Exclude items from iOS backup and restore

1. File and folder
application can apply property NSURLIsExcludedFromBackupKey to exclude file or folder item from itune/icloud backup and restore.

 NSURL* URL= [NSURL fileURLWithPath: filePathString];

 NSError *error = nil;
 BOOL success = [URL setResourceValue: [NSNumber numberWithBool: YES]
                                  forKey: NSURLIsExcludedFromBackupKey error: &error];


2. NSUserDefault
NSUserDefault items are always included in the backup and restore and cannot be excluded.


3. KeyChain
The following three attributes can be used to prevent the keychain items be restored to other devices. The values can be set as kSecAttrAccessible attribute in the secItemAdd method

Sample:
[dict setObject:kSecAttrAccessibleAlwaysThisDeviceOnly forKey:kSecAttrAccessible];

kSecAttrAccessibleWhenUnlockedThisDeviceOnly
Keychain item is accessible only after the device is unlocked and the item cannot be migrated between devices.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
Keychain item is accessible after the first unlock of the device and the item cannot be migrated between devices.
kSecAttrAccessibleAlwaysThisDeviceOnly
Keychain item is accessible even the device is locked and the item cannot be migrated between devices.

Share and record ios screen on mac with QuickTime Player

1. connect ios device with mac using usb cable
2. open QuickTime Player app from mac, click done button on the dialog prompted by QuickTime player.
3 click QuickTime Player's File->"New Movie Recording" menu, it should show you a recording config screen.
4 Move the cursor into the config screen, and select the down arrow on left of the red dot and select your device

5.The device screen should show on mac screen, you can also record the device screen by clicking on the red dot to start. Click it again will stop the recording.

Cross-Site Request forgery (CSRF) and Corss-origin-Resource-Share (CORS)

As mentioned in http://jonathanblog2000.blogspot.ca/2015/09/http-cross-origin-request-and-http.html, CORS is for preventing malicious javascript code to access response returned from a different domain, so even if user are tricked to open a malicious web page, it cannot load the response returned from user's real server. This is mostly implemented by enforcing the "Access-Control-Allow-Origin" header on client side.

Cross Site Request Forgery (CSRF), on other hand, is for a different kind of attack, it leverages the fact that browser automatically sends the cookie including authentication cookie with the request to the same server, so if the server based on the authentication cookie to validate the request, then the server will accept the malicious request as a valid one. In this case, the malicious request is sent from the same browser instance triggered by a link in an email or a different web page, CORS will not prevent this kind of attack, as the attacker does not need to get the response for his purpose. As long as the request is processed by server, then the attach is achieved.

To avoid the CSRF attack, the server needs to use something to validate the client request other than session cookie, for example, a http header for CSRF token returned from server will be a good choice. The idea is when the app sends any update (POST, PATCH) request to server, this CSRF header needs to be included by javascript code, so the server can valid the request by checking this particular header.  The request will be executed only if the header is correct.

Note, although malicious code can trick user to send a Get requests to the real server, but it cannot get or parse the server response to find the CSRF token from the response, as the malicious js code is loaded from a different domain, and CORS limitation will block it to load the response returned from the real server. So the malicious code can never send a post request with the CSRF token in it to pass the server side check.
  

HTTP Cross Origin request and HTTP access control (CORS)

For http content loaded from one domain (protocol, host, port), it may have link to request from a different domain, such as an image, a css stylesheet or script. This is very common usage.

However, when using a script to send a request to a different domain, it will expose a security risk as unlike web link, malicious script code can inject request to server without user's acknowledge.

To avoid sending cross origin request from script, browser on client side enforces HTTP access control (CORS) based on server response. The server response includes the header of
Access-Control-Allow-Origin: *
which indicates the response can be accessed by which domain in a cross-site manner. The Access-Control-Allow-Origin header should always include the request's Origin header to allow the original web page to access the response, but it can also add another domain into it, or set * to allow all domains to access it.

Note although the server returns the Access-Control-Allow-Origin header to help client to enforce CORS control, it is the browser (not the server) that checks and enforce the restriction. The server will always return the requested resource to client regardless the request data.

Cordova core plugin list

When creating a cordova project, it just adds the core function to bridge the javascript (cordova.js) API to the native API. And you need to add the cordova core plugins to access native operating system functionality such as the accelerometer, camera, compass, the file system and others. The core plugins are developed by the Apache Cordova team, and are updated and improved with each new version.

You can also add other third party plugins registered at http://plugins.cordova.io/npm/index.html to your project, but you need to be careful about the quality of the third party plugins, unless they are developed by yourself. So you should always check the core plugins first before looking at third party plugins or implementing a new plugin by yourself.

When searching at http://plugins.cordova.io/npm/index.html, the core plugins has a blue bar at the left as shown below

To make it easy the full core plugin list is added below:

cordova-plugin-battery-status

cordova-plugin-camera

cordova-plugin-console

cordova-plugin-contacts

cordova-plugin-device

cordova-plugin-device-motion

cordova-plugin-device-orientation

cordova-plugin-dialogs

cordova-plugin-file

cordova-plugin-file-transfer

cordova-plugin-geolocation

cordova-plugin-globalization

cordova-plugin-inappbrowser

cordova-plugin-media

cordova-plugin-media-capture

cordova-plugin-network-information

cordova-plugin-splashscreen

cordova-plugin-statusbar

cordova-plugin-vibration

cordova-plugin-whitelist  

Fail to empty trash folder on mac

Sometimes the trash folder is unable to empty for some reason. If it happens, using the below methods to empty it
1. click opt and shift key and right click the trash icon and then select secure empty trash
2. if that does not work, then open terminal, and type
chflags -R nouchg 
with a space after it. Then open trash folder in Finder and select all files and drag&drop files to the terminal to unlock the files
3. Repeat the step 1 again to empty the trash