iPhone developer's view at the mobile web-services – Prague, 24th September 2010 – Petr Dvořák, iPhone Developer


Page 1: - Webexpo 2010

iPhone developer's view at the mobile web-services

Prague, 24th September 2010

Petr Dvořák, iPhone Developer

Page 2: - Webexpo 2010

Well, iPhone might not last forever. Web-services written for it will.

The key message

Page 3: - Webexpo 2010

What we will cover ...

Motivation
Technical matters
Small appeal
Q&A

Page 4: - Webexpo 2010

Motivation

Page 5: - Webexpo 2010

Renaissance of the web-services

Back in 2005, WAP was pretty cool
Web-services are for corporations and business applications

Page 6: - Webexpo 2010

Renaissance of the web-services

Today, the web-services are „customer goods“

Page 7: - Webexpo 2010

Trends today

Social apps are on a roll...

Page 8: - Webexpo 2010

Trends today

Modern media changes – news is everywhere...

Page 9: - Webexpo 2010

Trends today

iPhone is the business phone (sorry...)

Page 10: - Webexpo 2010

Two points to remember for now...

Importance of the web-services rapidly grows

If you didn't start yesterday, it might be too late

Page 11: - Webexpo 2010

Technical matters

Page 12: - Webexpo 2010

XML-RPC/SOAP? Why not...

Procedural approach to web-services
Libraries already exist: „Cocoa XML-RPC Framework“ used in WordPress
Any C/C++ library will work

Page 13: - Webexpo 2010

And the winner is ... RESTful + XML / JSON (YAML, PList …)

REST principles implemented on top of the HTTP protocol: HTTP POST, GET, PUT, DELETE
Data oriented – the main unit is a resource (vs. the procedural approach)
Popularity originates in comprehensibility

Page 14: - Webexpo 2010

Example of a REST API - Corkbin

<nearest lat="50.104571" lon="14.496027" max="2">
  <wine hash="w722833d" id="1284919812900_475001_4" recommended="false"
        timestamp="1284919812900" userId="475001">
    <comment>Pink wine :)</comment>
    <img>wineImage/p1284919812900_475001_4</img>
    <gps lat="50.129139" lon="14.471089"/>
  </wine>
  <wine hash="w14a6cb4" id="1284902438029_125008_8" recommended="true"
        timestamp="1284902438029" userId="125008">
    <comment>Nice wine from France</comment>
    <img>wineImage/p1284902438029_125008_8</img>
    <gps lat="45.192108" lon="9.208828"/>
  </wine>
</nearest>

Page 15: - Webexpo 2010

Little issue to keep in mind ...

Not all servers support all HTTP methods when you need them
„Pure RESTful“ needs all HTTP methods to work
Fix your servers and frameworks

Page 16: - Webexpo 2010

Which API format to choose?

Page 17: - Webexpo 2010

XML vs. JSON – and the winner is ...

Page 18: - Webexpo 2010

XML vs. JSON

Choose what fits you best (or just start a flame...)
XML: older, more robust, chatty format with more mature tools – TouchXML, KissXML, NSXMLParser, ...
JSON: better suits the object serialization abstraction, compact – TouchJSON, JSON Framework

Page 19: - Webexpo 2010

Little remark on XML being chatty …

<!-- 76 chars -->
<person>
  <name>Petr</name>
  <surname>Dvorak</surname>
  <born>1985</born>
</person>

<!-- 50 chars -->
<person name="Petr" surname="Dvorak" born="1985"/>

Page 20: - Webexpo 2010

Plists

You can use plists as a base format for an API

Page 21: - Webexpo 2010

Plists (Property List)

You can use plists as a base format for an API
What the heck is a plist? Apple's XML-based format with a binary variant
The binary variant is the default, and very space efficient
Used for object serialization and app properties

Page 22: - Webexpo 2010

Plist - Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Year Of Birth</key>
  <integer>1965</integer>
  <key>Kids Names</key>
  <array>
    <string>John</string>
    <string>Kyra</string>
  </array>
</dict>
</plist>
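As an added example (not code from the talk), Python's standard plistlib parses the slide's plist above and converts it to the binary variant, so you can check the two claims made on the previous slide: a client accepts either variant transparently, and the binary one is markedly smaller.

```python
import plistlib

# The plist from the slide, reproduced here as constructed sample input
XML_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Year Of Birth</key><integer>1965</integer>
  <key>Kids Names</key><array><string>John</string><string>Kyra</string></array>
</dict>
</plist>
"""


def load_plist(data):
    # plistlib sniffs the header ("<?xml" vs. "bplist00"), so one call handles both variants
    return plistlib.loads(data)


def to_binary(obj):
    return plistlib.dumps(obj, fmt=plistlib.FMT_BINARY)


def to_xml(obj):
    return plistlib.dumps(obj, fmt=plistlib.FMT_XML)


def size_report(obj):
    # Byte counts of the same object in both serializations
    return {"xml": len(to_xml(obj)), "binary": len(to_binary(obj))}


if __name__ == "__main__":
    person = load_plist(XML_PLIST)
    print(person)
    print(size_report(person))
```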

Page 23: - Webexpo 2010

Optimal granularity?

Page 24: - Webexpo 2010

What is granularity?

„The way you split the complete model stored on the server into individual resources“

Page 25: - Webexpo 2010

What is granularity?

Extreme: one huge XML file with all information vs. many small files
Which direction should you choose?

Page 26: - Webexpo 2010

Choose the right one, dummies! :-)

Page 27: - Webexpo 2010

Practical testing

One resource should have no more than 80kB
GPRS: ~20-30 seconds to download (users don't die waiting)
3G: ~6-8 seconds (users don't get bored)
Latency is still an issue – try to keep resources as big as possible

Page 28: - Webexpo 2010

Authentication on iPhone

Page 29: - Webexpo 2010

Basic HTTP authentication

Client-side method
Almost for free on iPhone
Implement the authentication challenge callback … or just add credentials in the URL
Do you really want to consider this method?

Page 30: - Webexpo 2010

Basic HTTP authentication

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    // you can use [challenge previousFailureCount] here to stop retrying a rejected credential
    NSURLCredential *newCredential = [NSURLCredential credentialWithUser:USERNAME
                                                                password:PASSWORD
                                                             persistence:NSURLCredentialPersistenceForSession];
    [[challenge sender] useCredential:newCredential
           forAuthenticationChallenge:challenge];
}

Page 31: - Webexpo 2010

Form-based authentication Long story short: You get it for free...

Page 32: - Webexpo 2010

Form-based authentication

NSURL *url = [NSURL URLWithString:@"https://localhost/login.php"];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
[request setHTTPMethod:@"POST"];
[request setValue:@"application/x-www-form-urlencoded"
   forHTTPHeaderField:@"Content-Type"];
// credentials go in the POST body, exactly as the HTML login form would send them
NSData *postData = [@"login=joshis&password=********"
                    dataUsingEncoding:NSUTF8StringEncoding];
[request setHTTPBody:postData];
[request setValue:[NSString stringWithFormat:@"%lu", (unsigned long)[postData length]]
   forHTTPHeaderField:@"Content-Length"];
self.connection = [NSURLConnection connectionWithRequest:request
                                                delegate:some_delegate];
[self.connection start];

Page 33: - Webexpo 2010

Apparent problem ...

Credentials are stored on the device for the purpose of auto-login
Does not have to be an issue
Mobile device: usually, it is...
If not on HTTPS, content can be forged
Any solution? Yes – let's dance...

Page 34: - Webexpo 2010

OAuth

Authentication protocol
3 subjects – user, consumer, provider
Consumer ~ application registered at the provider
3 stages – request, authorize, access
On a mobile device: OOB (out-of-band) version

Page 35: - Webexpo 2010

Step 1: Request token

Consumer asks the provider for a request token
Provider grants the request token

Page 36: - Webexpo 2010

Step 2: Direct user to provider

Consumer points the user to the provider's login page
User re-writes the PIN (verifier) in the app

Page 37: - Webexpo 2010

Step 3: Access token

Consumer asks the provider for an access token (uses the PIN)
Provider grants the access token

Page 38: - Webexpo 2010

OAuth – the good thing

Access tokens are stored on the device, then used in the OAuth header (HTTP)
These are not the username and password – and that's what we wanted
Signature prevents content forgery
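As an added example (not code from the talk or from any OAuth library), a Python sketch of what the good thing above looks like on the wire once the dance is over: the consumer builds an OAuth 1.0 HMAC-SHA1 Authorization header carrying only the access token plus a signature, and the provider recomputes that signature over what it actually received. The credentials, URL and query values are constructed sample data.

```python
import base64, hashlib, hmac, urllib.parse

# Constructed sample credentials (not real): the consumer is the app, the token is the user's access token
CONSUMER_KEY, CONSUMER_SECRET = "corkbin-app", "consumer-secret"
ACCESS_TOKEN, TOKEN_SECRET = "at-7f2b", "token-secret"


def pct(value):
    return urllib.parse.quote(str(value), safe="-._~")   # RFC 3986 encoding required by OAuth 1.0


def sign(method, base_url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & enc(url) & enc(sorted "k=v" pairs); base_url assumed normalised, no query
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(base_url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def build_authorization_header(method, base_url, query, nonce, timestamp):
    # Consumer side: only the access token travels, never the username or password
    oauth = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": ACCESS_TOKEN,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
             "oauth_nonce": nonce, "oauth_version": "1.0"}
    oauth["oauth_signature"] = sign(method, base_url, {**query, **oauth}, CONSUMER_SECRET, TOKEN_SECRET)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization_header(header):
    pairs = (p.split("=", 1) for p in header[len("OAuth "):].split(", "))
    return {k: urllib.parse.unquote(v.strip('"')) for k, v in pairs}


def verify_request(method, base_url, query, header, secrets):
    # Provider side: look up the secrets for (consumer, token), recompute the signature over the
    # received method, URL and parameters, and compare in constant time; any altered query value,
    # method or token changes the base string and the check fails
    oauth = parse_authorization_header(header)
    presented = oauth.pop("oauth_signature", "")
    creds = secrets.get((oauth.get("oauth_consumer_key"), oauth.get("oauth_token")))
    if creds is None:
        return False
    expected = sign(method, base_url, {**query, **oauth}, *creds)
    return hmac.compare_digest(presented.encode(), expected.encode())
```

A real provider additionally rejects reused nonces and stale timestamps, so a captured header cannot simply be replayed.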

Page 39: - Webexpo 2010

OAuth in an actual app

Page 40: - Webexpo 2010

OAuth – the bad thing

You display a web page for authentication for your app
Either in the app – the user types into an untrusted context
Or in Safari – the workflow is horrible
The best security is achieved only in a trusted browser

Page 41: - Webexpo 2010

XAuth

XAuth is still OAuth
Credentials are processed on the client during the dance
Username and password are exchanged for the access tokens

Page 42: - Webexpo 2010

OAuth/XAuth – implementation

It is a heck of a lot of work to implement OAuth/XAuth on the iPhone for the first time, if you don't/can't use libraries
It is definitely worth it, if you have the patience
Users' passwords and communication are safe
Web-service implementors: do OAuth/XAuth!

Page 43: - Webexpo 2010

Caching

Page 44: - Webexpo 2010

Caching

Better feel for the user
Less data transferred
Technologies: Plists, SQLite database + nice wrappers (fmdb, TouchSQL, ...)

Page 45: - Webexpo 2010

Cache validation

Asking the server if the resource you have is up to date.

Page 46: - Webexpo 2010

ETag

Every resource has a “tag” associated with it on the “CREATE” operation on the server (HTTP POST)
The tag is updated on the “UPDATE” operation on the server (HTTP PUT)
The ETag is sent in an HTTP header with the resource

Page 47: - Webexpo 2010

ETag

Client caches the ETag with the resource
Client sends an “If-None-Match” header with the ETag when asking for a resource
If the resource is not modified, the client receives a “304 – Not Modified” response from the server and cancels the connection
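As an added example (not code from the talk), a Python stand-in for the ETag round trip just described: a constructed provider that assigns a tag on POST and a new one on PUT, and a client that keeps the tag beside the cached body, sends If-None-Match, and on 304 reuses the cache without downloading anything. The client also refuses to read a body on a non-2xx status, which is the point of the later Error handling slides. Paths and bodies are constructed sample data.

```python
import hashlib


class Provider:
    """Constructed server stand-in: resources get an ETag on create (POST), a fresh one on update (PUT)."""

    def __init__(self):
        self.resources = {}  # path -> (etag, body)

    @staticmethod
    def _tag(body):
        # Strong ETag derived from the representation: any change to the body changes the tag
        return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

    def post(self, path, body):
        self.resources[path] = (self._tag(body), body)

    def put(self, path, body):
        self.resources[path] = (self._tag(body), body)

    def get(self, path, headers):
        if path not in self.resources:
            return 404, {}, b""                 # a real status code, not 200 + <error>
        etag, body = self.resources[path]
        if headers.get("If-None-Match") == etag:
            return 304, {"ETag": etag}, b""     # nothing to download
        return 200, {"ETag": etag}, body


class CachingClient:
    def __init__(self, provider):
        self.provider = provider
        self.cache = {}            # path -> (etag, body)
        self.bytes_downloaded = 0  # counts bodies actually transferred

    def fetch(self, path):
        headers = {}
        if path in self.cache:
            headers["If-None-Match"] = self.cache[path][0]
        status, resp_headers, body = self.provider.get(path, headers)
        if status == 304:
            return self.cache[path][1]           # reuse the cached representation
        if status // 100 != 2:
            raise RuntimeError(f"HTTP {status} for {path}")  # decide on the status line alone
        self.bytes_downloaded += len(body)
        self.cache[path] = (resp_headers["ETag"], body)
        return body
```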

Page 48: - Webexpo 2010

HTTP Responses

Page 49: - Webexpo 2010

Error handling

HTTP responses are often ignored on the server side
Always returns 200 + XML with <error> elements … wrong for mobile clients
Download just to find out an error occurred

Page 50: - Webexpo 2010

Error handling

- (void)connection:(NSURLConnection *)connection
didReceiveResponse:(NSURLResponse *)response {
    int code = [((NSHTTPURLResponse *)response) statusCode];
    if (code == 200) {
        // OK – alternatively treat any non-2xx (code / 100 != 2) as an error
    } else if (code == 418) { // I'm a teapot
        [self iMaTeaPot];
    } else {
        // assume error here, switch depending on the response code
        [self handleError:code];
        [connection cancel]; // don't download the body just to learn it is an error
        self.connection = nil;
    }
}

Page 51: - Webexpo 2010

Little appeal

Page 52: - Webexpo 2010

Little appeal

Machines are people too...

Page 53: - Webexpo 2010

Little appeal

Making public data hard to process by machines does not help anyone
And it does not stop anyone
Registration at least enforces some policy

Page 54: - Webexpo 2010

Real-world „web-services“

vs. YAML API after registration
10 API queries per 1 ad query
Enforceable: an app that does not follow the rule → BAN

Page 55: - Webexpo 2010

Romanian hydrometeorological institute

vs. paid XML/CSV exports
Rational pricing
Now: ~10k EUR/year

Page 56: - Webexpo 2010

Well, iPhone might not last forever. Web-services written for it will.

The key message

Page 57: - Webexpo 2010

Q&A

http://twitter.com/inmite