

After a long hard day, it looks like I am all restored now. I was waiting to get some time on my hands to switch servers. My time with AWS has been bittersweet. Thanks to the sweet deal I was able to keep my website up for free for a good while (10 months?).

That said, I wouldn't really recommend that anyone go with their base EC2 server, which is obviously the only server you can get for free. I was constantly running out of RAM and the server would just shut down. There isn't even a SWAP partition, which really makes the server run on fumes!

I am getting much better pings now. I have had no outages, and the resource utilization is average as well. For now this looks to be the better choice.

Finally added the much-needed SSL certs to the site and we are running exclusively on HTTPS. Yay!


Ironed out a lot of CSS issues. There are still some I would like to fix, but I'm happy with the day's worth of effort!

Better pings, here I come!

This article was published on Microsoft and was quickly taken down. I thought you guys might like it.

At Connect(); in November, Microsoft is launching a preview of Visual Studio for Mac. This is an exciting development, evolving the mobile-centric Xamarin Studio IDE into a true mobile-first, cloud-first development tool for .NET and C#, and bringing the Visual Studio development experience to the Mac.

A New Member of the Visual Studio Family

At its heart, Visual Studio for Mac is a macOS counterpart of the Windows version of Visual Studio. If you enjoy the Visual Studio development experience, but need or want to use macOS, you should feel right at home. Its UX is inspired by Visual Studio, yet designed to look and feel like a native citizen of macOS. And like Visual Studio for Windows, it’s complemented by Visual Studio Code for times when you don’t need a full IDE, but want a lightweight yet rich standalone source editor.

Below the surface, Visual Studio for Mac also has a lot in common with its siblings in the Visual Studio family. Its IntelliSense and refactoring use the Roslyn Compiler Platform; its project system and build engine use MSBuild; and its source editor supports TextMate bundles. It uses the same debugger engines for Xamarin and .NET Core apps, and the same designers for Xamarin.iOS and Xamarin.Android.

Compatibility is a key focus of Visual Studio for Mac. Although it’s a new product and doesn’t support all of the Visual Studio project types, for those it does have in common it uses the same MSBuild solution and project format. If you have team members on macOS and Windows, or switch between the two OSes yourself, you can seamlessly share your projects across platforms. There’s no need for any conversion or migration.

Mobile-First, Cloud-First Development

The primary workloads supported by Visual Studio for Mac are native iOS, Android and Mac development via Xamarin, and server development via .NET Core with Azure integration. It gives you all the tools you need to develop the rich, native mobile app experiences that users expect today, and the cloud-based server back ends to power them.

It’s all powered by the C# language you know and love, with the latest C# 7 productivity enhancements. You get the performance of compiled code, the productivity of a modern type-safe language, access to the unique features of each platform, and a rich ecosystem of libraries and tools. You can use your existing experience across the mobile and cloud domains, sharing code between client and server. And with all your projects in one solution, you can take advantage of solution-wide cross-project refactoring and code navigation.

C# isn’t the only language supported in the Visual Studio for Mac preview. For the functional programmers among you, it includes excellent F# support, powered by the same F# compiler used in Visual Studio.

iOS, Android and Mac

With the fragmented mobile market today it’s important to be able to target a wide range of devices. Because it’s based on Xamarin Studio, Visual Studio for Mac has mature support for C#-based iOS, Android and Mac development with the Xamarin Platform. You can take advantage of your existing C# experience and libraries, and share common code across platforms, with full access to the native APIs so you can build a fast, polished native app experience.

For even greater code sharing, you can use the cross-platform Xamarin.Forms UI library, which provides a familiar XAML-based development environment that can target multiple platforms, including iOS, Android, macOS and the Universal Windows Platform (UWP)—though UWP development is currently only supported in Visual Studio—and maps to the native UI on each platform. When you need more control, you can mix and match Xamarin.Forms with direct access to the native toolkits. There’s a huge ecosystem of libraries available for Xamarin via NuGet, too, including platform-specific libraries, bindings to native code and portable .NET Standard libraries.

Like Visual Studio, Visual Studio for Mac has drag-and-drop designers for iOS and Android development that let you rapidly assemble and fine-tune your UI. For Xamarin.Forms, it has rich XAML IntelliSense and a side-by-side live preview, as Figure 1 shows. Both the designer and the live preview use a simulator to render your app exactly how it will appear on the device, and this even works for your custom controls.

Figure 1 The Xamarin.Forms XAML Live Preview

Cutting-Edge Cloud

Almost every mobile app is backed by a service, and Visual Studio for Mac makes it easy to develop your app’s service with its support for the latest ASP.NET Core Web development platform. ASP.NET Core runs on .NET Core, the latest evolution of the .NET Framework and runtime. It’s been tuned for blazingly fast performance, factored for small install sizes, and reimagined to run on Linux and macOS, as well as Windows.

.NET Core gives you a huge degree of flexibility in how and where you develop and deploy your server application, whether in your own datacenter or on a cloud platform such as Microsoft Azure. Because both .NET Core and Xamarin Platform are open source, you won’t have to worry about vendor lock-in.

The Visual Studio for Mac support for .NET Core projects also allows you to write .NET Standard libraries, the new way to share code across .NET platforms going forward. .NET Standard libraries replace Portable Class Libraries (PCLs) and offer a much broader API surface area. Because .NET Core and Xamarin Platform are .NET Standard-compliant, they’re a great way to share code, both within your solution and via the NuGet Package Manager.

A Familiar Workspace

The Visual Studio for Mac workspace should be familiar to existing Visual Studio developers. When you first open it, you see a Welcome Page with a list of recently opened solutions, a feed of developer news and other information to help you get started.

To create a new solution, go to the File menu and select New Project, and you’ll see the workspace containing your new solution. As you can see in Figure 2, there’s a central tabbed source editor with a number of other docked windows or “pads” around it, such as Solution, Output, Properties, Document Outline and Toolbox. Like Visual Studio, this layout is highly customizable and switches automatically, depending on whether you’re coding, debugging or using the drag-and-drop designer.

Figure 2 The Visual Studio for Mac Workspace

The toolbar is familiar, too, but has a few notable differences:

On the left is the Run button, a dropdown to select the Active Configuration, as well as dropdowns to select the Run Configuration and Target Device. For cross-platform mobile development, it’s important to be able to easily switch the device or simulator on which you’re testing or debugging your app. The Run Configuration is like the startup project in Visual Studio, except that in addition to switching which project runs, you can also create custom-named sets of run options.

In the center of the toolbar is a notification area, which shows messages about various operations, such as building or restoring NuGet packages. When there’s a running operation, a cancel button shows up in the notification area. This is also where notifications about software updates are displayed. You can click on some notifications, such as build errors, and they’ll bring up a pad with more information.

At the right of the toolbar is the global search. In addition to helping you find things like commands and files in your solution, its camelCase filtering system makes it an excellent way to quickly activate commands, or jump to files or types in your solution. It can even kick off a Find in Files search in your solution, or open the NuGet Package Manager to search for a package.

The Solution pad works much the same as the Solution Explorer in Visual Studio, letting you explore and manage the structure of your solution, your project and the files in it. The context menu gives you a range of context-specific commands on the items in the solution tree, such as adding or removing files from projects, editing project references, opening Terminal windows in folders, and building or debugging specific projects.

The Errors pad shows any build warnings and errors, and is also where you can find the build log output in a split view. Unlike Visual Studio, there isn’t a single unified pad for all kinds of output. For example, an Application Output pad shows the output from your app when you run or debug it, and logs from NuGet operations are shown in a NuGet Console pad. The Properties pad contextually shows properties of whatever is currently focused and selected, and can be used to view and change the build action of files in the solution pad.

In the center is the heart of the IDE, the source editor, which has all the features you’d expect from a member of the Visual Studio family. Figure 3 shows C# IntelliSense and syntax highlighting in a .NET Core project. There’s also code folding, live underlining of errors and suggestions as you type, configurable automatic formatting, code navigation commands and an array of powerful refactoring tools.

Figure 3 IntelliSense in a .NET Core Project

Not all of the editor’s functionality is enabled by default. You can tweak the Visual Studio for Mac settings in the Preferences dialog, which is accessible from its Mac application menu. This is equivalent to the Options dialog in the Visual Studio Tools menu, and contains plenty of options to help you customize the IDE to work the way you want.

Unit testing is supported using NUnit, and other test runners can be plugged in via extensions. The tests discovered in your assembly are shown in a Unit Tests pad that can be accessed from the View | Pads menu. There’s also git version control integrated right into the source editor, with a row of tabs along the bottom of the editor to access the current file’s log, diff and blame view.

If you’d like to get up to speed quickly with some more tips and tricks, I encourage you to watch my “Become a Xamarin Studio Expert” session from Xamarin Evolve 2016 ( as its content applies directly to Visual Studio for Mac.

Open Source Core

Like Xamarin Studio, Visual Studio for Mac is based on the open source MonoDevelop IDE, which is actively developed by Microsoft. It’s written entirely in C#, and has a rich extensibility model that you can use to add functionality ranging from simple editor commands to entirely new languages and project types. Even core features such as C# editing, Xamarin.iOS, Xamarin.Android and ASP.NET Core are implemented as extensions.

Like Visual Studio and Visual Studio Code, the C# support in Visual Studio for Mac is powered by the open source Roslyn Compiler Platform. You get the exact same IntelliSense experience you’re familiar with from Visual Studio, as well as support for in-editor live Analyzers and Code Fixes. Visual Studio for Mac even includes the Refactoring Essentials collection of Analyzers and Code Fixes by default.

Visual Studio for Mac supports editing a wide range of languages though the use of TextMate bundles, which provide syntax highlighting and simple IntelliSense. It includes a number of open source TextMate bundles from Visual Studio Code.

Creating an ASP.NET Core App

To show you how easy it is to get up to speed with Visual Studio for Mac, I'm going to walk through creating a simple ASP.NET Core back end. It's for a hypothetical "Shared To-do List" mobile app, which allows multiple users to add items, and all users see the items that any of them post.

Please note that I’m writing this article using a pre-release version of Visual Studio for Mac, and some details of the UI may change in the release. However, the approaches and concepts discussed in this article will still apply.

After installing and opening Visual Studio for Mac, I start by clicking on the New Solution button on the welcome page, which opens the New Project dialog. I navigate into the Cloud section, choose the ASP.NET Core Web Application template, and click Next, then choose the Web API template. The Web API template creates a RESTful Web service which is perfect for a mobile back end, though you can add views to the project later to create a Web front end.

Finally, I name my project HelloVSMac and click Create. Visual Studio for Mac creates the project using the dotnet templating engine, opens it and starts restoring the NuGet packages on which it depends. If you open the project file in the editor using the Tools | Edit File context menu on the project in the solution pad, you can see that it's a minimalistic MSBuild-based project file that's intended to be easy to understand. If you edit it directly and save it, the IDE will automatically reload your modified version.

Looking at the project in the solution pad, the key items are:

Packages: Your project’s NuGet package dependencies. ASP.NET Core, the .NET Core framework and the MSBuild targets that build the project are all installed via NuGet packages.

Program.cs: The entry point of your Web app. ASP.NET Core apps are programs, so there’s a Main method entry point that creates, builds and runs the WebHost at the heart of your app.

Startup.cs: Defines the Startup class that is passed to the WebHost. This class contains your application's initialization methods.

appsettings.json: Your app’s configuration settings. This is the ASP.NET Core equivalent of the ASP.NET web.config.

For the purposes of this walk-through, I'll leave these all as is, and look at the ValuesController.cs file in the Views folder. This contains a ValuesController class registered on the [Route("api/[controller]")] route. The [controller] token is a placeholder for the controller's name (the class name without the Controller suffix), so this is really the api/values route.

I’ll start by defining a very simple ToDoItem class and a ToDoList storage class. ToDoList is static so it can be shared among requests. In a real app you’d use a database for this, but it will do for now. I also rename the controller class to ToDoController (which makes the route api/todo), connect the Get and Post methods to the store, and clear out the other unused controller methods. The result can be seen in Figure 4.

Figure 4 The Controller and Its Simple Shared To-Do List Storage

This is now a complete, but very small, RESTful Web service. Let’s try it out.
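The controller and its shared storage, written out here as an added example rather than the code from Figure 4 (the HelloVSMac namespace, the Title and Created properties, the lock around the static list and the input checks are my own choices, not the article's):

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;

namespace HelloVSMac.Controllers
{
    // A single to-do entry. Title is the only field the client supplies;
    // Created is stamped by the server so a client cannot forge it.
    public class ToDoItem
    {
        public string Title { get; set; }
        public DateTime Created { get; set; }
    }

    // In-memory store shared by every request (static, as the article says).
    // Kestrel serves requests concurrently, so access must be guarded by a
    // lock; a real app would use a database instead.
    public static class ToDoList
    {
        private static readonly List<ToDoItem> Items = new List<ToDoItem>();
        private static readonly object Sync = new object();

        public static ToDoItem[] GetAll()
        {
            // Return a snapshot, never the live list, so callers cannot
            // mutate shared state outside the lock.
            lock (Sync) { return Items.ToArray(); }
        }

        public static void Add(ToDoItem item)
        {
            lock (Sync) { Items.Add(item); }
        }
    }

    // [controller] expands to "ToDo", so this handles /api/todo.
    [Route("api/[controller]")]
    public class ToDoController : Controller
    {
        // GET /api/todo -> JSON array of every item any user has posted.
        [HttpGet]
        public IEnumerable<ToDoItem> Get() => ToDoList.GetAll();

        // POST /api/todo with a JSON body such as {"title":"Buy milk"},
        // e.g. from the Terminal (illustrative, not the article's command):
        //   curl -H "Content-Type: application/json" \
        //        -d '{"title":"Buy milk"}' http://localhost:5000/api/todo
        [HttpPost]
        public IActionResult Post([FromBody] ToDoItem item)
        {
            // Model binding yields null for a missing or unparseable body.
            if (item == null || string.IsNullOrWhiteSpace(item.Title))
                return BadRequest("A non-empty title is required.");

            // Bound what an unauthenticated, shared endpoint will store.
            if (item.Title.Length > 200)
                return BadRequest("Title is too long.");

            item.Created = DateTime.UtcNow;
            ToDoList.Add(item);
            return Ok(item);
        }
    }
}
```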

I place a breakpoint in the Post method, and start debugging the app. The Output pad starts to show the output from the ASP.NET Core built-in Kestrel Web server as the app starts up, by default on port 5000, but it won't do anything else until it receives a request. You can open your Web browser and check, but it'll just be an empty array.

Figure 5 Debugging a .NET Core Project

Because there isn’t a mobile client for this service yet, it’s time to open the macOS Terminal app and use curl to send a POST request to the app:

This triggers the breakpoint in the debugger. You can inspect the value that has automatically been parsed from the JSON body of the request and converted into the ToDoItem object. You can see that Visual Studio for Mac automatically entered the debugging layout, and has all the debugger pads you’d expect: Stack, Locals, Threads, Breakpoints and so on.

Now, go back to the terminal and use curl to access the Get method, and you’ll see the JSON array containing the item that was added:

The next step is to build the mobile app, but I’ll let you explore that yourself. For more in-depth information on ASP.NET Core, I recommend checking out, and if you’d like to learn more about Xamarin development, there’s plenty of great material at Although there isn’t much documentation on Visual Studio for Mac yet, the Xamarin Studio documentation applies directly in most cases, and Visual Studio documentation is often applicable, too.

Wrapping Up

I hope this brief overview has whetted your appetite to try Visual Studio for Mac and make it your macOS IDE of choice for cloud and mobile development! If you have a Mac I encourage you to download the preview from, give it a spin, and let us know how you like it. We’re excited to hear your feedback to help guide it through the preview and beyond.



Have you ever had a reference book that you HAD to keep near you? This list of must-have books is required reading and should always be within your reach.

Top 10 Books Every .NET Developer Should Own

Everyone at one time or another has reached for that specific book to find out how that one design pattern works or just needed it as a refresher on how to do that one routine better.

When you grow in your career, you start to notice that tutorial books don’t line your bookshelf anymore. Nor do you own “how to code in ASP.NET in 5 minutes.” Coding becomes easier. As I’ve said before, a language is a language is a language.

These books are a testament to the authors' experience. It just goes to show you that the books I list below are exceptional in every way and have stood the test of time in the lines of development and design.

My post about What Books are Within Your Reach? was dated in 2010 and you know what?

To this day, a majority of those books are still within my reach and quite valuable. They never accumulate dust.

Now I know what some people are saying. You have the Internet at your fingertips, why not use that? While the Internet is a great resource, there is something to be said for a solid book that I KNOW has the answers (and sometimes more) within arm's reach. I'm not saying all material on the Internet is bad, but it does take time to research that topic. Having gone through these books and trusting the material, I feel more comfortable reaching for one of the following books/authors.

My preference in book publishers is the Addison-Wesley Signature Series, Apress, and O'Reilly. In That Order.

On with the list!

  1. Patterns of Enterprise Application Architecture By Martin Fowler

    It’s true that this book is a little pricey, but Mr. Fowler has put his experience and knowledge into enterprise application development and this book is an exceptional mark of that programming experience.

    On the inside cover of the book, they provide you with a list of programming thoughts and then provide you with a pattern to apply to that thought. It’s kind of like trying to remember the name of that song and all you have is a lyric.

    A quarter of the book gives an intro on layering, organizing domain logic, sessions, concurrency, and mapping to databases. During each of these sections they discuss a topic and use a number to refer to the pattern used in the book. These pattern numbers are in the remaining 3/4 of the book and I’ve used this strictly as reference when needed.

    Most of the Addison-Wesley Signature Series books have this format, which I absolutely love. This is what sets the Addison-Wesley Signature Series apart from the other publishers. The book provides you with an intro, a description of a pattern, and a reference number to the pattern in the book. When finished reading it, you have the black tabs on the book to use when you have a particular pattern in question.

    A number of patterns are listed in the inside front cover. Most of the patterns are used today in the corporate world. On the back inside cover is a cheat sheet that helps with picking the right pattern for your particular approach.

  2. Refactoring: Improving the Design of Existing Code By Martin Fowler, Kent Beck, John Brant, William Opdyke, and Don Roberts

    The functionality of ReSharper is based on this book. For those not knowing about ReSharper, it’s a Visual Studio extension that gives developers a significant boost in productivity by assisting with refactoring their code with confidence.

    Just like Patterns of Enterprise Application Architecture, this book goes over the basics of taking your code from spaghetti to lasagna (wait…is that better?). The first part of the book discusses “bad code smells”, how to identify bad code, and ways to fix it. Such refactorings include Long Methods, Large Class, Long Parameter List, Duplicated Code, and Switch statements to name a few.

    The code examples in the book are either Java or .NET or both and are extremely clear to understand each refactoring concept.

  3. Refactoring to Patterns By Joshua Kerievsky

    After you read the two books above, make sure you add this one to the list as well. If you thought both books were extremely valuable, then I highly recommend this book because it combines enterprise patterns with refactoring.

    For example, let’s say you have a huge if..then..else from hell. One refactoring called Replace Conditional Logic with Strategy Pattern takes the if..then..else and makes classes out of them while creating an abstract pattern to handle the heavy lifting.

    This is just one of the many great refactorings in this book.

  4. The Design of Sites: Patterns for Creating Winning Web Sites (2nd Edition) by Douglas K. van Duyne, James A. Landay, and Jason I. Hong

    You may be wondering why I’m recommending this “design” book to developers. I’ve always been of the mindset that designers are developers and vice-versa. You always need a good understanding of CSS and JavaScript/jQuery/Angular to build websites along with knowing what happens on the backend when someone clicks Submit.

    This book provides a catalog of “design patterns” for building websites. If you are looking for an ecommerce site, here are the components you need to make it successful to your audience.

    It’s basically a catalog of website standards that I use as a basic checklist for building sites from scratch and I also use it as a reference for evaluating the design of existing websites.

  5. Microsoft .NET – Architecting Applications for the Enterprise (2nd Edition) (Developer Reference) By Dino Esposito and Andrea Saltarello

    I know I’ve discussed enterprise patterns with the Patterns of Enterprise Application Architecture book above, but this is geared more towards a .NET readership.

    The book is broken down into the following categories: Design Patterns and what is a design pattern; The Business Layer; The Service Layer; The Data Access Layer; and the Presentation Layer.

    If you’ve been coding with .NET in a corporate environment for a while, this may be the only book in the list that I suggest you pass on and purchase any one of the other books.

  6. Don’t Make Me Think, Revisited: A Common Sense Approach to Web Usability (3rd Edition) (Voices That Matter) By Steve Krug

    This is another design book that every developer should read. It includes a number of different ways of looking at things when it comes to usability. When I was reading this book, each chapter gave me a different perspective on how to design a web page to get the most efficient use for my audience.

    Also, the book is doing extremely well because they are on the 3rd edition.

  7. Information Dashboard Design: The Effective Visual Communication of Data By Stephen Few

    If you’ve ever built dashboards in your experience, you’ll find this book very helpful. I’ve used it to develop 3 dashboards in my career and they seem to be getting easier and easier. 😉

    If you would like a better review of this book, check the post titled Book Review: Information Dashboard Design.

  8. Design Patterns in C# By Steven John Metsker

    Just as the Design Patterns book from the Gang of Four was a masterpiece, this book focuses on design patterns from the viewpoint of C# developers. It covers the original 23 patterns including Singleton, Strategy, Flyweight, Factory, and others.

    This is one of those fundamental books that should be used in colleges.

  9. Any O’Reilly Pocket References

    The O’Reilly Pocket References books provide a lot of critical information in one small package. I currently have and use the following pocket reference books: jQuery, JavaScript, SQL Pocket Guide, and Regular Expression.

    The funny thing about these pocket references is that I’ve had web professionals come over and borrow them for a couple of days when the Internet was at their fingertips.

    That tells me how much these pocket references are worth.

  10. The Clean Coder: A Code of Conduct for Professional Programmers (Robert C. Martin Series) By Robert C. Martin

    Everyone knows “Uncle Bob.” His coding experience is also apparent in this book. He covers Saying Yes, Saying No, TDD, Professionalism, Tooling, Craftsmanship, Mentoring, and Pressure just to mention a couple of chapters.

    It’s more of a combination of programming philosophies, how to handle your programming career, and how to write code properly.

So I have been meaning to write this up about using RRO vs CM's theme engine, so let's provide some back history and then explain how both systems work.
Overlays have been supported in Android for a very long time.
Actually, all the device trees in the Android source code work via overlays (now known as static overlays); developers are very familiar with these because we use them all the time.

Overlays work on the concept of swapping out Android's resources for the purpose of making things specific to a device. Runtime resource overlays have actually been in Android since about the Gingerbread days and are actually what the theme engine is based on.

CM uses overlays to provide themes, but at the time of the inception of the theme engine there was not a simple way to have overlays be swappable. So what did CM do? They decided to port aapt (Android Asset Packaging Tool) onto the device so they could modify an app's assets (resources) in real time, but at the cost of modifying the actual app. (This is a major security hole in itself.)

Sony decided to replicate this behavior for their Xperia themes and submitted it to AOSP, and they got shot down because of the possible security implications of using aapt on the device.

So Sony, intent on having swappable themes, worked with Google to devise the current implementation of RRO, which provides a much more secure way of going about it.

They modified the asset manager to accept APKs containing just resources, map out the ID of each resource in Android, and then overlay the modified resources at runtime, so those resources map onto the RRO's changed or new resources and act as if they were always part of those resources, but only as long as that APK is there and loaded into the system.

With this system, it provides security because the system is already given permission but is still confined within all of Android, but it is also powerful because new resources can be made to add features, translations and so forth very quickly (OEMs are actually using it now to prototype).

With this system in place, the code was merged into AOSP for Lollipop. Unfortunately, with Google keeping the Lollipop source mostly hidden, nobody realized that it broke in the process until 5.0 was already out, and Sony quickly patched it in AOSP for the next release (the 5 commits that need to be cherry-picked for RRO to work properly).

This means that future stock builds of Android have this native theme engine built into them, and Sony, Samsung and HTC are actually already using it (rumor is this already works in GPE Sony and Samsung Lollipop builds), so it makes sense for the community to embrace it and build on it as our own project.

CM, though, instead of embracing RRO (maybe they didn't know about it), ported their legacy theme engine code up with a lot of effort instead of looking for a new way: 13,000+ lines of code instead of probably about 200 lines of code to adapt the theme engine onto what was already there, so there is a ton of redundant code, which is completely ridiculous.

Now, unfortunately, because CM completely disregarded the native theme engine, they caused conflicts with it and AOSP code.

Now the problem we are seeing is that, since RRO and our own project here to work with it and make it more extensible is an infant project just starting out, it is a bit unknown how powerful it is, and the fact that it does the same exact thing as the theme engine is the downfall while we are still tuning it.

This is causing a bit of a split in the community because most people know the CM theme engine, as it has been around for years and everyone in the community knows it, so ROMs (even ones that are supposed to be purely AOSP based) are at a crossroads: the demand for themes is very high and the pressure on them to add the CM theme engine is high, even though it caused issues in KitKat.

I discovered RRO while I was looking for ways to add code without hard-coding it into my source code for frank, and started discussing implementing this with brian gill, Reinhard/bitstra and aldy, and the benefit it would have for the community, not just for ROMs but for stock Android firmware, so this project was born.

The goal is still adding features without hard-coding tons of fragile code, but we saw the demand for themes is high, so we have been focusing on that.

The overlay manager and methods that we are creating will become open source once we fine-tune them and create simple ways for users and themers/developers to work with them easily, so it feels like native functionality and something the community can adopt and be proud of.


Apps for mobile devices like tablets and smartphones are increasingly replacing traditional desktops and notebooks for internet-based services. For a large number of apps in the various app stores it is almost always mandatory for users to authenticate against the app (to use the services the app provides). This often raises the question of how to store the username and password securely on the device. The easy answer: unfortunately, it is not possible. A Keychain to store sensitive data securely has been offered by iOS since version 2.0 and by Android since version 4.0, but you should keep in mind that it is still possible to read all the values stored there.

The problem:

Since the Keychain on Android was introduced in version 4.0 and apps often have to support older versions, the only possibility is to use the integrated AccountManager or the Shared Preferences folder, which every app has. On iOS you can use the Keychain without hesitation. It is also possible to save information within the app's folder structure (preferences files or an SQLite database).
The Keychain on both systems has protection against unauthorized access, but both systems are Linux/Unix-based and they share a user who has access to everything: root. By using a root exploit it is possible to read all stored secrets on a mobile device. Since Android suffers from a complicated update policy, this is much easier to achieve there: according to the current statistics [1], 9.6% of Android devices are still running the old versions Froyo and Gingerbread (2.2 – 2.3.7), 33.9% are running KitKat (4.4), and the newest version, Lollipop (5.0), isn't even mentioned. Especially the devices with Gingerbread and Froyo won't get any further updates to fix security vulnerabilities. On iOS it is often argued that there are no root exploits, but the jailbreak community has found and published one for every single version. Currently team TaiG has found one for the newest iOS version, 8.1.1; for iOS 8.0 team Pangu published one, and for iOS 7 it was the evasi0n team. A root exploit for iOS sells on the black market for $500,000 to $1,000,000 [2]. Public authorities like the NSA are willing to pay such an amount. Nevertheless, the fact that exploits aren't publicly available does not necessarily mean that there are none.
Let’s have a quick look at the Keychains:

iOS:

The Keychain file itself (keychain-2.db) is protected with the device key, which can be obtained through a jailbreak / root exploit. Every entry is encrypted with the passcode key. When the device is unlocked, the user's passcode is run through many iterations of a modified PBKDF2 (Password-Based Key Derivation Function 2) algorithm (AES with the UID key) to generate the passcode key. This key is held in memory until the device is locked. A lot of users use just a 4-digit PIN, which makes it easy to brute-force (the average time is about 15 minutes). Hopefully this gets better with the new Touch ID feature, introduced with the iPhone 5S.

Android:

Each Keychain entry is encrypted with a 128-bit AES master key in CBC mode. The master key is a 128-bit key created by reading from /dev/urandom. It is encrypted with a hash of the user's lock screen password, created with the PBKDF2 function from the SSL library (until Android 4.3.x). Since Android 4.4 (KitKat), the PBKDF2 key derivation function (KDF) has been replaced with scrypt [3].

The solution:

The question for an app developer now is: how can you make sure that customers can use the app with all its features without storing the password on the device? The solution: a token-based approach like OAuth 2.0 [4]. During the first start-up of the app, the customer has to provide their username and password once. Afterwards, the app receives a token from the server, which is used for authentication from then on. This token can be stored encrypted in the Keychain. The advantage of this approach is that if an attacker gets access to the device or records the token via a Man-in-the-Middle attack, they only obtain a restricted token that is usable only for certain use cases (like viewing some content, synchronising contacts and so on). They won't obtain the password for an email account or perhaps a bank account. Tokens also have the advantage that they can be revoked and are only valid for a certain time.


Currently there is no practical way to store a password safely on a mobile device. Only the token-based approach is helpful here.