iOS-factor: A methodology for building high-quality iOS apps

iOS-factor was inspired by the famous twelve-factor app framework, a methodology to write high-quality web services. iOS-factor uses the same structure and similar principles, re-written and applied to the iOS app development processes.


Over the past 10 years, the iOS development process has shifted drastically:

  • from supporting a single device to a wide range of available iOS-powered iPhones and iPads and various platforms like tvOS and watchOS
  • from manually including git submodules to using dependency managers
  • from iOS apps mostly running locally on-device, to iOS apps heavily relying on backend services
  • from iOS app review times of more than 2 weeks to less than a day
  • from installing an app on your phone using iTunes to distributing apps through the official TestFlight channel
  • from uploading 5 screenshots per language to iTunes Connect to 110 per language, as well as app previews
  • from plain Objective-C/C++ apps to a mix of languages including JavaScript
  • from slow releases whenever something is ready, to shipping every single week
  • from full releases to A/B testing, slow rollouts and automatic regression detection

What’s iOS-factor?

iOS-factor is a project I started in May 2018. It aims to provide a collection of best practices for building high-end iOS applications. Each topic is covered by a factor, which describes an ideal state of how a certain category of the iOS app development process could look like.

Due to certain limitations (like Xcode running only on macOS) not all requirements can be fulfilled. This project aims to define goals, as well as the best current approaches to solve some of the challenges we’re facing.

iOS-factor is all about the bigger-picture iOS app development processes and architecture decisions and will not cover any language specific challenges.

This is a living project, maintained by the iOS development community. You can find the full source on GitHub and update existing pages or add new factors.


Unless otherwise mentioned in the post, those projects are side projects which I work on on weekends and evenings, and are not affiliated with my work or employer.

Tags: ios   |   Edit on GitHub

iOS apps should be inside a network sandbox


With my recent publications, most importantly “Trusting SDKs” it became clear that hijacked or malicious iOS apps cause major security and privacy risks for users, and allow attackers to reach a high number of users through a single point of failure.

Most of the times, the consequences of those attacks are about data:

  • Usernames and passwords
  • Location data
  • Facial data
  • Advertising data
  • Address book entries
  • Payment information (e.g. credit cards)
  • Other personal information

Notice how sandboxes in software are designed to keep data inside that box (in the form of a filesystem), but for some reason they stop when it comes to network requests.

If an attacker manages to hijack an iOS app, the first thing they would do is sent the collected data to some server in their control.


Initially just tweeting my shower thoughts and reaching 300 likes & 50 RTs, this idea grew more and more:

App Transport Security

At WWDC 2016 Apple announced ATS, an iOS 9 feature to enforce the use of HTTPs across all iOS apps. It was said to be made mandatory by end of 2016, however the deadline was moved to an undefined date. The idea makes perfect sense: All the infrastructure and tools around HTTPs encryption people already have with their web browsers to verify the security on websites, don’t work on the iOS platform. If you use your banking or dating app, how can you as a user be sure the company didn’t mess things up? It’s not like it happened before.

Web vs iOS

On the web, browsers started marking HTTP websites as “Not Secure”, HSTS is built into browsers to force HTTPs for certain hosts, people use HTTPSEverywhere to enforce HTTPs connection across more hosts and people use uBlock to block certain tracking and ad widgets that slow down websites.

On iOS, you install and use an app, and hope that the app developer uses proper encryption, securely stores your personal information, and doesn’t use any sketchy SDKs that you wouldn’t trust yourself. If you don’t agree with something (e.g. an Analytics SDK), there is nothing you can do about it.


Step 1:

Finish the ATS plans. It’s been 2 years now, enough time for app developers to update their apps. Allow developers to file for an exception, and mark them accordingly on the App Store page with a badge of shame (similar to how Chrome marks all non HTTPs websites nowadays)

Step 2:

Introduce the concept of network sandboxes. Each app should define a list of hostnames they are allowed to access.

Imagine a ride-sharing app having access to


This list serves multiple purposes:

  • The app can only access those hosts. Meaning if an SDK is malicious or your app got hijacked in some way, they can’t access the scary internet and leak the user’s data.
  • The app review team will see a list as they approve the app. At the same time, they can see a diff of the hosts between app releases
  • The user should have a way to see that list as part of the App Store page
  • In the future we could even put the user in control by distinguishing between primary hosts (e.g. that are needed to have the app running, and secondary hosts (e.g. This however would come with many implications when it comes to revenue models of the majority of mobile apps.

As always, exceptions should be possible, third party browsers should exist, and some apps might have to support so many hosts that they can’t follow those rules. And that’s okay, those apps will be marked as “Can access any host” as a little warning in the App Store.

While the above doesn’t solve all the problems, it is a good first step into the right direction. We’ll run into problems, and we’ll solve them. It’s a necessary change for the mobile ecosystem, catching up with where we’re already at with web browsers nowadays.

Unless otherwise mentioned in the post, those projects are side projects which I work on on weekends and evenings, and are not affiliated with my work or employer.

Tags: privacy, security   |   Edit on GitHub

Going nomad


I moved to San Francisco summer 2015 to join Twitter. I lived in a furnished apartment for my first year, which I really enjoyed, as I didn’t have to buy all the essentials myself after moving across the globe into a new country.

After my 1 year lease, I decided to do what “grown-ups” are supposed to do: get their own apartment, buy furniture, decorate the place, and make it your home. After living in my little studio for about 1.5 years, I noticed a few things:

  • In 2017 I only spent about 200 nights in my apartment, causing me to still pay about 5 months worth of San Francisco rent without actually living there (the average monthly lease for a studio apartment is about $3,000 + utilities, resulting in about $15,000 of my after tax money being lost)
  • While I enjoy having my own space, I never invested enough time and effort into making it nice: Until the day I moved out after 18 months, I still didn’t have enough closets for all my things and I had my clothes piled up in some corner
  • I didn’t like being bound to one location in the city. In particular, in the common case of getting acquired by another company (#justSFthings), your commute changes, and you can’t just move around
  • I didn’t like the fact that I was always surrounded by the same places and things became routine. Same subway station, same spots you walk by every day, same views, same commute, etc. after a month it gets boring and I need a change.

The idea

Ever since I first started reading @levelsio’s blog in 2014, about living out of just a backpack, and traveling across the world, while working on his own startups, I was fascinated by the idea. However I always assumed it doesn’t work if you have a full-time job at a large company like Twitter or Google.

2014 was also the time I met @orta, who told me about his first year in New York City, where he lived in a different neighborhood in a random Airbnb each month. This allowed him to see what NYC has to offer, and what area he liked the most. I loved the idea, and kind of knew I want to do this at some point in life.

Only in October 2017 I realized that combining those two things might actually just work.

Making the move

After living in San Francisco for 2.5 years, I wanted a change. With my lease ending in October, I decided to reduce my life to just

  • 1 suitcase
  • 1 carry-on luggage
  • 1 backpack

and lived in an Airbnb in San Francisco until the winter holidays, for which I went back home to Austria. I got really lucky with my SF Airbnb, as I got it from Zeus Living a company that rents out apartments for people like me: rent a place per month, all utilities included, and enough space with a desk to get work done.

For the last 6 months I’ve lived the nomad life, with just the things listed above. So far I’ve stayed in 6 different neighborhoods in NYC, 2 areas in SF and spent time with my family in Austria for New Year’s. While I plan flights ahead of time due to costs, I don’t book places longer than a month ahead, something that took some time getting used to.

Spending time in a single city

While being a different city each month might sound like a dream to many people, I learned it comes with many downsides:

  • It’s hard to build up a social circle of close friends
  • It’s hard to really get to know a city, and make use of all the things it has to offer
  • It’s hard to learn more about the culture
  • Cities change with seasons, a summer is usually quite different than a winter
  • It’s stressful changing cities too often

Last year I spoke at conferences in 9 cities. I knew I wanted to fly less in 2018.

In January 2018, we started the new project, which requires us to work closer with other Google teams, that are partially based in New York. I used that opportunity to “move” to NYC. So while I move to a different Airbnb every week, I do so within the same city. I grew up in a village with a population of less than 2,000, with not a single traffic light. Living in New York has been an amazing experience, with almost as many people living here, as in the whole country of Austria.

For now, this seems like the perfect balance for me personally: Not getting bored by day to day routine (e.g. same commute) by moving to a new Airbnb every week, but also being able to hang out with the same friends, and get to know the whole city. Long term, I’ll switch to a monthly cycle for even less overhead.

Frequently asked questions

How do you handle physical mail?

Online orders: I’m lucky that I can use the Google office to order from Amazon, and pick them up at the end of the work day. It’s offered in most major cities, and even allows me to order something for a specific location. For example: When I flew to Amsterdam I ordered an umbrella to the office, ready for me to pick up.

Letters: I use the VirtualPostMail service. They scan your letters, and sends them to you via email. If you need the original, you can tell them to forward them to your current address (or office in my case)


My first thought was: Staying in Airbnbs must be more expensive than having my own place! For multiple reasons:

  • Short term leases have to charge more to account for the vacant nights
  • Airbnbs are furnished, and include some basic services and utilities
  • Airbnb charges a pretty hefty fee for each booking

Circling back to the number of days I’m not at home for about 5 months each year, I realized that I don’t pay my (SF/NYC) rent when:

  • I speak at a conference, and the organizers cover the hotel costs
  • I go on vacation
  • I go back home
  • I crash on a friend’s couch / extra bed
  • Google plans a team-offsite in a different location and covers the accommodation
  • I take a red eye flight (a flight that leaves at about midnight, and lands in the morning)

Every night I don’t need to pay for my own place, I save about $100 after-tax money (NYC/SF)

Do you keep any physical memories

You can either ask your parents nicely to keep your things, or you can rent storage somewhere to keep it. I decided to bring my things back home to Austria, by just having an extra bag with me the first time I flew back.

How did you get rid of so much stuff?

I don’t care about physical things. If I were to lose all my devices, or all my clothes today, I’d buy new ones (probably the same ones). So getting rid of things was rather easy, and I personally never understood why it’s difficult, unless there are certain memories attached.

All I did was: Do I really need this? If the answer wasn’t an immediate yes, it’s a no. If I wanted to keep the “memory”, I made sure to take a picture before giving it away.

I created a spreadsheet with all the things I give away, and shared it with my friends on Facebook, from furniture, to kitchen stuff, to light bulbs, and I got “rid” of everything, as 2 of my friends just moved to a new place, and needed almost everything. The remaining things I donated or threw away if it wasn’t usable any more.

I went from

It is tricky though to buy new stuff, since I need to get rid of something else, for every single new item I buy. While my suitcases still have some space left, the weight limit of 22kg of most airlines is what I have to be careful about.

How do you keep things organized?

Those travel cubes have been pretty useful, I got a lot of them, for shirts, socks, underwear, electronics, etc. and can recommend them to anyone traveling.

Did you buy any travel gear for this?

Yes, there are some really cool things out there, that made my life easier:

Is that “Minimalism Life”?

I’ve read a bit about this topic, including a great blog post of my friend about owning 200 things. I love the concept of owning just the things you really need, and forget the rest.

I also watched the “Minimalism” documentary on Netflix, which covers some of the concepts. Personally I don’t want to count things, or reduce life in areas I don’t want to. For example, I still carry around a rather high number of shoes with me, just because I like having the right shoes for the right occasion.

I’d argue the goal is to live a normal day-to-day life, when going to work or hanging out with friends, while still being very flexible.

Security concerns

That’s something I’ve been thinking more about recently: Breaking into an Airbnb is probably super easy, just stay in a place, copy the key and then steal from the next person, with the next person probably blaming the host or cleaning staff. Unfortunately it’s not common for Airbnbs to have a safe.

  • I generally don’t own anything of real value, besides my MacBook
  • I don’t leave anything valuable in my Airbnb but put them in the Google office instead
  • All of my documents are stored online
  • Hourly backups on different continents, using hard drives and custom cloud backup solutions, all end to end encrypted, on a total of 5 different locations
  • Even if I were to lose 100% of my things including all my devices, I have a clear recovery path where I can recover my complete online identity, documents and everything else within less than 24 hours. For security reasons I can’t share more about this specific topic, but I can recommend everyone to draw a map of dependencies between the services/software/hardware you use, and how you can recover them step by step.

What else is nice about not having a fixed lease?

  • If you stay at a place for just a week, you’ll never have to clean the apartment
  • You learn how other people live day to day, e.g. how they set up their rooms and get a good idea of what you enjoy
  • You learn more about yourself, like what things are important to you when it comes to having a living space
  • When you own a home, you have to deal with maintenance, repairs and other things quite often. When renting an apartment building, at least some things are being taken care of by the owners. If you stay in Airbnb, there is literally nothing you have to worry about, if something doesn’t work, you notify the host and that’s it.

I wrote this post in Taipei, Taiwan, where I work remotely from the Taipei Google office for 2 weeks before heading to San Francisco.

Being able to escape the cold winter feels amazing 😎

Unless otherwise mentioned in the post, those projects are side projects which I work on on weekends and evenings, and are not affiliated with my work or employer.

Tags: twitter   |   Edit on GitHub

How I use Twitter


For most people, using the official Twitter client works fine. It’s optimized to show you new content you might be interested in, makes it easy to follow new users, and shows content that might be most relevant to you first. If you have an engineering mindset, chances are you want to be in control of what you see in your timeline.

I use Twitter to stay up to date with certain people. I want to hear about new projects or new content they published, new blog posts, thoughts of them, etc. I’m not interested in hearing political opinions, sport scores, etc, which I already have Facebook for. If I follow someone, I’ll read every single tweet from them. For the last 5 years, I didn’t miss a tweet in my timeline, so I have to be very careful about who to follow, and what content to see. So I set out to customize Twitter to archive that goal, and to only see about 50-75 tweets per day.


I’ve been using Tweetbot for the last few years, the technique described below might work with other third party Twitter clients also.

Muted Keywords

Very basic list of words, that as soon as a tweet contains one of them, it will be hidden, examples include:

  • headphone jack
  • drake
  • podcast
  • president

Muted users

I stopped using this feature, now that I use secret lists to follow people (see below), and disabled RTs. Muting users for a given time period or forever is useful for a few situations:

  • Some users in your timeline might promote a product, so you can mute that product
  • If a user is at a conference/event you’re not interested in, you can mute them for a few days

Muted Regexes

A very powerful feature of Tweetbot is to define a regex to hide tweet. I use it to hide annoying jokes like

  • remember \w+
  • german word for \w+
  • \w+ is the new \w+

or to hide tweets from people that think we’re interested about their airplane delays or #sports

  • (virgin|Virgin|@United|delta|Delta|JetBlue|jetblue)
  • For every #sports #event there are also custom-made mute filters (truncated): (?#World Cup)(?i)((?# Terms)(Brazil\s*2014|FIFA|World\s*Cup|Soccer|F(oo|u)tbal)|(?# Chants)(go a l |[^\w](ole\s*){2,})|(?# Teams)(#(B....

Hide all mentions

This very much changed my whole timeline (for the better). Turns out, I follow people for their announcements, what they work on, what they’re doing, what they’re thinking about, etc. I actually don’t want to see 2 people communicating publicly using @ mentions, unless it’s a topic I’m interested in. So I started hiding all tweets that start with an @ symbol using a simple Tweetbot regex

  • ^@

If I want to see responses to a tweet, I’d swipe to the left side, and see all replies.

Muted Clients

Muting certain clients has been amazing, very easy to set up and cleans up your timeline a lot. Some of the clients I mute:

  • Buffer (to avoid “content marketing”, so many companies make the mistake of tweeting the same posts every week or so using Buffer)
  • IFTTT (lots of people use that to auto-post not original content)
  • Spotify
  • Foursquare (I follow friends on Swarm already, no need to see it twice)
  • Facebook

Secret Lists

One issue I had was to balance the number of tweets in my timeline, and then also being polite and following friends. To avoid the whole “Why are you not following me?” conversation, I now use a private list to follow about 300 people only. I open sourced the script I used to migrate all the people I used to follow over to a private list.

Disable RTs

This has been a great change: As described above, I follow people for what they do, what they think of, and what they’re working on. Some people have the habit of RTing content that might be interesting, but not relevant to why I want to stay subscribed to their tweets. On Tweetbot, you can.

Muting hashtags

I thank everyone for using hashtags for certain events, making it easy to hide them from my timeline :)

Disadvantages of this approach

Some of the newer Twitter features don’t have an API, and therefore can’t be offered by Tweetbot. This includes Polls, Moments and Group DMs. Since I don’t want to miss group DMs, I set up email notifications for Twitter DMs, and set up a Gmail filter to auto-archive emails that are not from group DMs.


I’ve spent quite some time optimizing that workflow, and it’s very specific, and probably not useful for most people. I try to minimize my time on social media, I only browse my Twitter feed when I have a few minutes to kill on the go. Meaning I work through my timeline only on my iPhone, and reply to mentions and DMs only on my Mac. I don’t want to come across uninterested, I do follow people on Facebook, I do read news and stay up to date. Twitter is a place for very specific content for me, and I want to keep using it as that.

Unless otherwise mentioned in the post, those projects are side projects which I work on on weekends and evenings, and are not affiliated with my work or employer.

Tags: twitter   |   Edit on GitHub