Category Archives: iPhone

Stay.com wins Best Utility App at AppWorks

We’re proud to report that the Stay.com app has won the “Best Utility App” award at AppWorks 2012. AppWorks is the biggest conference for mobile apps and services in Norway.

Photo: Eirik Helland Urke.


Working together with Stay.com and Unfold on the app has been lots of fun, and we’re already working hard on making it even better! High five! ;)

Developing Stay.com 2.0 – an app post-mortem

You’re only as good as your last app. And the last one we’ve developed here at Cutehacks is Stay.com for Android and iOS. We developed the Android version and helped finalize the  iOS version. Here is a small write-up of some of our experiences developing and launching Stay.com 2.0. Overall it was a great success, but as you’ll see – we learned a few things along the way.

A short intro to Stay.com

If you don’t already know Stay.com here is a small introduction: Stay.com lets you create your own personal travel guides which you can download to your phone and use while offline. This saves a lot of money as roaming fees are still ridiculously high around the globe. Here are some screenshots:

The app is available for  Android and iOS, and if you want to know more check out this short video explaining the service.

What went wrong

We spent about five and a half months developing Stay.com for Android. We were two full time developers. We learned a lot along the way and I’ve selected three areas where we met problems.

Wrong#1 – Ignoring the Android look

Stay.com was developed for Android and iOS in parallel. At the start of the project we were asked by the designers what kind of modifications were needed to adapt the design, which was iOS focused, to Android. We estimated that no big changes were needed and promised we could make the iOS inspired design work on Android as well. We delivered on the promise, and launched a great looking app that handled the different resolutions of Android and followed the design close to pixel-perfection.

What we, or I guess I should say I, didn’t expect, was the negative reviews this provoked from some of the users downloading and rating the app on Google Play. I honestly didn’t know there were Android fanboys out there that cared. Some excerpts:

  • “…a converted iOS app on Android is an insult…”
  • “…it’s just an iOS app…”
  • “…iOS look on Android is not cool…”

Clear and honest feedback right there. And looking at things as they are now with Ice Cream Sandwich in use, updated fonts and proper design guidelines, I’d say they have a point. In my defense, the guidelines were not published when we started the project.

However, we’ve seen the errors of our ways and have have released several updates of the Android app that fixes most of these issues. Here are a few screenshots that shows some of the design changes:

Wrong#2 – Memory and performance

Another area that took us by surprise was the memory handling on Android. In short: the maximum heap size allowed for each app is limited and device dependent. If you try to allocate memory above this limit, your app is killed – just like that.  This is clearly not the way to do it, and I was surprised to find this behavior on a modern mobile OS like Android. We ended up having to rewrite some of our caching algorithms for  images, databases, and offline maps in order to run Stay.com on inferior Android devices. If you’re wondering how to do memory profiling on Android I recommend you watch this video - several times.

We also experienced performance issues with the default Android database. Every app can easily create a database where it adds, edits and retrieves data in a sensible manner. It turns out that inserts are really slow. If you want any sort of adequate performance you need to pay special attention to how you manipulate the database. For example, when inserting multiple rows in the same table make sure you do bulk inserts and not one row at a time.

Wrong#3 – Facebook SDKs

I’m not a big Facebook fan. In truth, up till we developed Stay.com I didn’t even have an account. Yeah, I know. One of the things we discovered during the implementations of some of the more advanced features of Stay.com and its Facebook integration was: the Facebook APIs suck. For the Android app we use both the official Facebook SDK for Android, as well as some of the REST APIs. We found them poorly documented, unstable, broken, non-compliant and confusing. Especially the REST APIs. Odd! The only tip I can give you are to keep an eye out for changes mentioned on the developer pages and search for tips and tricks on Stack Overflow.

What went right

Right#1 – Crash logger ACRA

A few days before we were ready to launch in Google Play, after we were done with most of the testing and debugging, I came across a post where someone mentioned this crash logger tool called ACRA. And just as an afterthought, we added it to the build. This turned out to be a great idea.

ACRA works in a very simple way. When the application crashes the user is given the chance to report back what just happened. If the user sends a report, a lot of debug data ends up in a Google spreadsheet of our choosing. ACRA is easy to integrate and has helped us expose a lot of bugs in our code. I highly recommend ACRA.

Right#2 – Trello, Git and GitHub

We use a lot of tools, but I’d like to focus on three of the ones we used when developing Stay.com.

Trello is a low-impact collaboration tool. It’s free, simple and online. You create a board for your project, you add some lists to the board, and in each list you add some cards. We used two boards when developing Stay.com – one for the Android client and one for iOS. We’re using Trello for all our projects now. We love it.

Git is a version control system. If you’re still using something like Perforce, Subversion or CVS, you need to get out more. Here are two reasons for using Git:

  • branches cost nothing
  • it works offline

Now, if you like being sysadmin it’s fairly easy to setup and maintain your own server where you can host your repositories. But if you just want something that works, go with GitHub. We’ve now upgraded to their business plan and I have to say that makes administrating different repositories, teams and access control very easy. Thumbs up!

Right#3 – Small teams, small companies

Developing Stay.com 2.0 for iOS and Android involved teams in different companies:

Somehow, this all went great. I think the combination of small teams in small companies really melded well together. Weekly meetings, IRC and Skype, shared source code, Basecamp, Trello and a mishmash of other tools helped collaboration.

Conclusion

Overall the development and launch of Stay.com 2.0 was a great success. The user feedback has been great and we’re proud of what we developed. The app has a 4 star rating on Google Play and 4+ on iTunes. Although the initial launch was in mid-June 2012 – we’re still working full-time on the Android and iOS versions, continuously fixing bugs and adding new features.

Why You Should Always Use SSL for API Calls

We recently had an interesting bug report for a project we’re working on;

“I was going through attractions in Venice and was adding them to ‘my guide’, however when I reopened the App the very next day it shows my guide, but it is empty.”

This was a bit disconcerting to say the least! When your App suddenly start losing data, alarm bells and blinking lights go off and you scramble to fix it. However, the world of hotspots and ‘free’ wireless networks is a menagerie that’s difficult to reproduce in a lab environment.

In this case, the App resumed normal operation once brought back online – which gives a hint to the cause. The fix was somewhat surprising and discovered by coincidence; You should always use SSL for all API calls! You’ll incur increased CPU use for decrypting data, and potentially have to get approval to use it – but it’s worth it! Let me explain;

The real culprit in the scenario above is a neat thing called “Captive Portal”. You’ve probably used when you have been out travelling, and purchased internet hours from an overpriced provider – or received a cupon from your friendly hotel clerk. Typically you open a browser to pass the Captive part of the portal. If your device is unfortunate enough to connect through a non-authenticated portal, your App could be in trouble.

In most cases, the portal will immediately present a login dialog when you try to go online – asking you to accept TOC or give them some money. In this case, the platform will recognize that you are not actually online and prevent your App from making API calls (assuming you’re guarding for this in your implementation).

- (void)reachabilityChanged:(NSNotification *)notification
{
  // using Reachability from Apple: http://tinyurl.com/42mxger
  NSUInteger status = [reachability currentReachabilityStatus];

  BOOL isOnline = (NotReachable != status);
  BOOL isUsingWiFi = (ReachableViaWiFi == status);

  // handle appropriately..
}

Trouble begins when less friendly implementations hijack your DNS queries and present their own content in place of what you’re asking for.

In the case of your App, regular HTTP API calls will appear to succeed, and return… garbage. Actually, they will return HTML content from the captive portal – but to your App it’s highly toxic garbage. In the scenario above, the App happily eats whatever content is served – promptly concludes there is nothing salient returned from the API call, and fails to display anything.

If you use HTTPS however, you will immediately get a certificate failure and you can handle the situation gracefully;

NSError *error; // out parameter from NSUrlConnection::syndSynchronousRequest

switch (error.code)
{
  case NSURLErrorServerCertificateHasBadDate:
  case NSURLErrorServerCertificateUntrusted:
  case NSURLErrorServerCertificateHasUnknownRoot:
  case NSURLErrorServerCertificateNotYetValid:
    // Handle the certificate error
    break;
}

.. and present the user with a clarifying dialog;

While I would have loved to go to Venice to dissect and purge the issue – there’s an easy way to reproduce this environment using only your local network;

1. Set up a Web server and DNS on your localhost.

Personally I used Mac OS X’s Server App to quickly get it up and running, but there are multiple guides out there to do it using a mix of dhcp, dns and apache.

2. After you’ve set up the DNS, add the hostname for the API calls you wish to block.

Set them to point to your own host’s network IP address – and make sure the web server has a 404 page configured.

3. Switch the DNS entry of the wireless network on your device to your host IP address.

4. All calls to the URL will now return your /index.html or alternatively the 404 page you configured.

In the case of using SSL it will provide an untrusted certificate that incorrectly claims to be your API endpoint.

For us, the lesson is that SSL is invaluable in mobile Apps and should be the default when polling data – because it accurately lets you identify that you’re receiving data from the correct source, and that it has not been tampered with on the way.