Budget Android Phone Security Considerations

The market for Android phones and tablets (plus other devices) is huge, Android is dominating the market at almost 90%, followed by iOS around 10% and rest together less than 1%. Google claimed in May 2017 there are 2 billion active devices worldwide.
IT security for mobile devices is a huge topic and we face similar threats as in the desktop OS landscape with virus, trojan horses, backdoor apps and other malware. Some remarks about this at the end of the article.

The mobile phone manufacturer segment is still dominated by Samsung, followed by Huawei, LG, Motorola, to name a few. A medium range device with decent specs costs around $200 to $400.

Apart from the known brands there is wide range of china produced phones at a partially much lower price. Remark: The famous brands might produce as well in China but you pay a higher price for the brand in some sense.

Wouldn’t it be great to get a phone with good specs for less than $100,- ? Some of the brands are HOMTOM, Cubot, OUKITEL, Jesy, DOOGEE and other never-heard-of names.

The temptation is great to buy one of these phones, but it comes at a price. How do you value privacy and security ? Already end of 2016 these devices made it into the news because of sending user data over to servers in China.

A7_Connections_1

Android Phone connections

Lets get some hands-on and investigate with a current phone. I bought a phone for the sole purpose of development testing, not to use for calls or storing sensitive data. I decided to get a BLACKVIEW A7 PRO, available at U$ 70,- from various online stores.

Blackview A7 Pro Android Phone

The phone casing and screen makes a good first impression, the specs do not need to hide behind other medium range phones:

  • Android 7.0
  • MTK6737 1.3GHz, Quad Core
  • 2GB RAM
  • 16GB ROM
  • 4G/LTE with 2 sim card slots
  • 5″ HD screen

Out-of-the-box it comes with the default Android apps, access to the Google Playstore and without any visible bloatware.

Before getting too much excited lets take a look at the communication this device tries to establish after connecting to the internet. I installed a connection and communication inspection tool, these tools are available on the Playstore too. I do not recommend any specific tools here as some of these tools have questionable permission requests.

It does not take too much time before the device starts communicating with a server based in China.

2017-11-07 17_07_05-Screenshot_20171105-132835.png - Windows Photo Viewer2017-11-07 17_07_26-Screenshot_20171105-122804.png - Windows Photo Viewer

Both domains are registered with a hosting company, but you find plenty of news and forum entries if you google for them.

Most interesting is the pre-installed Beau _t_ ySnap application that is not only invisible as app to the user but permanently running in the background. You can find it with a package inspector. Looking at the permissions the application is not only hidden but also very generous with system access.

2017-11-07 17_12_34-Screenshot_20171106-082101.png - Windows Photo Viewer

Bea_u_tySnap permissions

Needless to say you cant restrict the permissions because it is not visible as app but part of the firmware. It also seem to request for hardware specific permissions.

2017-11-07 17_15_12-Screenshot_20171106-082133.png - Windows Photo Viewer

Lets look at the traffic and the data exchanged, seems the app tries to call home a few time per hour.

traffic2

 

Quite obviously they transmit some basic data un-encrypted, like version, current internet connection (wifi), the phone (A7Pro), timezone, screensize and they created a user id to identify the device (aka its user). IMSI and IMEI are not used, though the fields exist. There are some extra fields with encrypted info, I suspect the soc, scc, noc,.. fields might store the celltower info, which serves the coarse geoloaction even if you have GPS disabled.

The least I could do with this phone without rooting it, is to disable the Be_a_utySnap application. Do this by going to Setttings – Apps, enable the display of system apps, select Be_a_utySnap and disable it.

Besides this app, there is still the A_dU_ps FO_TA app and the M_T_K_Logger which are worth looking at. They cant be disabled. I have not caught them yet transferring data out.

Lessons learned

  • Cheap comes at a price. If you are concerned about privacy and security do not buy or use such a phone as your main device to access sensitive personal data or sites like online banking, etc. If you dont want to be tracked and data sold or given to other unknown parties this phone is not for you either. Though there is no guarantee expensive branded devices are protected or cannot be affected too.
    You can use the phone when you know how to disable the spyware elements (and still be careful) or root the phone and install another OS like LineageOS (which comes with separate risks).
  • Do not download applications (apk files) from outside the Google Playstore as the minimum protection and be careful even you download apps from the Playstore by looking at the permissions of the app. You dont need to get a malware infection if you allow a regular app do retrieve your contacts, phone identity and location without knowing what the company behind the app does with the data. GDPR might be irrelevant and impossible to enforce if the app is provided by a company in some non-EU country and has no proper business entity.

Comments on the Android threats landscape

Unlike in the Windows world where we learned the hard way to deal with virus and malware, pretty much securing the OS after treats materialized. Though the first viruses made their first public appearance in the 1980’s, only in 1990/91 the first serious antivirus products were established.
When Android was born some safe concepts were integrated, and with the newer releases more and more security measures were taken (please refer to the below links). Some key elements:

  • Apps run in a sandbox and cant access the OS.
  • Apps are deployed through a central repository (Playstore)
  • User can can control system access via permissions
  • Controlled inter-app communication

Certainly some user still break this by downloading apk files from outside the store, rooting the device, allowing all permissions, etc.

Recommended Reading

Advertisements

Build an Async Restful Webservice Client in Android in 5min and read BA flight data

In an earlier blog post we build a Restful WS running on Wildfly, now lets build the client part for Android. Thanks to the okHttp, an Apache 2.0 licensed java and Android library, this becomes a very easy challenge. In a mobile application we definitely want to implement a async call as we cannot rely on the response time being fast and a blocked application is not a pleasant user experience.

To make it a bit more interesting for the aviation context of my blog, we will take a real airline webservice and show operational flight data  in the second step.

Step 1: The Basic Webservice Client

Lets get started, I skip the project creation steps, you can create any basic empty Android application.

Add the dependency

..
dependencies {
    compile fileTree(include: ['*.jar'], dir: 'libs')
    androidTestCompile('com.android.support.test.espresso:espresso-core:2.2.2', {
        exclude group: 'com.android.support', module: 'support-annotations'
    })
    compile 'com.android.support:appcompat-v7:24.1.1'
    testCompile 'junit:junit:4.12'
compile 'com.squareup.okhttp3:okhttp:3.9.0'
}

Implement the WS call with a call back

(we use the serverside we implemented previously with 2 parameters)

    private void testOKHttp() {

        OkHttpClient httpClient = new OkHttpClient();
        String callURL = "http://www.yourservername.com/DemoRandomizer/randomservice/random/numberrange";

        HttpUrl.Builder urlBuilder = HttpUrl.parse(callURL).newBuilder();
        urlBuilder.addQueryParameter("min", "10");
        urlBuilder.addQueryParameter("max", "100");
        callURL = urlBuilder.build().toString();

        Request request = new Request.Builder().url(callURL).build();
        httpClient.newCall(request).enqueue(new Callback() {

            @Override
            public void onFailure(Call call, IOException e) {
                System.out.println(e.getMessage());
            }
            @Override
            public void onResponse(Call call, Response response) throws IOException {
                ResponseBody responseBody = response.body();
                if (!response.isSuccessful()) {
                    throw new IOException("Error response " + response);
                } else {
                    String str = new String(responseBody.bytes());
                    System.out.println(str);
                }
            }
        });

    }

It is good practice to block UI features (buttons, etc) that rely on the WS response or use a progress dialogm which is in some way blocking but the user is aware of the ongoing request.

 

// Set progress dialog befor the call
        prgDialog = new ProgressDialog(this);
        prgDialog.setMessage("Please wait...");
        prgDialog.setCancelable(false);
        prgDialog.show();

// remove the call after successful response or error
        prgDialog.dismiss();

Step 2: Client to read British Airways data

device-2017-10-14-092750

Lets gets our hand on some real data and tap into one of the open API’s offered by some airlines and airports, though I have to say that only very few players offer their data for public consumption. I will list some API’s in another blog post. Today we will make use of the British Airways API running on the Tibco Mashery platform. BA offers a variety of flight related data and we look at the flight status webservice. We can use the service for evaluation purpose up to 1 call a second and 500 calls a day, good enough to play with their data. We will collect the status of outbound flights from LHR (London Heathrow) for +/- 2hours. Before jumping into sourcode I recommend using a tool to test the webservice manually, eg. the Chrome Browser Rest Web Service Client extension.

2017-10-14 09_24_58-Rest Web Service Client

Using Chrome extension to get data from BA Webservice

One of the challenges, every API offering might support JSON and XML as WS GET, but the attributes and response format is different, we have to implement for every airline or airport we want to use the data, or add some kind of mapping layer.

For the BA service we have to change to call from step 1 above because we need to add the API key that you apply for under your account, also the parameter are not handled as query parameters but as parameter matrix.

The first code block only lists the relevant parts and the complete code block below adds some extras to handle GUI access, exception handling and the parameter creation.

 private void testWSCall() {

        OkHttpClient httpClient = new OkHttpClient();
        String callURL = "https://api.ba.com/rest-v1/v1/flights;departureLocation=LHR;startTime=12:00;endTime=18:00;";

        Request request = new Request.Builder().url(callURL)
                .addHeader("Content-Type", "application/json")
                .addHeader("client-key", "YOUR_KEY_HERE")
                .build();

        httpClient.newCall(request).enqueue(new Callback() {

            @Override
            public void onFailure(Call call, IOException e) {
                System.out.println("WS Call failed (1):" + e.getMessage());
            }

            @Override
            public void onResponse(Call call, Response response) {
                ResponseBody responseBody = response.body();
                if (!response.isSuccessful()) {
                    final String errRep = "WS Call failed (2):" + response.toString();
		    System.out.println(errRep);
                } else {
                    String str = new String(responseBody.bytes());
		    System.out.println(str);
                }
            }
        });

}
 private void testOKHttp() {

        OkHttpClient httpClient = new OkHttpClient();

        DateFormat dateFormatShort = new SimpleDateFormat("HH:mm");
        Date date = new Date();
        long timeNow = date.getTime();
        long timePlus = timeNow + 120 * 60 * 1000;
        long timeMinus = timeNow - 120 * 60 * 1000;
        Date datePlus = new Date(timePlus);
        Date dateMinus = new Date(timeMinus);

        String callURL = "https://api.ba.com/rest-v1/v1/flights;departureLocation=LHR;startTime=" + dateFormatShort.format(dateMinus) +";endTime=" + dateFormatShort.format(datePlus) +";";
        System.out.println(callURL);

        Request request = new Request.Builder().url(callURL)
                .addHeader("Content-Type", "application/json")
                .addHeader("client-key", "YOUR_KEY_HERE<span 				data-mce-type="bookmark" 				id="mce_SELREST_start" 				data-mce-style="overflow:hidden;line-height:0" 				style="overflow:hidden;line-height:0" 			></span>")
                .build();

        httpClient.newCall(request).enqueue(new Callback() {

            @Override
            public void onFailure(Call call, IOException e) {
                System.out.println("WS Call failed (1):" + e.getMessage());
                prgDialog.dismiss();
            }

            @Override
            public void onResponse(Call call, Response response) {
                ResponseBody responseBody = response.body();
                if (!response.isSuccessful()) {
                    final String errRep = "WS Call failed (2):" + response.toString();
                    mHandler.post(new Runnable() {
                        @Override
                        public void run() {
                            editTextResult.setText(errRep);
                        }
                    });
                    prgDialog.dismiss();
                } else {
                    try {
                        System.out.println("Response " + response.toString());
                        String str = new String(responseBody.bytes());
                        prgDialog.dismiss();

                        final JSONObject svcresponse = new JSONObject(str);
                        int spacesToIndentEachLevel = 2;
                        final String prettyPrintString = svcresponse.toString(spacesToIndentEachLevel);
                        mHandler.post(new Runnable() {
                            @Override
                            public void run() {
                                editTextResult.setText(prettyPrintString);
                            }
                        });

                    } catch (Exception e) {
                        e.printStackTrace();
                        final String errStr = e.getMessage();
                        mHandler.post(new Runnable() {
                            @Override
                            public void run() {
                                editTextResult.setText(errStr);
                            }
                        });
                        prgDialog.dismiss();
                    }
                }
            }
        });

    }

Read My Boarding Pass App

In the previous blog post I discussed the underlying standards of the BCBP (Bar Coded Boarding Pass) following IATA Reso 792. Today I will built an Android mobile app that scans the PDF417 barcode and shows the raw content as well the decoded fields.

The are 3 main challenges for building the app, scanning/reading the barcode and decoding the text to individual attributes and as last, not to use any internet connection (to assure the user the users privacy and avoid any potential identity theft discussions)

As we build a native Android app we can rely on third party libraries to scan and decode barcodes. There is a number of commercial libraries in the market, but as I build a free app I will use the zxing-android-embedded library, which is a port of the ZXing (“Zebra Crossing”) barcode scanning library for Android with added embedding features, ZXing only provides the decoding logic. Both are licensed under Apache 2.0, ZXing can decode all the common types, such as EAN-8, EAN-13, UPC, ITF, PDF417, QRCode, Aztec, Data Matrix and a few more.

Integration Barcode Library ZXing

With the library the integration becomes as simple as adding a few lines of code only.

Add the dependency to the build gradle file

dependencies {
    compile fileTree(dir: 'libs', include: ['*.jar'])
    androidTestCompile('com.android.support.test.espresso:espresso-core:2.2.2', {
        exclude group: 'com.android.support', module: 'support-annotations'
    })
    compile 'com.android.support:appcompat-v7:25.3.1'
    compile 'com.android.support.constraint:constraint-layout:1.0.2'
    testCompile 'junit:junit:4.12'

    compile 'com.journeyapps:zxing-android-embedded:3.5.0'
}

Trigger the scan and read the result

public void scanCode(View view){
        new IntentIntegrator(this).initiateScan();
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        IntentResult result = IntentIntegrator.parseActivityResult(requestCode, resultCode, data);
        if(result != null) {
            if(result.getContents() == null) {
                System.out.println("Scan failed or cancelled.");
            } else {
                System.out.println(result.getContents());
            }
        } else {
            super.onActivityResult(requestCode, resultCode, data);
        }
    }

For now, the app (“ReadMyBoP – Read My Boarding Pass”) does nothing but scan the barcode, identify if it is a valid boarding pass barcode, display the raw content and makes the content more human-readable. You can download from Google Playstore. It works with Android 4.1 and above.
There is one extra feature for now, it decodes the IATA fare codes (First, business, economy classes and the various discounted codes, it follows IATA Reso 728 if you want to look for the complete codeset.

Decoding the Raw Text

Given the fact, this is a fixed-length field text, it is no big deal to split the relevant info by substring’ing it using the decoding table that we started in the previous post. As basic validation we can use the mandatory “M” on position 1 and a length of not less than 59 characters (mandatory fields).

# Element Mandatory Size Sample Remark
1 Format Code M 1 M Always “M”
2 Number of legs encoded M 1
3 Passenger Name M 20
4 Electronic Ticket Indicator M 2 E
5 Operating carrier PNR Code M 7
6 Origin IATA Code M 3 FRA Airport Code
7 Destination IATA Code M 3 SIN Airport Code
8 Operating carrier IATA Code M 3 LH Airline
9 Flight Number M 5 3456
10 Date of Flight M 3 280 Julian Date
11 Compartment Code M 1 B First, Business, Economy
12 Seat Number M 4 25A
13 Check-in Sequence Number M 5 0012
14 Passenger Status M 1 00
15 Size of optional Block M 2 5D hexadecimal
16 Start Version Number 1 > Always “>”
17 Version Number 1 5
18 Field Size of follow ing structured message 2
19 Passenger Description 1
20 Source of check-in 1
21 Source of Boarding Pass Issuance 1
22 Date of Issue of Boarding Pass (Julian Date) 4
23 Document Type 1
24 Airline Designator of boarding pass issuer 3
25 Baggage Tag Licence Plate Number 1 13
26 Baggage Tag Licence Plate Number 2 13
27 Baggage Tag Licence Plate Number 3 13
28 Field Size of follow ing structured message 2
29 Airline Numeric Code 3
30 Document Form/Serial Number 10

Is there a roadmap ? For sure, if I find the time I will add the optional fields, an airline and airport code dictionary (must check the size of a local sqllite db if we want to stay offline). Maybe add baggage tag reader feature and local barcode image storage for boarding. Stay tuned !

readmybop1.2

Application Disclaimer: The application is for educational and research purpose. It is provided as-is, no warranty included. It does not transmit data over the internet and does not store any data upon exiting the app.

What’s in my boarding pass barcode ?

Since more than 10 years passengers are used to the barcode imprinted on the traditional ticket boarding pass slip, the home printed boarding pass or the boarding pass displayed in the mobile app provided by the airline. To be more precise the 2004 IATA Passenger Service Conference approved Resolution 792 setting the BCBP (Bar Coded Boarding Pass) standard as part of the STB (Simplify The Business) program.

The barcode simplifies passenger handling as the barcode can be read automatically by barcode readers along the passenger journey for bag-drop, security check area access and boarding. It significantly reduces the error rate to the time before barcode and eventually saved millions of Euros/Dollars due to mishandling and delays. Today we see self-boarding gates that remove the need for an agent, though business and first class passenger are still welcomed by a human gate agent. Btw, the magnetic stripe on the back of the old tickets expired in 2010.

Old Passenger Ticket without barcode (Image Public Domain)

The BCBP standard defines PDF417 (public domain standard, no fees or licenses) as the barcode symbol format as well defines the encoded content. The content in the barcode contains the same information as printed on the standard boarding pass, though some airlines omit information on the self-printed version in favor of simplicity, some extra info is optionally encoded.

2017-10-07 06_47_41-Boarding-Pass Barcode Aztec QR Generator

Sample PDF 417 barcode

M1SMITH/JOHN          EHJK345 FRASINLH 3456 280C015A0001 100

The standard covers 3 additional barcodes that are not used for printing, but used for mobile apps, these are Aztec and QR Code.

The encoding is straight foward using fix-length fields and the code can carry up to 4 legs of a journey.

Element Size Sample Remark
Format Code 1 M Always “M”
Number of legs encoded 1 1
Passenger Name 20
Electronic Ticket Indicator 2 E
Operating carrier PNR Code 7
Origin IATA Code 3 FRA Airport Code
Destination IATA Code 3 SIN Airport Code
Operating carrier IATA Code 3 LH Airline
Flight Number 5 3456
Date of Flight 3 280 Julian Date
Compartment Code 1 B First, Business, Economy
Seat Number 4 25A
Check-in Sequence Number 5 0012
Passenger Status 1 00

These are the mandatory fields, there are additional optional fields and blocks for baggage info, document info, frequent flyer number or security data.

To be noted, the IATA PADIS XML message standard shall be used for the exchange of BCBP data between systems, defined in Resolution 783 – Passenger and Airport Data Interchange Standards.

I like to add also, the printed barcode is the current common nominator for international travel, but there are initiatives on the way to simplify the passenger journey even further with newer technology such as biometric ID’s and identity management, eg. IATA OneIdentity Initiative.

In the next post we will assemble a simple Android application to read the boarding pass barcode. Stay tuned.

Disclaimer: The information provided here might not be correct or complete. It is for educational purpose only. For reliable information please refer to the IATA manuals.

IATA Type B Bag Messages and Baggage Messaging Refresher

There is quite some movement in baggage handling and its associated messaging needs and requirements at the moment.  Though the IATA recommended practices RP 1745 and RP 1800 are around for quite a while, the IATA Resolution 753 (baggage tracking and custody) has to be implemented by June 2018 and the new BAG XML message standard is shaping up and will most likely released first time in 2017. Traditionally any handling of baggage requires a type-B message to be sent to the relevant parties. This is a push-based approach and due to the nature of type-B messages prone to errors (format) and accumulate costs by the distributing network operators and its transaction based charges. According to a IATA study/business case in the year 2012 26 million of bags have been mishandled, mostly for transfer bag handling and a good share of this is caused by missing or wrong messages.

This article is meant to provide an overview or general introduction, aka baggage messaging for starters. Baggage Handling is very complex process with dependencies and actors, including airlines, airport, handling agent and eventually the passenger and his baggage.

Main Systems involved in the process of baggage handling

DCS Departure Control System
BHS Baggage Handling System
BRS Baggage Reconciliation System

DCS
The Departure Control System is the operational backbone of every airline. It supports the check-in, baggage acceptance, boarding process and other related activities like load control, immigration.

BHS
The Baggage Handling System (usually owned by the airport) is a complex system of conveyor belts, chutes and bag drops that transports and buffers any checked-in luggage. It ensures that luggage that is checked-in, transferred or received from arriving flights is tracked, counted, scanned, screened and transported to the right bag chute or belt.

BRS
The Baggage Reconciliation System, usually used by the handling agent, helps to match passenger, bag, flight and container.

Traditional Type-B Messages for Baggage Handling (defined in IATA RP 1745)
RP 1745 defines the formats of the messages exchanged between the systems for automated baggage and passenger reconciliation, baggage sortation and other baggage services.

BTM Baggage Transfer Message
BSM Baggage Source Message
BPM Baggage Processed Message
BUM Baggage Unload Message
BNS Baggage Not Seen Message
BCM Baggage Control Message
BMM Baggage Manifest Message
BRQ Baggage Request

Baggage Tag Number or License Plate Code
A unique 10 digit number as reference for each piece of baggage, defined in IATA RP 740.
The bag tag number is part of the baggage messages.
According to resolution 751, effective June 1st 2013, the format contains only numbers.
Sample: 0220208212 (0-220-208212)

1 1 digit Leading digit 0
2 3 digit Airline code 220 Lufthansa
3 6 digit Bag number 208212

The printed barcode is a regular ITF-14 code, any smartphone can read the barcode. The number is also printed on the bag tag.

KLM is printing a “KL” in between but the barcode only contains numbers. “074” for KLM.

BTM
The Transfer Message contains bag information for the outbound carrier of incoming transfer passengers. Part of a through check-in transaction.

BSM
The Source Message is sent from the DCS to the baggage handling system upon checkin at the airport or bag drop.

BPM
The Processed Message is an status update sent locally, eg. baggage handling to carrier. BPM’s are often batched.

BUM
The Unload Message is the instruction to unload (or not to load) a specific bag, eg. no-show PAX at the gate.

BNS
The Not Seen Message contains bag info for baggage that could not been transported together with the passenger.

BCM
The Control Message serves secondary level information, such as
BAM Baggage Acknowledgement
FOM Flight Open
FMM Final Match
DBM Delete Baggage

BMM
The Baggage Manifest contains baggage details for down line stations.

BRQ
The Baggage Request asks for bag info from a baggage handling system.

Sample Message
A very simple sample of a transfer message

BTM
.V/1TOFRA
.I/LH123/14OCT/CPH
.F/LH234/14OCT/SIN
.N/0220588615021
.P/SMITH/JOHN   
.L/7FABC
ENDBTM
1 .V Version and suppl. data Transfer Station FRA (Frankfurt)
2 .I Inbound Flight Number and date CPH (Copenhagen)
3 .F Outbound Flight Number and date SIN (Singapore)
4 .N Baggage Details 10 digit bag tag id 0220588615021
5 .P Passenger Name John Smith
6 .L PNR Passenger Name Record 7FABC

Message Flow for interline flight

The below is rather simplistic view (sunshine scenario) of the messaging that happens around bag management for a 2 segment interline flight with through-check-in of bags.

Message Flow for interline flight
A passenger is flying on LH 401 from JFK to FRA and SQ 025 from FRA to SIN. An interline flight with baggage checked through Singapore.

Relevant Documentation or References

IATA RP 1745 Baggage Service Messages
IATA RP 1796
Baggage System Interface
IATA RP 1701f
Self Service Baggage Process
IATA RP 1800
Baggage Process Description for Self-Service Check-in
IATA RES 753
Baggage Tracking

Online References
Remark: Most of the IATA documents are not available freely and have to be purchased, here only links to public documents or pages.

IATA RES 753 https://www.iata.org/whatwedo/stb/Documents/baggage-tracking-res753.pdf
IATA BAG XML Initiative
http://www.iata.org/whatwedo/ops-infra/baggage/Pages/baggage-xml.aspx

Disclaimer: The information provided here might not be correct or complete. It is for educational purpose only. For reliable information please refer to the IATA manuals.

MOOC – E-Learning on Steroids

Hardly any industry is moving as fast as the IT industry. While your operational experience and knowledge of the vertical domain you are working in, is growing naturally along your career, it is not the same for IT. For example the airport environment, the underlying basics and physics of handling aircrafts, planning flights, etc. are exposed to changes, innovations and challenges, look at the A-CDM program, it took quite some years to take off and become main-stream, that is a much slower than any new general IT technology or platform soaring. Though this industry is picking up speed too and the boundaries between the digital and physical world start to blur more and more, airports are running digital transformation programs, though passengers still flying in the physical world.

But on the IT side of things, the speed is way beyond breath-taking and it is hard to keep a minimal overview over many areas of IT concerns as well dive into specific topics. How to stay up-to-date and tune into relevant topics ? Books (ink and electronic versions) and forums are certainly the traditional approach, on top of that you join conferences and in-persons seminars and training (which comes at a cost and time spent).

Since the 2000’s online courses came into the picture, as the successor for e-learning, and allow a much bigger audience to learn new technologies, skills and more. The very positive part, there are lots and lots of free courses, most platforms offer free and commercial courses, sometimes free to participate and only charge a fee if you want to get an official certificate (one can argue about the value of such certs) but most important, you can learn and move forward and update your knowledge with the click of a button.

The big challenge though is to identify what you need or interested in, find the right courses and, most important, manage your time. Using your spare time you have to choose wisely, you can’t run for every course out there, even they are so many you are interested in and you are temped to sign up for a dozen of courses, only not to finish any of them.

Todays key-/buzzword for this is MOOC or Massive Open Online Courses. This is like e-learning on steroids, in the past you had to look at dull corporate slides pretty much by yourself, now we look at videos, reading material online and offline, interactions with the organizer, mentor, trainer or your virtual peers at various levels.

Not only the organizations that started online learning, like schools and universities, are into the game, as well companies operating specific online course platforms and now book publishing companies offering courses and finally professional social platforms like LinkedIn.

I attended online courses at Coursera and Udacity, which offer a broad range of topics, and now started with some specific courses on HCI and UX at Interaction Design Foundation which solely offers courses on UX, HCI, Visualization and related topics. Though the courses are unattended (except the rating of your text answers or comments) but repeating, you still have a motivation to participate and go though the lessons because you pay money and they help you pacing the whole course by releasing the lesson packages over time.

Stay tuned for the results.

Build a RESTful Webservice in less than 5 minutes

There are quite some tutorials around about building and exposing a RESTful Webservice, but some of them are outdated and make you wade through complex dependencies and tinkering with deployment descriptors and web.xml files. But using RESTeasy, the JBoss implementation that is fully compliant with the JAX-RS 2.0 JCP specification, and Eclipse you can build a simple webservice (“hello world”) with less than 10 lines of sourceode with annotations and no web.xml used in a few minutes and run it on Wildfly.

Lets build a webservice that creates random numbers.

Continue reading