What might surprise you about Windows 8 store apps written in HTML5/JavaScript?

The surprise: plain JavaScript source code can be viewed easily. The JavaScript codebase is available as one or more text files. No DLL. Just code sitting in the app directory. As shown previously, you can browse the Windows App directory and view assets for any store app.
 
36% of Windows Store apps are written using HTML5/JavaScript (WinJS). These apps are not just news reading apps, but more serious apps. One example is the Bank of America app.

Having worked on some other serious financial applications (www.bmwusa.com and a fully-automated trading system), I am certain that the Bank of America app is well analyzed and protected with extra security features across the service layer. Communication that crosses the service layer also crosses a security boundary. When a security boundary is crossed, you must assume that every call is a potential intrusion attempt. This is the zone where real security comes into play. Here are some actions to take and decisions to make when writing service apps that I wrote for the Microsoft Developer Network (MSDN) back in 2011: http://www.pursuitofgreatdesign.com/2011/08/why-use-decision-framework.html. When security is paramount, you should consider taking multiple countermeasures for each threat so that if one of the countermeasures is compromised or misconfigured, others are still in place to protect against the threat.

As for the JavaScript files (codebase) in plain text files, you can take extra steps to strip comments, minify, and obfuscate the code — likely a good idea. This is a common technique for JavaScript producers since their source code can be viewed online as it is downloaded to browsers to run. Even C#/C++ apps can be decompiled, but with JavaScript there is no need.

Whatever you decide, make sure that you protect the service boundary. The service protector pattern could also help. Another option: use a message processing layer that can immediately deny and log offending messages; that is, where each message is analyzed before it is allowed to pass through to application code. This way, every message is guaranteed to be analyzed.
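One way such a message processing layer could look, as an added example that is not code from this post or from any app it mentions. The message types, field rules and handlers are hypothetical, and the sample messages are constructed.

```javascript
// Added example: a gate that inspects every inbound message before application code runs.
// Message types, field rules and handlers are hypothetical.
const isAccount = (v) => typeof v === 'string' && /^[0-9]{6,12}$/.test(v);
const isAmount = (v) => Number.isSafeInteger(v) && v > 0 && v <= 1000000;
const RULES = {
  getBalance: { accountId: isAccount },
  transfer: { from: isAccount, to: isAccount, cents: isAmount },
};
const MAX_CHARS = 2048;
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns { msg } for an acceptable message, or { reason } explaining the denial.
function inspect(raw) {
  if (typeof raw !== 'string') return { reason: 'non-text message' };
  if (raw.length > MAX_CHARS) return { reason: 'oversized message' };
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return { reason: 'malformed JSON' }; }
  if (!isPlainObject(msg) || !isPlainObject(msg.body)) return { reason: 'bad envelope' };
  if (typeof msg.type !== 'string' || !own(RULES, msg.type)) return { reason: 'unknown message type' };
  const rule = RULES[msg.type];
  // Deny fields the rule does not name, then check every field it does name.
  if (Object.keys(msg.body).some((k) => !own(rule, k))) return { reason: 'unexpected field' };
  for (const field of Object.keys(rule)) {
    if (!own(msg.body, field) || !rule[field](msg.body[field])) {
      return { reason: 'invalid field: ' + field };
    }
  }
  return { msg };
}

// Wraps the handlers so that no message can reach them without passing inspect().
function createGate(handlers, log) {
  return function receive(raw, caller) {
    const verdict = inspect(raw);
    if (verdict.reason) {
      // Log the reason and size only, never the untrusted content itself.
      log({ event: 'denied', caller, reason: verdict.reason, size: String(raw).length });
      return { status: 400, error: 'rejected' };
    }
    return { status: 200, result: handlers[verdict.msg.type](verdict.msg.body, caller) };
  };
}

// Constructed sample traffic: one valid request and one with a negative amount.
const audit = [];
const receive = createGate({
  getBalance: (body) => ({ accountId: body.accountId, cents: 12345 }),
  transfer: (body) => ({ movedCents: body.cents }),
}, (entry) => audit.push(entry));
console.log(receive('{"type":"getBalance","body":{"accountId":"12345678"}}', 'app-1'));
console.log(receive('{"type":"transfer","body":{"from":"12345678","to":"87654321","cents":-5}}', 'app-1'));
console.log(audit);
```

Because the handlers are only reachable through `receive`, a new message type stays denied until a rule is written for it.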

Enjoy.

What percentage of Windows Store apps are written in HTML5/JavaScript?

Windows 8 provides a new touch-first experience for Store apps. You can write Windows Store apps using a common API (WinRT) with language projections (bindings) to C#, Visual Basic, C++, and JavaScript. XAML (Extensible Application Markup Language) is used to create not only Windows Store apps, but also Silverlight and WPF applications. There are differences between Windows Store apps, Silverlight, and WPF apps, but knowing one makes the others easy. JavaScript uses HTML5 markup and CSS3 to create fully native apps.

Here is the breakdown according to Robert Evans, Microsoft Technical Lead for Windows Store App Labs (Source):

  • 59% XAML/.NET (C# and Visual Basic)
  • 36% HTML/JavaScript
  • 5% XAML/C++  

During my inspection of apps, there seems to be an even higher percentage of XAML/.NET apps; however, I trust the submission numbers. It is just that the ones I tend to use are generally written in XAML/.NET.

You can inspect your installed apps, too. You can look behind the Windows 8 curtain.

Despite the numbers, in my view all of us could be writing TypeScript/JavaScript or some other variant someday soon. I always thought that it would be a dynamic language, but never thought it would be based on JavaScript.

Whatever you pick, enjoy it.

Update: These percentages are based on over 4000 apps that have come through the app labs. These are mostly consistent with the numbers that I have found through limited inspection. Here is how:  http://www.pursuitofgreatdesign.com/2013/02/a-look-behind-curtain-of-windows-8.html

A look behind the Windows 8 curtain

Windows 8 provides a new kind of touch-first app available from the Windows Store. These Windows Store apps use WinRT—the new Windows Runtime—not to be confused with Surface RT (the new ARM-based tablet from Microsoft). WinRT provides language projections (bindings) for C#, Visual Basic, C++, and JavaScript.

Loosely speaking, WinRT can be thought of as an object-oriented sandboxed secure replacement for Win32.

In my view, you will like Windows 8 Store apps even on a desktop or laptop. Give them a try. The Modern UI style that Windows 8 Store apps use can provide a better experience.

This quick look behind the curtain for Windows 8 Store apps answers these basic questions:
  • Where are the Windows Store apps located?
  • Where do the apps run?
  • Where do apps store your data?
  • Where is the WinRT?
  • Where do XAML apps get their style?

Where are the Windows Store apps located?


Windows Store apps are stored in the directory C:\Program Files\WindowsApps.

Each app will have its own subdirectory.  

Now, you will not be able to open the directory without first changing the ownership of the directory, so I have included terse instructions at the bottom of this post: [How To] change permission on the WindowsApps directory.
 

Once you dig deeper into the WindowsApps directory, you will notice a directory for each app (and an additional one for updates).

Digging further, you will notice that the majority of apps are written with XAML/C#, not HTML5/JavaScript.

As you will see, one of the disturbing things about HTML5/JavaScript apps is that you can read the JavaScript code. While you can decompile C# code as well, it is a bit more disturbing just to see the source sitting there. This is a good reason to obfuscate and minify your JavaScript before shipping. Most JavaScript developers are already used to this since the majority of JavaScript is delivered to web browsers.

Where do the apps run?  


If the app was developed using HTML5/JavaScript, then it runs in a host process called WWAHost.exe. This host process runs the Trident and Chakra engines along with the JavaScript projections to WinRT. To narrow down which app a given WWAHost.exe instance is hosting, view its command-line parameters in Process Explorer or Task Manager.

Apps written in C#, VB, and C++ are compiled into their own binary (MyApp.exe, for example).

Where do apps store data?


There are three main types of app storage:
  • Local: Persistent data that exists only on the current device   
    • Typical location: C:\Users\{username}\AppData\Local\Packages\{app_id}\LocalState

  • Roaming: Data that exists on all devices on which the user has installed the app. The current limit is 100K. The limit can be found using the following WinRT call: ApplicationData.Current.RoamingQuotaLimit
    • Typical location: C:\Users\{username}\AppData\Local\Packages\{app_id}\RoamingState  

  • Temporary: Data that could be removed by the system any time the app isn't running
    • Typical location: C:\Users\{username}\AppData\Local\Packages\{app_id}\TempState  

Where is WinRT?


The API is specified using winmd in the following directory, but the code runs elsewhere:

C:\Program Files (x86)\Windows Kits\8.0\References\CommonConfiguration\Neutral

The Windows Store apps (Metro) .NET profile can be found in the following directory:

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETCore\v4.5\

Where do XAML apps get their style?


When styling your XAML apps, you will likely edit StandardStyles.xaml located in the Common directory of your app—by default. As you will notice, these styles reference other styles that do not seem to exist. You can find these referenced (default) styles in the following directory:

c:\Program Files (x86)\Windows Kits\8.0\Include\WinRT\Xaml\Design\themeresources.xaml and Generic.xaml

You can redefine the desired styles such as Font color from the default in your StandardStyles.xaml.

I find it useful to put them into corresponding sections called Standard Styles Overrides.       

Sidebar: [How To] take ownership of the Windows App directory
In order to take ownership of the Windows App directory, you will have to be Administrator.
 
You might also first need to set the option to display hidden directories. Once you can see the directory, select the "WindowsApps" folder and open Properties for the following directory: C:\Program Files\WindowsApps\.

Select the "Security" tab in the Properties window and select Advanced. Change the owner using the "Change" link. Give yourself ownership. You will have to be Administrator in order to do this.
 
Sorry for the terse description. If you need more help, you can search the web for how to take ownership of Windows directory.


I hope that this quick peek behind the Windows 8 curtain helps you understand how apps run, store data, and get their style.

Enjoy.

Security Alert: Disable UPnP on your router!

You should disable UPnP (Universal Plug and Play) on your router.

In case you have not heard, there are about 81 million routers on the internet that can be completely compromised via exposed UPnP—likely including yours. There are known vulnerabilities in UPnP, and UPnP has been exposed externally by almost every router vendor (~1500 vendors). Because UPnP was found to be exposed on 81 million routers and has known vulnerabilities, these routers can be easily compromised, giving complete control of your network to anyone able to address your router. This is a very serious and widespread security vulnerability!

The main thing that you need to do: make sure that UPnP is not available externally. It could be acceptable to have UPnP enabled internally only, if your router supports it. Xbox Live, BitTorrent, Skype, and other apps can benefit from or require having it enabled internally.

It all starts with UDP port 1900 (UPnP Simple Service Discovery Protocol).
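To see which devices on your own network still answer UPnP discovery, for instance after changing the router setting, here is an added example (not code from this post or the linked advisories) that sends one SSDP search to the local multicast group and parses the replies. The sample reply is constructed, and the check covers only the internal side, not whether the router answers from the internet.

```javascript
// Added example: list devices on your own LAN that answer UPnP discovery (SSDP).
const SSDP_ADDR = '239.255.255.250'; // SSDP multicast group, stays on the local network
const SSDP_PORT = 1900;

// The standard SSDP search request (HTTP-style text carried over UDP).
function buildSearch() {
  return ['M-SEARCH * HTTP/1.1', 'HOST: ' + SSDP_ADDR + ':' + SSDP_PORT,
    'MAN: "ssdp:discover"', 'MX: 2', 'ST: upnp:rootdevice', '', ''].join('\r\n');
}

// Parses one reply; returns null unless it is an HTTP 200 SSDP response.
function parseReply(text) {
  const lines = String(text).split(/\r?\n/);
  if (!/^HTTP\/1\.[01] 200\b/.test(lines[0])) return null;
  const headers = Object.create(null); // no prototype, so header names cannot shadow anything
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { server: headers.server || '', location: headers.location || '', st: headers.st || '' };
}

// Sends one search and calls done(found, err) after timeoutMs or on a socket error.
function discover(timeoutMs, done) {
  const dgram = require('dgram'); // Node's UDP module, loaded only when a search is run
  const sock = dgram.createSocket('udp4');
  const found = new Map(); // responder IP -> parsed reply
  let finished = false;
  const finish = (err) => {
    if (finished) return;
    finished = true;
    sock.close();
    done(found, err);
  };
  sock.on('error', finish);
  sock.on('message', (buf, rinfo) => {
    const reply = parseReply(buf.toString('latin1'));
    if (reply) found.set(rinfo.address, reply);
  });
  sock.bind(() => {
    sock.send(buildSearch(), SSDP_PORT, SSDP_ADDR);
    setTimeout(() => finish(null), timeoutMs);
  });
}

// Constructed sample reply (address and product strings are made up).
const SAMPLE_REPLY = [
  'HTTP/1.1 200 OK',
  'CACHE-CONTROL: max-age=120',
  'LOCATION: http://192.168.1.1:5000/rootDesc.xml',
  'SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/1.0',
  'ST: upnp:rootdevice',
  '', '',
].join('\r\n');
console.log(parseReply(SAMPLE_REPLY));
```

On a real network, call `discover(3000, (found) => console.log([...found.entries()]))`; a router with UPnP fully disabled should no longer appear in the result.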

More details...
Vulnerability Note VU#922681: http://www.kb.cert.org/vuls/id/922681
Security Now (#389: Great explanation): http://twit.tv/show/security-now/389
Computer World: http://blogs.computerworld.com/malware-and-vulnerabilities/21717/check-your-router-now-lex-luthor-does
HD Moore’s blog post (he found it): https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

Just wanted to help get the information out so you do not get pwned.

Fall in love with your work


"Once you decide on your occupation, you must immerse yourself in it. You have to fall in love with your work. Never complain about your job. You must dedicate your life to mastering your skill. That is the secret to success and is the key to being regarded honorably."

"All I want to do is make better sushi. I do the same thing over and over, improving bit by bit. There is always a yearning to achieve more. I'll continue to climb trying to reach the top, but no one knows where the top is. Even at my age after decades of work, I don't think I have achieved perfection, but I feel ecstatic all day. I love making sushi."

Jiro Ono - Jiro Dreams of Sushi

Perhaps, love does lead to great design. Dreaming should be encouraged. Enjoy.

Linus Torvalds' code now in a Microsoft development product

Announced yesterday, TFS (Team Foundation Server) now supports Git as an integrated TFS repository. Microsoft has chosen Git as their DVCS (Distributed Version Control System) solution instead of building their own. They have full-time employees contributing to libgit2. I am really happy to see the TFS team move in this direction. Git repositories seem to support the full ALM (Application Lifecycle Management) features of TFS.

Great interview/overview with Martin Woodward, TFS Program Manager, yesterday on .NET Rocks: http://www.dotnetrocks.com/default.aspx?showNum=842

The irony: Linus Torvalds' code is now in a Microsoft development product. Thanks Linus. I, like many, appreciate your work and cannot wait to see your reaction. Years ago, Linux was the only operating system that I ran--even on a laptop. Linus Torvalds is the chief architect of the Linux kernel and also founded the Git project.

More details:
http://blogs.msdn.com/b/bharry/archive/2013/01/30/git-init-vs.aspx

Git support is still in CTP at this point and will only run on Visual Studio 2012 Update 2 (also CTP).

Enjoy!

Top 10 reasons why TypeScript will be widely adopted

TypeScript is a new programming language launched this week by Microsoft. TypeScript is an open source JavaScript superset that adds classes, interfaces, modules, and arrow lambdas to JavaScript.

With a computer science career (or any other for that matter), it pays to pick the right technology; the one that will ultimately prevail. We invest a lot of time and energy in learning a new technology—granted it is fun—but it helps to be on target. It is easier. Companies and projects benefit as well; development velocity increases when you pick a good technology, and the approach and business processes are simpler. Training and architecture are inherently easier. No matter the size, these matter.

Here are, in my view, the top 10 Reasons why TypeScript will be widely adopted:

#10: Works well with existing projects
TypeScript can easily be adopted by any project that uses JavaScript today.

#9: Uses structural interfaces
Structural interfaces are automatically implemented by any object/prototype that complies structurally. This means that you can define an interface for an existing JavaScript library as long as the object/prototype complies structurally; that is, it has the same properties and functions. It is powerful and practical.

#8: Generates JavaScript
TypeScript is compiled into JavaScript to ensure compatibility. This means that it can instantly run in just about any browser—the browser just needs to be ECMAScript 3 compliant.

#7: Great tool support
Even though TypeScript is at 0.8, there is great tool support, especially in Visual Studio. There is also text editor support for Sublime Text, Emacs, and Vim. Visual Studio IntelliSense is amazingly good for the TypeScript plug-in and the compiler is built-in.

#6: Simplicity
TypeScript has a simple design. The TypeScript compiler is written in TypeScript—an example of computational reflection—a beautiful thing. The C# compiler will only be implemented in itself in the next version. The TypeScript compiler is less than 25k physical lines of code excluding test cases and harness. Check the code out for yourself at CodePlex.

#5: Open Source
Microsoft has open-sourced the implementation and libraries. This is still in the best interest of Microsoft—internally they have large JavaScript projects to support Office, web properties that they own such as MSN, Windows 8 apps, etc. The code is available at CodePlex under an Apache 2 License.

#4: Anders Hejlsberg is involved
Anders Hejlsberg is a prominent Microsoft Fellow who co-designed several popular and commercially successful programming languages and development tools. He was the original author of Turbo Pascal and the chief architect of Delphi. Anders is the lead architect of C# and core developer on TypeScript.

I have admired Anders’ work since his first product: Turbo Pascal. Turbo Pascal, an amazing compiler and IDE, was written single handedly by Anders and it ran in less than 64k of memory. It was also lightning (turbo) fast. 

#3: TypeScript is a JavaScript superset
TypeScript extends the JavaScript syntax. Any existing JavaScript program or library works with TypeScript without a change. Existing frameworks such as jQuery and Node.js are fully supported. In addition, type declarations are provided. You can also install via Node.js.

#2: Aligned with future JavaScript standards: ECMAScript 6
TypeScript is essentially an ECMAScript 6 bridge for us. Microsoft's aim is to get the class, interface, and module constructs added to the upcoming ECMAScript 6 standard.

#1: Enables programming in the large
TypeScript introduces classes, interfaces, and modules—essential ingredients for programming in the large. JavaScript has often been criticized for not allowing programming in the large and, in essence, moving us back. In my view, a great developer can produce good code in any language, but it is essential to have modules and other constructs to help with large teams.

Closing
Do not necessarily jump ship from .NET and start writing all your code in TypeScript. No doubt, we all have to write JavaScript from time-to-time and TypeScript can help improve the structure of it and increase its scale. Large scale JavaScript can be necessary for Windows 8 JavaScript/HTML apps.

This week, Scott Hanselman (@shanselman) tweeted, "he who is most likely to make declarative statements is most likely to be called a fool in retrospect." In my view, TypeScript will be widely adopted (or I am a fool). Tell me what you think?

Additional Resources
There are many ways to contribute to TypeScript: discuss the spec, write libraries, contribute to the CodePlex project, write code, submit bug reports, answer questions, learn it, provide feedback, and tell others.

TypeScript: http://www.typescriptlang.org/

Anders Hejlsberg introduction video: http://channel9.msdn.com/posts/Anders-Hejlsberg-Introducing-TypeScript

Dart vs. TypeScript comparison by a Dart team member: http://www.reddit.com/r/programming/comments/10rkd9/welcome_to_typescript/c6g37xd

It is all about elegant code: simple yet powerful—the more the better; otherwise, much less is better. Enjoy.