Kotlin’s emergence: Common coding mistakes to watch for

In May 2019, Kotlin, a programming language for modern multi-platform applications, became Google’s preferred language for Android app development. As a result, many developers have shifted from using Java, the original language for building Android apps, to embracing Kotlin. According to a recent survey, 62% of developers are now using Kotlin to build mobile apps, with an additional 41% using Kotlin to build web-backend projects, meaning the language is here to stay.

In tandem with Kotlin’s emergence, we’re also seeing a greater emphasis placed on mobile application security from prominent organizations, including the U.S. Government. Its recent Study on Mobile Device Security, commissioned through the Department of Homeland Security (DHS) in consultation with the National Institute of Standards and Technology (NIST), found that vulnerabilities in applications are usually the result of failure to follow secure coding practices and these vulnerabilities typically result in some sort of compromise to a user’s data—serving as a wakeup call to the industry at large.

Now, more than ever before, and in light of National Cybersecurity Awareness Month taking place throughout October, it’s important for developers to familiarize themselves with Kotlin and understand secure coding best practices for mobile apps when it comes to using this language. To do this, let’s look at some of the common pitfalls when using Kotlin:

• Insecure data storage

The Android ecosystem provides several ways to store data for an app. The kind of storage used by developers depends on the type of data stored, the usage of the data, and whether the data should be kept private or shared with other apps.

Unfortunately, a very common coding error revolves around storing sensitive information in clear text. For instance, it is common to find API keys, passwords, and Personally Identifiable Information (PII) stored in the app’s ‘Shared Preferences’ or databases. We’re seeing this oversight increasingly lead to loss of confidential data, since an attacker who is able to access the app’s database (by rooting the device, taking a backup of the app, etc.) can retrieve the credentials of the other users of the app.
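As an added illustration (not code from the article), the following Kotlin shows the clear-text Shared Preferences pattern described above next to a hardened variant. It assumes the AndroidX Security library (`androidx.security:security-crypto`) is a dependency of the app; `saveTokenInsecure`, `saveTokenSecure` and the preference names are made up for this example.

```kotlin
// Added example: storing an API token in SharedPreferences, insecure vs. encrypted.
// Assumes androidx.security:security-crypto is on the classpath.
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

private const val PREFS_NAME = "session_prefs"   // hypothetical file name
private const val KEY_TOKEN = "api_token"        // hypothetical key

// Insecure: the token is written in clear text to
// /data/data/<package>/shared_prefs/session_prefs.xml, which is readable
// from an app backup or on a rooted device.
fun saveTokenInsecure(context: Context, token: String) {
    context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
        .edit()
        .putString(KEY_TOKEN, token)
        .apply()
}

// Hardened: keys and values are encrypted with a master key that lives in the
// Android Keystore, so the XML file on disk holds only ciphertext.
fun secureTokenPrefs(context: Context) = EncryptedSharedPreferences.create(
    context,
    "${PREFS_NAME}_enc",
    MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build(),
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

fun saveTokenSecure(context: Context, token: String) {
    secureTokenPrefs(context).edit().putString(KEY_TOKEN, token).apply()
}

// Reads the token back; decryption happens transparently with the same master key.
fun loadTokenSecure(context: Context): String? =
    secureTokenPrefs(context).getString(KEY_TOKEN, null)
```

Encrypting the file protects it against backup extraction and casual file reads; the master key remains usable by the running app, so secrets should still be short-lived where the design allows it.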

• Insecure communication

Currently, most mobile applications exchange data in a client-server fashion at some point. When these communications happen, data traverses either the mobile carrier’s network, or between some WiFi network and the Internet.

Although exploiting the mobile carrier’s network is not an impossible task, abusing a Wi-Fi network is usually much easier. If communications lack SSL/TLS, then an adversary will not only be able to monitor traffic transmitted in clear text, they will also be able to steal the exchanged data and execute Man-in-the-Middle (MitM) attacks. In order to prevent insecure communication, it’s important to always assume that the network layer is not secure and to continuously ensure that all communications between mobile apps and backend servers are encrypted.

• Insecure authentication

Weak or insecure authentication for mobile applications is fairly prevalent due to mobile devices’ input factor: 4-digit PINs are a great example of this. Either a weak password policy driven by usability requirements, or authentication based on features like TouchID, makes your application vulnerable.

Unless there’s a functional requirement, mobile applications do not require a back-end server to which they must authenticate in real time. Even when such back-end servers exist, users are typically not required to be online at all times. This poses a great challenge for mobile applications’ authentication: whenever authentication has to happen locally, it can be bypassed on jailbroken devices through runtime manipulation or modification of the binary.

Insecure authentication is not just about guessable passwords, default user accounts, or data breaches. Sometimes, the authentication mechanism can also be bypassed and the system will fail to identify the user and log its (malicious) activity.

• Code tampering

Once a mobile application is downloaded and installed on a device, both the code and the data are available there. Since most mobile apps are publicly distributed, this gives adversaries the chance to directly modify the code, manipulate memory content, change or replace the system APIs, or simply modify an application’s data and resources. This is known as code tampering.

Today, rogue mobile apps often play an important role in fraud-based attacks, becoming even more prevalent than malware. Typically, attackers exploit code modification via malicious versions of apps, tricking users into installing the malicious app through phishing attacks.

To prevent code tampering, it’s important that the mobile app can detect at runtime that code has been added or changed. From there, development teams should be able to react accordingly by reporting the code integrity violation to the server or shutting down execution entirely.
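One concrete form of the runtime check described above, added here as an example rather than taken from the article: the app compares the certificate that signed the installed APK against the fingerprint of the team’s release certificate, then reports and stops on a mismatch. `EXPECTED_CERT_SHA256` is a placeholder, and `reportViolation` stands in for whatever server-side reporting the app uses.

```kotlin
// Added example: runtime verification of the APK's signing certificate.
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Placeholder: replace with the SHA-256 of the release signing certificate (lowercase hex).
private const val EXPECTED_CERT_SHA256 = "<sha256-of-release-signing-cert>"

private fun ByteArray.toHex(): String = joinToString("") { "%02x".format(it) }

// Returns the SHA-256 fingerprints of the certificates that signed the running APK.
fun signingCertFingerprints(context: Context): List<String> {
    val pm = context.packageManager
    val pkg = context.packageName
    val certs = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val signingInfo = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES).signingInfo
        if (signingInfo.hasMultipleSigners()) signingInfo.apkContentsSigners
        else signingInfo.signingCertificateHistory   // current cert is the last entry
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures
    }
    val sha256 = MessageDigest.getInstance("SHA-256")
    return certs.map { sha256.digest(it.toByteArray()).toHex() }
}

// True when the APK carries the expected release certificate; a repackaged
// build signed with a different key fails this check.
fun isSignatureIntact(context: Context): Boolean =
    EXPECTED_CERT_SHA256 in signingCertFingerprints(context)

// The reaction the article recommends: report the integrity violation, then stop.
// reportViolation is a hypothetical hook for the app's server-side reporting.
fun enforceCodeIntegrity(context: Context, reportViolation: (String) -> Unit) {
    if (!isSignatureIntact(context)) {
        reportViolation("signing certificate mismatch: ${signingCertFingerprints(context)}")
        throw SecurityException("code integrity violation")
    }
}
```

Because this check ships inside the same binary an attacker can modify, it raises the bar rather than eliminating tampering; the server-side report, not the local decision, is the part to trust.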

Exploitation techniques are always evolving; new vulnerabilities might be found in the future based on dependencies that may reveal new application tampering points. By watching for these coding errors, developers can build more secure Android apps and avoid pitfalls that can lead to these avoidable scenarios. Additionally, developers can stay up-to-date by referring to the OWASP Mobile Top 10 security weaknesses list and reviewing Google Codelabs’ recent training modules that include Android Kotlin Fundamentals, Kotlin Bootcamp for Programmers, as well as Refactoring from Java to Kotlin.

The post Kotlin’s emergence: Common coding mistakes to watch for appeared first on SD Times.


Report: Organizations are struggling to perform business analytics on growing data volumes

Most organizations aren’t able to obtain any valuable insights from their growing volumes of data. This is according to a new survey from Matillion and IDG, “Optimizing Business Analytics by Transforming Data in the Cloud.” 

According to the survey, data volumes are growing at an average of 63% per month, with 12% of organizations reporting over 100% growth every month. According to a survey by IDC, in 2018 alone, storage suppliers added more than 700 exabytes of storage capacity to keep up with growing data volumes.

They also found that almost all organizations plan on utilizing the cloud for data management in some capacity in the next 24 months. Ninety percent of respondents have already placed some data in cloud data warehouses (CDWs).

But despite the growing interest in CDWs, their adoption alone doesn’t address all of the needs of data analytics. Over 90% of participants responded that it is a challenge to make data available in a format that is useful for analytics. Obstacles standing in the way of the data analytics projects include a lack of necessary data granularity, manual coding of data pipelines, and difficulty connecting with multiple data sources. 

The report also claimed that another area where organizations are struggling is in transforming data. Over one-third of respondents said they manually code their data into the necessary format before they load it into business intelligence and analytics tools. Only 28% actually load the data directly to the cloud and have the cloud handle the transformation process. 

“The massive amounts of digital data from thousands of potential sources can give companies critical information and insights into their operations, markets, and other areas when properly analyzed,” said Matthew Scullion, CEO of Matillion. “However, most organizations are not efficiently preparing their data, which makes the process costly and ineffective. Our research underscores both the demand and the urgency to utilize the flexibility and scalability of the cloud, not just to store data, but also to automate and accelerate data transformation.”

The post Report: Organizations are struggling to perform business analytics on growing data volumes appeared first on SD Times.


SD Times news digest: Topcoder’s new data science and AI features, Microsoft’s bug bounty program for ElectionGuard and Samsung’s Linux on DeX removed in Android 10

TopCoder, a Wipro company, announced that it is adding new data science and AI features to its network and on-demand digital coder talent platform. 

This includes native GPU support and the ability to develop advanced analytic solutions with any tool, library or cloud application service. 

“Topcoder is a bridge between IT talent and the enterprises that need them most with a fast, scalable, flexible outcome-based software development model that makes groundbreaking design, development, data science and testing possible through the gig economy workforce,” said Michael P. Morris, global head of outsourcing for Wipro Limited.

Microsoft announces bug bounty program for its open-source election SDK
Microsoft announced a new bounty program for ElectionGuard to discover high impact vulnerabilities. 

ElectionGuard is a free open-source SDK that enables end-to-end verification of elections, open results to third-party organizations for secure validation, and allows individual voters to confirm their votes were correctly counted.

Eligible submissions with a concise proof of concept are eligible for awards up to $15,000. The full details are available here.

Samsung is reportedly removing support for Linux on DeX in Android 10
Samsung announced that it is discontinuing its ‘Linux on DeX’ program in Android 10. With the functionality, users were able to run a full Linux desktop on top of Android.

“Thank you for supporting Linux on DeX Beta. The development of Linux on DeX was all thanks to customer interest and valuable feedback. Unfortunately, we are announcing the end of our beta program, and will no longer provide support on future OS and device releases,” Samsung wrote in a statement obtained by 9to5 Google. 

The full details are available here.

The post SD Times news digest: Topcoder’s new data science and AI features, Microsoft’s bug bounty program for ElectionGuard and Samsung’s Linux on DeX removed in Android 10 appeared first on SD Times.


Oracle co-CEO Mark Hurd passes at 62

Mark Hurd, Oracle’s co-CEO since 2014, died yesterday at the age of 62. Hurd and Safra Catz replaced Larry Ellison as CEOs when Ellison stepped down to become executive chairman and chief technology officer.

In a statement on Hurd’s personal website, Ellison wrote: “It is with a profound sense of sadness and loss that I tell everyone here at Oracle that Mark Hurd passed away early this morning. Mark was my close and irreplaceable friend, and trusted colleague. Oracle has lost a brilliant and beloved leader who personally touched the lives of so many of us during his decade at Oracle. All of us will miss Mark’s keen mind and rare ability to analyze, simplify and solve problems quickly.”

Just last month, Hurd announced he was going on leave for unspecified health reasons. Catz and Ellison were managing Oracle in his absence.

“Though we all worked hard together to close the first quarter, I’ve decided that I need to spend time focused on my health,” Hurd wrote in a statement, according to Business Insider. “As you all know, Larry, Safra and I have worked together as a strong team, and I have great confidence that they and the entire executive management team will do a terrific job executing the exciting plans we will showcase at the upcoming OpenWorld. I love Oracle and wish you all success during my absence.”

Oracle has not yet released an official statement at the time of this writing. 

Hurd leaves behind a wife Paula, who he married in 1990, and two daughters: Kathryn and Kelly. 

The post Oracle co-CEO Mark Hurd passes at 62 appeared first on SD Times.


Android NDK r21 moves to beta

Android announced that NDK r21 is now in beta. Android NDK is a toolset for implementing parts of an app in native code. The release — which is the first long-term support release — includes improved defaults for better security and performance.

One of the key features in the release is an update to GNU Make to version 4.2, which provides a number of bug fixes and enables ‘--output-sync’ to avoid interleaving output with error messages, the team explained. This is enabled by default with ndk-build.

Additionally, GDB, the GNU project debugger, has been updated to version 8.3, which includes fixes for debugging modern Intel CPUs. 

In addition, LLVM and all of its components were updated; Fortify is enabled by default when using ndk-build or the CMake toolchain file; and Arm code is now built with Neon by default.

The Android team also said it is making changes to its release process to better accommodate users that need stability without hindering those who are eager for the latest features. The team will release an LTS version once a year for users who want stability. Non-LTS “rolling” releases will happen quarterly and provide the latest features.

The release also updates the minimum system requirements, and 32-bit Windows is no longer supported.

“We have the usual toolchain updates, improved defaults for better security and performance, and are making changes to our release process to better accommodate users that need stability without hindering those that want new features,” Dan Albert, NDK tech lead, wrote in a post. 

The post Android NDK r21 moves to beta appeared first on SD Times.


Angular 9 will make Ivy available for all apps

At AngularConnect 2019, the Angular team shared some insight on innovations within Angular and the Angular community. 

During a keynote, the Angular team revealed its plans for the upcoming release of Angular, version 9. According to the team, a key goal of Angular 9 is to make the Ivy compiler available for all apps. The main benefit of Ivy is that it is able to significantly reduce the size of small and large-sized applications. 


The team laid out the roadmap for Ivy going forward as well. There will be an opt-out option in version 9, available through Angular 10. Starting with version 10, libraries will ship Ivy code, and in version 11, ngcc, the compatibility compiler that makes code Ivy-compliant, will be used as a backup only.

Other updates in Angular 9 will include updated dependencies, an updated build system and project config, and migrations. 

The post Angular 9 will make Ivy available for all apps appeared first on SD Times.


SD Times news digest: Microsoft’s AI for Accessibility grants, Hyperledger Sawtooth 1.2, and Accusoft Barcode Xpress .NET Core

Microsoft announced that it is offering a grant to ObjectiveEd, the makers of the Braille Tutor app, which incorporates AI-based speech recognition to help students practice reading Braille with personalized learning plans. The grant is part of Microsoft’s AI for Accessibility program to help people using AI-powered technology.

The Braille Tutor app was created because, currently, only 13% of blind or visually impaired students know Braille, and in most public schools, teachers who know Braille only come to the schools once a week to teach personalized lessons, the company explained. The app aims to fix that by helping to teach Braille.

“We have a huge opportunity and a responsibility to be making technology smarter and more useful for people with disabilities,” said Mary Bellard, Microsoft senior architect lead for accessibility. The aim of the AI for Accessibility program, which began in 2018 and now has 32 grantees, is to help people “build something really useful at the intersection of AI, accessibility and disability.”

MIT researchers develop algorithm to give robots a better grip
Researchers at MIT developed a new algorithm that speeds up the planning process that robots use to adjust their grip on objects, thereby giving them a better, faster grasp. 

Whereas traditional algorithms would require tens of minutes for planning out a sequence of motions, the team’s new approach shaves this pre-planning process down to less than a second, according to a post.

“Seemingly simple variations, such as how hard a robot grasps the object, can significantly change how the object moves in the grasp when pushed,” Rachel Hollada, a graduate student in electrical engineering and computer science at MIT, explained. “Based on how hard you’re grasping, there will be a different motion. And that’s part of the physical reasoning that the algorithm handles.”

Hyperledger Sawtooth 1.2
Hyperledger Sawtooth 1.2 is now available, adding full support for the PBFT consensus engine and for mobile application development with new SDKs for iOS and Android.

“Now, Sawtooth PBFT 1.0 is the preferred consensus for small-to-medium networks — it’s leader-based, non-forking, and fast. PBFT also provides the safety and liveness guarantees that are necessary for operating a blockchain network with adversarial trust. This makes PBFT an excellent option for smaller consortium-style networks,” the Hyperledger Foundation wrote in a post.

The release also contains transaction family compatibility with Sawtooth Sabre, enhanced performance and stability, improved documentation, better support for consensus algorithms, and overall platform refinements for a better developer experience.  

Accusoft announces Barcode Xpress .NET Core
Accusoft released Barcode Xpress .NET Core, which offers support for 1D and 2D barcodes, recognition of over 30 barcode types and support for damaged and broken barcodes.

“Developers can integrate Barcode Xpress into their application with just a few lines of code,” said Steve Wilson, VP of product at Accusoft. “This new development environment enables developers from a variety of programming backgrounds to integrate leading barcode technology into their applications.”

Barcode Xpress is now available in Node.js, .NET, C/C++, ActiveX, Java, and .NET Core. The full details are available here.

The post SD Times news digest: Microsoft’s AI for Accessibility grants, Hyperledger Sawtooth 1.2, and Accusoft Barcode Xpress .NET Core appeared first on SD Times.


SD Times Open-Source Project of the Week: Dapr

Microsoft announced the alpha release of its open-source, portable, event-driven runtime called Dapr. The aim is to make it easier for developers to build microservice applications.

According to the company, the microservices benefits of scalability, loose service coupling and independent deployments come at the expense of the increased complexity of distributed systems. In addition, writing an application may involve working with multiple languages, developer frameworks and infrastructure platforms.

Nevertheless, microservices are expected to grow and underpin 90% of all new apps by 2022, according to a report from the consulting firm IDC.

The new project, Dapr, is set to make it easier to build resilient stateless and stateful microservice applications that run on the cloud and edge. It consists of building blocks that are accessed through HTTP or gRPC APIs that work with any programming language. It also includes language-specific SDKs.

“This enables developers to write a combination of stateless and stateful functions and actors all in the language of their choice. And because these SDKs share the Dapr runtime, you even get cross-language actor and functions support,” Microsoft wrote in a post that described the project. 

Dapr consists of a set of building blocks accessed by standard HTTP or gRPC APIs that can be called from any programming language. 

The alpha release includes some prominent building blocks such as:

  • Service invocation – enables method calls, including retries, on remote services wherever they are running in the supported hosting environment
  • State management – with which stateful services can be easily written, alongside stateless services in the same application. The state store is pluggable
  • Publish and subscribe messaging between services – simplifies horizontal scalability and makes services resilient to failure
  • Event driven resource bindings – which build further on event-driven architectures for scale and resiliency by receiving and sending events to and from any external resources such as databases, queues, file systems, blob stores, webhooks, etc. 
  • Virtual actors – A pattern for stateless and stateful objects that make concurrency simple with method and state encapsulation.
  • Distributed tracing between services – Easily diagnose and observe inter-service calls in production using the W3C Trace Context standard and push events to tracing and monitoring systems.


The post SD Times Open-Source Project of the Week: Dapr appeared first on SD Times.


Atlassian acquires Automation for Jira provider Code Barrel

Atlassian has announced it is acquiring Code Barrel, the makers of Automation for Jira. According to the company, Automation for Jira is a top-selling Atlassian Marketplace app with a growing customer base of more than 6,000 customers, who are executing more than 40 million automation rules a month.

“We are, as ever, committed to our mission to create an easy-to-use team productivity tool that users can feel passionate about. Becoming part of Atlassian will provide an amazing opportunity for us to continue building a solid solution for what our customers need, and we’ll now be able to invest in R&D more heavily to further improve Automation for Jira,” Andreas Knecht, founder of Code Barrel, wrote in a post.

Automation for Jira is a no-code rules builder designed to automate routine operations such as creating an issue, linking two issues together, and automating onboarding and permissioning. 

“By having computers do more of the time-consuming and error-prone work, teams can win back more of their most precious resource: time. We’re thrilled by the way Automation for Jira brings you more time to focus on deep, meaningful work and unleashes more of your team’s potential,” Noah Wasmer, head of tech teams for Atlassian, wrote in a post.


The post Atlassian acquires Automation for Jira provider Code Barrel appeared first on SD Times.


Zoho launches full-stack serverless developer platform

In an effort to help developers build and deploy serverless applications at scale, Zoho Corporation is launching a new full-stack serverless platform. Catalyst is designed to deploy apps and microservices at scale while reducing time and costs.

According to the company, developers are too often bogged down dealing with provisioning, monitoring, scaling, patching, logging and updating servers. Catalyst handles the operational details while developers build the applications.


“The best craftsmen make their own tools. To create the comprehensive suite of business apps that we offer today, we had to build tools first. Those tools, along with the infrastructure we built over the years, are now available to developers through Catalyst,” said Raju Vegesna, Zoho’s Chief Evangelist. “With a strong belief in developer productivity, we’ve been offering several serverless capabilities to developers before it was even called serverless. Our commitment to end-to-end solutions has enabled us to offer a comprehensive suite of no-code, low-code, and pro-code tools.”

Catalyst consists of three major components: backend as a service, function as a service, and Catalyst services.

The backend component features things like a relational database, file storage and caching capabilities, allowing developers to store and retrieve data as necessary when building an application, the company explained.

The function as a service piece allows developers to write functions in Java or Node.js without having to deal with provisioning or scaling. Zoho plans to add more support for programming languages soon.

Lastly, Catalyst services are app services such as sign up, authentication, push notifications, search indexing and emailing.

Other features include artificial intelligence and machine learning services such as optical character recognition and object detection; command-line tools; web and mobile SDKs and APIs; and a unified interface.

The post Zoho launches full-stack serverless developer platform appeared first on SD Times.
