iOS Privacy: What's the user doing?

Modern web browsers give the user more control over what data they’re sharing with websites, for example location services and access to the camera.

However I recently noticed a gap of how websites can determine the activity of the user based on the acceleration and gyro sensor built into modern smartphones, including the iPhone and Android phones.

Using that data, any website can determine if the user is using their phone while

  • sitting
  • standing
  • walking
  • running
  • driving
  • taking a picture
  • taking a selfie
  • lying in bed
  • laying the phone on a table

and probably more, including guesses if the user is actively using their phone at this moment, or even if they’re impaired by alcohol.

Open on GitHub

Live demo

This project is in no way affiliated with my work and employer, it's a hobby of mine I work on during weekends

Tags: ios, privacy, web   |   Fork on GitHub

How to get started contributing to open source projects

Submitting code to an open source project can be a very scary feeling. When I submitted my first pull request I was scared. Scared that I’m doing something wrong. Scared that my patch wasn’t useful. Scared that other developers would make fun of me. 

I slowly worked my way up, from submitting smaller contributions to random open source projects, to then publishing my first open source library TSMessages, to finally building and releasing fastlane, an open source project that is now being used by tens of thousands of companies.

I want to encourage more people to get started contributing to open source projects, this blog post will show you how important open source software is in today’s world, and how it can help you grow as an engineer.

Why developers and companies use open source software

👴 Project stays alive much longer

How often did you use a proprietary software solution, only to discover that the service is discontinued a few months after you’re fully ramped up?

Open source projects can be more robust in regards of maintenance, because there isn’t a single company that can decide to stop working on the project. Instead you have a group of maintainers that invest time and resources into a given software. Even if nobody has access to the code repository, developers can fork the project, and push it forward. This is something that I’ve done myself multiple times for dependencies we have in fastlane.

🔧 Independence: you can fix problems yourself

What happens if you use a commercial software and you run into a blocking issue with it? You’ll have to reach out to the support team, and hope they take your problem seriously and provide a fix for you. If the product was shut down, you’ll probably have no chance of getting any help at all.

With open source projects you are in full control over the software you run: You can dive into the source code, make changes and run those changes in your code base directly, without the original author’s approval. Even if a project is not being maintained any more, you can still not only use the open source software, but also fix issues and extend its feature sets.

🤝 Trust

What closed source binaries do you include in your mobile app? Each of them adds a risk for your app and your users, as it adds multiple attack surfaces. You cannot tell what the binary does, it could be malicious, it could collect data you don’t want to track, it could call home without you knowing, it might have bugs causing other areas of the app to be slowed down or even crash, a man-in-the-middle attack might modify the binary while you download it, or the download server gets hacked as it happened with XcodeGhost just last year. A closed source binary as part of your build phase might even go as far as uploading your app’s source code, secret keys and other data from your local machine. Some of these problems also apply to open source projects, however you do have more control over them. You can fork the project, audit the code, and then periodically merge it with the upstream repository after auditing the changes.

There are multiple approaches to fix man-in-the-middle attacks and future XcodeGhosts, like checking the code signing of the app and comparing the hashes, however you’ll never be able to tell what the binary does under the hood.

📖 Knowledge sharing

Open source code enables every person on the planet with access to a computer and internet to read your code and learn from it. This is extremely powerful and isn’t done in a lot of areas. For example when studying physics, you’ll soon notice how many papers and critical information are hidden behind paywalls or kept secret by the author.

Artsy is a great example: their apps are open source, so when someone asks one of the engineers how they do X, they can just link to the source code.

🛠 Open source build tools

Since I’m working on developer tooling most of the time, I’m thinking a lot about how essential they are for a team to be productive. If they don’t work, you can’t ship to your users. Being in control of your most important infrastructure pieces is crucial to making sure you’re not dependent on third parties when :poo: hits the fan.

No matter if you work on mobile apps or something else, very often there are services that promise to take all the heavy lifting for you by providing a proprietary, hosted software solution. This is great if you are starting out, however, by relying on this kind of solution you accumulate technical debt that you will have to fix in the future.

With your business critical infrastructure pieces (which includes build and deploy tools) you’ll want to have the knowledge of how they work, and ideally the opportunity to fix problems and customize the setup to fit your needs. If something doesn’t work you can dive into the code base, analyze the error, and fix the problem. This might not be as relevant for indie developers, but for bigger companies with dozens or hundred of engineers depending on the build and release process, it is important to be able to fix systems as soon as they break.

Why contribute to open source projects?

Using open source software is awesome, but why would you care about working on one? 

📈 Scale of impact

It’s hard to imagine the impact you can have on developers all around the world when working on open source projects. 

You can have this kind of impact, either by working on an existing open source project, or also by open sourcing some code you wrote. Who knows, it might be the next big thing :)

🤔 How did I get started with open source?

The first time I got into open source, is actually when I open sourced my first project called “TSMessages”. When I was showing my little app to Matthias at CocoaHeads in Vienna, he asked me if I can open source the custom notification bars I built. I didn’t know a lot about open source back then, but Matthias was kind enough to help me with the process.

At the time of release TSMessages had 2 classes and less than 400 lines of code. Within the next months more and more people started using it, resulting in a total of over a million downloads. Currently the project is actively being used by 13,000 apps.

Without me having to put in extra work, I didn’t only use TSMessages for all my personal apps, but helped 13,000 other companies to show better notifications in their apps.

Impact with fastlane

fastlane started as my Bachelor project, where I put the code on GitHub after completing the first tool deliver. One tool led to another, resulting in the fastlane umbrella tool, containing 17 standalone tools, 170 built-in actions, and 180 third party plugins. Today fastlane has saved over 9,000,000 developer hours and is used by tens of thousands of companies around the world.

I never expected the project to grow this big. It started by only solving the problems I had as an iOS developer. No matter how small you think a script or tool is, it will probably help other developers out there who face the same challenges. Only 9 months after releasing the first version, fastlane joined Twitter, and I helped build a team around fastlane. Today, fastlane is a 6 person team based in San Francisco and Boston and is moving faster than ever.

👩‍💻 Career & Jobs

2 years ago, I didn’t know a single person working at one of the big tech companies. All the tech giants were a closed bubble for me coming from Europe, I couldn’t ask someone how it is to work there, I didn’t have anyone to refer me, I didn’t know how the companies are structured. After moving to San Francisco, working for Twitter, and now Google I have a much better sense of how things work. 

If you’re in the same position I was 2 years ago, and you’re thinking about working at Google, Facebook, or similar, one of the best ways to get in touch with someone there is to contribute to one of the company’s open source projects.

Larger companies that own open source projects, not always have the necessary resources to maintain all aspects of them. The organizations are happy about external maintainers, and depending on the team behind it, you might receive an email sooner or later :) 

📃 Resume

Listing open source contributions in your CV is powerful. It shows engagement in the developer community, and that you’re potentially familiar with established tooling and frameworks in your field. Depending on your contribution, it demonstrates that you can navigate around in an existing code base, identify an issue, debug and fix problems, or extend the project’s feature set. The majority of engineers use open source software for their projects, however only a small percentage also contribute. It’s definitely a great plus point for every resume.

👍 To sum up

  • Learn new technology
  • Improve a project you use
  • Pimp your resume
  • Collaborate with people you would otherwise never work with
  • Your code could end up being used by millions of users (literally)
  • Internet points: the maintainers might tweet about your contributions
  • Many projects attribute their contributors on their website, or changelog - this has the nice side effect of boosting your personal search engine visibility also, especially if your name is common

How to get started with open source

Hopefully I got you interested in contributing to open source software, so the next question is, how do you best get started?

📢 Subscribe to a repo you’re interested in

By subscribing to notifications of an open source repo, you’ll get a good sense of what the community is like, what problems the contributors are facing, and where you can jump in to help. After a few weeks of being active, you’ll get a good sense of what the community is working on and how you can help.

🤠 Don’t be discouraged, try contributing, people will help you

It’s scary submitting your first pull request to a new project. Some projects might not be looking for new contributors, so it’s a good idea to subscribe to a project before starting to contribute, so you get a feel on what the community is like. 

With fastlane, we welcome all new contributors, mention every single one in the release notes by name, and after successfully getting multiple PRs merged and helping other people, we promote them to core contributors

🚌 Contribute to projects that are widely used, but have a low bus factor

There is a lot of open source software that’s being used by hundreds of thousands of projects, but only have a single maintainer. Often those projects are so foundational of everything in an ecosystem, that people forget it exists. This is your chance to go through the list of projects with the worst bus factor and jump in and help.

The “bus factor” is the minimum number of team members that have to suddenly disappear from a project before the project stalls due to lack of knowledgeable.

Source: Wikipedia

One example of where things went really wrong was the left-pad project, a tiny JavaScript library that was maintained by a single person, that broke thousands of projects.

👪 How to join the development team of open source projects

Becoming a core contributor of a project very much depends on the size of the project:

  • Hyper-scale open source projects (e.g. Swift, React Native): It’s going to be pretty difficult to stand out, as there are hundreds of active maintainers, and it’s hard to tell how actively the owners of the repo monitor the activity of contributors. Very often, those kinds of projects have mailing lists you can join.
  • Projects that are popular and the go-to solution in its field (e.g. devise, CocoaPods, fastlane): Those projects are a great opportunity to have extremely high impact on other developers, while still having a rather small core development team. 
  • Low bus factor projects (see bus factor list): It’s rather easy and informal to join the development team. It’s usually enough to ping the current maintainer and ask about the plans for the project, and how you can help.

For many developers, the most interesting category is the second one: You can have a lot of impact within a short amount of time, get visibility and you have the chance to join a welcoming community and it’s a great opportunity to learn from fellow developers.

🚀 Getting started

Sometimes it’s not so clear on how to get started, so here are some tips on what you can do in no specific order

  • Helping out with an open source project is usually rather informal, often it’s enough to submit a smaller pull request
  • Look at some older issues and pull requests, and see if you can help get them resolved
  • See if there is a Slack group, Gitter or email group you can join to see what the core team talks about
  • Read through the documentation and guides to see if there are parts that aren’t clear and need updating
  • Most projects at this size will have a file that explains how to get started with contributing code, and helping users
  • There might be additional documentation on how the project is structured and where to get started
  • Many projects will have outdated documentation, it’s a great chance for you to get some “internet points” by improving those
  • Adding more tests to existing projects gives you great visibility on how the project works, while at the same time making the maintainers very happy. Unit tests are often self-contained, making it easy for you to add them.
  • Subscribe to the repo to see how the community members interact with each other, and get a sense of what problems the project is facing
  • Some projects have a “you-can-do-this”, “help-wanted” or “beginner-friendly” GitHub labels, that are usually simpler fixes with some instructions provided by the maintainers.
  • There might be monthly video calls to align the whole development team
  • Onboard the project from a new user’s perspective, and see if there are any rough edges you could improve
  • The core team might be active on social networks like Twitter, make use of them
  • If you have an idea on how you can improve the project, submit an issue first to get feedback from the core team before spending time on building it. This is especially important if it’s a new feature that will need to be maintained in the future. Don’t forget to look if an issue for this specific idea was already created.

The most important piece is to get out there and submit pull requests, the rest will happen automatically.

🎁 Wrapping up

Developers and companies become more and more aware of how important it is for their dependencies to be in open source, not only to see what’s happening under the hood, but also to be able to fix problems themselves or even run their own fork if needed. This is especially relevant for build and deployment tools, but also third party SDKs you ship with your app. 

It has never been easier to get started contributing to open source, all it takes is a computer with internet access. As an engineer, it’s a great move for your career to get involved in open source communities: You have great impact outside of your usual work scope and have the chance to work with people you’d never otherwise work with!

If you’re still unsure, and need help getting started with your first contribution, please send me a private message on Twitter (@KrauseFx), I’m more than happy to help wherever I can 👍

Shoutout to my friends who helped me with this blog post: @orta, @hemal, @schukin, @_caro_n@acrooow, @sebmasterkde and @domysee.

Fork on GitHub

Analyzing your public GitHub contributions using Google Big Query

Do you like those GitHub graphs, but want to know even more about your open source behavior? GitHub has you covered with GitHubArchive offers dumps of all GitHub events of all users and open source projects. New ones are generated every single day, and are instantly accessible. They are very easy to use together with Google Big Query.

If you have a Google Cloud account & project, click this link to give it a try. Use the Run Query button and wait for about 30 seconds, and you’ll get a list of people that comment on any of the fastlane repos most often in the year of 2017 (see screenshot below):

To run this query for your own GitHub organization, just replace the “ fastlane/%” with your own GitHub org. You can also easily extend the query to show more columns (see the list of available events).

Running queries on your own profile

I was wondering of how my GitHub behavior changed over the last few years, now that fastlane is actively being used by tens of thousands of companies, it’s harder to keep the innovation you had in the beginning.

The last 3 years I published a total of

  • 5,550 Pull Requests
  • 907 releases

across a high number of different open source projects, mostly fastlaneTSMessagesdanger and lots of other projects.

Below you can see the last 5 years of open source code contributions:

Over the last 3 years, on average I did the following every single week

  • Post 77 comments on GitHub Issues
  • Submit 28 Pull Requests(the first year of fastlane, I didn’t submit PRs on my own repos)
  • Posted 16 comments on GitHub Pull Requests
  • Published 5 fastlane releases

Wrapping up

You can extend those queries to show you more information that’s relevant to you. I initially wanted to use this to see which of our contributors are the most active, and make sure we promote them to be Core Contributors.

There has been quite some discussion around the GitHub graph (e.g. isaacs/github#627), as many engineers took it far too seriously and tried to have a long streak without any interruptions. GitHub reacted to the feedback and removed the streak count from all profiles, and added an option to show private contributions on the graphs.

Special thanks to @sebmasterkde for coming up with the initial queries.

Note: The data shown above is from May, as that’s when I wrote this blog post, but was kind of distracted with more important things (life and such) and finally found the time to publish this post.

/* GitHub query to get the number of comments, PR, releases, etc. for a given GH org */

  ProjectData AS (SELECT * FROM `*` WHERE LIKE 'fastlane/%'),
  Actors AS (SELECT DISTINCT(actor.login) AS login FROM ProjectData)

    (SELECT COUNT(*) FROM ProjectData WHERE type = 'IssueCommentEvent' AND actor.login = actors.login) AS Comments,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'PullRequestEvent' AND actor.login = actors.login) AS PRs,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'PullRequestReviewCommentEvent' AND actor.login = actors.login) AS ReviewComments,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'ReleaseEvent' AND actor.login = actors.login) AS Releases,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'IssuesEvent' AND actor.login = actors.login) AS ClosedRenamedAndLabeledIssues
  FROM Actors as actors
WHERE PRs > 0 OR Comments > 0

Tags: open source, github   |   Fork on GitHub

Introducing fastlane precheck

You probably know how time-consuming it is to ensure your app follows the latest app review guidelines. App store rules can be complicated and hard to remember because they are constantly changing, but all developers need to follow them to avoid rejection. 


That’s why today, we’re excited to introduce fastlane precheck to save you the time and hassle of auditing your own app! fastlane precheck reviews your app’s metadata (in seconds) to catch the most common metadata rejection errors, such as mentioning other platforms or having broken URLs.


On a personal note, I’m super thrilled to launch fastlane precheck because it’s the first new iOS tool we built since joining Google.


Read the full announcement on the Fabric blog

Open on GitHub

Tags: fastlane   |   Fork on GitHub