Monday, March 31, 2014

WiFi configuration profile for various platforms

iOS & Mac
We can use the .mobileconfig provisioning file for managing the profile which includes 

Android devices 
Based on some searches, Android profile management works mainly through the profile management APIs.
There are a few apps which do this in combination with a server.


Almost all of the management classes are available from API level 1 onwards (or, to be safe, we can assume API level 10 onwards with all of their functionality), except WifiEnterpriseConfig, which is available from API level 18 and above.

Many of the well-known apps which offer remote management of the Wi-Fi profile rely on an app installed on the device, e.g. TeamViewer QuickSupport: https://play.google.com/store/apps/details?id=com.teamviewer.quicksupport.market
There is also a set of apps in the store which take the Wi-Fi configuration from the user once and then auto-connect when the network comes in range, much like our WFF Android app does.


We can also use a QR code to distribute the Wi-Fi settings: encode the Wi-Fi settings in a QR code and hand that out. A number of QR code generator SDKs are available too. Once the Wi-Fi details are obtained from the QR code, we can offer the option to connect to the Wi-Fi network using the available APIs. The Barcode Scanner app for Android already does this: http://www.addictivetips.com/mobile/connect-to-wifi-networks-by-scanning-qr-codes-with-barcode-scanner-android/

Friday, March 28, 2014

Google Drive API

Google Drive is Google's file storage and synchronisation service. It allows users to have cloud-based file storage, collaborative editing and synchronisation. Files can be stored publicly, in which case the Google search engine picks them up for search indexing.

Google provides client software for most of the well-known platforms so that files are synchronised periodically. The space available to a user in cloud storage is shared among various applications such as Gmail, Picasa, Docs, etc.

As an aside, it was interesting to read that Google's famous web app Google Docs came from a four-person company called Writely, which was acquired by Google. Google Spreadsheets also came from another acquired firm, 2Web Technologies.

Now on to the programming aspects. Below are a few notes made after going through the samples and articles in order to fully utilise the API features.

To enable the API, I had to go to the Google API console and enable the Drive API. I saw another permission for the Drive SDK and enabled that too, but it is not really required unless creating web apps that require Google Drive access.

The main APIs available in this SDK are below.


GTLQueryDrive => This class is the common query class for the various Google Drive SDK requests.
For example, in order to get the list of files already available, the code segment is below.

GTLQueryDrive *queryDrive = [GTLQueryDrive queryForFilesList];

The query needs to be sent with the GTLServiceDrive class's executeQuery method. This method takes a completion block which receives the GTLServiceTicket and the list of files as a GTLDriveFileList parameter. Applications can list the files by iterating over the GTLDriveFileList.

In order to save contents into a Drive file in the cloud, the procedure is below.

// fileContent is the NSData to upload; self.driveFile holds the file metadata (title, parents, etc.)
GTLUploadParameters *uploadParameters =
    [GTLUploadParameters uploadParametersWithData:fileContent MIMEType:@"text/plain"];
GTLQueryDrive *query = [GTLQueryDrive queryForFilesInsertWithObject:self.driveFile
                                                   uploadParameters:uploadParameters];

[self.driveService executeQuery:query completionHandler:^(GTLServiceTicket *ticket,
                                                          GTLDriveFile *updatedFile,
                                                          NSError *error) {
    if (error == nil) {
        // updatedFile carries the metadata of the newly created Drive file
    } else {
        NSLog(@"Upload failed: %@", error);
    }
}];

This is going to be a pretty useful feature, with the wide variety of APIs available.

References:

https://developers.google.com/drive/ios/





Wednesday, March 26, 2014

iOS working with Layers

What is a CALayer?

CALayer manages image-based content and allows a developer to perform animations on that content. Layers are often the backing store for views, but they can also be used without views to display content. A layer's main job is to draw the contents that we provide, but the layer itself has attributes that can be set, such as background color, corner radius, etc. A layer also contains information about the geometry of its contents, which is what makes transformations possible.

A layer can be created by a UIView object or explicitly using the [CALayer layer] method. In the former case, the UIView itself is the delegate and we should not change this relationship; if the layer is explicitly created, we can set a delegate object.

To access the CALayer from a view, the below method can be used

 CALayer *mylayer = myview.layer;

The above is mainly used to draw a shadow around an image view or something similar.

If using a CALayer on its own, i.e. not taken from a UIView, we can use any of the subclasses such as CAGradientLayer, CATextLayer, CAShapeLayer, etc.

The code below sets the layer's background color, corner radius and frame.

self.view.layer.backgroundColor = [UIColor orangeColor].CGColor;
self.view.layer.cornerRadius = 20.0;
self.view.layer.frame = CGRectInset(self.view.layer.frame, 20, 20);

It is also possible to create sublayers for layers. The code for this is as below.

CALayer *sublayer = [CALayer layer];
sublayer.backgroundColor = [UIColor blueColor].CGColor;
sublayer.shadowOffset = CGSizeMake(0,3);
sublayer.shadowRadius = 0.3;
sublayer.shadowColor = [UIColor blackColor].CGColor;
sublayer.shadowOpacity = 0.8;
sublayer.frame = CGRectMake(30,30,128,128);

[self.view.layer addSublayer:sublayer];

It is also possible to give an image to a sublayer. The code is like below.
sublayer.contents = (__bridge id)[UIImage imageNamed:@"myimage.png"].CGImage;
sublayer.borderColor = [UIColor blackColor].CGColor;
sublayer.borderWidth = 2.0;

There are also ways to draw custom content inside a CALayer instead of giving it image content. The concept is much like drawing in a view: we need to set a delegate and implement the drawLayer:inContext: method.





Wednesday, March 19, 2014

iBeacon a bird's eye view

iBeacon, as Apple describes it, is a class of low-powered, low-cost transmitters that can notify nearby iOS devices of their presence. iBeacon can also be used on Android. This technology allows an iOS device or other hardware to send iOS push notifications to devices in close proximity.

iBeacon works on BLE (also known as Bluetooth Smart). iOS apps can use region monitoring to get notified when the device comes into the vicinity of a beacon.

The link below gives more details on iBeacon programming in iOS.

https://developer.apple.com/library/ios/documentation/userexperience/conceptual/LocationAwarenessPG/RegionMonitoring/RegionMonitoring.html#//apple_ref/doc/uid/TP40009497-CH9-SW1

Tuesday, March 18, 2014

Apache Tomcat SSL certificate installation

The first step in installing a self-signed certificate is to create a private and public key pair. This can be done with the command below.

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

This first asks for the keystore password. We also need to specify this password in the server.xml file.

It then asks for the details to be included in the certificate: organisation name, first name, last name, state or province.

As a last step, it asks for the key password for the certificate itself. Note that the first password was for the keystore; there can be many certificates in a keystore, by the way.

When creating the keystore, the RSA algorithm is preferred as it provides general compatibility with other servers and components.

The above command will create a .keystore file in the home directory of the user.
 
The next step is mainly to edit the Apache Tomcat configuration file. This one I could not get working in the first shot.

There appear to be two implementations of SSL in Tomcat:

1. The JSSE implementation, which comes with Java 1.4 by default
2. The APR implementation, which uses the OpenSSL engine by default.

As per the SSL guide, any of the below can be configured:

<!-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->


<!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->

OR

<!-- Define a APR SSL Coyote HTTP/1.1 Connector on port 8443 -->

But I could not really find any of these, so I did not do anything specific here.
 
The final step is to configure the connector in the server.xml file. I already had something like the below, without the keystoreFile
and keystorePass entries in the XML, so it looked like the below after the configuration.

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->

 
After the above configuration, I restarted the server, but it threw the error below on the console.

SEVERE: Error starting endpoint
java.lang.IllegalStateException: Unable to initialise endpoint. A previous call to init() failed. See previous log messages for details.
        at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:638)
        at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:865)
        at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:139)
        at org.apache.catalina.connector.Connector.start(Connector.java:1197)
        at org.apache.catalina.core.StandardService.start(StandardService.java:540)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Mar 19, 2014 1:08:34 AM org.apache.catalina.core.StandardService start
SEVERE: Failed to start connector [Connector[HTTP/1.1-8443]]
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.lang.IllegalStateException: Unable to initialise endpoint. A previous call to init() failed. See previous log messages for details.

 
 

Monday, March 17, 2014

CocoaPods what is it?

I happened to learn about CocoaPods recently and thought I'd do some investigation around it. Below are my few notes about what it is and how it works.

CocoaPods, as it is advertised, is the best (?) tool to manage library dependencies in Objective-C projects. Instead of copying some code from GitHub and updating the project with the latest version by hand, CocoaPods does this for the developer.

CocoaPods runs on Ruby, and that is the only dependency one needs to get CocoaPods up and running. This makes it a lot easier because all versions of Mac OS ship with Ruby. The only task needed is to update RubyGems. To do so, the command below can be entered in Terminal.

sudo gem update --system


To declare the dependencies, the lines below go in the Podfile:

platform :ios
pod 'AFNetworking', '0.9.1'

The above installs the AFNetworking dependency at version 0.9.1.

To install the dependencies, the command below needs to be given:

pod install

Once the dependencies are downloaded, it generates a workspace; from then on, use the workspace instead of the project file.

The example below downloads the Nimbus dependency first and then installs the NSAttributedLabel classes:

pod 'Nimbus/NSAttributedLabel'

This is a good tool, in fact. Below is what happens behind the scenes:

- Creates or updates a workspace
- Adds one's project to the workspace if needed
- Adds the CocoaPods static library project to the workspace
- Adds the CocoaPods static library to the project
- Adds the CocoaPods Xcode configuration file to the project
- Changes the app target's configurations to be based on the CocoaPods ones
- Adds a build phase to copy resources from any pods you installed into your app bundle

Anyway, this is cool. It triggers me to think of writing some custom Ruby-based script for my project anyway!!

References:
http://guides.cocoapods.org/using/using-cocoapods.html
http://www.raywenderlich.com/12139/introduction-to-cocoapods

Sunday, March 16, 2014

Certificates and PKI

In public key cryptography, the system works by encrypting information using the public key; the information can only be decrypted with the private key. The common use of public key encryption is to encrypt the traffic of an SSL or TLS connection.

A certificate is a way to distribute the public key together with other information about a server and the organisation responsible for it. A certificate can be digitally signed by a certification authority, or CA. A CA is a trusted third party that has confirmed that the information contained in the certificate is accurate.

Below is the process for getting a certificate from a certification authority.

- Create a private and public encryption key pair
- Create a certificate request based on the public key; the certificate request contains information about the server and the company hosting it
- Send the certificate request along with the documents that prove the identity
- Once the CA is satisfied with the identity, they provide the digital certificate
- Install the certificate on the server and configure the application to use it

As listed above, the first phase of the process is to generate the encryption key pair, and this step is required whether one is creating the certificate oneself or getting it from a CA. When generating the key, we can give a passphrase, which makes it more secure. However, if we do so, services such as the Apache server will require manual intervention to enter the passphrase when they start up.

To generate the key for the CSR, the command below is the one required.

openssl genrsa -des3 -out server.key 2048

To create a new CSR, the command below is given:

openssl req -new -key server.key -out server.csr

This command asks for the passphrase, followed by the company details, site ID (common name), email address, etc. Once the details are entered, the CSR will be created.

It is also possible to create a self-signed certificate:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The above command will prompt for the passphrase, after which the certificate will be stored in the server.crt file.

Installing the certificate is fairly easy:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
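The procedure above, run non-interactively end to end, as an added example (not part of the original post). It keeps the passphrase-protected key, produces the unencrypted copy a daemon needs to start without a prompt (the caveat mentioned earlier), and checks that the certificate really belongs to the key before anything is copied into /etc/ssl. Subject fields and the passphrase are constructed values.

```shell
#!/bin/sh
# Added example: the post's openssl steps in a scratch directory, without prompts.
set -eu

# Creates server.key (encrypted), server.csr, server.crt and an unencrypted
# server.nopass.key inside directory $1.
make_self_signed() {
  dir="$1"
  pass="pass:CHANGE-ME-passphrase"   # constructed; prefer -passout file:... in real use
  subj="/C=GB/ST=London/O=Example Ltd/CN=www.example.com"

  # 1. private key, encrypted with the passphrase (the post's -des3 step)
  openssl genrsa -des3 -passout "$pass" -out "$dir/server.key" 2048 2>/dev/null
  # 2. certificate signing request for that key
  openssl req -new -key "$dir/server.key" -passin "$pass" -subj "$subj" \
    -out "$dir/server.csr" 2>/dev/null
  # 3. self-signed certificate, valid for 365 days (note the -days flag)
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -passin "$pass" -out "$dir/server.crt" 2>/dev/null
  # 4. passphrase-free copy for the daemon, readable by its owner only
  openssl rsa -in "$dir/server.key" -passin "$pass" -out "$dir/server.nopass.key" 2>/dev/null
  chmod 600 "$dir/server.key" "$dir/server.nopass.key"
}

# Prints "match" when the public key inside certificate $1 equals the public
# half of unencrypted key file $2, otherwise "mismatch".
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ "$crt_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Prints "yes" when certificate $1 is self-signed (subject equals issuer).
cert_is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${s#subject}" = "${i#issuer}" ]; then echo yes; else echo no; fi
}

work=$(mktemp -d)
make_self_signed "$work"
cert_matches_key "$work/server.crt" "$work/server.nopass.key"   # match
cert_is_self_signed "$work/server.crt"                           # yes
```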


References:
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html

Wednesday, March 12, 2014

PEAP Authentication in WiFI

PEAP provides a TLS channel for EAP protocols such as EAP-MS-CHAP (Microsoft Challenge Handshake Authentication Protocol).

To enhance both EAP protocols and network security, PEAP provides the following:

1. A TLS channel during client and server EAP method negotiation. The TLS channel helps prevent an attacker from injecting packets between the client and the network access server to cause the negotiation of a less secure EAP type. The encrypted channel also helps prevent denial-of-service attacks.

2. Support for fragmentation and reassembly of messages, which is by default not available in EAP types that lack this facility.

3. Protection against deployment of unauthorised access points, because the EAP client authenticates the certificate provided by the server. In addition, the TLS master secret created between the client and the server is not shared with the access point, so the access point cannot decrypt the messages flowing through it.

4. PEAP allows fast reconnect, which is especially useful for Wi-Fi roaming. With fast reconnect, the delay incurred by authenticating with the RADIUS server or similar backend is avoided when moving between access points that are configured as RADIUS clients of the same RADIUS backend server. This is achieved because fast reconnect does not require a full authentication in such a scenario.

PEAP authentication has mainly two steps:

1. Establishment of a secure TLS channel
2. Over the secure channel, the EAP-authenticated communication

Below are the steps in creating the secure TLS channel:

1. The PEAP client associates with a wireless access point that is a client of a RADIUS server. An IEEE 802.11 association provides open-system or shared-key authentication before a secure association is made between the client and the wireless access point.

2. After the association is done, a TLS session is negotiated between the client and the access point.

3. After the computer-level authentication is successfully completed between the PEAP client and the RADIUS server, a TLS session is negotiated between them. The key derived during this negotiation is used to encrypt all subsequent communication.


References:
http://technet.microsoft.com/library/cc754179.aspx
http://stackoverflow.com/questions/12503057/profiles-installed-by-mdm-service-are-showing-as-not-verified-after-upgrading
https://www.youtube.com/watch?v=pPfwemHBblk

Monday, March 10, 2014

What is X.509?

Having heard about X.509 a lot of times, I thought I'd do some study on what it is. Here are some notes from my attempts to understand the concepts.

X.509 is an ITU-T standard for PKI (Public Key Infrastructure) and PMI (Privilege Management Infrastructure). It defines formats for public key certificates, certificate revocation lists and attribute certificates, and a certification path validation algorithm.

This standard assumes a strict hierarchical system of Certificate Authorities (CAs) for issuing certificates. In the X.509 system, a CA issues a certificate binding a public key to a distinguished name, an email address or a DNS entry.

The main parts of a certificate are: Version, Serial number, Algorithm ID, Issuer, Validity, Subject, Subject Public Key Info, Issuer Unique Identifier, Subject Unique Identifier, Extensions, Certificate Signature algorithm, Certificate Signature.

Below is how the X.509 PKI works:

- When an entity, say www.test.com, wants to have a certificate, it requests a CA such as Verisign to issue one.

- The CA checks the background of the company which owns www.test.com, and after this the certificate is issued.

- www.test.com then places the certificate on its web site.

- When a user downloads the www.test.com pages, the browser checks that the certificate is issued in the name of test and that the web page is test.

- It also checks the digital signature of the certificate. The digital signature of a certificate is generated using the signer's private key and the computed hash of the certificate, and is added to the certificate for later verification. At the certificate user's end, the digital signature is decoded with the signer's public key to get the hash value. If the hash has changed, the certificate has been tampered with.

- As part of the OS installation, certain CA certificates will have been installed on the computer/device. When a certificate is downloaded, the local CA certificate is used to verify whether the certificate is trusted.

Common file extensions for X.509 certificates are:

- .pem (Privacy-enhanced Electronic Mail): a Base64-encoded DER file, enclosed in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
- .cer, .der, .crt
- .p7b, .p7c: a PKCS#7 SignedData structure without data, carrying only certificates and, optionally, CRLs
- .p12 (PKCS#12): may contain certificates and the public and private keys
- .pfx: the predecessor of PKCS#12
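The hierarchy described above, built with openssl as an added example (not from the original post): a constructed "Test CA" stands in for the commercial CA, the post's www.test.com is the subject, and the two checks a browser makes are run against the result, namely that the issuer is a locally trusted CA and that the CA's signature over the certificate verifies. All names and file paths are constructed.

```shell
#!/bin/sh
# Added example: CA-issued certificate for www.test.com and its verification.
set -eu

# Creates ca.crt/ca.key, an issued site.crt for www.test.com and an unrelated
# other.crt inside directory $1.
build_chain() {
  dir="$1"
  # the CA: a self-signed certificate playing the role of the pre-installed root
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # the site's key pair and certificate request (the "request a CA" step)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.test.com" \
    -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null
  # the CA signs the request: its private key produces the certificate signature
  openssl x509 -req -sha256 -days 365 -in "$dir/site.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/site.crt" 2>/dev/null
  # an unrelated CA, standing in for a root the device does not have installed
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Other/CN=Other CA" -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
}

# Prints "OK" if certificate $2 chains to trusted CA certificate $1 (issuer
# lookup, signature and validity period all checked), else "untrusted". This is
# the step where the local CA certificate decides whether a downloaded
# certificate is trusted; the output text is checked rather than the exit code
# because old openssl builds returned 0 on failure.
verify_against() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *) echo untrusted ;;
  esac
}

# Prints the fields from the certificate's structure a relying party looks at first.
describe_cert() {
  openssl x509 -in "$1" -noout -serial -subject -issuer -dates
}

work=$(mktemp -d)
build_chain "$work"
describe_cert "$work/site.crt"
verify_against "$work/ca.crt" "$work/site.crt"      # OK: signed by a CA we trust
verify_against "$work/other.crt" "$work/site.crt"   # untrusted: not signed by that CA
```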

Saturday, March 8, 2014

Creating WiFi Profile for iOS devices

As part of a project at my workplace, I had to investigate how to create a Wi-Fi profile and have it installed along with the app.

The main requirement was this: the client had deployed hotspots across the country, and using the username and password a user had registered with the customer's backend, the user should be able to auto-connect and authenticate to the Wi-Fi hotspot.

There were two parts of the puzzle.

1. How to have the Wi-Fi hotspot automatically appear in the Wi-Fi list without the user worrying about the username, password and SSID details.

2. How to request iOS to auto-connect to a particular secure hotspot, and how to get authenticated for connecting to it.

#1 is achieved using Wi-Fi profiles. An iOS Wi-Fi profile is a file that can specify the SSID, connection authentication information, whether to auto-join or not, etc. A Wi-Fi profile can be created using tools like the iPhone Configuration Utility.

#2. Once the profile has been created using the iPhone Configuration Utility (it is an XML file), it can be deployed on a web server; pointing the Safari browser at that location downloads the profile and installs it.

Once the profile is installed, when the device gets into the vicinity of the hotspot it auto-connects and the user can start using the hotspot.

This approach lets the user remain unaware of the complexity of the connection and authentication steps involved.