FillLPG for Android – RIP

So, as per my previous post, I have now removed the FillLPG for Android app from the Google Play Store – and it won’t be coming back.

As promised in that post I have uploaded the installation file (actually ‘files’ – see below) and it can be downloaded at the bottom of this post.

The file has been compressed into a ZIP archive to reduce the file size and to allow my blog to upload it – it gets a little fussy sometimes.

Note that to install the app without using the Play Store you will need to be happy with ‘side-loading’ onto your device.


FillLPG for Android: Pulling the Plug

In a previous blog post I announced that the FillLPG for Android application was no longer in active development (which I then updated but let’s not lose focus here) and indicated that a time would come when I would remove it from the Google Play Store.

Well, that time is upon us.

The tipping point came today when I received feedback from two different channels, a review on the Play Store and an email from a fellow developer.


No Jokes please, we’re Developers

Let’s be honest, jokes are normally funny because they are at somebody’s expense. Whether it’s about a mother-in-law, a profession or ‘an Englishman, Irishman and a Scotsman’ – somebody is always on the end of it and nobody likes to be made fun of.

Now, these jokes are all well and good as long as you are not the subject – that said I’m a Cornishman and I get some stick over that but in general it’s just banter and I personally don’t find it offensive or oppressive.

Some of this I do find over the top and some people will find offence in just about anything (including this blog post I expect) but I do understand that we are more enlightened and have more appreciation of how these jokes can have a serious impact on others and we need to be mindful of that.

All that said, I saw a tweet yesterday which made me put my head in my hands;


Help – A Covid-19 Tracker app has been secretly installed on my Phone!

On LinkedIn the other day I noticed a post claiming that Covid-19 tracker apps had been installed on everybody’s smart phone and that we were all being tracked.

Ok, so let’s ignore the fact that we can be tracked via our phones anyway and look at what the fuss is about.

If I open up the settings on my OnePlus 6T Android phone I see a new item – ‘COVID-19 exposure notifications’. This is what some people are losing their minds about right now.

I on the other hand am not. Why not?

Well, as a developer (web and mobile) I listen to numerous podcasts with presenters and guests who know what they are talking about and one such episode focused on the collaboration between Google and Apple to create the foundations for a Covid-19 tracking app and roll it out to their phones during a standard update cycle.

In this episode, which non-techies will find boring as hell, security expert Steve Gibson analyses the technology and gives it the thumbs up from a security and privacy point of view. This is a man I trust when it comes to these things.

But here’s the thing that you may have missed – this is the foundation for app development, it is NOT a tracking app itself.

If people bothered to tap on the above settings option to open and read the details, instead of taking screenshots, posting them on LinkedIn (and probably Facebook and Twitter) claiming that something underhanded is going on, then they would have seen that this functionality is only activated when a compatible application is installed.

There’s other information there too which may have reassured them (or not) and a link for them to find out even more about this functionality.

In case you are concerned that someone could create an app and secretly access this functionality for nefarious reasons, not just any Tom, Dick or Harry can knock up a Covid-19 Tracking App using this API.

Only third party companies affiliated with a public health authority or government can use it and that will be tightly controlled by Apple and Google.

So what do I do now?

Frankly, nothing. There is nothing you can do to remove this nor is there any need for you to do so. If you don’t install a tracking app, this functionality won’t be activated on your phone. Simple as that.

If you don’t trust Google or Apple (or your Government) then you probably want to think about changing your phone to something a bit less “smart”.

As an aside….

Above I linked out to the Security Now podcast with Steve Gibson where he gave the thumbs up to the technology.

A later podcast is entitled “Contact Tracing Apps RIP” where he explains that while the technology is sound, the system will probably not work in the real world.

Why is this?

Well, research suggests that for the system to work effectively it would need at least 80% of the population to install it on their devices – and if the above hysteria is anything to go by, that’s just not going to happen.

I’ll leave it there….

Sending Secure SMS – That’s Crazy Talk!

Many of us know that when we send an SMS (aka text message) it is sent in plain text and can be read by anyone with sufficient access.

This is normally limited to your cell provider but there are hackers out there using readily available hardware to act as a cell tower and initiate a man-in-the-middle attack.

Now I don’t know about you but I seldom send a regular SMS message – I use WhatsApp most of the time. Not only does it allow group chats (very handy for communicating with the family – especially during Covid-19 Lockdown) but it also provides end-to-end encryption. This means that only the intended recipient(s) and myself can read the message content.

It’s not that I’m doing anything illegal of course, it’s all about privacy.

Now, before you start down the ‘what about terrorists and paedophiles’ route I’ve already covered my thoughts about that argument, normally spouted by Government officials when trying to justify an erosion of our privacy and freedoms, in a previous blog post.

The UK Government (and they are not alone by any means) are continually using this argument to attempt to force technology companies to weaken their encrypted messaging systems. They are calling for backdoors to be put in to allow ‘authorised’ agencies to access the data to aid with criminal investigations.

My argument is that should the tech companies relent and add these backdoors then the bad people will just use something else or, crucially, write their own. This would leave the rest of us on a hobbled, insecure system with ‘authorised agencies’ trawling around people’s private messages attempting to justify their hard won access.

So what is involved in writing your own secure messaging system? Surely it’s not just an app on the phone. Surely there needs to be servers and things to receive and forward these messages to the correct recipients. How would a regular user set these things up?

Well, yes there does need to be some form of delivery system but that doesn’t mean we need to write it – there’s already one out there, it’s on just about every phone out there and it’s been tried and tested for years. I am of course talking about the humble SMS text message.

Hang on, SMS isn’t secure!

True, the way SMS works doesn’t add any encryption to the process – plain text goes in and plain text comes out.

But this doesn’t mean that we can’t encrypt the message before we send it and for the recipient to decrypt it at the other end.

Now, I consider myself as a pretty competent developer – but I’m not what I would think of as a “rockstar developer”. I won’t have any of the big tech companies banging on my door offering me a massive salary and stock options to work for them. But surely I could write a mobile app which would allow the user to send and receive encrypted messages over SMS. As it happens – I can, and did just that.

As a proof of concept (you’re going to hear that term a lot in this post) I wrote an Android application, using Xamarin, which handles Key Pair generation, Key Exchange via QR code, Encryption, Decryption and integration with the device’s SMS functionality.

Encryption is handled by the Open Source Sodium.Core library which is a fork of libsodium.net (also Open Source) which is itself a wrapper around the well regarded libsodium library – yep, Open Source all the way down.

In the image below Bob is sending a message to Alice, they have already exchanged their public keys using the app to display and scan a QR code containing the required data.

Basic flow showing Bob sending an encrypted message to Alice (sequence shortened)

Let’s break this down a bit and explain, at a high level, what is happening here;

  1. Inside the Shhh.SMS app Bob selects Alice as the message recipient and enters his message (he can add emojis if he likes – that all works too!)
  2. After clicking Send, the device’s SMS app is opened with the encrypted message ready to send
    • Bob will need to specify the recipient from his contacts
  3. Alice receives the SMS just like any other and uses the SMS app’s ‘Share with’ functionality to share the encrypted message content with the Shhh.SMS app
  4. Shhh.SMS opens and if it can verify the message it displays the decrypted text

After passing the message over to the device’s SMS application, it only exists on Bob’s phone in its encrypted form.

When Alice receives the message it is only decrypted for viewing within the Shhh.SMS application.

Moreover, while the message was being sent it was encrypted using keys that only exist, securely, on the sender’s and recipient’s devices. The cell carriers involved in the delivery of the message have no way of decrypting it.
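The encrypt, send as text, verify and decrypt flow described above can be sketched with Sodium.Core as follows; this is an added example, not code from the Shhh.SMS repository. It assumes the library's `PublicKeyBox` (libsodium's authenticated public-key box) is the primitive and that the SMS body is Base64 of nonce followed by ciphertext; the `SmsEnvelope`, `Seal` and `Open` names and that wire format are hypothetical.

```csharp
// Added illustration, not the Shhh.SMS source. Requires the Sodium.Core NuGet package.
using System;
using System.Security.Cryptography;
using System.Text;
using Sodium;

public static class SmsEnvelope // hypothetical helper name
{
    private const int NonceBytes = 24; // nonce size used by PublicKeyBox
    private const int MacBytes = 16;   // authentication tag added to every message

    // Sender side: encrypt to the recipient's public key, authenticate with the
    // sender's private key, and return text that can be handed to the SMS app.
    public static string Seal(string plaintext, byte[] senderPrivateKey, byte[] recipientPublicKey)
    {
        byte[] nonce = PublicKeyBox.GenerateNonce(); // fresh random nonce per message
        byte[] cipher = PublicKeyBox.Create(
            Encoding.UTF8.GetBytes(plaintext), nonce, senderPrivateKey, recipientPublicKey);

        // Assumed wire format: nonce || ciphertext, Base64-encoded so it survives SMS.
        byte[] wire = new byte[nonce.Length + cipher.Length];
        Buffer.BlockCopy(nonce, 0, wire, 0, nonce.Length);
        Buffer.BlockCopy(cipher, 0, wire, nonce.Length, cipher.Length);
        return Convert.ToBase64String(wire);
    }

    // Recipient side: returns the plaintext, or null when the body is not a valid
    // envelope or fails authentication (altered in transit, or not from this sender).
    public static string Open(string smsBody, byte[] recipientPrivateKey, byte[] senderPublicKey)
    {
        byte[] wire;
        try { wire = Convert.FromBase64String(smsBody.Trim()); }
        catch (FormatException) { return null; }
        if (wire.Length < NonceBytes + MacBytes) return null; // too short to be an envelope

        byte[] nonce = new byte[NonceBytes];
        byte[] cipher = new byte[wire.Length - NonceBytes];
        Buffer.BlockCopy(wire, 0, nonce, 0, NonceBytes);
        Buffer.BlockCopy(wire, NonceBytes, cipher, 0, cipher.Length);
        try
        {
            byte[] plain = PublicKeyBox.Open(cipher, nonce, recipientPrivateKey, senderPublicKey);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException) { return null; } // tag check failed
    }

    public static void Main()
    {
        // Constructed sample keys; in the post these are exchanged in person via QR code.
        KeyPair bob = PublicKeyBox.GenerateKeyPair();
        KeyPair alice = PublicKeyBox.GenerateKeyPair();

        string sms = Seal("Meet at 7 🙂", bob.PrivateKey, alice.PublicKey);
        Console.WriteLine($"{sms.Length} characters on the wire: {sms}");
        Console.WriteLine(Open(sms, alice.PrivateKey, bob.PublicKey));

        // Change one character inside the ciphertext region: the message is rejected
        // rather than decrypted to something different.
        char[] tampered = sms.ToCharArray();
        tampered[40] = tampered[40] == 'A' ? 'B' : 'A';
        Console.WriteLine(Open(new string(tampered), alice.PrivateKey, bob.PublicKey) ?? "rejected");
    }
}
```

Under this framing the nonce and tag add 40 bytes before Base64, so a single 160-character SMS carries at most 80 bytes of plaintext; longer messages span several SMS segments.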

So what’s the point?

Let’s get this absolutely straight – I did not write this app so that bad people could communicate with each other about bad things. That’s not the point I’m trying to make here.

The point is that the encryption genie is out of the bottle and it cannot be put back in. It’s just math!

“…it’s a proof of concept and lacks polish but that’s not the point”

If the world’s Governments think that outlawing the use of encrypted messaging applications is going to stop bad people from using them then they are frankly deluded.

This app took me a couple of weeks of evenings to put together – sure, it’s a proof of concept and lacks polish but that’s not the point. The point is that if I can write this in a couple of weeks as an investigation, what could others with a more sinister mindset achieve?

The general public are, generally, good people. So why should we all be treated as if we are criminals?

When privacy is criminalized, only criminals will have privacy.

Daniel Suarez, Change Agent

Our privacy is being eroded because of a small minority of bad people. Laws are being passed that target a tiny proportion of people but affect us all.

You may be surprised to know who can currently request (demand?) access to your internet browsing history from your Internet Service Provider. Some are obvious, GCHQ and the Home Office, but I’m still at a loss as to why the Welsh Ambulance Services National Health Service Trust would need access to such information. And this is all without considering the security and accessibility of this data – is it just the agencies on this list?

OK, so how do I get the app?

As previously mentioned, this is a proof of concept and nothing more than that.

The user interface is basic and pretty ugly (no attempt has been made to style the app beyond some basic layout). The code could do with refactoring and cleaning up.

It certainly is not ready for the Google Play Store (development was Android only) and I have zero intention of making it so. That is not the purpose of this exercise.

What I have done is to make the source code fully Open Source and available on Github.

If you want to submit pull requests to fix problems or improve the app then please feel free to do so – but do bear in mind that it will never be my intention to release this as a production app via the Google Play Store.

By the way – did I mention that Shhh.SMS is only a Proof of Concept? Good, just checking 🙂

That’s All Folks – I’m Out!

TLDR; I’m another statistic – IR35 and the Covid-19 outbreak have forced me into a position where I have to close down my contracting company and seek alternative employment.

Image Copyright of Warner Brothers

Well, that’s that! Today I instructed my accountant to ‘Pull the Pin’ on my company and start the process of winding it up. A sad but somehow inevitable day for me – I’ve seen it coming for a month or so but it’s not easy being here now.

I’ve been contracting through my limited company for the last 9 years and in that time I have worked on numerous projects across numerous sectors – an experience that has, I believe, left me a better developer than I would otherwise have been. I have no regrets – none!

But a combination of unfair tax legislation and a worldwide pandemic have left me in an untenable situation – while the company might (just might) survive the Covid-19 Lockdown the specter of IR35 looms large on the horizon and I’d rather take a different fork in the road instead of heading into more uncertainty.


Online Tool: UnminifyCode

If you’re a web developer, regardless of what programming language you are using, you’ll be familiar with minified CSS, Javascript and HTML files. For the uninitiated these are files which have had unnecessary whitespace, line breaks and formatting removed with variable/function names shortened where applicable.

While this results in files that are difficult for humans to read, browsers are still able to load and parse the data (unless the minification process has been a bit heavy-handed).

These files are normally used in preference over the unminified versions because of the reduced file size – making for quicker page load times.

That’s all well and good, but what happens when all you have is a minified file, from say a third party library, and you want to edit or, in the case of Javascript, add breakpoints to debug one of these files?


Getting stuff done under Lockdown

As we enter week six of the Covid-19 lockdown here in the UK I am still ‘between contracts’. I’ve had a handful of video interviews but these haven’t led anywhere yet – but I’m not sitting around idle.

Notwithstanding the decorating, gardening and spring-cleaning (of office and summerhouse – I’m not trusted to attack the house itself) I have been hitting Pluralsight online tech training hard for the past few weeks.

Taking the time to get up to speed with the most recent changes in .NET Core, Blazor and Xamarin were an initial target for my attention but I’ve subsequently moved on to those courses that I had bookmarked thinking – “that would be interesting/useful to look into if I ever get time”. Well now I have the time.


Covid19 – A Privacy Warning

In these weeks of lockdown in the UK due to Covid-19 there have been a number of incidents of the police overstepping their powers;

The police chief was forced to u-turn in his threat while the forces involved with the other two incidents say that the officers were ‘well intentioned but over zealous’ – but to my mind, that’s not the point.

The point is that there will always be people in a position of authority or power who overstep their remit – and when it comes to our privacy that’s not a good thing.


Covid-19 Support Response – Update

In my previous post I stated that ‘As Directors we are not able to furlough ourselves and therefore would not be eligible for the Government’s Covid-19 Job Retention Scheme‘.

I also said ‘the details of these measures are still coming out and there is a great deal of confusion so what I’m about to write may well change going forward‘ – and it has (although a bit quicker than I expected).

If you don’t know who Martin Lewis is then check out the Money Saving Expert website. Basically, when this guy says something, especially when it’s all in CAPS, then he’s checked and double-checked the facts. He wouldn’t make this kind of statement without being absolutely sure.

If he says that Limited Company Directors CAN furlough themselves – even if they are the sole employee of the company, then that’s good enough for me.


Covid-19 Support Response

Update: 28th March 2020

With the UK in lock-down due to the CoronaVirus (Covid-19) everyone is justifiably concerned about their jobs and their income.

In an unprecedented move the Chancellor, Rishi Sunak, has announced a raft of measures from mortgage holidays, deferment of tax payments as well as packages to pay 80% of people’s income (or £2500/mth).

As wide reaching as the measures are the contractor community is up in arms because we appear to have been left out in the cold.


IR35 – Delayed; but not forgotten

Yesterday (17th March 2020) the Government announced that they would be postponing the rollout of IR35 changes into the private sector due to the Coronavirus outbreak.

Despite the Minister referring to ‘off roll payroll working rules‘ (maybe indicating that he has no real idea what they are) he confirms that the changes will be tabled again ready for implementation in April 2021.

This comes far too late for many genuine contractors and associated services such as accountants who have had to close their businesses down as clients imposed blanket bans or ‘Inside’ determinations requiring the engagement of Umbrella companies and significant reductions in income.

It also comes the day after HMRC provided evidence to the House of Lords and were found seriously wanting in their response to scrutiny. While the House of Lords cannot force Government to defer the bill we have to hope that this contributed to the decision to pause the rollout (regardless of what they say).


Using Fonts for Icons in Xamarin.Android

I’m currently working on a new privacy application for Android and in a previous post I guided you from the Xamarin.Android Drawer Navigation project template to something that actually worked (as in you could actually use the pretty navigation provided by the template).

Now I wanted to change the menu items to something more relevant with some appropriate icons – I mean, how hard can that be right?

Well, as with everything in development these days – things are not always as easy as they seem to be.


IR35 and the Implosion of the Contracting Market

When I checked Twitter this morning my heart sank – I was watching the new Chancellor (Rishi Sunak) regurgitate the HMRC view of IR35 and the changes to be rolled out into the private sector in April.

He was essentially announcing the Death Knell of Flexible Working as we know it – the contract market will shortly implode even further than it already has.

We, the contracting community, had hoped that the fresh faced minister would pause the roll-out and call for the review that was promised ahead of December’s election.

Instead he stated “it’s not fair to all the people who is employed that someone else who is doing the same job is paying less tax” – the cornerstone of the HMRC argument for making the changes.

On the face of it that may be a reasonable stance to take – but they are not comparing apples with apples here (and they damn well know it).


Book Review: Mastering Xamarin.Forms

It may sound odd but from time to time I get approached to review a book which is either due to be or has just been published.

I say odd because I’m just a regular developer – not a podcasting rockstar (or even a blogging one). Why would my opinion be worth a free copy of a book?

Maybe it’s because I’m just a regular developer – just like most of us.

Some of these I let pass me by, especially if I have no real interest in the content, i.e. a technology that I am not using and have no plans to use – F# for example. I frequently say that ‘you have to pick your fights when it comes to technology – you can’t win them all’.

So, when Packt asked if I would review this book it made me wonder:

“How much of a master can I be after reading a book that’s ‘only’ 200 pages?”.

I’m certainly not belittling the author’s efforts, but I have a Microsoft Press book ‘Creating Mobile Apps with Xamarin.Forms‘ which is more than twice that length and that doesn’t claim to be able to make me a ‘Master’.
