Looking for a Podcast Co-Host

I’ve been spending more time with my kids recently; 13 hours a day, 7 days a week to be precise. Consequently I’ve been spending lots of time thinking about kids, parenting, and family life.

Would anyone out there like to join me to co-host a podcast on these themes? It seems like it would be a fun endeavor, and there would never be any shortage of topics. Contact me if you’re interested.

iPhone Remote Control

This video shows some work I did back in the iOS 6 era. It demonstrates full remote control of an unjailbroken iPhone. I used undocumented private APIs and other trickery to achieve this. Note that it even allows control of the physical buttons.

No, this was never shipped to the App Store.

Apple Pay for In-App Purchases

In Tuesday’s keynote, Apple announced Apple Pay, an NFC-based payment solution for the iPhone and Apple Watch. From what I saw in the keynote, it looked to be just for retail POS transactions.

However, the first sentence in Getting Started with Apple Pay indicates otherwise.

Apple Pay provides an easy and secure way for users to buy physical goods and services in your app

So this would mean that I could use Apple Pay, via PassKit, for credit card purchases in Hipstamail, and I would not incur the fee currently charged by Stripe. Hooray?

But after considering the following, I’ve decided to stick with Stripe.

  • PassKit is not available on OS X, so I couldn’t use it in Hipstamail for the Mac.
  • To use Apple Pay via PassKit, you have to sign up for a payment processor and register a merchant identifier, which looks to be a hassle.

Password-Less User Authentication

I’m what you might call a client-side iOS programmer, but for my latest project I’ve decided to roll my own backend. I’ve been thinking about the authentication flow that will be needed. I don’t want users to remember usernames/passwords, and I don’t really want to have to keep track of them.

Currently, for development, the backend just checks for a single unique token that the client must send with all requests. (Assume that I’m using SSL Pinning to ensure that I’m not connecting to a man in the middle.) This is okay when the app is just on my phone, but I can’t very well ship the app with the token embedded. Even if it’s obfuscated, there’s no guaranteed way to prevent someone from unearthing the token and making rogue API requests. And by rogue API request, I mean any API request that’s not a result of normal use of the app.

It really wouldn’t be the end of the world if this happened. The only consequences I can think of are my database filling up with junk, or maybe someone could try to brute force their way into getting some semi-sensitive data out of the API.

So anyway, I’d like to have some per-user, or per-device, token that I can use to authenticate API requests. I’m thinking of trying the following password-less approach:

  1. User is prompted to enter an email to sign up for an account. At this time, a unique token is generated and sent to the API along with the email address. Token is stored in the keychain on the device.
  2. User is prompted to check his email to continue. Offer a button to open Mail.app, GMail.app, or another mail app that’s been detected.
  3. Meanwhile, at the backend, an email is generated with a unique URL and sent to the user. Tapping this link will whitelist the token generated in (1), and kick the user back into the app.
  4. From now on, whenever the app becomes active, it queries the API to test if the token is whitelisted. If a good token is not found in the keychain, then the app can go through the flow again to generate one. And this would give me a mechanism for blocking a token or email address that is acting suspiciously.

So this would let the app authenticate with the API without the need for a password. The downside is that the user will have to go through this flow on every new device. Perhaps I could store the token in iCloud to avoid that problem.

Questions:

  • Is this a horrible idea? Could I somehow achieve this with OAuth?
  • Does it matter if the token is generated client-side or server-side?
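The server side of the flow above, as an added example that is not code from the original post: the device token stays pending until the emailed link is opened, the link is single use and expires, and only hashes of both secrets are stored. The names Store, SignUp, Confirm and Allowed, the in-memory maps and the 15-minute link lifetime are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

type signup struct { // a device token waiting for its emailed link
	email   string
	device  [32]byte
	expires time.Time
}

type Store struct { // holds only SHA-256 hashes of secrets; not concurrency-safe
	pending map[[32]byte]signup // hash of link secret -> sign-up
	allowed map[[32]byte]string // hash of device token -> email
}

func NewStore() *Store { return &Store{map[[32]byte]signup{}, map[[32]byte]string{}} }
func hash(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// SignUp records the token as pending and returns the secret to email as a link.
func (s *Store) SignUp(email, deviceToken string, now time.Time) string {
	b := make([]byte, 32) // 256 bits from the OS CSPRNG
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	link := fmt.Sprintf("%x", b)
	s.pending[hash(link)] = signup{email, hash(deviceToken), now.Add(15 * time.Minute)}
	return link
}

// Confirm whitelists the device token; the link is single use and expires.
func (s *Store) Confirm(link string, now time.Time) bool {
	p, ok := s.pending[hash(link)]
	delete(s.pending, hash(link))
	if ok = ok && now.Before(p.expires); ok {
		s.allowed[p.device] = p.email
	}
	return ok
}

func (s *Store) Allowed(tok string) bool { return s.allowed[hash(tok)] != "" } // app-active check

func main() {
	s, dev, now := NewStore(), "constructed-device-token", time.Now()
	fmt.Println(s.Confirm(s.SignUp("user@example.com", dev, now), now), s.Allowed(dev))
}
```

Because the allowed map records the email for each token hash, blocking an address means deleting its entries.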

Worth It

It’s 8pm. The kids are asleep, and I just sat down at my desk to begin my day’s “work.” But I am so physically and mentally exhausted that instead I’m going to write this post and then go to sleep.

Where did my energy go? Well, today I cooked three meals for four people, taught “preschool” for two hours, took the kids for their annual doctor’s checkup, washed and put away two loads of laundry, played kickball in the street with the neighborhood kids, cleaned the kitchen three times, read stories for half the afternoon, bath time, bed time, Lego time, nap time, dinner time…

Being a stay-at-home parent is hard work. I have to actually listen to my kids and stay engaged. I have to put away my phone and interact with them. If I can’t keep up, challenging and stimulating them with new activities and experiences, then they get bored and ask to watch TV.

Today I calmly and quickly defused a tantrum that, only two months ago, would have probably thrown me for a loop. I might even have gotten mad and raised my voice. Instead, I now have the mental and emotional energy to do better.

Oh, and it’s been several days since the kids have even asked to watch TV.

So what’s my response when asked about my decision to quit my job and become a full-time dad?

“Worth It.”

Ancient Photo from My First Job

Last night I was prepping my Aperture library for the upcoming move to Yosemite. I ran across this photo from my first job.

PET/SPECT in Amsterdam

I was in Amsterdam at Vrije Universiteit, helping install this PET/SPECT camera. I wrote the gantry control software and the UI pictured on that screen.

Cass Scenic Railroad

Last weekend I took my family to Cass Railroad to ride some steam engines.

Cass is a small town in the mountains of West Virginia. Formerly a company logging town, Cass offers a chance for a relaxing weekend getaway. And free from the burdens of broadband and cellular reception, you can be sure that your enjoyment of the trains will never be interrupted by blips and boops from your smartphone.

If you have a young child that loves trains, I highly recommend it.

Riding the #11

Click through for the full album.

A New Chapter

A few weeks ago I announced that I have departed Bomgar to work on my own projects and to spend more time with my family.

It was my privilege to work with the great team at Bomgar for almost 7 years. The job was challenging and rewarding, and I’m very proud of what we accomplished. Leaving is very bittersweet.

However, I’m excited about the future. I have a new product in the works that will launch on iPhone, iPad, and OS X, and I’m already writing a work estimate for what could be my first contract as a freelancer.

Most importantly, I believe that providing my children with a full-time parent will yield benefits in every corner of our lives for years to come. I expect to look back on this period of our lives and say with certitude that it was all worth it.

Building a Web Backend from Scratch

I built the backend for my last project on Heroku using Sinatra. It was great; I got to learn about Ruby and a new web framework and it was a very stable and fast API.

I’ve been thinking about what to use for my next project when I saw Marco’s Web Hosting for App Developers and the ensuing discussions among developers on Twitter. After giving it some thought I came to the conclusion that I could probably learn a lot by self-hosting the backend myself. Maybe I can even build something as stable and reliable as what I built on Heroku?

Rebuild, Rebuild, Rebuild

I made the decision up-front to script the entire process of building the server. This way, in the event of a network outage at Linode or in the unlikely event that my app comes under heavy load, I can add new servers in a matter of minutes.

My current scripts do the following:

  • Set up SSH keys and disable SSH password authentication.
  • Set up the firewall, leaving only ports for my application open.
  • Install git, postgres, golang, and other software used by my application.
  • Configure postgres and golang.
  • Check out the application code from my repository.
  • Configure it so that it automatically starts when the system reboots.

Did I miss anything?

Another thing that I do to make sure that my scripts are always in working order is to rebuild the server every time I make a substantial change to the script. Also, I completely rebuild the server every evening I sit down to work on it. This leaves me feeling pretty confident that I can quickly recover from a serious outage.

Now, you might have noticed that I mentioned golang above. I’d originally planned to use Flask, but as I already have some experience with Python, I chose Golang so that I can learn something new. The downside of this will be that Go isn’t as widely used, and I will be navigating uncharted water without the usual wealth of online sample code and SO Q&A. Still, my early impressions of Martini + Golang are very positive. I’m hopeful that I can get everything working without too much headache.

Next:

I need to set up automatic database backups. I’ll probably use a cron job that automatically sends raw backups to Amazon S3. Also, I’d like to support HTTPS for all API calls. Since I’m just building a web API for my own app, I can just be my own Certificate Authority and issue my own SSL certificates and keys. Any problem with that?

Have any comments or suggestions? Let me know.

Charting Dividend Reinvestment: AAPL

I recently wanted to see a graph of a particular stock assuming dividend reinvestment. This seems like it would be a common thing to do, but neither Google nor Yahoo’s finance sites appear to have the capability. After a bit of searching, I found a way to do it.

So here, I’ve plotted $AAPL over the past two years with and without dividend reinvestment. Note that $AAPL first paid a dividend in August of 2012, so it’s logical that the graph begins to diverge shortly after that. Currently the difference in return is about 4.3% over the two years.

You can fiddle with this graph yourself. Or, starting from scratch, do the following:

  1. Create a chart for AAPL
  2. Set the range (above I used 2 years)
  3. Set “Type” to Thin Line (optional)
  4. In both the Overlays and Indicators sections, click “Clear All”
  5. Under Indicators, create a Price/Performance indicator with parameter _AAPL and set “Position” to “Behind Price”.
  6. Click “Update”

Interestingly, stockcharts.com appears to assume dividend reinvestment by default, while Google Finance and Yahoo Finance do not.