and HTML
all other Web technologies are built on that foundation
if they are not, they are very likely not well-designed Web technologies

The Web is amazingly open, scalable, extensible, and easy to understand

openness allows new technologies to be introduced
scalability ensures that the system does not contain bottlenecks
extensibility allows the Web to evolve without any redesign of existing parts
simplicity makes sure that the system survives and evolves

No other information system gets even close to the Web

but not all information system designs can accept the Web's limitations
REST should be seen as a guideline how to build a true Web application
other applications will continue to be built using other approaches

Web System Design

There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.

C. A. R. Hoare, The Emperor's Old Clothes, 1980 Turing Award Lecture

Technologies and Implementations Object-Orientation

Object-Orientation is a Software Engineering Style

it can be applied to any programming language
depending on the language, this is more or less easy
OO languages support or even enforce certain design patterns
spaghetti code can be written in every programming language

Implementations can always be bad or good

the quality of the implementation depends on the programmer
programmers can be better supported and controlled with an OO language
implementation quality metrics must be based on the product, not the language

Good programmers always produce good code
Bad programmers always produce bad code
Average programmers need good tools to produce good code

Technologies are Tools

Technologies help solving problems

they are built with certain goals in mind
they specialize in solving a problem in a specific way

Technology choices are very important

the technology (i.e., the tool) shapes the way a problem is solved
working against the tool is possible, but hard and rarely done

Technologies sometimes cloud the more important issues

the problem must be well-defined and fully understood
the general approach to solve a problem must be identified
finally, a technology supporting this approach must be chosen

Implementations are Products

Implementations are built on (and shaped by) technologies
Implementation = Concepts + Technologies
Implementation quality depends on both factors

the right choice of technologies is very important
the responsible use of that foundation is equally important

Good REST is as hard to grasp as good OO

products may claim that they are REST/OO
they may even use technologies which support REST/OO
only careful inspection reveals the truth of this claim
in most cases, this only happens when the product needs to be changed

REST Principles Definition

Resources are defined by URIs
Resources are manipulated through their representations
Messages are self-descriptive and stateless
There can be multiple representations for a resource
Application state is driven by resource manipulations

Resources

Resources are defined by URIs

resources can never be accessed or manipulated directly
REST works with resource representations

Resources are all the things we want to work with

if you cannot name something, you cannot do anything with it
a popular resource type on the Web are documents
documents usually are a structured collection of information

Documents are abstract concepts of descriptive resources

they may be used in different contexts (e.g., formats)
different applications may be interested in different representations
the underlying resource is always the same

State

State is represented as part of the content being transferred

server interruptions do not create problems for the client
it is possible to switch between servers for different interactions
clients can simply store the representation to save the state

State transfer makes the system scalable

data transfer is not state-specific (no stateful connection handling)
state is transferred between client and server

Establishing a Common Model

Distributed systems must be based on a shared model

traditional systems must agree on a common API
REST systems structure agreement into three areas

REST is built around the idea of simplifying agreement

nouns are required to name the resources that can be talked about
verbs are the operations that can be applied to named resources
content types define which information representations are available

Nouns

Nouns are the names of resources

in most designs, these names will be URIs
URI design is a very important part of a REST-based system design

Everything of interest should be named

by supporting well-designed names, applications can talk about named things
new operations and representations can be introduced

Separating nouns from verbs and representations improves extensibility

applications might still work with resources without being able to process them
introducing new operations on the Web does not break the Web
introducing new content types on the Web does not break the Web

Verbs

Operations which can be applied to resources
The core idea of REST is to use universal verbs only

universal verbs can be applied to all nouns

For most applications, HTTP's basic methods are sufficient

GET: Fetching a resource (there must be no side-effects)
PUT: Transfers a resource to a server (overwriting if there already is one)
POST: Adds to an existing resource on the server
DELETE: Discards a resource (its name cannot be used anymore)

Corresponding to the most popular basic database operations

CRUD: Create, Read, Update, Delete

<http>POST</http>ing

POST adds instead of an overwriting update
POST can have different effects

by POSTing, state is changed and a new resource is created
by POSTing, only the existing resource is changed
the server signals the difference using HTTP responses (200 OK or 201 Created)

This is a design choice

if the added information needs to be accessible individually, create a new resource
for changes of an existing resource, no new resource has to be created

Make sure that resources are navigable using URIs

if appropriate, a relationship can be represented in the resource format

Content Types

Representations should be machine-processable

they don't have to, they may be opaque to applications
in many cases, machine-processable representations are advantageous

Resources are abstractions, REST passes representations around

resources can have various representations (i.e., content types)
clients can request content types they are interested in

Adding or changing content types does not change the system architecture

different clients and servers support different content types
allows content types to be negotiated dynamically

REST vs. <q>Web Services</q>

REST is a description of the Web's design principles

it is not something new, it is simply a systematic view of the Web
REST's claim is to be able to learn from the Web's success

Web Services (the SOAP flavor) do not build on REST

they use HTTP as a transport protocol
they re-create Web functionality through additional specifications (WS-*)
they have been built by programmers using a top-down approach

REST and Web Services have different design approaches

REST starts at the resources and takes everything from there
Web Services focus on messages, which in most cases are operations

REST Implementation REST Technologies

REST is not tied to a particular set of technologies

are the most common choice for nouns
methods are the most common choice for verbs
is the most common choice for content types

Choosing other technologies should have a very good reason

building a REST system should make it open and accessible
technology choices are as important as architectural choices

URIs

REST requires a lot of URI design

instead of being generated as a side-effect, they are the core of the system

Designing URIs and starting from them is a new way of thinking

URIs are much more powerful than just being an address of a Web page

URIs are names for concepts

concepts are never transmitted, only their representation
having to focus on concepts rather than representations is helpful

HTTP

HTTP is the most successful RESTful protocol

HTTP's author Roy Fielding coined the term REST in his Ph.D. thesis

HTTP should be regarded as an application-level protocol

Web Service technologies use HTTP as a transport protocol
HTTP has much more to offer than a firewall-penetrating pipe

Web infrastructure is built around proper HTTP usage

caching is built into HTTP and caches optimize the Web transparently
authentication can be done using HTTP's authentication methods
secure data transfer can be done using HTTPS

XML

URI-identified resources are abstract concepts

for machine-based processing, XML is a good representation
for human-oriented interactions, HTML probably is a better choice

Connections to other resources must be done by URI

XML does not make built-in assumptions about identifiers
but it does support URIs, for example with XInclude and XML Base
RESTful applications are about navigating a Web of URI-identified resources

Conclusions Better Services

REST is an architectural style

URI/HTTP/HTML/XML may be replaced
the general principle of resource-based interaction remains valid

RESTful system designs can create better systems

a little bit more design effort in the beginning
a lot less headaches later

SOA often are not really RESTful

SOA often focuses on operations
REST focuses on resources

Offline-Capable Applications 2010-03-15 Going Offline Offline Applications · HTML5 Mobile settings should not rely on the client being online all the time. For Web-based applications, however, this is a challenge, because the traditional model of Web-based applications has no notion of offline mode. HTML5, however, introduces the ability to design and build offline-capable applications. One important part of that is local storage, the ability to persistently store data on the client. The other important part is the application cache, the ability of a Web-based application to list all the resources that are necessary for offline mode. Clients can then reliably store all these files locally for offline capabilities. Abstract

Webless Web-Based Applications Limitations of Web-based Applications

Limited access to device hardware

input and output devices based on traditional desktop computers

Limited rendering model (HTML/CSS box model)

CSS2 floats, absolute positioning, and z-index add sophistication
CSS3 Advanced Layout adds more flexible/advanced layouts
HTML5 Canvas 2D adds vector graphics to HTML's layout

Dependency on HTTP interactions

and Ajax can make HTTP a runtime decision

Always invoked in Software as a Service (SaaS) mode

software is not installed but served remotely
client-side code is only supported as part of general HTTP caching

iPhone Apps

iPhone released in 06/2007 with no add-on applications

Safari Mobile as a high-end mobile browser
support for sophisticated Web applications and offline mode

Developers were disappointed by the lack of device access
10/2007 early announcement of native SDK, officially announced in 03/2008
iPhone OS 2.x released 07/2008 supported native applications

SDK released in 03/2008 based on Apple's Cocoa Touch framework
applications can only be distributed through the AppStore

Caching Application Code Going Offline/Online

Switching offline/online is controlled by the user agent

it can be controlled by the user (explicit work offline command)
it can be controlled automatically (monitoring connectivity)
ideally, the device should have a status of online/offline

Mobile applications can go offline at any point in time

ideally, switching between modes should not result in failure
applications doing more than a GET are more challenging to design

HTTP Cache vs. AppCache

HTTP caches are part of (almost) all user agents

they cache HTTP responses based on HTTP methods and metadata
they are supposed to be transparent and should not change behavior

Caching application code can be just optimization

all code/resources for Web-based applications is delivered as HTTP responses
if everything is reliably cached, offline applications are possible

Caching application code needs some explicit hints

all required resources need to be available
updating the cached application is only possible in online mode
in some cases, application caching should be aggressive
user agents should have a general control for removing origin-specific data

What Applications Need

Web Pages (HTML)
Style Sheets (CSS)
Scripting Code (JavaScript)
Images (GIF, PNG, JPG)
Additional resources

in many cases this may be dynamically changing data
this might also include resource access other that GET

Media Resources

Detecting State Changes Going Offline/Online

Applications should be able to check connectivity

do not even try HTTP if there is no connectivity
avoid network access or start using

HTML/DOM has attributes and events

interface Window {
// the user agent
	readonly attribute Navigator navigator; 
	readonly attribute ApplicationCache applicationCache;
// ....
	attribute Function onoffline;
	attribute Function ononline;
// .... };

interface Navigator {
  // objects implementing this interface also implement the interfaces given below };
Navigator implements NavigatorID;
Navigator implements NavigatorOnLine;
Navigator implements NavigatorAbilities;

[Supplemental, NoInterfaceObject]
interface NavigatorOnLine {
	readonly attribute boolean onLine; };

Minimal Online/Offline Demo Caching Application Data Going Offline/Online

How does a browser know whether it is online or offline?

UI controls may allow the user to go offline/online
network monitoring allows the browser to understand the status
OS events could be used to alert the browser of state changes

Being online should cause a browser to cache all data

the application cache could be a special part of the regular cache
application caching has to be done before connectivity is lost

Many applications have an infinite/updated stream of data

some resources may be static (code, layout, old data)
some resources are dynamic (REST allows infinite exploration)

Media Resources

Minimal Online/Offline Demo

HTML5 code linking to the cache manifest

Cache manifest listing all files that must be cached

Cache manifest must be served as text/cache-manifest

Manifest Sections

Manifests have three different sections

CACHE: can and should be cached by the browser
NETWORK: requires a live connection
FALLBACK: pair-wise lists of fallback alternatives

CACHE MANIFEST
CACHE:
style/default.css
images/sound-icon.png
images/background.png
NETWORK:
comm.cgi
FALLBACK:
/ /offline.html

Updating Cached Applications

Must be done by the client every time the application is loaded

can be invoked and controlled by the client application itself

interface ApplicationCache {
// update status
	const unsigned short UNCACHED = 0;
	const unsigned short IDLE = 1;
	const unsigned short CHECKING = 2;
	const unsigned short DOWNLOADING = 3;
	const unsigned short UPDATEREADY = 4;
	const unsigned short OBSOLETE = 5;
	readonly attribute unsigned short status;
// updates
	void update();
	void swapCache();
// events
	attribute Function onchecking;
	attribute Function onerror;
	attribute Function onnoupdate;
	attribute Function ondownloading;
	attribute Function onprogress;
	attribute Function onupdateready;
	attribute Function oncached;
	attribute Function onobsolete;
};

Camera Access 2010-03-17 W3C DAP As a case study, we look at the (seemingly) simple task of how to add camera access to a mobile application. It turns out that this cannot be easily done in any Web-based application that is supposed to be working across a large range of devices. However, as an exercise of surveying the mobile ecosystem (and thus highlighting the difficulties of navigating this constantly changing landscape), in this lecture we look at the available options, and at the trade-offs involved with every of those options. Abstract

Camera Access Sharing Experiences Memory card with integrated Wi-Fi

Cameras and phones are still in the process of merging

phone cameras are becoming increasingly sophisticated
dedicated cameras are still making substantial progress
a relevant share of cameras are also phones

Cellphone cameras have a problem with sharing pictures

backup/synchronization allows handling similar to dedicated cameras
MMS extended SMS (and added outlandish pricing models)
email clients allow some sharing (not tied into the Web)
mostly native apps for easy taking/uploading/sharing

There are other ways of how sharing can be implemented

cameras can upload pictures without user intervention
Web-based services then can implement sharing strategies
Eye-Fi allows automatic push from cameras

Mobile Cameras

Flickr Camera Models

Decoding Encoded Reality QR Code for http://dret.net/lectures/mobapp-spring10/

QR codes can provide entry points

they can be used as a springboard into the Web
they can be used as data input in any application

Many closed application scenarios rely on QR tagging

users can be expected to have appropriate devices and behavior
there can be assumptions about the encoded data

Web technologies have not yet embraced QR codes

is there any browser that supports QR for addresses or data input?
things might with more and more QR Codes in the wild

Cameras and Privacy

Camera access is highly sensitive to privacy considerations

Web applications have to go through some access control
access management is both important and complicated

Applications may be more trustworthy than the Web

not technically true but applications simply are more heavy-weight
the browser as a sandbox traditionally has protected users

Mobile Devices and Privacy

Mobile devices introduce a new dimension of privacy problems

more trusted than computers (but more trustworthy?)
part of many more activities and situations
an increasingly sophisticated array of sensors

W3C Device APIs and Policy Working Group has a long-term focus

targeting devices specifically from the mobile ecosystem
some aspects excluded from scope (widgets, geolocation, notification)
hopefully some common framework for device access APIs and privacy issues

Balancing features/power and privacy is a delicate issue

adding more control elements to browsers does not solve the problem
should the Web remain disconnected from privacy-sensitive data?

Mobile Platform Landscape Overview

Web Technologies HTML Forms Generic File Upload

Forms allow general file uploads

most form fields are for direct data entry
one special form field activates the OS file selection dialog
this is the only access to a client's general data storage

Form file uploads are using the platform-specific file selection

files are selected based on the client's conventions
files are sent as multipart messages with POST requests

Form uploads essentially use the same mechanism as email

HTML forms can upload any number of files
servers are expected to unpack and process them
processing options are file storage or input to further processing

HTML Form Example Form Uploader Example HTML Forms Limitations

Not supported on all mobile devices

iPhone Mobile Safari always disables file upload controls in forms

Inconvenient for multiple uploads (frequent use case for images)

only one file per form control can be selected
additional form controls can be created via scripting
one form control per file in many cases is not convenient

Workarounds are used in different forms

Flickr uses Flash upload (allows selection of multiple files)
Facebook uses Java Applet (allows previews and preprocessing)
email uploads circumvent forms altogether (magic email address)

Pro/Con

Advantages:

very well-established Web technology

Disadvantages:

very indirect (take picture, store it, upload it)
inconvenient for multiple uploads
not supported on some embedded devices (e.g., iPhone)
no support for more advanced interactions (live capture)

MMS Multimedia Phone Services

Multimedia Messaging Service (MMS) extended SMS

adding the ability to send multipart messages

MMS composition on phones can add attachments
Web-based applications could invoke MMS composition

there is no standard scheme for identifying MMS URIs
phones support for MMS URIs would take a while
the image is transported via an out-of-band mechanism

MMS implementation uses HTTP but is inaccessible to developers

MMS handsets retrieve receive MMS messages via HTTP
MMS is essentially expensive multipart email

Pro/Con

Advantages:

can use a phone's existing multimedia support

Disadvantages:

no URI scheme for MMS addressing
no phone support for composing MMS messages from Web content
out-of-band messaging
may incur substantial costs

HTML5 Camera Access on the Web

Hardware access is traditionally limited on the Web

screen-based output is the only output medium
input is limited to keyboard and mouse

Multimedia applications often bypass standard Web technologies

audio support is simple in Flash and other plugins

HTML5 APIs start targeting more advanced access to data/devices

camera access is identified but not yet included

Pro/Con

Advantages:

none

Disadvantages:

cameras not yet part of official HTML5 plans

Platform-Specific Runtimes Flash The 900lb Gorilla

Used to be taken for granted in the pre-mobile days

iPhone/iPad seriously challenge the ubiquity of Flash support

Support limited based on underlying OS

Flash support for iPhone/iPad is unlikely to happen
Flash support for Android is planned (probably only 2.1 and later)
Flash support for WebOS and Windows Mobile can be expected

Camera access from Flash is trivial

Pro/Con

Advantages:

widely deployed on the computer Web
may see some adoption on the mobile Web
some developers have experience with Flash

Disadvantages:

not part of the Web (develop Flash code instead of Web code)
only works with a (potentially small) subset of mobile devices

BONDI Pre-HTML5 Advanced Web APIs

Platform vendors attempting to bridge the gap

phones are providing increasingly sophisticated features
browsers become more powerful but provide little platform support

BONDI has been established as a vendor initiative

phone manufacturers, network operators, service providers
first reference implementation based on Windows Mobile 6
BONDI 1.1 approved in early 2010 and should be available soon

Pro/Con

Advantages:

some support across vendor platforms
comprehensive platform for better platform access

Disadvantages:

future is uncertain (alignment with HTML5/DAP is pending)
support seems to be very limited as of today

WRT <q>Nokia's BONDI</q>

Nokia-specific API for platform services

available on Symbian devices only
support on Maemo/MeeGo may or may not happen

APIs and widget development environment

APIs for providing access to platform-specific functions
widget support for development and deployment of applications

Pro/Con

Advantages:

good market coverage (Symbian has a large market share)

Disadvantages:

only supported by a subset of installed Symbian versions
only supported by Nokia devices (not even all Nokia smartphones)
unclear alignment with BONDI and HTML5

PhoneGap/QuickConnect Bridging the Gap

Bundling access to missing functionality
Based on WebKit and adding access to device APIs
Web code and PhoneGap/QuickConnect runtime are bundled as a native application
Application development requires native SDK access

setup and configuration can be complicated
native SDKs for all targeted platforms must be available

Pro/Con

Advantages:

good mix of Web development and API support
requires no framework installation on the device
porting applications just requires rebuilding it

Disadvantages:

requires installation on the device (packaged runtime)
requires approval in some application stores (depending on platform)
application updates can be tricky (depending on design)

Native Applications Sophisticated and Expensive

Provides full access to the underlying API

device APIs can be more powerful/flexible than Web-level abstractions
QR recognition is more convenient with constant capture

Development is complex and very platform-specific

different programming languages
different framework conventions
different APIs on each platform

Deploying can be difficult

platform vendors may have strict guidelines for application deployment
installing applications may be a complicated process
users have to find/install/setup the application

Pro/Con

Advantages:

no limitations other than actual device limitations
some platforms have managed application purchasing services

Disadvantages:

complex development (expensive and fewer available developers)
very little reuse across various platforms

Final Project Setup 2010-03-19 SCVNGR Discussion about the scope and possible ideas for the final project. More details about the exact requirements and constraints for final projects will be made available at a later date. Abstract

Scope Client Side Development

Mobile applications need specifically mobile-aware designs

the user context often is very different
mobile devices provide a very diverse landscape

Having well-defined starting points is essential

what are the situations in which users are using the application?
what kind of interactions/devices is the application supporting?
what are contexts/devices specifically excluded from the design?

Server Side Development

Many mobile applications need some service

social applications by definition must have a place to connect
personal applications might need backup or synchronization
mobile interfaces may be limited in functionality

Tight Coupling vs. Loose Coupling

mobile applications should be able to work with slow networks
mobile applications should be able to handle offline scenarios
mobility across devices (e.g., mobile to laptop) is an interesting topic

Client/Server Interactions

How to design mobile scenarios with client/server interactions

REST as the underlying principle is a good starting point
how to specifically design and implement RESTful services?

Understanding the impact of connectivity and speed

designing the right granularity can make a big difference
designing smart caching/offline can make a big difference

Requirements Design and Implementation

Applications are as good as their weakest part

great design and poor implementation does not work very well
poor design and great implementation will not attract many users

Very different approaches between corporate IT and open IT

users of corporate IT solutions often have no alternatives
open IT is a free market where users can walk away any time

Bridging the front-end and the back-end

front-end can be challenging because of heterogeneity
how well does the back-end support very different front-ends?

Design

Users, personas, use cases, scenarios

based on current uses and devices
looking forward to slightly futuristic uses and devices

Interaction Design of users (i.e., user agents) and services

RESTful design is all about identifying resource interactions
how do users navigate the space of available resources?
identifying resources and their connections is a key issue

Implementation

Design the implementation yourself (starting from the )

explore the design options and critically review the trade-offs
focus on building a client (platform issues)
focus on building a server (empowering certain classes of platforms)

Use an existing implementation framework

pre-built platforms such as SCVNGR
explore and critically review the trade-offs of the selected platform
can the platform be extended/augmented to better fit your needs?

Options Project Focus

UI/UX design with an eye on implementation issues

how do technical issues inform the UI/UX side of the project?

Implementation design with an eye on UI/UX issues

how do UI/UX requirements inform technical design decisions?

Final Project Proposal 2010-03-29 A6: Proposal (assigned: 3/29; due: 4/5) The final project is supposed to cover a mobile application all the way from the use cases to implementation issues. In this lecture, we look at the expected format of the project proposal and the different issues that need to be addressed in the proposal. Most importantly, the proposal has to contain a section on application design as well as a section on application implementation. Abstract

Project Outline Scope

Focus on something achievable

final projects will not lead to complete applications
we do expect some level of detail in design/implementation
deciding what to do specifically can be hard

Try to not re-invent the wheel

hard to do because there are many existing applications and services
if there is competition, describe what is different

Use Cases

Describe scenarios in which your application will be useful

describe how it is useful for the end-user (black box)
describe what the application/service needs to do (implementation)
describe other necessary components (community or services)

Non-Use-Cases can be helpful as well

describe scenarios that you are not targeting

Project Design User Contributions

Activities where the application is useful

describing typical scenarios/situations
how might the application be useful in that specific case?
how does this compare to a situation without having the application?

Several inputs are required from the user

direct inputs in the form of data entry
indirect inputs because of user context (e.g., time or location)
3rd party triggers (user arrives at a location)

Application Contributions

What is the application doing as a black box?

what are the inputs/outputs of the black box?
list all required inputs to get to the proposed output
do not assume some magic entity solving the hard part

Briefly think about scalability issues

would it still work with thousands/millions of users
does scale add value or cost or both?

Community Contributions

Is there some form of community?

if so, then the data model must include this as well

What is the community model?

users are on their own
reusing one of the existing networks (Facebook, Twitter, …)
building a new network

How does the community provide input?

User Interface Design

How is the user interface going to look like?

different implementation choices result in different UI options

UI design should start with simple sketches and outlines

design-focused proposals will need to develop specific UI designs
implementation-focused proposals might focus on functionality instead

Project Implementation Layer Cake

Technical descriptions should be layered

Separation of Concerns helps to better describe scenarios

Data models help a lot to figure out the data structures
Behavior models help a lot to figure out the processes
Sophisticated models use many different diagram types

UML 2.2 has 14 diagram types to model systems

Client Side

Implementation platform

talk about the and where you fit in

What is the client side implementation using?

list all client side requirements

What other implementation options exist?

explain why some implementations might not work

Server Side

Which services are provided by a server implementation?
What are the resources applications interact with?

figure out the resource types
figure out all relationships between these types
figure out all interactions supported for each of the types

Looking at Flickr is a good starting point

images are the first central resource type
users are the second central resource type
sets and collections allow users to organize pictures
groups allow users to share pictures
important additional details are tags, comments, galleries, …)

Hardware/Platform Opinions 2010-03-31 Based on the first experiences with the new devices, today we briefly review some impressions about that device and the platform it provides. This involves listing some observations about likes and dislikes regarding the device/platform in general, as well as some initial ideas how useful that platform will be for the mobile application of the final project. Abstract

Creating QR Codes

Reading QR Codes

Good Things Geolocation/Mapping

Most functionality from the Web-based map

terrain view available as a layer
all of My Maps available as individual layers

There also is a My Maps API

create maps programmatically for mobile services
add them to a user's maps to make the available on Android
Maps application would need some interface changes

My Maps

My Maps QR

Camera Quality

Decent resolution and autofocus for acceptable quality

additional settings for advanced controls

LED flash for reasonably lit indoor scenes

it even doubles as a flashlight

Handling images seems to suffer from some coordination problems

rotation does not seem to be handled by all applications
the Facebook application uploads stamp-sized versions of pictures

Open Platform

No mandatory review with opaque decision procedures
Availability on various devices with different characteristics

application development becomes harder (fragmentation)
platform development may split into various code lines

How much openness can phones afford?

if it works well without tinkering, probably a lot
if it remains stable with tinkering, probably a lot
if it compromises the phone's utility, not too much

Bad Things Email

There is no general-purpose Email client

good support for Gmail users (Gmail application)
almost no support for non-Gmail users (Email application)

Good integration with Google services is an advantage

Email, Calendar, Contacts, Maps, …

Lack of support for standard services is disappointing

Quality Control

Less polished experience than the iPhone

less sophistication in UI design and refinement
fewer guidelines for developers
no curated market with quality control for applications

Web Application Support

Adding bookmarks is more complicated than it should be

bookmark the page you want to add to a home screen
go to the home screen you want to add the link to
long-press in an empty space to bring up the Add to Home Screen menu
select Shortcuts
select Bookmark
choose the bookmark (it will get a generic/favicon combo)

No support for Web-based widgets

widgets are native Android applications

Final Project Considerations Observations of Daily Living (ODL)

supported in the browser
supported in the browser
WebKit-based browsers (supports all major Web standards)
Starting a Web-based version as a prototype and demo application

more advanced features might require switching to PhoneGap/native
developing a Web-based prototype will be a good starting point

Final Project Design and Implementation 2010-04-02 As an example of a final project, in this lecture we discuss the scenario of Observations of Daily Living (ODL) and how this information can be created, managed, and exchanged with mobile applications. While the back-end of the particular scenario is connected to a lot of highly complex systems and interfaces managing health-related information, the front-end and the user-centered management can be regarded as an application that should be more or less self-contained. Abstract

QR Codes in the Browser Generating QR Codes in Firefox with Mobile Barcoder

Outline Capturing Health-Related Observations

Information exchange between medical professionals

existing standards for information exchange between professionals
existing services for storing and managing health records

How to get health-related information from patients

current scenarios look mostly at information sharing between professionals
patient data (observations and notes) are not part of the current landscape

Developing a model and an application for patient-generated data

Observations of Daily Living (ODL) can be very useful for doctors
the models around creation, sharing, delegation, and exchange have to be flexible

Personal Health Information

Monitoring Body Weight

Design Scenarios

Activities where the application is useful

elder activities (CMU Project)
asthma and depression or anxiety (BreathEasy)
youth with obesity and depression (iN Touch)
tracking chronic disease (Crohnology.MD)
monitoring low birth weight infants (FitBaby)

Requirements derived from those use cases

various activities require different data to be captured
data should be captured in a structured form for easier use/analysis
data input must be simple and easy
augmenting observations should be possible (using connected devices)

Acquiring User Input

Different scenarios need different data input

some template mechanism is required for acquiring structured data
templates could be used to generate form-based data entry
part of the templating mechanism should be external data

Pulling in external data can be done in various ways

custom-built based on individual mechanisms per data provider
based on generic Web standards such as feeds (and some extraction mechanism)
based on specific standards for sharing health data (e.g., Continua)

Delegating User Input

ODLs may be entered by caretakers or parents

identification/authentication must allow delegation
ownership and access right model has to be flexible

UI Design Issues

Structured data entry should be encouraged

use interface elements that make structured data entry easy
use interfaces that are specific (templates)
entry helpers (yesterday's ODL) may make data entry easier

Immediate feedback for providing incentives

show graphs/trends of values after an ODL has been added
interface/interaction should be

Implementation Open and Extensible Model

ODL reports should be usable for various scenarios
Openness means that application can add specific data

openness creates the problem of how to understand added data
various additions can have overlapping meaning

Extensibility means that the model might be extended later

in the best case, old implementations can deal with new data
in the usual case, new implementations can deal with old data

Web-Based for Cross-Platform

Data entry should be possible across platforms

it may be more convenient on a regular computer
mobile data entry is necessary to ensure ODL coverage

Text and simple data entry can be done Web-based

some mobile platforms may even support speech-to-text soon
with templates/types data entry can be made easier

More advanced forms of data entry are not yet supported

Capture API just published and not yet implemented
no ability to connect to Bluetooth-enabled devices

Resource Types

Users are needed for identification and authentication
ODL reports are needed for capturing records
ODL templates should provide some outline for ODL reports
Services may be used to represent ODL consumers

Resource Relationships

Users may have a variety of (possible authorizing) relationships

family relationships may allow access to ODL records
professional relationships (e.g., caretakers)
temporary relationships (delegating data entry for a period of time)

ODLs are created by a user and for a user
ODLs are created according to a template

templates define/guide what is contained in an ODL
templates can also be used for validation of ODLs
templates are provided by services and used by users

ODLs are accessible by a service (which might have modification rights)

can services delegate access rights?
can access rights be selective (only parts of the ODL)?

Resource Interactions

Users and user relationships required for user management

creating new users is the sign up process
modifying relationships permanently (family) or temporarily

Getting templates as the starting point for creating ODLs

find the service providing the template and select it

Creating ODLs based on a template

only accept the ODL if it validates against the template
how to deal with existing ODLs when a template changes?

Access a stream of ODLs as published by users

services need a way how to get new ODLs (push or pull)

Customizable <q>Portals</q> Weather Application

Weather.gov Web Pages

Server Configuration 2010-04-05 A7: Offline App (assigned: 4/5; due: 4/12) Apache Documentation · FastCGI In all scenarios using Web-based services (in Web-based UIs as well as in native applications accessing Web-based services), it is important to control the way in which the server is using HTTP. Popular examples are setting appropriate media types (making sure resources are handled correctly), setting appropriate expiration dates (making sure resources can be cached), handling redirections (if server setup changes should be managed gracefully) and configuring access control (for non-public resources). While all of this can be handled programmatically, using a Web server and server configuration allows many things to be handled in a declarative way. Abstract

Current Events Android 2.1 New OS Version Droid Android 2.1 Update

iPad Release Getting Ready iPad Queue

The One

HTTP and Applications REST as Infrastructure

REST is the architectural style of the Web

very simple Web servers can be set up by just copying files
simple Web servers can be set up by tweaking server configuration
Web applications need some server-side code implementing the logic
complex/large Web applications may need very specific Web server tuning

HTTP is the RESTful language of the Web

resources can be manipulated using GET, PUT, POST, and DELETE
header fields allow clients and server to exchange interaction metadata
HTTP support should be part of a Web programming environment
Ajax is the client-side (i.e., browser) implementation of the Web

Any server speaking HTTP is a Web server

many sites use existing software products as Web servers

Web Server Survey Netcraft Server Survey

Detecting Server Types Inspecting HTTP Header Fields

HTTP Servers Standalone or Embedded

Standalone Servers are running as separate processes

they are usually started when the system is started
they listen for incoming requests
serving requests may require reading files and/or other processes

Embedded Servers are part of an application platform

they are started when the application is started
they listen to incoming requests
serving requests means dispatching them to application code
Apache Tomcat is an implementation of Java Servlet/JSP

Server Control

Process Management

Standalone servers run in a separate OS process

Apache allows to control how many processes are running
tuning processes requires knowledge of the hardware and the OS

Web servers often need to connect to application servers

Web servers are the Web front-end of the application
application servers are the back-end of the application

Web servers and application servers may be different machines

simple and small-scale applications run everything on one machine
complex and large applications have layered server schemes

Server Layering

Web servers are the main component for handling HTTP
Web caches can be a first line of defense for the servers

Squid is a popular open source caching proxy

Load balancers can be placed in front of caching proxies

spreads load evenly across any number of proxies
still a centralized architecture for content delivery over the Web

Content Delivery Networks (CDN) support non-centralized delivery

requests are routed to the best delivery point in the network
load can be spread and is more localized than in centralized scenarios

Server Setup

CDN Request Routing

CGI and FastCGI

CGI connects servers and applications

a set of conventions for how to package request/response information
the conventions are based on Inter-process Communications (IPC)
IPC only works between processes on the same machine

FastCGI extends CGI to be Internet-based

CGI conventions packaged to be transported via TCP

FastCGI has two major benefits over CGI

communications are not limited to processes on the same machine
application server processes are running continuously

Integrated Server Handling

PHP (and other code) can be run as a module or via CGI
Modules are compiled/configured into the server code
Modules have advantages and disadvantages

advantages: faster
disadvantages: tighter coupling (crashes, code updates)

CGI executables have advantages and disadvantages

advantages: more secure (different processes/account)
disadvantages: less performance (process creation)

Access Control 2010-04-07 Apache Access Control Many resources for mobile applications need to be access controlled. Common reasons for this are security or privacy considerations. There are a number of common methods of how access control can be implemented, and in this lecture we look at some of the fundamental methods (HTTP Basic Authentication and Digest Access Authentication which need to be configured in the server) and the underlying methods for encoding and encrypting data. Abstract

Web Server Configuration Server Rules

Web servers are server-side implementations of HTTP
Running them requires a set of rules

on which port to listen for incoming requests
from where to accept incoming requests
where to read documents from
how to allow/deny access to documents
what to do with those documents
how to return them in HTTP responses

Rules might apply to the whole server or on a per-directory basis

General Server Setup

Server start means reading the configuration file

there typically is a compiled default location
it is also possible to set the location ar runtime

/usr/local/apache/bin/httpd -f /usr/local/apache/conf/httpd.conf

Server start may fail due to a variety of reasons

it is not allowed to use the specified network port
some other program is already bound to the specified network port
access to required files (e.g., log file) is not possible

Restricting Access Document Root File Handling and Processing What's Going On? What Went Wrong? Overriding Server Setup

httpd.conf is the global server configuration

it can be more reasonable to outsource certain configurations
for community servers some users might want to add/change the configuration

Apache allows to make configurations on a per-directory basis

.htaccess files are read before a request is processed
they can only change what has been allowed on AllowOverride
using .htaccess has a noticeable performance impact (for high load)

.htaccess uses the same configuration syntax as httpd.conf

Security Concepts Identification

Identity is required for any non-anonymous communications

groups can have an identity (facebook members see more than non-members)
pseudonyms are hidden identities (the real identity is not visible)
personal identity should be tied to a person itself

Proof of Identity is important for any privileged operation

signatures and seals are traditional ways
traditional ways are mostly protected by law (but not really safe)
more modern ways often include technical methods for

Client identity on the Web can be bound in three ways:

Computer (most of the time identified by an )
Browser (in the form of a stored cookie)
User (identified through some authentication method)

Authentication

Authentication is the process of verifying an identity

the weakest form of authentication is simply trust
legal consequences can make it more risky to falsify authentication
technical measures should make it hard or impossible to falsify authentication

Authentication on the Web comes in different flavors

implicitly by accessing a server from some range
presenting a cookie from a previous formal authentication
presenting a password as a proof of identity
proving that you are owning additional authentication hardware (often PIN-enabled)

Risk and potential damage should justify authentication methods

Authorization

Authorization is the question of allowing operations

is necessary to identify the initiator
is necessary to verify the initiator's identity
if the initiator is authorized, the operation can be performed

Web pages often are public or restricted

public web pages do not require any identification (and thus authentication)
restricted access Web pages can be group pages (internal company pages)
personal access is another popular scenario (email, facebook, online banking)

Web servers have well-defined ways of performing authentication

HTTP Authentication HTTP Sessions

HTTP is a stateless protocol

each individual request is independent of others

Authentication often is based on state/sessions

users provide credentials and enter a trusted state
based on some method the trusted state can be left

Cookies were invented to simulate sessions

they can be set by servers and thus are state kept with the client
cookies are popular for browsers but not so popular for other clients

HTTP has its own methods of supporting authentication

not used by many Web sites (because of browser inconveniences)
a simple and standardized option for Web-based services

Logging In

Clients ask for a resource that is access controlled
Servers respond with an HTTP header asking for authentication
Clients ask the user to provide the required information
The request is repeated with the user credentials
Servers check for proper authorization and respond accordingly
Clients are allowed to remember the credentials for the realm

Logging Out

You cannot logout because you never logged in

HTTP has no session concept
repeating authentication for each request is not an option
clients store authentication credentials and repeat them for the user

Logging out is entirely under the control of the client

when does the client discards the credentials?
easier to decide in APIs than in browser implementations

Browser Controls Logging out of HTTP Authentication

Basic Authentication Configuration Steps

Create a list of users and their passwords

htpasswd -c …/passwords.txt dret

Users and passwords are stored in a user file/database

Configure the server to apply basic authentication

Control files by placing them in the appropriate directory

First HTTP Request

GET /drectures/mobapp-spring10/src/basic/basic.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/drectures/mobapp-spring10/src/basic/
If-Modified-Since: Wed, 07 Apr 2010 16:54:02 GMT
If-None-Match: "a00000002d8d8-160-483a868c94a7c"
Cache-Control: max-age=0

HTTP/1.1 401 Authorization Required
Date: Wed, 07 Apr 2010 17:55:05 GMT
Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6
WWW-Authenticate: Basic realm="Protected by Basic Authentication"
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en

Second HTTP Request

GET /drectures/mobapp-spring10/src/basic/basic.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/drectures/mobapp-spring10/src/basic/
If-Modified-Since: Wed, 07 Apr 2010 16:54:02 GMT
If-None-Match: "a00000002d8d8-160-483a868c94a7c"
Cache-Control: max-age=0, max-age=0
Authorization: Basic ZHJldDpzdXBlcnNlY3JldA==

HTTP/1.1 304 Not Modified
Date: Wed, 07 Apr 2010 17:55:12 GMT
Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Etag: "a00000002d8d8-160-483a868c94a7c"
X-Pad: avoid browser bug

Authentication Security

Username/password are encoded in Base64

an encoding is not an encryption

Decoding Base64 is a very simple process

an encoding is not an encryption

Basic authentication should never be used without HTTPS

people will be broadcasting username/password on wireless networks
they often try other username/password combinations as well

Digest Access Authentication Configuration Steps

Configure the server to support digest access configuration

Create a list of users and their passwords

htdigest -c …/passwords.txt "Protected by Digest Access Authentication" dret

Users and passwords are stored in a user file/database

Configure the server to apply basic authentication

Control files by placing them in the appropriate directory

First HTTP Request

GET /drectures/mobapp-spring10/src/digest/digest.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/drectures/mobapp-spring10/src/digest/
If-Modified-Since: Wed, 07 Apr 2010 16:53:43 GMT
If-None-Match: "2a00000002d8e0-178-483a867a21110"
Cache-Control: max-age=0

HTTP/1.1 401 Authorization Required
Date: Wed, 07 Apr 2010 18:00:04 GMT
Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6
WWW-Authenticate: Digest realm="Protected by Digest Access Authentication", nonce="lsP1VKmDBAA=c14f7b87339d28d745e26b2911b0bef46792a929", algorithm=MD5, qop="auth"
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en

Second HTTP Request

GET /drectures/mobapp-spring10/src/digest/digest.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/drectures/mobapp-spring10/src/digest/
If-Modified-Since: Wed, 07 Apr 2010 16:53:43 GMT
If-None-Match: "2a00000002d8e0-178-483a867a21110"
Cache-Control: max-age=0, max-age=0
Authorization: Digest username="dret", realm="Protected by Digest Access Authentication", nonce="lsP1VKmDBAA=c14f7b87339d28d745e26b2911b0bef46792a929", uri="/drectures/mobapp-spring10/src/digest/digest.html", algorithm=MD5, response="00067dc79112f87c811e23a36ec4a5ed", qop=auth, nc=00000001, cnonce="be2bd6d9be1058b4"

HTTP/1.1 304 Not Modified
Date: Wed, 07 Apr 2010 18:00:11 GMT
Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Etag: "2a00000002d8e0-178-483a867a21110"
X-Pad: avoid browser bug

Authentication Security

Username/password are not transmitted in the response
401 response contains a nonce for authentication

nonce values allow to prevent replay attacks
realm and nonce are required to calculate credentials

Client packages credentials in a secure way

username, realm, and password are turned into a hash value
request method and request URI are turned into a hash value
these two hashes and the nonce are hashed

Digest access authentication implementations differ

security depends on the exact feature set used by client and server
using HTTPS is a good idea in this scenario

Security Mechanisms 2010-04-09 Browser Security Security · Privacy For the HTTP authentication methods introduced in the last lecture, some fundamental cryptographic methods and protocols already have been taking for granted. In this lecture, we look a bit more systematically at the fundamental cryptographic methods (hash sums, one-way functions, symmetric encryption, asymmetric encryption) and how these are combined into cryptographic protocols. Abstract

Current Events iPhone OS 4

Multitasking Hello, Skype

Multitasking Services

Audio (e.g., Pandora)
Voice over IP (e.g., Skype)
Location (e.g., Loopt, Navigation)
Push Notifications
Local Notifications
Task Completion
Fast App Switching (sleep)

Background Audio Hello, Pandora

Location Services Hello, Stalker

Advertising Location-Based Ads

Social Gaming Good bye, OpenFeint

Security 101 Cryptography

Cryptography is structured into different layers

layering is a well-established principle for separation of concerns

Cryptographic primitives implement very basic functionality

changes and advancements in this area are limited to very specialized researchers
it is easy to make fatal mistakes which then compromise everything built on top if it

Cryptographic protocols assemble primitives into application-level solutions

primitives solve very basic security problems (fingerprints, encryption, …)
protocols combine these into applications (digital signatures, secure communications, …)
installing trusted applications is a common mobile security scenario

Hash Functions Simple Hash Functions

Hashes (or message digests) are well-known in computer science
Hash values are of fixed and short length and make it easier to compare data
Collisions are the most problematic case in hash algorithms

length in bytes is even/uneven: risk of collision is 50%
length in bytes: collisions happen when data is simply replaced

Hashing is often done on an ad-hoc basis

lengths are a form of hashes
time stamps are a form of hashes

Hashing is also used for computing error correction codes

many technologies (hard drives, networks, …) use Cyclic Redundancy Code (CRC) hashes
error correction codes computation has to be done very fast

One-Way Function

One-way functions are cryptographically safe hashes (a.k.a. cryptographic hash)

very hard to find an input producing a given output
very hard to find two inputs producing the same output (collision)
small changes in input should cause entirely different output

MD5 has been a very popular cryptographic hash

MD5 turns data into a 128bit hash value (often encoded as 32 hex characters)
various security flaws have been discovered over the years
MD5 Hash Function → e367cdcfd2e16f28e81bbc58c9d3339c

SHA is the most popular cryptographic hash in use today

SHA-1 turns data into a 160bit hash value (often encoded as 40 hex characters)
SHA-1 Hash Function → afd38b77186afba44123093827c2e0f3732726c4

Secret-Key Cryptography Plausible Encryption

Secret-Key is was most people think of when thinking of encryption

symmetric cryptography is another popular term

One key for encryption and decryption
Revealing the key makes encrypted data openly readable

there must be a secure channel to transport keys, such as diplomatic pouches

Good for long-term relationships with few partners

exchange secret keys as part of the initial setup of a relationships
adding partners requires a secure channel for key exchange
changing keys requires a secure channel for key exchange

Almost impractical in an environment with many ad-hoc partners

Notice the Arrow Secret-Key Cryptography

Public-Key Cryptography Implausible Encryption

Public-Key intuitively is hard to accept as a concept

asymmetric cryptography is another popular term

Key pairs of one public and one secret key

key generation is the process of generating these key pairs

The public key can be made available to the public

only the secret key can do the inverse operation of the public key

Good for short-term relationships with many partners

publish your public key so that it can be used worldwide
everybody can encrypt data using the public key
only the owner of the secret can can decrypt the message and read it

Computationally expensive and not good for a large amounts of data

No Arrow Here … Public-Key Cryptography (Encrypting with Secret Key)

Cryptographic Protocols Building Secure Applications

Cryptographic primitives in most cases are not sufficient

they provide basic functionality for fundamental tasks
they must by combined to provide solutions for real-world problems

Typical problem #1: How to ensure key authenticity

with insecure keys, the majority of cryptographic methods is worthless

Typical problem #2: How to communicate securely without shared keys

many interesting scenarios are based on ad-hoc interactions
secret-key does not work, public-key needs to verify the peer

Typical problem #3: How to check authenticity and integrity of data

integrity can be done with checksums, but these could be forged
authenticity needs a cryptographically secure way of combining identity and data

Certificate

Certificates are digital signatures issued by a trusted party

most digital signatures are created with certified public keys
this means the digital signature is created based on a digitally signed key

Who can you trust on the Web?

trust can only start to grow based on initial trust in something
many systems come with pre-installed trust (root certificates)
certificates from other issuers will cause browsers to complain

Certificates (like domain names) are a very easy way to make money

in theory there are different levels of certificates with different levels of identity checking
in practice most sites choose the cheapest one that does not give an error message

Creating a Digital Signature

Verifying a Digital Signature

Authentication 2010-04-12 Browser Options · HTTPS · HTTPS Spec · OAuth Continuing the topic of security in mobile settings, we look at the two main applications in mobile security, which are securing communications with SSL/TLS in HTTP, and securing application code via digital signatures. Another important concept in access control and authentication is that of third-party access to access-controlled resources. We look at OAuth, which is one way of managing access in scenarios where applications want to gain access to resources that are hosted by other services and are access-controlled. Abstract

Browser Security & Privacy Trust and Security on the Web

Web-based applications introduce many risks

do you trust your browser? (it may not safeguard your information)
do you trust your computer? (it may have a virus)
do you trust your network? (it may be monitored on various levels)
do you trust the server? (it may be a fake phishing server)
who do you trust, regarding what, and why? and what does it mean?

Most of these risks are amplified by the Web's scale

phishing and spamming only work because the Web makes fraud more effective

Controlling Web access is important for safe browsing

trusting shared browsers is risky (they may store logins and cache pages)
trusting the network can be risky (more and more networks are wire-tapped)
trusting the server is risky (phishing and poor server security)

Privacy Options Firefox Options: Privacy

Security Options Firefox Options: Security

Encryption Options Firefox Options: Encryption

HTTP over SSL (HTTPS) Secure Communications

Public-Key cryptography is computationally expensive

it is possible to encrypt all traffic using asymmetric key pairs
this generates considerably more load on the server side

Combining public-key and secret-key cryptography

check the public key for authenticity (using a )
generate a key for a symmetric encryption scheme
use the public key to securely transmit the generated key
use the generated key for securely transmitting the payload

Combines the advantages of both methods

the ability of public-key algorithms to work without a secure channel (handshake)
the lower complexity of secret-key algorithms (record layer)

HTTP and Security

HTTP sends clear-text messages
Making HTTP secure requires additional mechanisms
Encryption is done by a layer on top of TCP

Secure Sockets Layer (SSL) is the protocol layer invented by Netscape
Transport Layer Security (TLS) is the standardized Internet version
TLS adds more encryption schemes and more flexibility

Lower-level methods may also provide encryption

Virtual Private Networks (VPN) provide IP-based encryption
WEP and WPA provide network interface encryption
lower-level methods typically are not end-to-end (i.e., browser/server)

HTTP and SSL

Preconfigured Trust

Clients have a long list of pre-installed root certificates

who is managing HTTP/HTTPS/SSL/TLS? the client application or the device?

A Certification Authority (CA) can issue trusted certificates

there is no real definition of what a CA is supposed to do
CAs may have the right to delegate CA status to other CAs
CAs may have different levels of certificates

Updated CA lists often are part of system or browser updates

Microsoft and Apple include CA lists in system updates
3rd party browsers sometimes manage their own CA lists

Certificates in Firefox Firefox Certificate Manager

Certificates in Opera Opera Certificate Manager

Certificates in Windows (i.e., IE/Safari/Chrome) Windows Certificate Manager

Application Security Web Application Security

Browsers are supposed to provide a safe sandbox

broken code cannot harm the computer
malicious code cannot steal data from the computer
malicious code cannot steal data from other sites

Browsers should not be able to lie to their users

the address bar shows users what they are looking at
the lock icon allows users to inspect security

Introducing trusted 3rd parties in this scenario is not easy

any form of external site verification can easily be forged
the Web guarantees connectivity to a site and not a well-behaving site

Trusted Computing

Developed to avoid the threats of malware

programs must be signed before they can be executed
basic procedures are built into the hardware of the computer
it is impossible for such a computer to execute untrusted code

Often data storage also is managed cryptographically

only trusted code gets access to managed data
data is never stored unencrypted and thus cannot be easily stolen
security vs. convenience and lock-in are important questions

Digital Rights Management (DRM) was also pulled into the platform

content owners would have much better control over content use

Native Application Security

The return of the trusted computing platform

Apple's iPhone implements what Microsoft dreamed of 10 years ago

Only software submitted to and verified by Apple can be executed

signing up as a developer creates an identity verified by Apple
submitting an application means that it is signed with that identity
accepting the application means that Apple is signing with its identity
software installation only works with signed installation packages

Jailbreaking the iPhone is disabling this authentication chain

applications need not to be signed by Apple anymore

Android has a simple user setting to allow unsigned applications

installation packages do not have to be signed at all

OAuth Open Authentication

Applications often use resources from a variety of sources

browser-based applications often are called mash-ups
server-based applications might be called mash-apps

Browser-based applications might run into browser restrictions

JSONP is one way to get around browser restrictions
setting up proxies is another way for achieving the same goal

Access control for 3rd party resources is a common scenario

granting access without revealing the access credentials
give them a token instead of giving them credentials

Delegation vs. Federation

Delegated Authentication allows services to delegate authentication

services delegate user authentication to other services
the set of authentication services often is small and fixed

Federated Authentication allows services to share identities

authentication is done locally but the account information is openly available

Credit card procedures provide real-world examples for both methods

using generic cards is federated: stores accept payments when approved by Visa
using branded cards is delegated: cards have to be authenticated by the brand

OpenID is a popular federated authentication scheme

it's actually open identification and not all implementations are federated

OAuth Control Flow

OAuth Process

OAuth supports the 3-legged authentication scenario

users are interacting with applications
service providers are providing access-controlled resources
consumers need access to the resources on behalf of the user

OAuth uses a scheme with redirects and authentication tokens

users access the consumer who then need access to the service provider
consumers get a request token from the provider
consumers redirect the user to the service provider
users authenticate with the provider based on the request token
successful authentication means that the access token is marked
the user is redirected back to the URI provided in the first redirect
the consumer exchanges the request token into an access token
the type of access allowed by the token is controlled by the provider

Constraints of Mobile Applications 2010-04-14 Mobile application development faces the same performance challenges as application development in general, which means that performance considerations have to be an integral part of any real-world application design. However, on mobile devices, the challenges related to performance issues are quite a bit bigger, because the runtime platforms may be limited in their functionality, the platforms are inherently limited in their resources (mostly processing power and memory), and the devices often have connectivity that may be substantially slower than best-case scenarios, or may even be intermittent. Abstract

Mobile Application Design

Design depends largely on constraints.

Charles Eames, What is Design?, An Interview with Charles Eames

Performance Bottlenecks Client-Side Constraints

Limitations of the Mobile Platform

general limitations of the mobile platform (HTML5 has no camera API)
specific limitations of one implementation of that platform (Firefox has no SQL support)

Limitations of the runtime environment

memory is a problem on all mobile platforms (no support for virtual memory)
limited processing power is a problem on all mobile platforms
smartphones are increasingly used as general-purpose computers

Layering does have some problems on mobile devices

layering creates inefficiencies (JavaScript on iPhone 100 times slower)
layering takes away possibilities for optimization (UI and execution)
some platforms oppose/prevent layering out of general principle

Client Devices

iPhone hardware comes in two different memory configurations

first generation iPhones have 128MB of RAM
3G and 3GS iPhones have 256MB of RAM

Android hardware is less predictable and varies more widely

the Droid has 256MB of RAM
for many devices getting hardware specs is almost impossible

Bundling data might not always be a good idea

Android applications can only be installed in the onboard memory (Droid: 512MB)
applications requiring a lot of local data should store it separately

Network Constraints

Network connectivity is potentially slow and unreliable

applications should be designed to work well with a slow network
applications should be designed to behave reasonably with no network

Offline behavior largely depends on the application scenario

considering offline behavior in use cases should always be included

Enabling any Web-app for offline use may be a good idea

not all browsers support offline applications
browsers may start removing cached applications more aggressively
HTML5 AppCache is only a caching hint for a browser

Native vs. Offline Web

Native applications are under control of the user

users decide what to install, update, and uninstall
the only networking part is how to get the installation package

Web-based applications are under control of the server

services decide to provide a manifest and become off-line capable
browsers implement some strategy for caching those applications
updates have to be initiated and implemented by the service

Challenges for offline Web-based applications

giving users better control over what to cache
caching data probably should be handled different from caching code
allowing applications to expose widget-like behavior

Client-Side Performance Analysis In-App Analytics

Analytics are useful for a variety of purposes

they allow to track user behavior and identify possible improvements
they allow to track application behavior and identify possible problems
they are important for all kinds of business-oriented analyses

Google Analytics is the most popular service for Web-based analytics

Web pages embed code hosted by Google Analytics
scripting collects information which is collected by Google Analytics
Web masters can access Web-based tools for accessing the collected data

Google Analytics Google Analytics of dret.net

Pinch Media Analytics with Pinch Media

Browser-Based Analysis

Web-based applications run in standardized implementations

users use the same resources regardless of the implementation
using browser-based debugging yields cross-platform results

Client-side analysis can generate many interesting analyses

is the scripting code distributed across many JavaScript files?
would it be possible to minify the JavaScript code?
is the CSS code distributed across many CSS files?
would it be possible to minify the CSS code?
can the images be compressed more effectively?
are components served with useful HTTP metadata?
are components served in a compressed format?
does the site use cookies?

Browser Tools YSlow Analysis of Web Content

Server-Side Analysis

Less intrusive but more limited than

all requests go to the server-side (unless there is a CDN)
server-side analysis is able to capture client requests

Server logs are the simplest way of gathering usage data

in the simplest scenario log files are written by the server
one entry per request with a configurable set of fields in the entry

More sophisticated scenarios write log data to a database

can be very convenient for immediate analysis and query support
can be very risky because database writing tends to be slow

Most scenarios use simple writing and delayed analysis

entries are added to simple text-based files
log files are rotated on a regular basis
completed log files are processed for traffic analysis

Speeding Up Mobile Applications 2010-04-16 Best Practices · Caching Tutorial In order to speed up mobile applications, the optimization of network traffic often is one of the areas where significant improvements can be achieved. Since most network traffic uses HTTP, it is important to understand how HTTP caching works, and how servers can be configured to make caching work more effectively. However, since servers have no control over the clients and possible HTTP intermediaries, it is also important to understand the general architecture of HTTP caching, and how applications may or may not have good caching support on the platform they are built on. Abstract

Server-Side Performance Analysis Server Logs

Connecting to the Server

Log File Display

Navigating to the log file directory

cd ~/mobapps-logs

Apache writes two log files

mobapps_access_log is the access log of the server
mobapps_error_log is the error log of the server
the structure of the entries is defined in the server configuration

Displaying the lines added to the access log

tail -f mobapps_access_log

Displaying and filtering the lines added to the access log

tail -f mobapps_access_log | grep "/~dret"

MobApps Server Logs

Server Log Analysis

HTTP Caching Resource Orientation

REST's focus on resources is good for caching

resource representations are sent in HTTP messages and can be cached
HTTP methods allow caching to be used only when appropriate

HTTP is supposed to supply useful metadata in HTTP messages

some HTTP headers are about the client or server agent
some HTTP headers are about the entity contained in the message
some HTTP headers serve general purposes

Most applications require a mix of static and dynamic resources

some resources never change (code and chrome)
some resource classes are constantly growing (your Flickr images)
some resources are ephemeral (any representation based on time)

Cache Locations

HTTP allows caches to exist in various locations

reverse proxies are used for removing load from application servers
proxy caches are used for making the network more effective
client caches are used for making the client work faster

Caching in many cases is not (easily) predictable

caching depends on the scenario but always needs HTTP header information
being a well-behaving HTTP citizen is a good idea
caches should not change application behavior (it is just optimization)

Client Caches can be provided by platforms or applications

many desktop browsers have their own HTTP implementations and caches
mobile (and modern) platforms should move HTTP (and caching) into the platform

Caching in the Platform

HTTP Metadata

GET /4026/4519445803_06922b9171_b.jpg HTTP/1.1
Host: farm5.static.flickr.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.flickr.com/photos/dret/4519445803/sizes/l/

HTTP/1.1 200 OK
Date: Fri, 16 Apr 2010 17:02:20 GMT
Content-Type: image/jpeg
Connection: keep-alive
Server: Apache/2.0.52 (Red Hat)
Cache-Control: max-age=315360000
Expires: Mon, 28 Jul 2014 23:30:00 GMT
Last-Modified: Wed, 14 Apr 2010 04:57:32 GMT
Accept-Ranges: bytes
Content-Length: 361084
X-Cache: MISS from photocache510.flickr.gq1.yahoo.com
X-Cache-Lookup: MISS from photocache510.flickr.gq1.yahoo.com:81
Via: 1.1 photocache510.flickr.gq1.yahoo.com:81 (squid/2.7.STABLE6)

Caching in the Application

Caching in the Cloud Opera Mini and Opera Turbo

Cache-Friendly Services

Do not use aliases (different URIs for the same resource)
Reuse content whenever possible (no copies of the same resource)

reuse has to be Web-friendly (symlinks save disk space but are not cache-friendly)

Serve static content with long expiration times
Serve dynamic content with synchronized expiration times

even dynamic content often does not expire immediately

Avoid touching all files on your hard disk

this will update all timestamps and make cached copies invalid

Only use HTTPS when necessary

HTTPS is end-to-end encrypted and bypasses some caches

Client Caching Caching Conformance

Caching is optional and HTTP implementations may not cache at all

caching eliminates some requests entirely
caching allows responses to be more effective (304 Not Modified)

Implementations that support caching must follow the rules

any cached local resource must always use the latest version
if HTTP metadata expires that version it should not be used
servers can mark resources to disallow the use of stale versions

HTTP allows explicit and heuristic expiration

not all resources are explicitly marked with expiration dates
caches are allowed to guess expiration dates (e.g., using Last-Modified)

Mobile Safari Caching

Mobile Safari does a bad job at caching

caching behavior is not documented and cannot be changed
the mobile browsing experience is substantially degraded

It seems that caching is based on the platform's minimal RAM

nothing bigger than 15KB is cached (some sources say the limit is 25KB)
total cache size is 1.5MB (very likely caused by RAM-only caching)
there seems to be no persistent cache (no storage outside of RAM)

AppCache can be used to improve caching

risky strategy because it may have unintended side-effects
inconvenient because everything must be packaged as an application
incomplete because this only works for HTML5 implementations (no proxy support)
clients may start treating AppCache differently if it becomes (too) widely-used

Native Application Caching

Caching is important for almost any network activity

Web-based applications by definition primarily use HTTP communications
native applications in most cases also use HTTP communications
instead of implementing HTTP they typically use HTTP libraries

NSURLRequest is the iPhone OS API for requesting URIs

NSURLRequestCachePolicy allows to set the cache policy for a request
HTTP headers are set based on the selected request policy

How is the caching architecture of the iPhone library?

caching is only done in RAM (i.e., there is no persistent cache)
caching is done on a per-process base (i.e., there is no shared cache)

Mobile platforms seem to not support HTTP very well

caching has to be implemented in the application (Flickr app)
it could be made reusable (Facebook app and three20)

Server Configuration for Caching More Metadata is Better

HTTP supports a comprehensive set of metadata fields

more metadata can be used to support better caching

Tuning caching is important but non-trivial and application-specific

requires knowledge about what can/will change and when
HTTP servers should automate/support as much as possible

HTTP servers support more advanced interactions with clients

clients can advertise compression support with Accept-Encoding

Freshness of Responses

Expires tells a cache how long data is fresh

defined by HTTP/1.0 and easy to use and support
caches will typically simply reuse data before the expiration date
caches have to check for changes after the expiration date

Cache-Control supports a more nuanced caching model

introduced in HTTP/1.1 to address Expires limitations
expiration dates can now be made relative
support for caching and control of authenticated content

Caching support should set the right headers

Apache supports caching and uses both headers
caching only works when validators are present

Configuration Steps

Configure the server to support setting expiration dates

Configure the setting of dates for a specific directory

Configure how dates should be set for certain types

Content will now be served with the appropriate headers

Apache's mod_expires supports a wide variety of settings

Entity Tags (Etags)

Timestamps are weak identifiers for caching

timestamps may change even if nothing changed

ETag is a server-assigned identifier for a response entity

caches store ETags alongside the actual representation
when validating content clients/caches include the ETag

What is the relationship between URIs and ETags?

URIs identify abstract resources that can be accessed via the Web
ETags identify a concrete version of such a resource
ETags change when something relevant happens to the resource

The Problem with ETags

ETags are meant to be unique tags for one version

CMS-based servers can use IDs generated from the CMS
file-based servers have to generate unique identifiers

File-based content often uses rule-based ETags

Apache uses inode-size-timestamp as the value of the ETag
such an ETag depends on the actual file system (not just the file itself)

FileETag INode MTime Size

Server farms often use load balancers and replicated files

file replication will produce different inode values
ETag-based caching in such a scenario is server-specific
the files are equal but not identical

ETags should be configured as correctly as possible

FileETag MTime Size

Content Adaptation 2010-04-19 Adapting to Devices .mobi · WURFL Mobile applications need to address the diversity of clients, and can do so in a variety of ways. In this lecture, we take a brief look at how to implement client-side adaptation, which uses client-side mechanisms (HTML and scripting) to adapt to the capabilities of the client. We also look at server-side mechanisms such as HTTP content negotiation, and at various ways in which mobile-specific content can be published on the web. Abstract

Compressing Resources Displaying Request Headers

`host`	www.cylog.org
`user-agent`	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
`accept`	text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
`accept-language`	en-us,en;q=0.7,de-de;q=0.3
`accept-encoding`	gzip,deflate
`accept-charset`	ISO-8859-1,utf-8;q=0.7,*;q=0.7
`Keep-Alive`	115
`connection`	keep-alive
`referer`	http://www.google.com/search?q=http+header+display&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
`content-length`	0

Displaying Response Headers

Web-based HTTP clients allow HTTP response header display
Sending request…

GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Referer: http://www.rexswain.com/httpview.html
Connection: close

Receiving header…

HTTP/1.1 200 OK
Date: Mon, 19 Apr 2010 16:43:41 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=c28e991dec69844c:TM=1271695421:LM=1271695421:S=ubsNGUpXiUn3I2mg; expires=Wed, 18-Apr-2012 16:43:41 GMT; path=/; domain=.google.com
Set-Cookie: NID=33=YSu8-UTI70uOYYVs4Q1AlCK017SE_w6nL_3ApNfs_mM_FdGs6-plZ2IsxR6awHC8Gssg49FxWC-uOpdMJv1PmEiKYq0YEkMeJn79DQd6SdjTfjwrcfwyL3FHSYHwRMKW; expires=Tue, 19-Oct-2010 16:43:41 GMT; path=/; domain=.google.com; HttpOnly
Server: gws
Connection: close

Receiving content…

<!doctype html><html

HTTP Compression

Web data formats vary widely in compression

media formats (GIF, PNG, JPEG) already use advanced compression methods
source formats (HTML, CSS, JavaScript) has a lot of redundancy

Some formats have well-established methods for compression

minification removes all redundant information from HTML/CSS/JavaScript
obfuscation even rewrites the non-redundant parts for compactness

HTTP supports the idea of transfer encodings

clients can advertise their support with Accept-Encoding
servers can serve content with a supported Transfer-Encoding

Configuring HTTP Compression

Configure the server to support compression

Configure support of HTTP compression for certain types

HTML content will now be served in compressed form

Apache's mod_deflate supports a wide variety of settings

Client-Side Approaches Graceful Degradation

HTML's basic idea is to allow graceful degradation

clients not supporting advanced features should still work
anything that does not gracefully degrade compromises accessibility
Flash is the poster child for non-graceful degradation

HTML/CSS is the best example for graceful degradation

partial or even no CSS support does not change the basic rendering
graceful degradation becomes hard beyond a certain level of complexity

DIY Degradation Server-Side Approaches Serving Different Content

Servers often serve different content

requests are sent by clients
requests can be inspected or generated in a client-specific way
server-side logic can be used to specifically process requests

Server-Side approaches can be hard to maintain and extend

how to integrate new content into the existing service
how to deal with new clients/devices when they appear

All approaches need some robust idea of buckets

individual client types are sorted into buckets
new client types most often are sorted into an existing bucket
adding a new bucket is expensive and should be done rarely

HTTP Content Negotiation Inspecting Client Requests

Clients disclose their type in the User-Agent header field

Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10

Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3

Servers can send content based on HTTP or sniffing info

Multiple URI Spaces Mobile Naming Variations

URIs can be used in a number of different ways

any Web-based publishing should have a strategy for using URIs
being consistent is almost as important as doing it right

For variations of URIs, various parts of the Web architecture can be used

DNS names for naming servers
various parts of the URI name
protocol mechanisms of HTTP or

This problem is similar to multilingual pages

handling both problems in a consistent way is important
organizational issues can be more important than architectural purity

Subdomains for Mobile Pages

http://m.example.com/some/page

Defines DNS subdomains for mobile pages
Advantages

offers easy load-balancing to different servers (but code must kept in sync)
bookmarks identify the mobile variant

Disadvantages

no easy way to get from one variant to another in terms of URI navigation
scheme requires DNS updates and management

<code>.mobi</code> for Mobile Pages

http://example.mobi/some/page

Use the mobi DNS TLD to identify the mobile page
Advantages

bookmarks identify the mobile variant

Disadvantages

requires registration of additional DNS entry (effort, costs, domain squatting)
managing two DNS spaces can become challenging
what if there is more than one mobile variant?

URI Paths for Mobile Pages

http://example.com/mobile/some/page

Encodes mobile as the first path segment of the URI path
Advantages

bookmarks identify the mobile variant

Disadvantages

logically, the URI path does not represent the hierarchy of resources
no easy way to get from one variant to another in terms of URI navigation
hard to maintain if this is used as the actual layout of documents in directories

Final Project Planning Project Development

Timeline:

projects assigned this week
lecture time as lab time plus lab times next week
HTML mockups dues for presentation 5/3 and 5/5
final project due 5/14 (submission of report, code, and phone)

Your proposal is your deliverable

but we have to make sure you have well-defined and achievable goals
doing several smaller steps is better than doing one big step
we will ask for reports and code for all projects
the minimal code part is the HTML code due at project halftime
design projects need to include a complete UI/UX description
implementation projects need to to include some functioning code

Try to cleanly separate the vision from the tasks

your final project report/code should demonstrate a part of the solution
submit partial code instead of submitting dysfunctional code

Designing and Developing Mobile Tools for the Active Market 2010-04-21 Maria Ly Skimble (iPhone|mobile) · three20 · HTML5 Now Skimble's case study of how we developed our activity tracking and sharing tools for people on-the-go. Learn about the trials and tribulations we experienced from Skimble's conception stage all the way to launching our first application in the iTunes App Store. TBD 2010-04-23 Kiyo Kubo Spotlight Mobile Kiyo Kubo is CEO of Spotlight Mobile.