Friday, October 30, 2015

Fix Mac boot hanging due to missing var/folders

Although "/var/folders" (or "/private/var/folders") holds "per-user temporary files and caches", and its content can be cleaned by the system at any time, the var/folders directory itself cannot be deleted. After I accidentally deleted the var/folders folder from my mac, the box could not reboot successfully.

By restarting the mac in single user mode (pressing Command+S) in the unix shell, I tried to add var/folders back; however, the mkdir failed as the folder is mounted as read-only. Unfortunately, chflags does not work in this case.

The rescue is
mount -uw /

which will mount the root filesystem as read-write. After that, mkdir can successfully create var/folders again, and the mac can reboot properly. The strange thing is that you can delete var/folders using Finder, but you cannot put it back or create a new var/folders folder using Finder.

Sunday, October 18, 2015

Android Studio build issues - gradle proxy, file path size, etc

1. When running Android Studio on Windows, the Gradle build may fail with an error of "No Resource found that matches ..." or "unable to open file ...".

One possible cause of the error is the limit on the maximum length of a file path. To fix the issue, move the project close to the root folder of the current drive, instead of leaving it in a deeply nested subfolder.


2. Android Studio only builds the armv7 APK when running the app on an emulator
In build.gradle, locate the productFlavors item and remove the "armv7" element


3. Set a proxy for Gradle
Create a text file named gradle.properties, put it under the project's root folder, and give it the following content:

systemProp.http.proxyHost=proxy.phl.sap.corp
systemProp.http.proxyPort=8080
systemProp.https.proxyHost=proxy.phl.sap.corp
systemProp.https.proxyPort=8080


4. For the error "Unable to execute dex: method ID not in [0, 0xffff]"

You need to enable multiDex with the steps below:
First, update the android defaultConfig
android {
   defaultConfig {
      ...
      multiDexEnabled = true
   }
}

Then, add the multidex dependency
dependencies {
  ...
  compile 'com.android.support:multidex:1.0.0'
}


5. For the out-of-memory GC error
Add the options below in the android block
dexOptions {
    incremental true
    javaMaxHeapSize "4g"
}

Friday, October 16, 2015

Show and copy android screen from device to mac

1. Download droidAtScreen-1.2.jar from http://droid-at-screen.org/
2. Connect the Android device to the mac and configure your device to allow USB debugging (Settings -> Developer options -> USB debugging)
3. From the command line, run
java -jar droidAtScreen-a.b.c.jar

Monday, October 5, 2015

How to move android emulator screen on Windows 8

1. Select the Android emulator screen with the mouse
2. Press ALT+SPACE
3. While the mouse is shown as a + sign, select the Move menu
4. Release the mouse button, and use the up, down, left or right key to move the emulator screen
5. After pressing any direction key, you can also use the mouse to move the emulator screen

Sunday, September 27, 2015

Exclude items from iOS backup and restore

1. File and folder
An application can set the NSURLIsExcludedFromBackupKey property to exclude a file or folder item from iTunes/iCloud backup and restore.

 NSURL* URL= [NSURL fileURLWithPath: filePathString];

 NSError *error = nil;
 BOOL success = [URL setResourceValue: [NSNumber numberWithBool: YES]
                                  forKey: NSURLIsExcludedFromBackupKey error: &error];


2. NSUserDefaults
NSUserDefaults items are always included in the backup and restore and cannot be excluded.


3. KeyChain
The following three attributes can be used to prevent keychain items from being restored to other devices. The values can be set as the kSecAttrAccessible attribute in the SecItemAdd call.

Sample:
[dict setObject:kSecAttrAccessibleAlwaysThisDeviceOnly forKey:kSecAttrAccessible];

kSecAttrAccessibleWhenUnlockedThisDeviceOnly
Keychain item is accessible only after the device is unlocked and the item cannot be migrated between devices.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
Keychain item is accessible after the first unlock of the device and the item cannot be migrated between devices.
kSecAttrAccessibleAlwaysThisDeviceOnly
Keychain item is accessible even when the device is locked and the item cannot be migrated between devices.

Wednesday, September 23, 2015

Share and record ios screen on mac with QuickTime Player

1. Connect the iOS device to the mac using a USB cable
2. Open the QuickTime Player app on the mac, and click the done button on the dialog prompted by QuickTime Player.
3. Click QuickTime Player's File->"New Movie Recording" menu; it should show you a recording config screen.
4. Move the cursor into the config screen, select the down arrow on the left of the red dot, and select your device
5. The device screen should show on the mac screen. You can also record the device screen by clicking the red dot to start; clicking it again stops the recording.

Monday, September 21, 2015

Cross-Site Request Forgery (CSRF) and Cross-Origin Resource Sharing (CORS)

As mentioned in http://jonathanblog2000.blogspot.ca/2015/09/http-cross-origin-request-and-http.html, CORS is for preventing malicious JavaScript code from accessing a response returned from a different domain, so even if a user is tricked into opening a malicious web page, that page cannot load the response returned from the user's real server. This is mostly implemented by enforcing the "Access-Control-Allow-Origin" header on the client side.

Cross-Site Request Forgery (CSRF), on the other hand, is a different kind of attack. It leverages the fact that the browser automatically sends cookies, including the authentication cookie, with every request to the same server, so if the server relies on the authentication cookie to validate the request, it will accept the malicious request as a valid one. In this case, the malicious request is sent from the same browser instance, triggered by a link in an email or on a different web page. CORS will not prevent this kind of attack, because the attacker does not need to read the response for his purpose. As long as the request is processed by the server, the attack has succeeded.

To avoid the CSRF attack, the server needs to validate the client request with something other than the session cookie; for example, an HTTP header carrying a CSRF token returned from the server is a good choice. The idea is that when the app sends any update (POST, PATCH) request to the server, the JavaScript code must include this CSRF header, so the server can validate the request by checking this particular header. The request will be executed only if the header is correct.

Note that although malicious code can trick the user into sending a GET request to the real server, it cannot read or parse the server response to find the CSRF token, because the malicious JavaScript code is loaded from a different domain and the CORS limitation blocks it from loading the response returned from the real server. So the malicious code can never send a POST request with the CSRF token in it to pass the server-side check.
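
The header check described above, as an added example that is not part of the original post: a Node.js model of a server that authenticates by session cookie and requires a CSRF token header on update requests. The header name x-csrf-token, the in-memory session map and all function names are assumptions made for illustration.

```javascript
// Added example, not from the original post. Models a server that logs users
// in with a session cookie and also requires a CSRF token header on updates.
const crypto = require('crypto');

const sessions = new Map(); // session id (cookie value) -> { user, csrfToken }
const UPDATE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Login: issue the session cookie value plus a separate random CSRF token.
function createSession(user) {
  const sid = crypto.randomBytes(16).toString('hex');
  const csrfToken = crypto.randomBytes(32).toString('hex');
  sessions.set(sid, { user, csrfToken });
  return { sid, csrfToken };
}

// Constant-time comparison; a missing or wrong-length header never matches.
function tokensMatch(expected, supplied) {
  if (typeof supplied !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// req is a simplified request: { method, cookies: { sid }, headers: {...} }
function handleRequest(req) {
  const session = sessions.get(req.cookies.sid);
  if (!session) return { status: 401, body: 'not logged in' };
  if (!UPDATE_METHODS.has(req.method)) {
    // Read-only request: return the token where same-origin script can read it.
    return { status: 200, headers: { 'x-csrf-token': session.csrfToken } };
  }
  // The cookie alone proves nothing: the browser attaches it to every request.
  if (!tokensMatch(session.csrfToken, req.headers['x-csrf-token'])) {
    return { status: 403, body: 'missing or invalid CSRF token' };
  }
  return { status: 200, body: 'update applied for ' + session.user };
}

// Constructed scenario: one logged-in user, three update attempts.
function demo() {
  const cookies = { sid: createSession('alice').sid };
  const post = (headers) => handleRequest({ method: 'POST', cookies, headers });
  const forged = post({}); // cross-site form: cookie sent, no header
  const guessed = post({ 'x-csrf-token': '0'.repeat(64) });
  const page = handleRequest({ method: 'GET', cookies, headers: {} });
  const legit = post({ 'x-csrf-token': page.headers['x-csrf-token'] });
  return { forged: forged.status, guessed: guessed.status, legit: legit.status };
}
```

The check only holds while the server does not send CORS headers that let other origins read the GET response with credentials, since that response carries the token.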