Monday, March 30, 2015

Book Review: Phonegap for Enterprise, by Kerri Shotts

Kerri Shotts is a member of the Phonegap mailing list, who quite frequently posts helpful advice. I appreciate her contribution to Cordova/Phonegap community. She's even written a few books, such as PhoneGap 3.x Mobile Application Development Hotshot which I have. So a few weeks back, I jumped at the opportunity to get a free copy of Phonegap for Enterprise, on condition that I review it.

One of the best parts about reading someone else's perspectives on programming, is that they have different angles and use different tools. As a result, I may not use their techniques but will learn about some tool that fits a need better than my current tool. And as far as I'm concerned, every "Oh, I didn't know that!" moment is a gem. And this book had plenty of those.

Super Short Summary


A good book, including an overview of technology choices and general and specific notes about how to make your application more secure... but also more likeable. It's definitely not a cookbook nor a how-to, as much as considerations and options which may apply to your application.

It's full of outside-the-box ideas, and full of options and links to other resources so you can take those ideas and run with them in your own direction. Phonegap for Enterprise is a worthwhile read regardless of your Cordova skill level.


Openings


The book opens with the usual What is Phonegap? sort of introduction. It then moves quickly into a discussion of how to store your backend data and options for where to put your business logic, and an overview of what goes into an application. This isn't novel stuff, if you've written web services before... until she brings up some alternative angles on business logic and on database storage.

She mentions a database-in-cloud service called Parse, and considers doing business logic in the database (PL/SQL) as opposed to in external code (PHP or Node). Leveraging you're database server's PL instead of using a second-layer language? It's certainly an interesting approach, and she does describe the balance of the two approaches. Definitely food for thought here.

She wraps up this introductory chapter with discussion of planning out the application: what fields do a Task and a Person have, and what Persons can view and edit what Tasks? If you're new to web services then thinking this stuff out beforehand is something that really helps a lot, and yet it's a phase often skipped - it's good to see someone advocating for that.

Security


Chapter 3 puts the carriage before the horse a bit, to touch on security. It's rare that anyone discusses security in the opening, and I appreciate that she does.

This chapter touches on security, considering the usual concepts such as using SSL but then worse-case scenarios such as man-in-the-middle attacks, and forged copies of your app. She touches on novel ideas such as hardcoding a certificate fingerprint into the app for better security, and even really-crazy stuff like calculating HMACs for your requests so the server can ensure that they requests are likely to be from your app instead of an AJAX trawlbot or a session replay. She points out the impossibilities of protecting your source code, the possibilities of someone falsifying your app and hijacking your user's network, and more.

Individually you can take or leave each idea, and some you can't really do anything about. But as a whole they present a rich and thought-provoking set of considerations which a busy developer often skips over until the end... when they forget to do it at all!


Building Foundations


Chapters 4 and 5 proceeds to the building of your web service. Kerri describes the basics of REST and also some of the realities of how we do things instead of true REST, then gets into some code bites to get started on setting up your URL routing and authentication.

This part I found somewhat baffling and dense. It jumps around a bit, and leaves out details of authentication beyond mentioning the benefits of using a third-party service such as OAuth yet stating that we had settled on using a local password hash using PBKDF2

But getting past that, Kerri does illustrate the beauty of Passport. The details of session.createSession() are implemented inside Passport and you could just as easily be using an OAuth service to generate those tokens which you're later validating with Passport. And again with considerations as being a theme here, the benefits of a dedicated OAuth service over a local password database are discussed.

Now, her specific take on REST as following the HATEOAS concept feels a bit overwrought to me, as if she's trying to reinvent SOAP. Given that any API change would implicitly come with app changes to both the UI and the programming, it's not the case that the app could auto-configure itself if endpoints change anyway. So ultimately I'm not convinced that this is the way I would do things.

But though HATEOAS is over-the-top for this application, Kerri's coverage of it is still food for thought, if we intended to construct web services which are subject to change and intended to be consumed by something other than an app which we control. You don't even need a mobile app in the works for this to have interesting possibilities.


Cordova Considerations and UI Considerations



Chapters 5, 6, and 7 get really into the Cordova-specific considerations and techniques for your app. And this is some good stuff.

The device can lose and regain its network status. Your device could be backgrounded and then terminated before you had a chance to save state to LocalStorage. You can store stuff in SQLite and encrypt it. There are freemium services to both act as Push Notification gateways and Push Notification SDKs. And she covers these expertly: succinct and yet thorough with good advice.

Mobile UIs have different expectations than desktop UIs, and Chapter 8 really tries to cover it all.  It includes a tutorial on MVC, and observer-based data-binding frameworks. She points out UI considerations and modern HTML5 tags, and mentions a few options for charting. (she forgot to mention Highcharts, my favorite.) It's a bit scattered since a complete discussion of options could fill a lifetime, but as usual rich in provocative thoughts and in options to find your own way.

This set of chapters was my favorite of the whole book (as was Chapter 3), in terms of gems of wisdom.  The brevity of my review of this whole one third of the book, really doesn't do it justice. There's way too much for me to summarize, so buy the book and read it yourself. ;)

All In All


It's a bit dense at the start, but it's not meant to be a cookbook. It's about ideas and considerations you that may not have crossed your mind when you did your first apps. It's so rich with "Other Resources", that if you think her specific ideas aren't for you, give thought to the considerations she brings up, then read those other resources and do it your way.

Phonegap for Enterprise a worthwhile and educational read, for people of any skill level with Cordova.

No comments:

Post a Comment