Under the Radar

Under the Radar 16: Designing for Misuse


  welcome to under the radar a show but

  independent iOS app development I'm

  Marco Arment and I'm David Smith under

  the radar is never longer than 30

  minutes so let's get started so today I

  wanted to talk about designing for

  misuse and and maybe abuse - and maybe

  some malicious use but you know just

  general categories of misuse of people

  trying to use your apps either

  maliciously or in ways that you didn't

  intend or consider when you design them

  and kind of how you can deal with that

  and how you can mitigate or minimize the

  the negative effects of that I mean so

  you you have a number of apps I'm

  thinking of things like my recipe book

  or audiobooks even where like somebody

  could potentially get a ton of data in

  there like a ton of Records or like a

  ton of audiobooks or stuff like that

  like like do you when you design things

  do you account for like very very heavy

  users who might be using the app to do

  or store way more than you designed it

  for I it's something i've definitely

  didn't do or what initially and had

  since have to had to learn a lot of

  lessons about doing like in preparation

  of this episode i took a look in my

  recipe sink system and i found I was

  like wonder how many recipes the biggest

  users have and the biggest user has 13

  thousand recipes like god in their in

  their sink account and they use the app

  how I also checked how often like are

  they actually still using it and it's

  like their last their the data their

  last one yesterday so they are still

  using it with 13 thousand recipes and I

  did not in any way design the app to

  scale for two thirteen thousand recipes

  so it's something that I've had to learn

  and I'll get the support requests from

  people who are like why won't it just

  like you know the sink seems really slow

  and I go and check their account and

  they have even if not the 13 thousand

  but even like two or three thousand

  recipes and I'm like yeah that's that's

  gonna be tough on an iPad 2 - so just

  move that amount of data around and

  quickly search it and things that I mean

  the numbers aren't massive in and of

  themselves but I think like you're

  saying it's you have to design your app

  and be adaptive to it

  in that way or otherwise the things just

  fall down horribly because like your apt

  if your app doesn't you know sort of

  scale well or gracefully it's gonna kind

  of fall apart and so now when I'm doing

  these kinds of things I always have to

  think in the back of my mind like how

  this it's not even how many how many

  records or how many entries could

  someone reasonably have it's like how

  many records could someone unreasonably

  have what is what like what's the limit

  here beyond which it would be completely

  impractical for them to even get there

  and it's also probably worth saying like

  that person who has 13 thousand recipes

  like they've been at inter entering into

  the system into the system for the think

  three years now like they've been using

  the app for three years and so even like

  you have to keep in mind that you things

  will just gradually grow and extend over

  time that it's not even just oh

  someone's being silly and just like

  creating a million entries in my system

  it's like no they could just use it a

  lot and over the course of several years

  because hopefully your app will be

  around for several years it'll get to a

  point that things are way beyond what

  you may have originally thought or

  expected oh yeah I mean like you know

  and this isn't that unreasonable of a

  thing to I could from the user point of

  view like you might you might think as a

  user oh I'm using everything as design

  but like there there's probably like one

  or two things in your in your setup

  either the apps you use or maybe like a

  giant folder on your computer or some

  giant database you have like oh I happen

  to have I happen to be a Musical actor

  and have like a hundred thousand mp3s or

  happen to have a lot of photos or

  whatever else like almost everybody has

  the extremes of something you know like

  like we like I our friend Merlin man

  over it back to work has often talked

  about his trouble finding Dropbox text

  file markdown editors because like that

  whole category of app so there's a

  million of on the app store to edit

  Dropbox note text files because he has

  like thousands of them because he uses

  them in all sorts of ways that a lot of

  people don't consider or don't think of

  and a lot of times like he try out a new

  app and it'll just crash or it'll be a

  searching will be impossibly slow or

  something you know this this happens a

  lot like almost everybody has like one

  thing where they are pushing the bounds

  on like I have

  with overcast I have users that first

  started reporting like slow sync issues

  and I would get I dig in with them and I

  find out that they would have like 150

  podcast subscriptions and so most people

  have trouble keeping up with 3 to 5

  podcasts every week and this guy has 150

  but he's using them you know he's using

  the app like I'm not gonna like that's

  that's that's the you know that's these

  people's prerogative if they want to use

  the app that way if it's not like

  malicious against you in any way what's

  the problem so you know you have to

  design for these kind of extremes and

  yet to test for them like you'd be

  surprised like how how how quickly

  either your app or your server the

  server side process if you're syncing

  them to a server or dealing with server

  anyway how quickly you can hit memory

  limits because like a lot of these like

  like you know my back-end is all PHP and

  yes make fun of it as much as you want

  but almost every language that has on

  the server side some kind of memory

  limit that you can configure often it's

  set by default to something you know

  right in like the hundreds of megabytes

  usually at most so you know you might

  have like a PHP process might be able to

  max out it like 32 Meg's or 128 Meg's

  something in that range well if somebody

  has like 10,000 items that you're trying

  to sync and the server is trying to deal

  with that you actually might hit that

  like depending on the design of your


  similarly on I on iOS like if you're

  trying to read all those records into

  memory to do some kind of batch

  operation or some kind of inefficient

  counting or something like that if

  you're if you have your own custom data

  interaction layer here and you are

  dealing with 10,000 records 100,000

  records and an app that you designed to

  have a few hundred records you might

  blow the memory limit on the iOS device

  and the app might get killed or crash so

  this is you know this is pretty pretty

  important stuff to at least deal with

  gracefully or as gracefully as you can

  you know your app should at least not

  crash you know if a heavy user uses it

  and so you should be as much as much as

  it's possible to you should be testing

  for this like if you have an app with

  any kind of user login system have a

  user that has you know way more content

  or data or records then you think is

  normal or that you even think anybody

  would ever have you know like I like

  during the velopment of breadth of

  vesper our friend Brent Simmons was was

  blogging here and there about how like

  they had

  they had a test data that was like

  thousands of notes and they knew that

  almost nobody would ever take thousands

  and thousands of notes but they wanted

  to make sure the app worked well and

  didn't crash and hopefully was fast and

  was still actually good and functional

  with way more data than they expected so

  like you know first first priority don't

  break you know don't crash don't make

  the UI like break in weird ways like

  it's like something overflowing it's

  bound or rendering in the wrong spot

  because like some assumption was broken

  but how long something would be and and

  try to not slow down

  noticeably so there's many strategies

  for this that it you know beyond the

  scope of this episode but you know

  generally you want to you know you want

  to have some kind of database back in

  you know not like a P list with 10,000

  entries in it like you want to have some

  kind of database if you use core data it

  will do a lot of this for you especially

  if you use like the the fetch results

  controller is right because it you use

  those here and there right yeah and then

  they handle that's how most of this gets

  done in my ABS it's like rely on

  problems that were solved at a different

  level like because core data was

  designed to scale from like 10 records

  to ten thousand or ten million records

  like it's intended to be able to do that

  and so if you use it that way you know

  it does all the nice batching for you

  and only pulling in like pointers to

  things rather than to hold their whole

  contents initially and all that kind of

  stuff like if you do it thoughtfully in

  that way then you know a lot of this

  work can sort of be done for you or at

  least the first pass at this kind of

  work can be done for you exactly so you

  know generally you know don't break

  under heavy usage like this if you can

  help it and then try it to slow down and

  so you know use this as appropriate make

  sure you know watch your memory limits

  it helps to like you know if you can run

  some testing where you can go into

  instruments and watch memory usage of

  your app and like see how it changes if

  somebody has ten rows versus ten

  thousand rows and you know the it should

  not be going up linearly with the amount

  of data that's being stored in your app

  you know your your your in memory set

  should not be scaling up your you know

  your on disk set obviously could but you

  know in memory should not so you know

  beyond the technical side of making sure

  it works

  and you know again that's not a small

  thing but if you be on the technical

  side of things there are things you can

  do in the design of the app to kind of

  help make this manageable for people and

  help help yourself out too with like the

  amount of load that you're placing on

  various parts of it and you know how

  something might break so well I think

  one of the one of the staples of iOS app

  usability and design is the table view

  you know the table view first of all

  it's designed in such a way especially

  when paired with core data or an

  intelligent other layer it's designed in

  such a way that it can scale

  ridiculously well we know when you

  combine the the way the cells are reused

  and only certain amounts of data or page

  in at once

  combine that with like the the

  estimations of cell Heights and the

  estimations of sections and numbers of

  things in sections and then you have

  like the the like first letter on the

  right side like and like in the phone

  contacts app you have like the letter

  jumping on the side where you can sort

  and that's also by the way helpful in

  different languages that you don't

  support use apples please just use

  apples thing and you'll be mostly okay

  you know stuff like that having like

  easy navigation intelligent sorting of

  long lists like you know you might have

  a list in your app that's sorted

  chronologically if there's no way to

  sort it alphabetically and somebody

  might have 10,000 items that might be

  problematic you know if it likes think

  about like how you're how you're sorting

  in your app works and if there's

  anything you can do in the design the UI

  design of the app to make it less

  cumbersome or impossible to use for

  somebody who is in your opinion grossly

  over using it or grossly over filling it

  because that will happen there will be

  good reasons for it and you know if

  possible don't break under that right

  and so other things also in that and in

  that category would involve Search

  Search is a big one here you know any

  kind of local search you can offer that

  doesn't use a server is is easy first of

  all almost every database supports

  sequel Lite supports it you know you can

  just write your own dumb one if you

  really want to but please use a search

  index it's much easier like using stuff

  like that can really help people who

  have tons and tons of of entries can

  really help them find their data and use

  your app and with search like you know

  the way it works with like basically a

  whole bunch of binary tree

  and everything like you can you could

  make a vast number of Records accessible

  via search without a ton of work and

  without a ton of CPU time being spent so

  you know if there's any possibility of

  somebody having a ton of data in your

  app offer a search if it makes sense to

  because it really does its ski it lets

  your apps scale well because all of this

  was really talking about app scaling

  it's like you know in kind of in the in

  the way that you know website scaling is

  really talking about like number of

  users or amount of traffic AB scaling

  for one person in this case is like

  talking about the amount of data they

  might store in your app and what kind of

  technical and organizational challenges

  that will present exactly and the nice

  thing too is that most of these changes

  these improvements these ways of like

  looking at your app at high usage

  whatever that might need mean for your

  app will almost always make it better

  for the typical case that like you avoid

  the like if your app does get Linney

  linearly worse every time the user adds

  a record like that's incredibly

  problematic when you have 10,000 records

  but it means that every single time the

  user is using the app they're making it

  slightly worse for themselves like

  that's your discouraging use yeah like

  what you want is to make sure that you

  know your app scales gracefully in this

  way but mostly because then that means

  that it's probably gonna be a lot better

  for you know your typical user like and

  obviously that's nothing you want to

  keep in the back of your mind that you

  don't want to be making changes that are

  only beneficial if you have 10,000 users

  or 10,000 records because very few users

  are gonna have that and so if it makes

  your app way more complicated then

  that's probably not good but looking at

  it in these ways you get these benefits

  I mean it's like you were saying with

  like UI tableview is really efficient

  and UI tableview is designed like for

  the original iPhone like as far as I

  know it's like that was built into you

  know iPhone OS 1 when things were

  incredibly constrained and tight and it

  made the an OS you know where a lot of

  things are just scrolling lists really

  perform it in powerful and so then as

  devices got more capable it got even

  better and in the same way it's like if


  you are designing things so that they

  work when things are constrained in this

  case when they were constrained by

  having large numbers of things when you

  aren't constrained in that way suddenly

  everything's just better and faster and

  in the a--probably instantaneous for

  most of your users like if things only

  take a few seconds for your extreme

  users they're probably gonna be if you

  know instantaneous or you know momentary

  for your typical user and that's what

  you want and like that this exercise is

  helpful in that way of looking at your

  app and saying well where could I make

  this better like an easy obvious case

  it's just to say like well let me throw

  way more things into it than I need and

  see where I can make it better as a

  result exactly and you know and you're

  like you mentioned like you know trying

  to optimize for typical use you know

  versus versus the the kind of extremes

  and the fact is like when you're when

  you're talking about adding any kind of

  organizational system something like I'm

  thinking like you know like like one

  level of folders or tags which are

  basically folders like you know one

  level of organization to like abstract

  something away that can go a long way

  like if you have an app where people

  might often have more than about you

  know 20 to 50 records like they might

  want some kind of way to organize that

  and like having just one level of folder

  hierarchy could also scale to 10,000

  items fairly well like you don't have

  like a little goes a long way here you

  don't really have to go overboard with a

  cup with accommodating for these things

  in the UI because you know the the high

  end users any little bit will help them

  tremendously and it won't put too much

  of a burden on regular users exactly and

  obviously these are all like these are

  the kinds of things we're talking about

  are in the good case where things are

  people are using your app in the way

  that you intended it and just using it a

  lot but obviously they also they could

  talk use there could be problems that

  you could run into on the malicious side

  and we're about to talk about that

  before we do could you tell me about

  something that's awesome we are

  sponsored this week by dev mate go to

  dev mate dot-com slash radar to learn

  more dev mate is a single SDK with a set

  of advanced back-end features for Mac

  developers that allows them to easily

  integrate in app purchasing software

  licensing auto-updates crash reports

  user feedback and more

  all four Mac apps without being in the

  Mac App Store this is very useful stuff

  if you're a Mac developer because you

  don't have to handle all these things

  for you know all manually for yourself

  plus all the analytics for your app with

  sales and downloads are all available

  real time in dev mate's dashboard that's

  real-time sales analytics data Mac paw

  are very excited to announce that dev

  mates of rich functionality is now free

  for all and is instantly accessible

  after integration magpie use these tools

  themselves to help them build their own

  apps include and CleanMyMac and you

  can't and you can take a look at on

  their site to see examples than many

  other developers that also rely on dev

  mate there's some big names there these

  days more and more developers are eager

  to sell outside the Mac App Store having

  dev mate as an ultimate solution for

  independent OS 10 development is a great

  place to start you can find out more

  right now by going to dev mate comm

  slash radar once again that's dev mate

  comm slash radar if you're a Mac

  developer you got to check this out

  thank you very much to dev mate for


  under-the-radar and all of real EFM all

  right so obviously if you you know

  people are just putting lots of data in

  your app like that's not really

  problematic it could be problematic if

  rep distance and a lit well but there's

  also cases where rather than just your

  users using the app and a positive like

  they just love it you know like this

  person just really loves baking and

  wants to put 13,000 recipes in their

  city and there's in in my sink system

  there can also be taking cases

  especially as your hep cats

  attention or popular or you get

  attention or become popular where people

  might want to misuse your application

  for whatever reason or in whatever way

  and so it's kind of important that you

  also think about it from those

  perspectives of what's the worst that

  people could do what could people be

  doing with my app with my back-end you

  know if someone ran like a Wireshark

  application and looked at all the

  network traffic between my app and my

  server are there things that I wouldn't

  want them to know or be able operations

  that they could do that would really

  hurt me and you kind of have to start

  thinking through these basic security

  things in order to make sure that your

  app is going to be stable and worthwhile

  and and also like in the same kind of

  way we were saying before

  if you do these things it can prevent

  misuse but it also will probably make

  basic use better because then your app

  is more secure your users data is more

  secure things are more reliable and so

  it does take a bit of work and a bit of

  thoughtfulness but these are things that

  are kind of basic things that are

  probably important if you want to get

  into any kind of thing that you stores

  or uses users data oh yeah and you know

  like when you have any kind of you know

  if you just have a local app that has no

  web component that you at least that you

  run but you know it if you just have a

  local app there's only so much user can

  do to to hurt anyone else or you using

  the app but as soon as you have a

  service behind it or especially like a

  web interface there there are so much

  that people can do that you know the

  good thing is that web security is a

  pretty well-known field at this point I

  mean it's not solved it's not flawless

  but you know the the major categories of

  danger are well-known and many of them

  can be avoided you know without too much

  work these days because we you know

  we've had a long time to work on web

  security and so like you know like one

  of the basics is obviously to use SSL

  you know if you have any kind of API the

  running over HTTP use SSL this is not

  difficult these days in fact one tip

  I've come across recently is so I host

  all my stuff on Linode and they have

  these things called node balancers we're

  just like their own like kind of managed

  to load balancing things for 20 bucks a

  month and so I use I use node balance

  here is not only for load balancing but

  even when I only have one server behind

  them I use the node bouncer for SSL

  decryption and also to be kind of a

  front-end because then the actual IP of

  the machine is not you know being

  directly exposed to the users and also

  that is handling all the SSL decryption

  for me so that and and Linode keeps

  these maintaining keep C's updated so

  that whenever SSL changes whenever like

  people discover oh this old ciphers

  actually actually has a weakness that we

  did that we just learned about so nobody

  should use that everyone should upgrade

  to TLS one point whatever or do you know

  disabled a certain cipher or anything

  they do all that for you so you are

  always kept on top of it you just paste

  it in your certificate in your key into

  their admin panel and then your server

  talks regular

  HTTP to the load balancer and the load

  balancer to the node balancer excuse me

  the node balancer then is handling all

  security for you so that's I highly

  recommend if you're on Linode and you

  can spare another 20 bucks a month

  outsource your your SSL dealing with to

  a node balancer it's a lot easier and

  you know but even if you do it yourself

  you know just keep on top of it there's

  a there's a Qualis SSL test that you can

  you can kind of test your site and see

  how it does on the security thing just

  you know go test it every few months or

  whenever you hear any news about it just

  make sure you're on top of things but or

  you can just outsource it like I do

  excuse me

  or you just outsource it and it's a no

  big deal also for web pages consider

  using content security policy this is a

  relatively young web thing it's it's a

  header you put on on repot on responses

  CSP or content security policy it's a

  thing that it's basically a declaration

  you make in the headers that tells the

  browser where from what domains and what

  types of JavaScript and CSS and assets

  are permitted to be loaded by this page

  and what this is mostly useful for is to

  eliminate a whole category of

  vulnerabilities like cross-site

  scripting then there's tons of

  vulnerabilities that this just

  completely negates for browsers that

  support it and almost every modern

  browser will enforce it as far as I know

  so you know using content security

  policy with SSL and with HSTs strict

  Transport Security which will enforce

  SSL for basically everything for all

  modern browsers like using those things

  you are way more secure than the average

  service and you know Plus you know basic

  server security as we talked about last

  week or two weeks ago rather so that is

  that will get you a huge huge part of

  the way there and and I mean heck I even

  in my podcast app I even have SSL

  certificate pinning which is complete

  overkill for a podcast app but what that

  means is it makes it a lot harder for

  anybody to not only snoop my traffic and

  break the app that way but also for like

  for you know creepy middlemen like like

  when you get on airplane Wi-Fi and it

  injects ads into everything you see now

  or you know like it it makes it

  impossible for those kind of things to

  interfere with my app and will protect

  me and it protects my users so it's it

  these kind

  things like they seem like overkill if

  you're just making an app for something

  basically playing podcasts but in in the

  modern era this really isn't overkill

  and it really isn't that hard I think

  that's the important thing to like a lot

  of these things like a little goes a

  long way like just does all these you

  know best practices and things you're

  talking about if like the different

  types of security and the different

  approaches you can take

  but doing anything is going to do a lot

  just to get started with and like if

  you're gonna do it fair enough do it

  properly but all of these things like

  any sigh if you just like you do there's

  no reason to be sending anything in

  plain text in like a modern app it's

  just it just doesn't make sense like

  maybe media maybe but in general like

  you missed you just may as well like

  things are it doesn't make your things

  slower or a little more expensive or

  those types of things like it just makes

  the app better and so if you can do it

  because you're just trying to minimize

  the things the directions that people

  can could you know be mischievous with

  your application exactly so moving on

  from now like direct security attacks I

  want to talk a little bit about spam if

  your app has any kind of user-generated

  content that could potentially be

  exposed to other users of the app or to

  the public on your website and it's some

  kind of like top ranked list or most

  popular content or anything like that

  that is a potential vector for spam for

  people to span your site of your service

  or your app in order to promote their

  own stuff or deface stuff or make people

  look at porn or whatever else there's

  you know so anything where

  user-generated content could be shown to

  a larger audience of your apps users you

  have to be very very careful about these

  kind of things that become possible it's

  you know it's one thing to just think oh

  well I'm gonna make you know suppose

  suppose you have like in overcast to

  have a recommendations thing suppose I

  would I was gonna show on the website

  top recommended things which I kind of

  do in the app but I'll get to that you

  have to think like how could somebody

  spam this in order to promote their own

  thing or show inappropriate content or

  something you know so somehow break it

  in a way that would be valuable to them

  or would you know deface the the whole

  thing and make everyone look bad

  and you might think oh I can just keep

  on top I'll just check it every day

  and I'll delete anything that looks

  wrong and it'll be fine the fact is you

  can't and you won't police it yourself

  like you you that is unless you have a

  very large dedicated staff doing this

  around the clock and you know and every

  different language around the world

  you're probably not gonna be able to

  police spam yourself hey you know you

  can you can look at the big services

  like like Twitter for instance where

  spam is a thing and it is not a small

  deal for a company like Twitter to to

  try to prevent and eliminate spam as it

  comes it that takes a huge staff so you

  probably won't have that luxury

  so my solution to this is to generally

  just avoid creating mechanisms that can

  be spammed so avoid creating global top

  lists you know any kind of like global

  rankings most popular lists I don't even

  have like you can't even review podcasts

  and overcast you can't like write

  written user reviews that are shown to

  anybody else because that's also spam

  you know promotional problems like

  defacing and everything legal problems

  so like just if you can avoid any area

  that can be spammed if you can't avoid

  it try to outsource the control that

  spam or the decision on whether

  something is spam try to outsource that

  to some other larger authority so and

  I'm not I'm not talking about other spam

  filters I'm not talking about like you

  know a kismet or anything like that I'm

  talking about outsourcing it to some

  other authority that themselves would

  need to have spam get through in a

  significant way for it to be a problem

  for you so an overcast case I use iTunes

  IDs because iTunes reviews every podcast

  that goes in and I have never seen spam

  in the iTunes podcast directory I've

  seen bad podcast but I've never actually

  seen like you know what most people

  consider blatant spam in there and it

  also helps control like adult content

  and you know stuff like that because

  they also look for that so in overcast I

  won't show a podcast in search results

  unless I can match it to something in

  the iTunes directory and if I can't

  it stays private like you can still

  enter it by URL but it's not going to be

  shown to people who weren't looking for

  it so that basically eliminates any of

  any problems with spam or poor content

  and then also for the recommendations

  side of it I use your Twitter following


  so the only recommendations you will

  ever see an overcast are either from

  people you follow on Twitter so if

  they're spamming you can unfollow them

  and it's you know that's that's that's

  your choice

  you know so it's either from people you

  have chosen to follow on Twitter or it's

  from people if you don't have enough

  people who you follow on Twitter it's

  from people who are very popular on

  Twitter who have tons and tons of

  followers so the point where it would it

  would be very very unlikely for any spam

  to get in that way but for the most part

  it's based on people you follow only and

  so that way you know the combination of

  that plus the iTunes ID filtering means

  that it's basically impossible for this

  mechanism to to show spam in a

  meaningful way and so really the best

  thing you can do if you have something

  like this is like design it so that it

  can't be spammed and if it can be

  spammed outsource the authority over

  what a spam to somebody big exactly and

  I think it's probably a good way to like

  I personally just avoid situations that

  user-generated data would ever be shown

  to someone else like I can't think of an

  example in any of my my products where I

  do that like I look at that problem and

  I'm like that is big scary yes not

  something I want to touch I just don't

  and maybe there that means that there

  are some features in my apps that I

  could have that would be really cool but

  I don't but I just decided that you know

  what it's I'm one person I'm never going

  to be able to or it's gonna be really

  hard to stay on top of it so I just

  don't and that's okay and I think the

  important thing with like this whole

  episodes discussion is when you're

  thinking of that feature like when I've

  December I'm deciding not to add

  features that show user-generated

  content to someone else like the

  fundamental underlying thing that you

  have to be thoughtful of is when you're

  building it you have to be building it

  with like what's the worst-case scenario

  in mind yep that it's so easy when

  you're building something to think of it

  only from like the cool obvious like the

  way you would use it perspective but in

  order for you to have an app that is

  going to be go with like good for

  performance for your extreme users or

  have good security and avoid kind of

  user you know user-generated content

  problems you have to always be building

  it sort of with the worst case in mind

  and that can be the worst case person

  the worst case user the worst case

  device the worst case Network whatever

  it is

  if you build something with the worst

  case in mind its overall going to be

  better as a result exactly that's all

  the time we have this week thank you

  very much for listening and we will see

  you next week bye