Eric Maxwell, profile picture
Uploaded byEric Maxwell
PDF, PPTX7,606 views

Data Synchronization Patterns in Mobile Application Design

The document provides an overview of data synchronization patterns in mobile application design, focusing on data formats, protocols, security, and privacy. It discusses the efficiency of synchronization methods, examples of ecosystems (open vs. closed), and the importance of security measures like authentication and authorization, including OAuth 2.0 flows. Additionally, it offers practical implementation insights through API examples and security practices.

Embed presentation

Download as PDF, PPTX
Data Synchronization Patterns in Mobile Application Design Eric Maxwell Credible Software
What to Expect Synchronizing Data Data Format & Protocol Efficiency Security • Privacy • Integrity & Trust • Authentication • Authorization
Example App • Paid subscription application • Ohio’s Premier Events • Users can see events but not update • Admin can update events
Android Client Login Register Find Events
iOS Client Login Register Find Events
Data Format & Protocol Choice Synchronizing Data Data Format & Protocol
Open Ecosystem • Exposing resources to public 3rd party clients (ex. Facebook)
Closed Ecosystem • Exposing resources to clients that you also control
Which approach is best?
Key Questions • What do existing systems & data look like in my organization? • Is it vitally important that I have transaction management across various service calls? • Do I have any other security, service discovery, delivery reliability requirements? • How important is bandwidth? • Are most of my clients & servers speaking the same language?
RPC vs SOAP vs REST https://dzone.com/articles/api-best-practices-plan-your
Examples https://myrestservice.com/api/events/37/registrations/128
Examples https://myrestservice.com/api/events/37/registrations/128 URI
Examples https://myrestservice.com/api/events/37/registrations/128 Nouns
Examples https://myrestservice.com/api/events/37/registrations/128 Nouns Verbs tell what we are doing
Examples https://myrestservice.com/api/events/37/registrations/128 Depends on the verb HTTP METHOD (verb) ACTION GET Get registration 128 that belongs to event 37 POST Create a new registration for event 37 (in this case the 128 would be omitted) PUT Update registration 128 with new data DELETE Delete registration 128
Searching /api/events HTTP GET /api/events?type=conference Find All Find All Events of type ‘conference’
What we’ve Covered Synchronizing Data Data Format & Protocol
Efficiency Synchronizing Data Data Format & Protocol Efficiency
Always use compression As simple as adding the following to your application.yml server:
 tomcat:
 compression: on
 compressableMimeTypes: application/json,application/xml,text/html,text/xml,text/plain And saves you exponentially in data transfer with JSON.
Searching /api/events HTTP GET /api/events?type=conference Find All Find All Events of type ‘conference’ What if we want only want new Events since the last fetch?
Synchronization Tokens /api/events?after=b72cef Find All Events after this ‘token’ Sync tokens act as a bookmark for new fetches
Synchronization Tokens in Action 1. HTTP GET /api/events?after=
Synchronization Tokens in Action 1. HTTP GET /api/events?after= 2. Server Responds with all events & token
Synchronization Tokens in Action 1. HTTP GET /api/events?after= 2. Server Responds with all events & token 3. HTTP GET /api/events?after=MToxN
Synchronization Tokens in Action 1. HTTP GET /api/events?after= 4. Server Responds with events after token 2. Server Responds with all events & token 3. HTTP GET /api/events?after=MToxN
Client Perspective • Unaware of Token Meaning • Knows how to use the token
Client Perspective • Unaware of Token Meaning • Knows how to use the token
Server Perspective • Stateless & Client Agnostic • If Client Sends Token • I know how to interpret • I know how to create tokens
Server Perspective • Stateless & Client Agnostic • If Client Sends Token • I know how to interpret • I know how to create tokens
Token Creation (our example) 1:1449354972621 base 64 encoded to MToxNDQ5MzU0OTcyNjIx Token Version Last Event Result Creation Date id summary other columns date_created 123 Codemash … 2016-01-05T08:00:00Z
What we’ve covered Synchronizing Data Data Format & Protocol Efficiency
Security Synchronizing Data Data Format & Protocol Efficiency Security • Privacy • Integrity & Trust
HTTPS - Server SSL Scenario Goals • Clients want to know they’re talking to the real server • Data transferred must be kept secret
HTTPS Overview 1. Client requests protected resource 2. Server presents certificate 3. Is this certificate valid, do I trust it? 5. Subsequent messages are encrypted/decrypted at 
 each end using an agreed symmetric algorithm and key. 4. Client & Server complete SSL handshaking process
HTTPS - Mutual SSL Scenario Goals • Clients want to know they’re talking to the real server • Data transferred must be kept secret • Server wants to know they’re talking to a valid client and user.
HTTPS Overview 1. Client requests protected resource 2. Server presents certificate 3. Is this certificate valid, do I trust it? 5. Subsequent messages are encrypted/decrypted at 
 each end using an agreed symmetric algorithm and key. 4. Client & Server complete SSL handshaking process
HTTPS - Mutual SSL Overview 1. Client requests protected resource 2. Server presents certificate 3. Is this certificate valid, do I trust it? 7. Subsequent messages are encrypted/decrypted at 
 each end using an agreed symmetric algorithm and key. 6. Client & Server complete SSL handshaking process 5. Is this certificate valid, do I trust it? 4. Client presents certificate
What we Covered Synchronizing Data Data Format & Protocol Efficiency Security • Privacy • Integrity & Trust • Authentication • Authorization
Authentication Basic Auth • Username:Password concatenated with a :
 Base 64 Encoded and put into Header like this…
 
 Authorization: Basic dGVzdFVzZXI6bXlQYXNz
Authentication Client Certificate • Client issued an SSL Certificates which can contain user identifiable information. • Clients send this certificate information to the server which then validates it against a list of trusted client certs.
Authorization • User - What does the user have access to do. • Application - What information does the user want to share with us or allow us to do on their behalf
User Authorization w/ Roles Users mapped to Roles @RolesAllowed(["ROLE_CLIENT"])
 class EventController { ... @RolesAllowed([“ROLE_ADMIN"]) void save() {} ... } Resources Secured by Role
Authorization • User - What does the user have access to do. • Application - What information does the user want to share with us or allow us to do on their behalf
Application Authorization w/ OAuth 2.0 OAUTH 2.0 3rd Party Application (e.g. Shutterfly) Facebook 1. User signs up with Shutterfly 2. Shutterfly gives user option to load their FB photos. 3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login. 4. User decides to do this, so they click a button during Shutterfly registration. 5. User is sent to FB to authenticate and authorize Shutterfly to access their photos. 6. User is sent back to Shutterfly and Shutterfly can now access those photos. User
Application Authorization w/ OAuth 2.0 OAUTH 2.0 3rd Party Application (e.g. Shutterfly) Facebook 1. User signs up with Shutterfly 2. Shutterfly gives user option to load their FB photos. 3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login. 4. User decides to do this, so they click a button during Shutterfly registration. 5. User is sent to FB to authenticate and authorize Shutterfly to access their photos. 6. User is sent back to Shutterfly and Shutterfly can now access those photos. User
Application Authorization w/ OAuth 2.0 OAUTH 2.0 3rd Party Application (e.g. Shutterfly) Facebook 1. User signs up with Shutterfly 2. Shutterfly gives user option to load their FB photos. 3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login. 4. User decides to do this, so they click a button during Shutterfly registration. 5. User is sent to FB to authenticate and authorize Shutterfly to access their photos. 6. User is sent back to Shutterfly and Shutterfly can now access those photos. User
Application Authorization w/ OAuth 2.0 OAUTH 2.0 3rd Party Application (e.g. Shutterfly) Facebook 1. User signs up with Shutterfly 2. Shutterfly gives user option to load their FB photos. 3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login. 4. User decides to do this, so they click a button during Shutterfly registration. 5. User is sent to FB to authenticate and authorize Shutterfly to access their photos. 6. User is sent back to Shutterfly and Shutterfly can now access those photos. User
Actor Roles • Resource Owner - Owner of the data (e.g. user) • Resource Server - Server which has the resource owners data. • Client - The application or service which wants to access the resource owners data. • Authorization Server - The server which authorizes access to the protected resources after the owner has authenticated given consent. • Identity Provider (IDP) - When OAuth 2 is used for authentication, the identity provider validates user credentials
Shutterfly Example Actors Client ex Shutterfly Resource Server Authorization Server Identity Provider ex. Facebook Resource Owner ex. User
Shutterfly Example - Registration Client ex Shutterfly Resource Server Authorization Server Identity Provider ex. Facebook1. Register 2. Client Id & Secret sent to client
Key Terms • Client Id & Client Secret - Given to the client upon registering with the authorization server • Access Token - Created by the authorization server after the resource owner has authenticated and given permission for the client to access their data • Scope - Defined by the resource server, it indicates what the client is authorized to do on the users behalf. It’s associated with an access token
 (ex: public_profile, publish_actions) • Grant Type - Different ways to get an access token. This will often guide the flow or interaction between the actors
Grant Types • Authorization Code - Optimized for web clients which can maintain the confidentiality of their client secret • Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps, running in a browser. • Client Credentials - Provides application level (non user specific) access to the resource server. • Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop for example.
Grant Types • Authorization Code - Optimized for web clients which can maintain the confidentiality of their client secret • Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps, running in a browser. • Client Credentials - Provides application level (non user specific) access to the resource server. • Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop for example.
Grant Types • Authorization Code - Optimized for web clients which can maintain the confidentiality of their client secret • Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps, running in a browser. • Client Credentials - Provides application level (non user specific) access to the resource server. • Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop for example.
Grant Types • Authorization Code - Optimized for web clients which can maintain the confidentiality of their client secret • Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps, running in a browser. • Client Credentials - Provides application level (non user specific) access to the resource server. • Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop for example.
Resource Owner Password Credentials Grant Authorization Server Identity Provider Resource Server ex Facebookex Shutterfly 1. Request access token for user with: 1. client_id / secret 2. username, password 2. Access token 4. Access token 5. Resources Client
Example Application
Android Client Login Register Find Events
Resource Owner Password Credentials Grant Authorization Server Identity Provider Resource Server ex Facebookex Shutterfly 1. Request access token for user with: 1. client_id / secret 2. username, password 2. Access token 4. Access token 5. Resources Client
Resource Owner Password Credentials Grant Authorization Server Identity Provider Resource Server Client Event ServiceEvent Client App Authenticate Access Resources w/ Token
Event API URI Method Body (JSON) Response /register POST Registration Cmd Registration Cmd /login POST Login Cmd OAuth Token /events/{id} GET n/a Event /events POST Event n/a /events[?syncToken=token] GET n/a List<Event>
Event API URI Method Body (JSON) Response /register POST Registration Cmd Registration Cmd /login POST Login Cmd OAuth Token /events/{id} GET n/a Event /events POST Event n/a /events[?syncToken=token] GET n/a List<Event>
Login • User login to get a token POST https://localhost:8443/login Content-Type: application/json { "username": "joec123", "password": “secretPassword” } 1. Send an /oauth/token request with the appropriate information for a grant_type of password
Token Via Resource Owner Password Credentials • User Specific Access Token { "access_token": "54642d51-1fea-4309-a245-dcc43ffd57ac", "token_type": "bearer", "expires_in": 25222, "scope": "read write" } Success Failure { "timestamp": 1449367453794, "status": 401, "error": "Unauthorized", "message": "Bad credentials", "path": "/oauth/token" } POST https://localhost:8443/oauth/token Authorization: Basic MDgyNDBiNGQtMDlmOS00NGZiLTg4ZjUtM2Q2ODIxZmUyOTIzOjZmMjMxMTA1LWZhZDQtNGFhNC05NTgxLTE4ZDVmNDhlYzgxMA== Accept: application/json Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded username=joec123 password=secretPassword grant_type=password scope=read+write Where the Basic Auth token is comprised of the client_id <== Username client_secret <== Password
Login • User login to get a token HTTP 200 - Ok { "access_token": "54642d51-1fea-4309-a245-dcc43ffd57ac", "token_type": "bearer", "expires_in": 25222, "scope": "read write" } POST https://localhost:8443/login Content-Type: application/json { "username": "joec123", "password": “secretPassword” } • Successful Response 1. Send an /oauth/token request with the appropriate information for a grant_type of password 2. Return response to user
Event API URI Method Body (JSON) Response /register POST Registration Cmd Registration Cmd /login POST Login Cmd OAuth Token /events/{id} GET n/a Event /events POST Event n/a /events[?syncToken=token] GET n/a List<Event>
Securing Resources • Resources secured by url pattern match class OAuth2ServerConfiguration { public void configure(ResourceServerSecurityConfigurer resources) {
 resources
 .resourceId('event-api')
 }
 
 public void configure(HttpSecurity http) throws Exception {
 http
 .authorizeRequests()
 .antMatchers("/register", "/login").permitAll()
 .anyRequest().authenticated()
 }
 } @RolesAllowed(["ROLE_CLIENT"])
 class EventController { ... } • Authorization based on role
Database Schema
On First Install 1. Add the event api to the oauth_client_details table. 2. Add ROLE_ADMIN, ROLE_CLIENT to the 
 security_role table. 3. Add an admin user and associate with all roles.
What we Covered Synchronizing Data Data Format & Protocol Efficiency Security • Privacy • Integrity & Trust • Authentication • Authorization
Resources • Sample Code • Server - https://github.com/ericmaxwell2003/grailsEventService • Android - https://github.com/ericmaxwell2003/ androidEventClientApp • iOS - https://github.com/ericmaxwell2003/iosEventClientApp • OAuth Grant Types & Flows - http://oauthlib.readthedocs.org/ en/latest/oauth2/grants/grants.html • Credible Software - http://credible.software
Questions

More Related Content

PPTX
AppSync.org: open-source patterns and code for data synchronization in mobile...
byNiko Nelissen
 
PDF
mdevcon - A Primer to SyncAdapters
byKiana Tennyson
 
PPTX
Building Your First App with MongoDB Stitch
byMongoDB
 
ODP
Event sourcing with Eventuate
byKnoldus Inc.
 
PPTX
Asp.net server control
bySireesh K
 
PDF
Async
byjonathanfmills
 
PDF
CQRS and Event Sourcing with MongoDB and PHP
byDavide Bellettini
 
PDF
Amazon Cognito + Lambda + S3 + IAM
byAndriy Samilyak
 
AppSync.org: open-source patterns and code for data synchronization in mobile...
byNiko Nelissen
 
mdevcon - A Primer to SyncAdapters
byKiana Tennyson
 
Building Your First App with MongoDB Stitch
byMongoDB
 
Event sourcing with Eventuate
byKnoldus Inc.
 
Asp.net server control
bySireesh K
 
Async
byjonathanfmills
 
CQRS and Event Sourcing with MongoDB and PHP
byDavide Bellettini
 
Amazon Cognito + Lambda + S3 + IAM
byAndriy Samilyak
 

What's hot

PPTX
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
byMongoDB
 
PDF
Parse: A Mobile Backend as a Service (MBaaS)
byVille Seppänen
 
PPTX
Orion Context Broker 20220301
byFermin Galan
 
PPT
Itemscript, a specification for RESTful JSON integration
by{item:foo}
 
DOCX
Scalable Google Cloud Payroll Project - Paper
byJoseph Mogannam
 
PPTX
FIWARE: Managing Context Information at Large Scale (NGSIv1)
byFermin Galan
 
PPTX
Orion Context Broker 20210907
byFermin Galan
 
PPTX
Orion Context Broker 20220127
byFermin Galan
 
PDF
Firebase Realtime Database and Remote Config in Practice - DroidCon Moscow 2016
bySergey Smetanin
 
PPTX
Orion Context Broker 20210412
byFermin Galan
 
PPTX
WP7 HUB_Consuming Data Services
byMICTT Palma
 
PDF
When and Why Would I use Oauth2?
byDave Syer
 
PDF
Serverless Microservices Communication with Amazon EventBridge
bySheenBrisals
 
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
byMongoDB
 
Parse: A Mobile Backend as a Service (MBaaS)
byVille Seppänen
 
Orion Context Broker 20220301
byFermin Galan
 
Itemscript, a specification for RESTful JSON integration
by{item:foo}
 
Scalable Google Cloud Payroll Project - Paper
byJoseph Mogannam
 
FIWARE: Managing Context Information at Large Scale (NGSIv1)
byFermin Galan
 
Orion Context Broker 20210907
byFermin Galan
 
Orion Context Broker 20220127
byFermin Galan
 
Firebase Realtime Database and Remote Config in Practice - DroidCon Moscow 2016
bySergey Smetanin
 
Orion Context Broker 20210412
byFermin Galan
 
WP7 HUB_Consuming Data Services
byMICTT Palma
 
When and Why Would I use Oauth2?
byDave Syer
 
Serverless Microservices Communication with Amazon EventBridge
bySheenBrisals
 

Similar to Data Synchronization Patterns in Mobile Application Design

PDF
New Trends in Web Security
byOliver Pfaff
 
PPTX
API Management and Mobile App Enablement
byCA API Management
 
PPTX
Api security
byteodorcotruta
 
PPTX
O auth2 with angular js
byBixlabs
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PDF
Draft Ietf Oauth V2 12
byVishal Shah
 
PPTX
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
PDF
Api security with OAuth
bythariyarox
 
PDF
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
bySam Bowne
 
PDF
Analyzing OAuth
byOliver Pfaff
 
PDF
Securing Your API
byJason Austin
 
PPT
No Silverlight Application Is an Island of Richness
byukdpe
 
PPTX
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
byGood Dog Labs, Inc.
 
PPT
O auth 2
byNisha Baswal
 
PDF
Draft Hammer Oauth 10
byVishal Shah
 
PDF
Layer 7: 2010 RSA Presentation on REST and Oauth Security
byCA API Management
 
PDF
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
KEY
Message in a Bottle
byZohar Arad
 
PDF
Spring4 security oauth2
byaxykim00
 
New Trends in Web Security
byOliver Pfaff
 
API Management and Mobile App Enablement
byCA API Management
 
Api security
byteodorcotruta
 
O auth2 with angular js
byBixlabs
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
Draft Ietf Oauth V2 12
byVishal Shah
 
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
Api security with OAuth
bythariyarox
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
bySam Bowne
 
Analyzing OAuth
byOliver Pfaff
 
Securing Your API
byJason Austin
 
No Silverlight Application Is an Island of Richness
byukdpe
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
byGood Dog Labs, Inc.
 
O auth 2
byNisha Baswal
 
Draft Hammer Oauth 10
byVishal Shah
 
Layer 7: 2010 RSA Presentation on REST and Oauth Security
byCA API Management
 
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
Message in a Bottle
byZohar Arad
 
Spring4 security oauth2
byaxykim00
 

Recently uploaded

PPTX
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
PDF
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 
PPTX
EMR Software for Gynaecology Clinics How EasyClinic Supports Continuity, Priv...
byEasy Clinic
 
PDF
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
PDF
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
PDF
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
PDF
DSD-INT 2025 Groundwater table lowering due to surface water lowering - Reusen
byDeltares
 
PDF
Latest Courier Management Software 2026 | Complete Courier & Logistics Solution
byCourier Softwares
 
PDF
From Sound Workflow Nets to LTLf Declarative Specifications
byLucaBarbaro3
 
PDF
Driving Finance Growth with Business Central ERP
byNavision India
 
PDF
CodeFulcrum Company Profile - Engineering Scalable Software for High-Growth E...
byCodeFulcrum
 
PPTX
Dreamforce ‘25 Tour: Boost Productivity with AI-Assisted API Development
byPriya Shaw
 
PPTX
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
PPTX
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
PPTX
How MathCo Solved Enterprise AI Validation Challenges
byIT IDOL Technologies
 
PDF
Navigating Product Evolution: When MVPs Mature Beyond Their Initial Scope
byCadabra Studio
 
PPTX
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
PPTX
Online Contractor Safety Induction Training Software
bySHEQ Network Limited
 
PDF
Python Core Interview Cheat Sheet for a Senior Interview
byStanislav Lazarenko
 
PPTX
Best Way to Convert PST File to MBOX Format
bykyla142000
 
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 
EMR Software for Gynaecology Clinics How EasyClinic Supports Continuity, Priv...
byEasy Clinic
 
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
DSD-INT 2025 Groundwater table lowering due to surface water lowering - Reusen
byDeltares
 
Latest Courier Management Software 2026 | Complete Courier & Logistics Solution
byCourier Softwares
 
From Sound Workflow Nets to LTLf Declarative Specifications
byLucaBarbaro3
 
Driving Finance Growth with Business Central ERP
byNavision India
 
CodeFulcrum Company Profile - Engineering Scalable Software for High-Growth E...
byCodeFulcrum
 
Dreamforce ‘25 Tour: Boost Productivity with AI-Assisted API Development
byPriya Shaw
 
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
How MathCo Solved Enterprise AI Validation Challenges
byIT IDOL Technologies
 
Navigating Product Evolution: When MVPs Mature Beyond Their Initial Scope
byCadabra Studio
 
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
Online Contractor Safety Induction Training Software
bySHEQ Network Limited
 
Python Core Interview Cheat Sheet for a Senior Interview
byStanislav Lazarenko
 
Best Way to Convert PST File to MBOX Format
bykyla142000
 

Data Synchronization Patterns in Mobile Application Design

  • 1.
    Data Synchronization Patternsin Mobile Application Design Eric Maxwell Credible Software
  • 2.
    What to Expect Synchronizing Data DataFormat & Protocol Efficiency Security • Privacy • Integrity & Trust • Authentication • Authorization
  • 3.
    Example App • Paidsubscription application • Ohio’s Premier Events • Users can see events but not update • Admin can update events
  • 4.
  • 5.
  • 6.
    Data Format &Protocol Choice Synchronizing Data Data Format & Protocol
  • 7.
    Open Ecosystem • Exposingresources to public 3rd party clients (ex. Facebook)
  • 8.
    Closed Ecosystem • Exposingresources to clients that you also control
  • 9.
  • 10.
    Key Questions • Whatdo existing systems & data look like in my organization? • Is it vitally important that I have transaction management across various service calls? • Do I have any other security, service discovery, delivery reliability requirements? • How important is bandwidth? • Are most of my clients & servers speaking the same language?
  • 11.
    RPC vs SOAPvs REST https://dzone.com/articles/api-best-practices-plan-your
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
    Examples https://myrestservice.com/api/events/37/registrations/128 Depends on theverb HTTP METHOD (verb) ACTION GET Get registration 128 that belongs to event 37 POST Create a new registration for event 37 (in this case the 128 would be omitted) PUT Update registration 128 with new data DELETE Delete registration 128
  • 17.
  • 18.
  • 19.
  • 20.
    Always use compression Assimple as adding the following to your application.yml server:
 tomcat:
 compression: on
 compressableMimeTypes: application/json,application/xml,text/html,text/xml,text/plain And saves you exponentially in data transfer with JSON.
  • 21.
    Searching /api/events HTTP GET /api/events?type=conference Find All FindAll Events of type ‘conference’ What if we want only want new Events since the last fetch?
  • 22.
    Synchronization Tokens /api/events?after=b72cef FindAll Events after this ‘token’ Sync tokens act as a bookmark for new fetches
  • 23.
    Synchronization Tokens inAction 1. HTTP GET /api/events?after=
  • 24.
    Synchronization Tokens inAction 1. HTTP GET /api/events?after= 2. Server Responds with all events & token
  • 25.
    Synchronization Tokens inAction 1. HTTP GET /api/events?after= 2. Server Responds with all events & token 3. HTTP GET /api/events?after=MToxN
  • 26.
    Synchronization Tokens inAction 1. HTTP GET /api/events?after= 4. Server Responds with events after token 2. Server Responds with all events & token 3. HTTP GET /api/events?after=MToxN
  • 27.
    Client Perspective • Unawareof Token Meaning • Knows how to use the token
  • 28.
    Client Perspective • Unawareof Token Meaning • Knows how to use the token
  • 29.
    Server Perspective • Stateless& Client Agnostic • If Client Sends Token • I know how to interpret • I know how to create tokens
  • 30.
    Server Perspective • Stateless& Client Agnostic • If Client Sends Token • I know how to interpret • I know how to create tokens
  • 31.
    Token Creation (ourexample) 1:1449354972621 base 64 encoded to MToxNDQ5MzU0OTcyNjIx Token Version Last Event Result Creation Date id summary other columns date_created 123 Codemash … 2016-01-05T08:00:00Z
  • 32.
    What we’ve covered Synchronizing Data DataFormat & Protocol Efficiency
  • 33.
    Security Synchronizing Data Data Format &Protocol Efficiency Security • Privacy • Integrity & Trust
  • 34.
    HTTPS - ServerSSL Scenario Goals • Clients want to know they’re talking to the real server • Data transferred must be kept secret
  • 35.
    HTTPS Overview 1. Clientrequests protected resource 2. Server presents certificate 3. Is this certificate valid, do I trust it? 5. Subsequent messages are encrypted/decrypted at 
 each end using an agreed symmetric algorithm and key. 4. Client & Server complete SSL handshaking process
  • 36.
    HTTPS - MutualSSL Scenario Goals • Clients want to know they’re talking to the real server • Data transferred must be kept secret • Server wants to know they’re talking to a valid client and user.
  • 37.
    HTTPS Overview 1. Clientrequests protected resource 2. Server presents certificate 3. Is this certificate valid, do I trust it? 5. Subsequent messages are encrypted/decrypted at 
 each end using an agreed symmetric algorithm and key. 4. Client & Server complete SSL handshaking process
  • 38.
    HTTPS - MutualSSL Overview 1. Client requests protected resource 2. Server presents certificate 3. Is this certificate valid, do I trust it? 7. Subsequent messages are encrypted/decrypted at 
 each end using an agreed symmetric algorithm and key. 6. Client & Server complete SSL handshaking process 5. Is this certificate valid, do I trust it? 4. Client presents certificate
  • 39.
    What we Covered Synchronizing Data DataFormat & Protocol Efficiency Security • Privacy • Integrity & Trust • Authentication • Authorization
  • 40.
    Authentication Basic Auth • Username:Passwordconcatenated with a :
 Base 64 Encoded and put into Header like this…
 
 Authorization: Basic dGVzdFVzZXI6bXlQYXNz
  • 41.
    Authentication Client Certificate • Clientissued an SSL Certificates which can contain user identifiable information. • Clients send this certificate information to the server which then validates it against a list of trusted client certs.
  • 42.
    Authorization • User -What does the user have access to do. • Application - What information does the user want to share with us or allow us to do on their behalf
  • 43.
    User Authorization w/Roles Users mapped to Roles @RolesAllowed(["ROLE_CLIENT"])
 class EventController { ... @RolesAllowed([“ROLE_ADMIN"]) void save() {} ... } Resources Secured by Role
  • 44.
    Authorization • User -What does the user have access to do. • Application - What information does the user want to share with us or allow us to do on their behalf
  • 45.
    Application Authorization w/OAuth 2.0 OAUTH 2.0 3rd Party Application (e.g. Shutterfly) Facebook 1. User signs up with Shutterfly 2. Shutterfly gives user option to load their FB photos. 3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login. 4. User decides to do this, so they click a button during Shutterfly registration. 5. User is sent to FB to authenticate and authorize Shutterfly to access their photos. 6. User is sent back to Shutterfly and Shutterfly can now access those photos. User
  • 46.
    Application Authorization w/OAuth 2.0 OAUTH 2.0 3rd Party Application (e.g. Shutterfly) Facebook 1. User signs up with Shutterfly 2. Shutterfly gives user option to load their FB photos. 3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login. 4. User decides to do this, so they click a button during Shutterfly registration. 5. User is sent to FB to authenticate and authorize Shutterfly to access their photos. 6. User is sent back to Shutterfly and Shutterfly can now access those photos. User
  • 47.
    Application Authorization w/OAuth 2.0 OAUTH 2.0 3rd Party Application (e.g. Shutterfly) Facebook 1. User signs up with Shutterfly 2. Shutterfly gives user option to load their FB photos. 3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login. 4. User decides to do this, so they click a button during Shutterfly registration. 5. User is sent to FB to authenticate and authorize Shutterfly to access their photos. 6. User is sent back to Shutterfly and Shutterfly can now access those photos. User
  • 48.
    Application Authorization w/OAuth 2.0 OAUTH 2.0 3rd Party Application (e.g. Shutterfly) Facebook 1. User signs up with Shutterfly 2. Shutterfly gives user option to load their FB photos. 3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login. 4. User decides to do this, so they click a button during Shutterfly registration. 5. User is sent to FB to authenticate and authorize Shutterfly to access their photos. 6. User is sent back to Shutterfly and Shutterfly can now access those photos. User
  • 49.
    Actor Roles • ResourceOwner - Owner of the data (e.g. user) • Resource Server - Server which has the resource owners data. • Client - The application or service which wants to access the resource owners data. • Authorization Server - The server which authorizes access to the protected resources after the owner has authenticated given consent. • Identity Provider (IDP) - When OAuth 2 is used for authentication, the identity provider validates user credentials
  • 50.
    Shutterfly Example Actors Client exShutterfly Resource Server Authorization Server Identity Provider ex. Facebook Resource Owner ex. User
  • 51.
    Shutterfly Example -Registration Client ex Shutterfly Resource Server Authorization Server Identity Provider ex. Facebook1. Register 2. Client Id & Secret sent to client
  • 52.
    Key Terms • ClientId & Client Secret - Given to the client upon registering with the authorization server • Access Token - Created by the authorization server after the resource owner has authenticated and given permission for the client to access their data • Scope - Defined by the resource server, it indicates what the client is authorized to do on the users behalf. It’s associated with an access token
 (ex: public_profile, publish_actions) • Grant Type - Different ways to get an access token. This will often guide the flow or interaction between the actors
  • 53.
    Grant Types • AuthorizationCode - Optimized for web clients which can maintain the confidentiality of their client secret • Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps, running in a browser. • Client Credentials - Provides application level (non user specific) access to the resource server. • Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop for example.
  • 54.
    Grant Types • AuthorizationCode - Optimized for web clients which can maintain the confidentiality of their client secret • Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps, running in a browser. • Client Credentials - Provides application level (non user specific) access to the resource server. • Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop for example.
  • 55.
    Grant Types • AuthorizationCode - Optimized for web clients which can maintain the confidentiality of their client secret • Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps, running in a browser. • Client Credentials - Provides application level (non user specific) access to the resource server. • Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop for example.
  • 56.
    Grant Types • AuthorizationCode - Optimized for web clients which can maintain the confidentiality of their client secret • Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps, running in a browser. • Client Credentials - Provides application level (non user specific) access to the resource server. • Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop for example.
  • 57.
    Resource Owner PasswordCredentials Grant Authorization Server Identity Provider Resource Server ex Facebookex Shutterfly 1. Request access token for user with: 1. client_id / secret 2. username, password 2. Access token 4. Access token 5. Resources Client
  • 58.
  • 59.
  • 60.
    Resource Owner PasswordCredentials Grant Authorization Server Identity Provider Resource Server ex Facebookex Shutterfly 1. Request access token for user with: 1. client_id / secret 2. username, password 2. Access token 4. Access token 5. Resources Client
  • 61.
    Resource Owner PasswordCredentials Grant Authorization Server Identity Provider Resource Server Client Event ServiceEvent Client App Authenticate Access Resources w/ Token
  • 62.
    Event API URI MethodBody (JSON) Response /register POST Registration Cmd Registration Cmd /login POST Login Cmd OAuth Token /events/{id} GET n/a Event /events POST Event n/a /events[?syncToken=token] GET n/a List<Event>
  • 63.
    Event API URI MethodBody (JSON) Response /register POST Registration Cmd Registration Cmd /login POST Login Cmd OAuth Token /events/{id} GET n/a Event /events POST Event n/a /events[?syncToken=token] GET n/a List<Event>
  • 64.
    Login • User loginto get a token POST https://localhost:8443/login Content-Type: application/json { "username": "joec123", "password": “secretPassword” } 1. Send an /oauth/token request with the appropriate information for a grant_type of password
  • 65.
    Token Via ResourceOwner Password Credentials • User Specific Access Token { "access_token": "54642d51-1fea-4309-a245-dcc43ffd57ac", "token_type": "bearer", "expires_in": 25222, "scope": "read write" } Success Failure { "timestamp": 1449367453794, "status": 401, "error": "Unauthorized", "message": "Bad credentials", "path": "/oauth/token" } POST https://localhost:8443/oauth/token Authorization: Basic MDgyNDBiNGQtMDlmOS00NGZiLTg4ZjUtM2Q2ODIxZmUyOTIzOjZmMjMxMTA1LWZhZDQtNGFhNC05NTgxLTE4ZDVmNDhlYzgxMA== Accept: application/json Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded username=joec123 password=secretPassword grant_type=password scope=read+write Where the Basic Auth token is comprised of the client_id <== Username client_secret <== Password
  • 66.
    Login • User loginto get a token HTTP 200 - Ok { "access_token": "54642d51-1fea-4309-a245-dcc43ffd57ac", "token_type": "bearer", "expires_in": 25222, "scope": "read write" } POST https://localhost:8443/login Content-Type: application/json { "username": "joec123", "password": “secretPassword” } • Successful Response 1. Send an /oauth/token request with the appropriate information for a grant_type of password 2. Return response to user
  • 67.
    Event API URI MethodBody (JSON) Response /register POST Registration Cmd Registration Cmd /login POST Login Cmd OAuth Token /events/{id} GET n/a Event /events POST Event n/a /events[?syncToken=token] GET n/a List<Event>
  • 68.
    Securing Resources • Resourcessecured by url pattern match class OAuth2ServerConfiguration { public void configure(ResourceServerSecurityConfigurer resources) {
 resources
 .resourceId('event-api')
 }
 
 public void configure(HttpSecurity http) throws Exception {
 http
 .authorizeRequests()
 .antMatchers("/register", "/login").permitAll()
 .anyRequest().authenticated()
 }
 } @RolesAllowed(["ROLE_CLIENT"])
 class EventController { ... } • Authorization based on role
  • 69.
  • 70.
    On First Install 1.Add the event api to the oauth_client_details table. 2. Add ROLE_ADMIN, ROLE_CLIENT to the 
 security_role table. 3. Add an admin user and associate with all roles.
  • 71.
    What we Covered Synchronizing Data DataFormat & Protocol Efficiency Security • Privacy • Integrity & Trust • Authentication • Authorization
  • 72.
    Resources • Sample Code •Server - https://github.com/ericmaxwell2003/grailsEventService • Android - https://github.com/ericmaxwell2003/ androidEventClientApp • iOS - https://github.com/ericmaxwell2003/iosEventClientApp • OAuth Grant Types & Flows - http://oauthlib.readthedocs.org/ en/latest/oauth2/grants/grants.html • Credible Software - http://credible.software
  • 73.