SwiftUI is the future

SwiftUI is Apple’s UI framework, which is quite similar to React. It lives on top of their other UI frameworks: you declare components, state, and some callbacks, and the system will figure out how to render everything. It was announced last year. This year Apple improved it, added many missing features, and began using it for new widgets, Apple Watch complications, etc.

SwiftUI code sample from Apple.

What’s interesting is that Apple is clearly going for the ease of cross-platform development. With the same UI code base, the same components adjust their behavior according to the target platform: watchOS, iOS, iPadOS, macOS, and tvOS. (glassOS in the future?)

In The WWDC 2020 Talk Show Craig Federighi said that they are not declaring a single framework a winner for the future, everyone can continue using UIKit and AppKit. This makes sense — for now — since you can do things with them that are not yet possible to do with SwiftUI (and vise versa since iOS 14). But to me, SwiftUI seems like the future of development for Apple’s platforms. It’s easier to write and understand, it can be more performant, and more importantly, Apple has more control of the final result due to its declarative nature.

I don’t expect them to abandon everything else quickly, but this day may come.

What do you think?


Firefox for Android allows websites to use camera even when the screen is locked

Interesting Firefox for Android bug: Camera remains active when the app is in background or the phone is locked. That is, when the camera is on and streaming via WebRTC, if the user locks their phone, the camera continues streaming.

kbrosnan on Hacker News adds:

For a user to be affected by this they woul need to:They would need to visit a website using webrtc

* Grant Firefox the Android camera/microphone permissions

* They would then be prompted to allow the website access to the camera and microphone

* For this to be a persistent problem the user would need to check a box that says “Remember my decision for this site” this is unchecked by default in the above dialog

This, of course, what everyone does when trying to use a web video chat.

What surprises me more about the bug is that Android allows apps to record video when the phone is locked. I didn’t know that. As far as I know, iOS doesn’t allow this. More than that, an app can’t even use camera if it’s not the front-most app — the frame just freezes until the app is back (I suspect we’ll see this change in the future versions, given that iOS/iPadOS 14 add an indicator).


Platform authenticators for Web Authentication in Safari 14

Safari 14 will support platform authenticators for Web Authentication API (also known as WebAuthn). Current versions of Safari already support WebAuthn for security keys, such as YubiKey, which are called roaming authenticators, but soon you will be able to authenticate using Touch or Face ID on supported devices without any external keys; this is called a platform authenticator.

This is already supported by Chrome on Macs, but the importance of the new development is that millions of iOS and iPadOS users will be able to use WebAuthn without dongles.


Does salt need to be random for password hashing?

You probably know that salting is needed to make each password hash unique so that an attacker couldn’t crack multiple hashes at once.

This was already known to the Unix creators, according to the paper written by Robert Morris and Ken Thompson in 1979:


My book on password authentication is now in the Kindle Store

Password Authentication for Web and Mobile Apps is now available in Amazon Kindle Store. If you like the convenience of buying your ebooks there, go get a copy! Don’t forget to leave a review after reading it.


🇺🇸 Amazon US (and the rest of the world)
🇬🇧 Amazon UK
🇨🇦 Amazon CA
🇦🇺 Amazon AU
🇮🇳 Amazon IN
🇩🇪 Amazon DE
🇫🇷 Amazon FR
🇪🇸 Amazon ES
🇮🇹 Amazon IT
🇳🇱 Amazon NL
🇯🇵 Amazon JP
🇧🇷 Amazon BR
🇲🇽 Amazon MX

The book continues to be available from my website. In fact, you and I get better value if you buy it directly from me: in addition to the MOBI version for Kindle, you’ll also get an EPUB that you can read on any device and a nicely formatted PDF version. You can pay with a credit card, PayPal, or even with your Amazon account (in some countries). And I get a bigger cut of what you paid 🙂


Improving storage of password-encrypted secrets in end-to-end encrypted apps

Many apps with client-side encryption that use passwords derive both encryption and server authentication keys from them.

One such example is Bitwarden, a cross-platform password manager. It uses PBKDF2-HMAC-SHA-256 with 100,000 rounds to derive an encryption key from a user’s master password, and an additional 1-round PBKDF2 to derive a server authentication key from that key. Bitwarden additionally hashes the authentication key on the server with 100,000-iteration PBKDF2 “for a total of 200,001 iterations by default”. In this post I’ll show you that these additional iterations for the server-side hashing are useless if the database is leaked, and the actual strength of the hashing is only as good as the client-side PBKDF2 iterations plus an AES decryption and one HMAC. I will also show you how to fix this.


Why password peppering in Devise library for Rails is not secure

Devise is a popular authentication solution for Ruby on Rails. Most web apps need some kind of authentication system for user accounts and Devise allows adding one with just a few lines of code. This is great for security — if all the developers need to do is to plug a third-party library, there are fewer chances to make a mistake. This, however, requires that the library itself is implemented correctly, which is, unfortunately, not the case for many of them.


My book on password authentication is out

I’m super excited to announce that my book, Password authentication for web and mobile apps, is out! I have a lot more to say about why I decided to write it and what the writing and publishing process was in future blog posts. Meanwhile, if you’re a developer who wants to understand password authentication and implement it for your web site or your app, please check it out:

Security Tools

How to use Chrome securely

  1. Install uBlock Origin extension. (If you’re not from US, check its options to turn on ad block lists for your country)
  2. Do not install any other extensions ever! (exceptions: 1Password, Google Arts & Culture).
  3. Create separate “people” for different activities: e.g. home, work, browsing sketchy websites. (Click on avatar → Manage People.)
  4. If you want to turn on sync, set up encryption passphrase. It’s a separate passphrase from your Google account — your sync data will be encrypted locally with it before hitting Google servers.
  5. Disable saving/auto fill of passwords, payment, and addresses. (

That is all (for now).


Copywriting gems from a hundred-year-old Sears catalog

Sears, Roebuck & Company, which filed for bankruptcy last year, started its life as a mail-order firm in 1892, the Amazon of its time.

The early success of the company is often attributed to its co-founder’s copywriting skills. Richard Warren Sears was a railroad station agent in Minnesota when in 1886 his station received an unsolicited shipment of gold watches for a local jeweler, who refused it. Sears saw an opportunity and agreed with the wholesaler to sell them himself, in six months making a profit larger than his railroad salary. He then founded the company to sell watches and jewelry via advertisements in publications and by mailing flyers, and later started a catalog, for which Sears wrote every line of copy. He retired in 1908, but the tradition of good copywriting continued, helping the company become the largest retailer in the world.