Decrypting JSON Web Encrypted tokens in PCL

This week I worked on a feature for a Xamarin app I’m building that gave me quite some headaches because it involved a good amount of yak shaving to get it working correctly. My main reason for blogging this is for my own reference in the future, but maybe it can help someone else too 🙂

yak shaving
Yak shaving, gotta love it…

Our team is building a cross platform Xamarin app that has a good amount of shared code in an MVVM architecture. Most of the app is implemented in PCL libraries with a front end project per platform.

For communicating with a backend API, the app requires a token obtained from an Identity Provider. In addition to the API access token, we’re also getting an OpenId token that is crucial for the app. Using Xamarin.Auth for example, it’s pretty easy to setup an OAuth flow that lets the user login and the app obtain that token.

So far so good.

There’s a lot to be said about which OAuth flow is suitable in which scenario. For us, embedding a client secret in the app was a no go, since this can’t be kept secret if it’s embedded in the source code of the app (reverse engineering!). We chose a PCKE approach. Without going into too much detail around the flow, I want to focus on one aspect: securing the OpenID token. This blogpost is mostly about what I learned about token encryption and decryption.


Our requirement was to have asymmetric encryption in place, where the app provides a public key to the server, which it uses to encrypt the JWT. The app can then decrypt the data using its private key, so we could mitigate a token interception attack. The public key was to be transferred in an X509 certificate (PEM encoded). The idea was to have the app generate a private/public keypair on-the-fly as we don’t want to hard code a private key into the app. That would lead us to the same situation as the hard coded Client Secret. All we want is to make sure that the requesting app is the only one able to decrypt the token it requested.

There’s a nice standard for encrypting tokens using a variety of algorithms: JWE – JSON Web Encryption. The original token is in a JSON structure, encrypted and packaged into a standardized format. In our case, these were the specs:

Algorithm: RSA_OAEP – RSAES using Optimal Asymmetric Encryption Padding (OAEP) (RFC 3447), with the default parameters specified by RFC 3447 in section A.2.1

Encryption method A256GCM – AES in Galois/Counter Mode (GCM) (NIST.800-38D) using a 256-bit key

Basically what happens is: the token payload is encrypted using a random Content Encryption Key (CEK) provided by the server. This is an authenticated encryption mode, where data is added to prove authenticity. In addition to the key, an Initialization Vector (IV) is added, and also an Authentication Tag (authTag) and Additional Authenticated Data, basically consisting of a Base64 representation of the JWE header. All this together provides a symmetric encryption through which we can decrypt the token. This is the A256CGM – AES step.

All the information I mentioned – the CEK, IV, cipherText (the encrypted token), AAD and authTag – are present in the JWE package. To add the final layer of security, the CEK has to be encrypted, otherwise anyone would be able to read the token. This is the RSA_OAEP – RSAES step mentioned earlier. In plain English, the CEK is encrypted using asymmetric encryption. The server uses the app’s public key for this, obtained from the X509 certificate in the request.

So the way back to obtain the token plain text is to decrypt the CEK using the private key, and then decrypt the token payload using the CEK together with the IV, AAD and authTag, as illustrated in the diagram below:


That looks pretty daunting, but luckily there are libraries that help us handle this scenario, or the many other combinations of algorithms and encodings. One popular example is the JOSE-JWT library for .NET. You can feed it the complete JWE package and the CEK decryption key, and it does all the heavy lifting. JOSE-JWT can also handle our scenario, with our combination of algorithms and encodings.

Here’s the catch…

This won’t fly in a PCL. JOSE-JWT is built on System.Security.Cryptography, which isn’t available in PCL code. There have been some attempts to make JOSE-JWT available for Xamarin, but this won’t work fully cross platform. So ideally, we’d want a library that solves this using PCL compatible API’s. And sadly, there is no JOSE-JWT implementation available for PCL yet.

Now what?!

JWE just uses standard encryption algorithms, so it should be possible to implement these on top of a crypto API that is available cross platform (in PCL). I have tried two options:

  • PCLCrypto: this library mimics the WinRTCrypto API’s but relies on native, platform specific crypto-engines to perform the encryption. This results in the fastest encryption engine but is limited in terms of supported scenario’s or algorithms.
  • BouncyCastle-PCL: a cross platform crypto library that supports all sorts of cryptographic algorithms.

Since PCLCrypto mimics the WinRTCrypto API, it seemed pretty easy to implement our JOSE-JWT port on top of PCLCrypto, by stealing borrowing from the experimental JOSE-RT port. (Thanks Dmitriy Vsekhvalnov for the tip!) And indeed, if you look at the AesGcmEncryptor class, it looks rather straight forward. Alas, it turns out our GCM authenticated mode isn’t supported by PCLCrypto. It threw a NotSupportedException at me.

So the other option was to use BouncyCastle-PCL. We ended up with a solution that does the following:

  • Generation of the public/private keypair
  • Generation of the X509 certificate containing the public key
  • Unpacking the JWE package
  • Decrypting (or unwrapping) the CEK using the private key
  • Decrypting the token payload

Mind you, I only had to support our specific scenario, but it’s a small step towards a full JOSE-PCL implementation. Maybe someday I’ll make an attempt 🙂

Without further ado, here is the code I ended up with:

using System;
using System.IO;
using System.Text;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Encodings;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.Utilities.IO.Pem;
using Org.BouncyCastle.X509;
using System.Linq;

namespace JoseJWE
	public class CryptoService
		public AsymmetricCipherKeyPair GenerateKeyPair()
			var random = new SecureRandom();
			var keyGenerationParameters = new KeyGenerationParameters(random, 1024);
			var keyPairGenerator = new RsaKeyPairGenerator();
			var keyPair = keyPairGenerator.GenerateKeyPair();
			return keyPair;

		public string GeneratePemEncodedCertificate(AsymmetricCipherKeyPair keyPair)
				var random = new SecureRandom();
				var signatureFactory = new Asn1SignatureFactory("SHA256WithRSA", keyPair.Private, random);

				var gen = new X509V3CertificateGenerator();

				BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);

				var x509Name = new X509Name("CN=MyCertificate,O=RoyCornelissen,OU=CryptoService");


				var x509 = gen.Generate(signatureFactory);

				using (var stringWriter = new StringWriter())
					var writer = new PemWriter(stringWriter);
					var pog = new PemObject("CERTIFICATE", x509.GetEncoded());
					return stringWriter.ToString();

		public string DecodeJwt(string tokenData, AsymmetricKeyParameter privateKey)
			var token = Parse(tokenData);
			return DecodeAndDecrypt(token, privateKey);

		private string DecodeAndDecrypt(byte[][] parts, AsymmetricKeyParameter key)
			byte[] header = parts[0];
			byte[] encryptedCek = parts[1];
			byte[] iv = parts[2];
			byte[] cipherText = parts[3];
			byte[] authTag = parts[4];

			var cek = Unwrap(encryptedCek, key);
			var aad = Encoding.UTF8.GetBytes(Serialize(header));

			return Decrypt(cek, iv, aad, cipherText, authTag);

		private string Serialize(params byte[][] parts)
			var builder = new StringBuilder();

			foreach (var part in parts)

			builder.Remove(builder.Length - 1, 1);

			return builder.ToString();

		private byte[][] Parse(string token)
			string[] parts = token.Split('.');

			var result = new byte[parts.Length][];

			for (int i = 0; i < parts.Length; i++)
				result[i] = Base64UrlDecode(parts[i]);

			return result;

		private byte[] Unwrap(byte[] encryptedCek, AsymmetricKeyParameter key)
			var decryptEngine = new OaepEncoding(new RsaEngine());
			decryptEngine.Init(false, key);
			var deciphered = decryptEngine.ProcessBlock(encryptedCek, 0, encryptedCek.Length);
			return deciphered;

		//Preconfigured Encryption Parameters
		private static readonly int MacBitSize = 128;

		/// <summary>
		/// Performs AES decryption in GCM chaining mode over cipher text
		/// </summary>
		/// <param name="cek">aes key</param>
		/// <param name="iv">initialization vector</param>
		/// <param name="aad">additional authn data</param>
		/// <param name="cipherText">cipher text message to be decrypted</param>
		/// <param name="authTag">authentication tag</param>
		/// <returns>decrypted plain text messages</returns>
		private string Decrypt(byte[] cek, byte[] iv, byte[] aad, byte[] cipherText, byte[] authTag)
				var keyParameter = new KeyParameter(cek);
				var gcmParameters = new AeadParameters(

				var gcmMode = new GcmBlockCipher(new AesFastEngine());
				gcmMode.Init(false, gcmParameters);
				gcmMode.ProcessAadBytes(aad, 0, aad.Length);

				var cipherBuffer = cipherText.Concat(authTag).ToArray();
				var plainBytes = new byte[gcmMode.GetOutputSize(cipherBuffer.Length)];
				var res = gcmMode.ProcessBytes(cipherBuffer, 0, cipherBuffer.Length, plainBytes, 0);
				gcmMode.DoFinal(plainBytes, res);

				var plain = Encoding.UTF8.GetString(plainBytes, 0, plainBytes.Length);
				return plain;

		// from JWT spec
		public byte[] FromBase64Url(string base64Url)
			string padded = base64Url.Length % 4 == 0
				? base64Url : base64Url + "====".Substring(base64Url.Length % 4);
			string base64 = padded.Replace("_", "/")
									.Replace("-", "+");
			return Convert.FromBase64String(base64);

		// from JWT spec
		public string Base64UrlEncode(byte[] input)
			var output = Convert.ToBase64String(input);
			output = output.Split('=')[0]; // Remove any trailing '='s
			output = output.Replace('+', '-'); // 62nd char of encoding
			output = output.Replace('/', '_'); // 63rd char of encoding
			return output;

		// from JWT spec
		private byte[] Base64UrlDecode(string input)
			var output = input;
			output = output.Replace('-', '+'); // 62nd char of encoding
			output = output.Replace('_', '/'); // 63rd char of encoding
			switch (output.Length % 4) // Pad with trailing '='s
				case 0: break; // No pad chars in this case
				case 1: output += "==="; break; // Three pad chars
				case 2: output += "=="; break; // Two pad chars
				case 3: output += "="; break; // One pad char
				default: throw new Exception("Illegal base64url string!");
			var converted = Convert.FromBase64String(output); // Standard base64 decoder
			return converted;

Its usage is demonstrated by the following unit tests:

<pre>using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using FluentAssertions;
using Jose;
using NUnit.Framework;
using Org.BouncyCastle.Crypto.Parameters;

namespace JoseJWE.Tests
	public class CryptoServiceTests
		private const string TokenPlainText = "{\"sub\":\"roycornelissen\",\"aud\":\"sample app\",\"nbf\":136424444,\"iss\":\"\",\"preferred_username\":\"Roy Cornelissen\",\"exp\":1364293137,\"given_name\":\"Roy\",\"iat\":13642555,\"family_name\":\"Cornelissen\",\"preferred_language\":\"nl-NL\"}";

		public void GenerateCertificate_Generates_Valid_X509Certificate()
			var g = new CryptoService();
			var keyPair = g.GenerateKeyPair();

			var pemEncodedCertificate = g.GeneratePemEncodedCertificate(keyPair).ToString();

			var p = new Org.BouncyCastle.X509.X509CertificateParser();
			var certDecoded = p.ReadCertificate(Encoding.UTF8.GetBytes(pemEncodedCertificate));


		public void Certificate_Used_For_JWT_Encryption_JWE_Can_Be_Decrypted()
			var g = new CryptoService();
			var keypair = g.GenerateKeyPair();

			var cert = g.GeneratePemEncodedCertificate(keypair);
			var base64Certificate = g.Base64UrlEncode(Encoding.UTF8.GetBytes(cert));

			// try to perform local encryption and decryption for reference
			var p = new Org.BouncyCastle.X509.X509CertificateParser();
			var certDecoded = p.ReadCertificate(g.FromBase64Url(base64Certificate));

      // use 3rd party library JOSE-JWT to encode the JWT (only works in .NET, not from PCL!)
			var publicRsaKey = ToRSA((RsaKeyParameters)certDecoded.GetPublicKey());
			var encrypted = JWT.Encode(TokenPlainText, publicRsaKey, JweAlgorithm.RSA_OAEP, JweEncryption.A256GCM);

			// now attempt to decode it using our own cryptoService
			var plainText = g.DecodeJwt(encrypted, keypair.Private);
    public static RSA ToRSA(RsaKeyParameters rsaKey)
        RSAParameters rp = ToRSAParameters(rsaKey);
        RSACryptoServiceProvider rsaCsp = new RSACryptoServiceProvider();
        return rsaCsp;

    private static RSAParameters ToRSAParameters(RsaKeyParameters rsaKey)
        RSAParameters rp = new RSAParameters();
        rp.Modulus = rsaKey.Modulus.ToByteArrayUnsigned();
        if (rsaKey.IsPrivate)
            rp.D = rsaKey.Exponent.ToByteArrayUnsigned();
            rp.Exponent = rsaKey.Exponent.ToByteArrayUnsigned();
        return rp;

The entire Gist is here on GitHub.

There is no app! – LevelUp Mobile slides


On September 22nd, 2016 I presented a session called “There is no app!” at the LevelUp Mobile 2016 event in Leusden. Here are the slides and video of that presentation:

[The video will be placed here shortly]

Mobile platforms are evolving and getting richer and richer in features with every new release. The OS itself is becoming the primary interface for users to interact with, as are a new category of (wearable) devices.

What does this mean for us as app developers? Are the days of the traditional “mobile app” numbered? How do we serve our end users and optimize their mobile moment as much as possible?

The average smartphone owner has installed over 100 apps on their phone while they only use between 3 and 5 apps a day. By integrating your app more deeply into the mobile operating system can greatly increase the usage of the app. During this session we will show what you can do to integrate your apps in the Windows, iOS and Android platforms to keep your app top of mind. We’ll look at spotlight search, universal links, app indexing, Cortana integration and other APIs provided by iOS and Google Play services to engage your users in your apps. We’ll also look at new interaction models that are closer to the mobile platform: widgets, 3D-Touch, etc.

Ceci n’est pas une app

LevelUpMobile_logoRGBCall to action: join us at LevelUp Mobile on September 22nd in Leusden for a FREE inspirational evening on the future of Mobility and Devices.


The mobile platform war has been raging for almost ten years now. For now, it seems that Google (Android) and Apple (iOS) have won. (link) Microsoft, though still pushing Windows 10 for mobile as well, has accepted this and started providing high quality mobile apps for both Android and iOS.

Apple and Google have invested a lot in making their platforms richer and richer to attract and retain users. Apple’s advantage of 100% vertical integration of software and hardware has allowed them to create experiences like Apple Pay, 3D-Touch and Touch-ID that are very appealing to users and developers alike. At the same time, both Apple and Google have been putting features into the OS and stock apps that are competing with 3rd party offerings in the App Store. Furthermore, users have come to expect the same experience they get from their OS from 3rd party apps. Though some platform features might seem alike between iOS, Android and Windows, the way they are implemented can vastly differ and require access to core platform API’s.

As a strong proponent of Xamarin, I’ve been working in the world of cross platform mobile app development for almost 6 years now. The reason we chose to go with Xamarin was – first of all – of course the ability to share code amongst platforms, but – equally important – full access to the native platform API’s and the ability to create 100% native experiences. Given the trend of ever innovating mobile platforms, this puts us at a huge advantage over cross platform solutions that go for the lowest common denominator, both in UI (the same UI across all platforms) and UX (most of the time just the common superficial feature set across platforms).

With iOS 10, Apple is showing us a trend where apps can be integrated even deeper in the core OS experience. Of course we already had widgets in Android, but what to think about interactive widgets in iOS’s Today view, enriched with Siri’s AI capabilities? Interactive notifications are becoming more popular. Where a notification used to be a way to alert the user and allow them to open the accompanying app by tapping on it, notifications are becoming a User Interface by themselves, allowing the user to deal with the app’s functionality right from the lock screen.

Deal with a notification right away from the Home screen. No need to open the app!
The boundaries of apps are blurring even more with advanced features like 3D-touch on the Home screen, and the ability to interact with apps from the Siri screen:

Direct access to an app’s features through 3D-Touch. No need to open the app!

Siri knows how to invoke your app and show it as a widget right inside its own interface. No need to open the app!

iMessage can invoke your app right from its own interface. No need to open your app!
These are all iOS examples, by the way, but similar features can be found in Android and Windows 10, with its Live Tiles, Cortana integration, etcetera.

In general, user interaction with their mobile devices is becoming more and more streamlined, and to stay ahead as developers, we need to start thinking about these micro-interactions, these Mobile Moments, and offer the most efficient experience with our apps.

Mobile is not a neutral platform (link). The philosophy of web applications (built for browsers, available everywhere, with a consistent user experience everywhere) doesn’t apply here. We don’t build for the web, we build for the OS. Yay for native development! 🙂

There is no spoon.
If we follow this train of thought, it leads us to an existential question: is there actually an app?

I would argue: not anymore – at least not in the traditional sense where we have an icon sitting on the home screen that launches into an application that comes into the foreground and occupies the whole screen. It seems like the days of the mobile “app” are numbered and we have to start thinking about apps as a set of autonomous micro-interactions that work together with the OS and/or other apps.

Luckily for us, as developers, there are plenty of new API’s and frameworks that help us build these interactions and I think it will only become more exciting from a technical perspective to build mobile experiences.


On September 22nd, I’m joining Brechtje de Leij (mobile strategist and expert), Jorn de Vries of Flitsmeister fame, Johan Gorter & Rick Hoving from AFAS Software and the ever brilliant Laurent Bugnion to speak at a one-off inspiring event about the future of Mobile and Devices: LevelUp Mobile. Together with my colleague Geert, our talk is going to be about the exact topic of this blogpost and we’ll show some real life examples of how to implement these Mobile Moments using Xamarin.

If you have not registered yet, you can do it here:! It’s free and it’s going to be fun!

To get more inspired, read Laurent’s teaser blog post about his upcoming talk: A world of devices.

Xamarin Evolve 16 – Conference Day 2

If you want to read the first 3 instalments, go here:

  1. Training Day 1
  2. Training Day 2
  3. Conference Day 1

This blogpost marks the end of Xamarin Evolve 2016 already. Wow, time flies, but this was another great Evolve. I didn’t expect that the same vibe of Evolve 2013 could be recreated but Xamarin has some special fairy dust and made it happen again, only bigger. Much bigger.

Today was a bit of a roller coaster ride for me – and I wasn’t even at the Wizarding World of Harry Potter anymore! But more on that later…

I attended the Xamarin MVP breakfast at 7:00am, bright and early. A nice bunch of people from the MVP community showed up and we got to chat with some of the Xamarin folks about the Microsoft acquisition and the way forward.


The main Evolve event continued with the Day 2 Keynote session with special guest Grant Imahara from Mythbusters. Grant had an inspirational story about his time as a Mythbusters team member, doing all these crazy things for the sake of science (and fun). The way he had to solve problems and challenges has parallels with how we approach software development. It comes down to fostering creativity and using failure as a design tool.

Innovation starts with Creativity. LEGO is a great tool for kids to boost creativity. #XamarinEvolve @grantimahara

A post shared by Roy Cornelissen (@roycornelissen) on

Sessions like these always work great for inspiration.

Breakout sessions

Designing for TouchJosh Clark
I planned on attending the 2 hour ‘Designing for Touch’ seminar by Josh Clark. Josh is an engaging speaker and his presentation covered a lot of great tips about how people hold and operate their mobile devices using Touch.

Depending on the size of the phone, there are roughly three different types of grips: one-handed, cradled grip + 1 finger, the so called “BlackBerry prayer” grip. As it turns out, the thumb is the most important input “device” a user has, so it makes sense to optimize for input and/or manipulation via thumbs.

The preferred placement of controls on Android differs from iOS. Android has a fixed “soft button” navigation bar at the bottom of the screen, and putting controls just above that bar is tricky. On iOS it makes sense to put tab-navigation at the very bottom of the screen. Per platform native UI’s have very specific needs, so if you want to build a quality app, you must keep this in mind.

FullSizeRender 15

Josh put his slides up for download. They’re worth checking out:

Unfortunately I had to leave the second part – just when Josh started to talk about gestures – because I had a special invite for…

Lunch with Woz?!

Wow! I was privileged to join a party of Xamarins and customers in a small lunch setting together with Apple co-founder and inventor of the Apple I and II computers, Steve Wozniak! It was mind blowing to meet and greet such an icon of our industry.

I guess it was overwhelming to most of us because we sat there most of the time just marvelling at his amazing stories. Woz told us that he doesn’t eat lunch, he sticks with just one meal per day, which gave him plenty of room to talk. It was great to hear about his first endeavours in making computer hardware, soldering the circuits for arcade games, his favourite apps and the Apple Watch.

FullSizeRender 19.jpg
Three industry legends!

What struck me most was that he has a sincere passion for software development and software developers. He is definitely a tech geek for life and a genuinely nice guy. I got my picture taken with Woz, but I’m still awaiting the pic from the photographer… Exciting!

Xammy and Closing keynote

Xammy AwardsStephanie Schatz
At the end of the day, it was time for the Xammy Awards, an award for outstanding apps built with Xamarin technology. The finalists are listed on the Xamarin Blog. One of them, in the Enterprise App category, was NS / Dutch Railways.

Marco and Patrick from Info Support are members in the team building this app. I worked at Info Support for 16 years and my last project before I left the company for Xpirit was: this very project! I was the solution architect during the startup and first iterations of development of this app and the team did a fantastic job building these apps on top of that architecture. So I was pretty proud when this happened:

Congratulations Marco and team, great job!

Closing panel discussionSteve Wozniak & Miguel de Icaza
Steve Wozniak and Miguel de Icaza joined on stage for a panel discussion about the history and future of apps. The same way as during lunch, Woz passionately told his fantastic stories and shared his vision on where computing might go in the future. Woz believes strongly in personal assistants like Siri and/or Amazon Echo.

FullSizeRender 18

Unfortunately we didn’t get to hear much from Miguel in this session, but Woz was an inspiration. Another thing that stood out was his dedication to educating young children to do programming. In his heart, Woz always stayed an engineer and a teacher.

Closing thoughts

We ended the conference at a closing party over at the Dragonfly restaurant. This was another great location with fantastic Japanese food.

Closing thoughts: Evolve 2016 was a fantastic conference. I’m amazed how Xamarin managed to keep the vibe of the original Evolve in 2013, and just made it bigger and more awesome. All Xamarins were very approachable and close to their community members. I found this in my bedroom after the keynote, for participating in the DevOps panel yesterday:

FullSizeRender 16

It says: Thank You! From Xamarin. I say: Thank YOU, Xamarin! See you next year at Evolve 2017. Let’s make this happen!

FullSizeRender 17
The band of brothers with whom I spent this week.

Still here? What’s that? Food posts? Ok, here are some…

  • IMG_1087FullSizeRender 21FullSizeRender 22

Time for the Future of Apps!


Xamarin Evolve 16 – Conference Day 1

Day 1 of the Xamarin Evolve 2016 conference is a wrap! It was a full day for me… It started at 6:15am for the Mini-Hack 5k run, organised by Craig Dunn. A bunch of Evolve attendees went for a leisurely run in the area, thereby unlocking the first Evolve Mini-Hack.


After a refreshing shower and some breakfast, it was finally time for the keynote. The one impression I had after this keynote is: Xamarin is on fire! The keynote was huge. A big stage, an enormous screen and 1700+ excited people in the room anticipating what Xamarin would be announcing.

I made a sketch note out of my personal highlights:

FullSizeRender 10

A lot of topics were covered. I want to share the ones that stood out to me:
The Xamarin team has been working hard to release the Xamarin platform and its surrounding frameworks as Open Source Software on Github. This morning it was released to the public. You can find it via, or directly on GitHub. This must be a breakthrough moment for Miguel! Congratulations to the whole team for this achievement, and thank you for being such strong believers in OSS.

FullSizeRender 11

It made sense that Xamarin was closed source when it was their bread & butter. But now at Microsoft, with their fresh new attitude towards open source, it’s great to see Xamarin added to that array of OSS products and frameworks.

FullSizeRender 13

Xamarin Studio 6 Release Candidate
The Release Candidate for the latest version of Xamarin Studio is available now in the Beta channel. This is a very nice release, which features a Dark Theme, a complete visual overhaul to fit with the UX guidelines for OS X El Capitan and built-in Roslyn support. I’ve been working with the preview version on and off and it has matured a lot. I really like the new polished look and the more stable code editor thanks to Roslyn. One of the most notable changes is the Broken State Support, so that IntelliSense doesn’t blow up if there’s a syntax error a few lines above.

iOS Simulator for Windows
The new iOS Simulator was already presented briefly in the //build/ keynote by Miguel. However today Miguel showed how pen pressure input on a Surface Pro running the simulator is passed through to the iOS Simulator which runs on a Mac somewhere in the network.

The cross platform UI framework, Xamarin.Forms, is becoming more and more mature. This update brings support for so-called DataPages: a ready built and styled set of views that you can feed Azure Mobile Services data or local storage of JSON data. This is a higher level abstraction that lets you set up data driven pages very quickly, but I’m not sure how suited this is for production scenario’s. There is no MVVM in play – at least not for the developer, maybe behind the scenes – to tweak the behaviour. And you know me when it comes to abstractions… 🙂

A feature I did like *a lot* is the ability to drop in a native UI control directly into a Forms layout hierarchy. It’s called Xamarin.Forms Native Embedding. So you can now add a native Floating Action Button to your Android app without the hassle of writing a Renderer, etc.

And then…

The Xamarin Forms Previewer is a built in player for your Xamarin.Forms markup code that gives you Gorilla Player like direct feedback inside Xamarin Studio while you’re editing your pages. This is so awesome, because it speeds up the development cycle tremendously! Definitely one of my favourite announcements from the keynote and Nina Vyedin did a great job presenting it.

Xamarin Workbooks
Miguel already talked about Xamarin Workbooks at //build/ and he showed us how the tool is progressing. Workbooks is a fantastic tool for teaching and communicating about code. My pal Marco already alluded to this in his blog: it’s a nice visual way to teach children to code for example. I’ve been doing some classes for the Dutch “hour of code” initiative called and I’m thinking about using Workbooks as a tool for that. In any case, it’s clear from the keynote that Workbooks is Miguel’s favourite project at the moment. And rightfully so.

HockeyApp, Insights and Test Cloud Live!
After the Microsoft acquisition, the mobile DevOps toolset at Microsoft is pretty complete. As became clear in the Keynote, Xamarin Insights will merge into HockeyApp to become a compelling tool for deploying and monitoring apps. Donovan Brown from Microsoft came on to rub some DevOps on all of this and walked us through those tools.

The keynote ended with a sweet “one more thing” moment: the announcement of Test Cloud Live. Wow! Ever had your app crash on some obscure device and had a hard time tracking down that bug? Well, now you can attach your debugger to that device in the Xamarin Test Cloud and start debugging your app! Mind blown!


Bear in mind that you’re debugging over a network connection to a device that sits in the Xamarin Test Cloud device center in Denmark, and the technology is early preview, but this is so promising!

I was amazed by all the announcements, especially how fast Xamarin was able to open source all of their stuff and release the new goodies.

Breakout sessions

For the breakout sessions, I mainly looked for sessions that were not so much technical, but more inspirational to get some nice new ideas.

Contextual CommunicationBrent Schooley
Brent is from Twilio, who are experts in communication technology, but he did a great job not making this talk about Twilio. Instead, I found this an inspiring talk about improving and modernising business communication.

FullSizeRender 7

The main 4 tenets he highlighted are that communications should be:

  • Contextual: what do you already know about the user/customer? Context matters to make communication more personal and …
  • Streamlined: if you can leverage context, you can get down to the point quickly and make conversations as short as possible
  • Secure: again, if you leverage context and what you already know about a user, you don’t have to communicate that information again every time. This saves you from exposing security or privacy sensitive information.
  • Medium of Choice: the customer must be able to choose his/her medium of choice. So an app cannot be the only option. Some people prefer to call or use chat.

Brent demonstrated this with an inspiring demo-app where he started a call from inside a fictitious airline app, and had information (context) exchanged automatically into the app during the conversation to get through a transaction in a streamlined manner. He then used TouchID to verify the customer’s identity to finalize the transaction (secure).

He also covered the new “Bots” trend. With Microsoft’s new Bot Framework and Cognitive Services, we can build interesting things to make these conversations as contextual, streamlined and secure as possible and reuse that across different media. It remains to be seen if 2016 will indeed be the year of the Bot.

I really enjoyed Brent’s talk; he definitely made me think about interesting use cases to improve communications by looking beyond “an app for one single process”. This is what I will focus on at Xpirit for our Mobile strategy.

Clicking on the Real World with iBeacon – Jim Bob Bennett
Similar to the previous session, this session also worked as an inspirator for me to look beyond that one app on the device that your user interacts with. iBeacons are a great way to make the physical world your interface. For example: as I walk into a Starbucks, using iBeacon, they can recognise that I’m entering the shop and know which coffee they have to make so I can walk right up to the counter and pick up my double espresso and pay with my credit card linked to my Starbucks account. Cool. Jim Bob showed how to do this with the iOS CoreLocation API’s.

Unfortunately I had to leave the iBeacon session early, to be in time for my DevOps discussion panel at the Mobile Leaders Summit.

The Future of Connected Devices with Philips hue – Eric Shapiro, Sait Izmit, Mike James
To be honest, I was a bit disappointed with this session, as it was mainly a product placement session for Philips hue, driven by videos instead of much substance. The interesting part for me was Mike’s part in this case, where he showed how to develop against the hue bulb using the Q42.HueApi SDK.

FullSizeRender 6

Adventures in PerformanceMark Probst
This session was a deep dive on the way Xamarin does their performance benchmarking. It was a little bit different than I had expected, but interesting and entertaining nonetheless. I really appreciated Xamarin’s transparency: Mark spoke about some of the challenges they had in the Garbage Collector and the experimental ways they are trying to improve performance and bringing down GC pauses. Really some clever stuff!

FullSizeRender 14.jpg

No big lessons here, except appreciation of Xamarin’s transparency and respect for the smart guys working on the Mono runtime.

Xamarin Party!

In the evening, we celebrated Xamarin Evolve 16 at the Wizarding World of Harry Potter theme park. We took all the rides, including the crazy intense roller coaster and the big splash over in Jurassic Park. The food and the vibe were awesome!

I didn’t get to take many pictures, but there’s a lot of that going around on the #XamarinEvolve Twitter feed.

I’ll leave you with some inevitable food pics and some from the party 🙂

Dumplings #food #xamarinevolve

A post shared by Roy Cornelissen (@roycornelissen) on

Golden Snitch popsicles #food #xamarinevolve

A post shared by Roy Cornelissen (@roycornelissen) on

Jurassic Park! #XamarinEvolve

A post shared by Roy Cornelissen (@roycornelissen) on

T-Rex #xamarinevolve

A post shared by Roy Cornelissen (@roycornelissen) on

Xamarin Evolve 16 – Training Day 2

Time flies! The second day of training at Xamarin Evolve is over already and I just came back from the awesome opening party in the Darwin Lounge.

The main conference starts tomorrow. I’m honored to be on stage with some industry giants at the Evolve Mobile Leaders Summit track in a panel discussion about The Unique Challenges of Mobile DevOps. But that’s tomorrow!

About today: before the training, the day started at 6:15am (!) with a 5k test run with for the first Mini-Hack tomorrow morning. I spot an orange Xpirit T-shirt 🙂

The training part was another intense day from 9am-6pm, but it was a good day. I’d say the content of today was a bit better and deeper than what we learned yesterday, at least for me personally. We covered three major topics:

Securing local data
This part was all about dealing with data locally on the device, especially sensitive data in terms of privacy and security. We had a look at what the Xamarin.Auth component has to offer for local storage of sensitive data. This component (you can find it on GitHub and on Nuget) uses the platform specific facilities for storing data in a secure container, i.e. the KeyChain on iOS and a secure KeyStore inside the app’s sandbox on Android.

Be sure to get the latest 1.3.0 version of the Xamarin.Auth component though, as this is a bait-and-switch PCL library that also offers support for the Windows platform, whereas the older 1.2.x version doesn’t.


There’s one caveat with the Xamarin.Auth component though… The KeyStore file on Android is locked with a hard coded password. The Android app in one of my previous projects was actually flagged in a security audit because they extracted the Xamarin.Auth DLL, decompiled it and found the hard coded key. Pretty iffy, because this means that the KeyStore data in every app that uses this library can be easily opened and read by extracting the file from the sandbox and using the key that’s publicly available on GitHub!

I made a pull request about 2 years ago that fixes this problem, at least in a way that you can provide your own key. But somehow Xamarin didn’t get around to merge it yet, so the vulnerability was still there, also in the 1.3.x version. The funny thing was that as we were doing the training, one of the Xamarin developers was actively working on this component. We pulled him into the training, explained the problem and he immediately went to work to see if he could merge my fix. How awesome!

FullSizeRender 4.jpg
How awesome is this: Xamarin Developer DNA… everyone could add their own string, picking the pegs that fit with their preference. The result is this awesome, unique “Xamarin DNA” sequence. A work of art!

The other part of this chapter was about the awesome PCL.Crypto component. This component is also a bait-and-switch PCL library, which means that the PCL portion contains nothing more than the API definitions for your shared code to compile against (the bait), but uses the actual device specific implementation at runtime (the switch). This means that PCL.Crypto can use the platform specific crypto API’s developed by Google, Apple and Microsoft themselves instead of relying on its own security implementation. Much the same as the Xamarin.Auth component solves its local storage issues. For developers familiar with the WinRT crypt API’s for example, there is a special WinRTCrypto API that you can program against, but PCL.Crypto will map this to the underlying native API’s. Pretty clever. For example: a method for encrypting some data could look like this:

public static byte[] Encrypt (byte[] plainText, byte[] keyMaterial)
  var provider = WinRTCrypto.SymmetricKeyAlgorithmProvider

  var key = provider.CreateSymmetricKey(keyMaterial);
  var IV = WinRTCrypto.CryptographicBuffer.GenerateRandom(16);
  var cipher = WinRTCrypto.CryptographicEngine.Encrypt(key, plainText, IV);

  var cipherText = new byte[IV.Length + cipher.Length];
  IV.CopyTo(cipherText, 0);
  cipher.CopyTo(cipherText, IV.Length);

  return cipherText;

PCL.Crypto can be used quite easily in combination with Xamarin.Auth to encrypt or hash data before storing it. At least as long as your app is using the not-so-secure version of Xamarin.Auth – with the hard coded key – using something like PCL.Crypto to secure the values that go into the secure storage is a real necessity! But it’s good practice to do it anyway.

Next we went into OAuth for authorizing access to an API from a mobile app. OAuth in itself is a pretty broad topic and enough to fill tens of blogposts. One of the important points here is that for mobile apps, basically there are only two OAuth flows that are really usable:

Screen Shot 2016-04-26 at 22.50.26

The Implicit flow or the Authorization Code flow. The other flows aren’t really suitable for mobile apps (or browser apps involving JavaScript code), since this means that there will be client secrets hidden inside the app, and they involve dealing with a user’s password in the app itself instead of handing that off to an Identity Provider. The Client Credentials flow is typically used for service-to-service communication, usually on behalf of the user.

Xamarin.Auth provides some nice API’s to easily initiate a login sequence, using a web view that follows all the redirects that are part of the OAuth flow, to obtain an access token (or authorization code).

Memory Management Issues
The most interesting part of today was about diagnosing and dealing with Memory Management Issues. I actually learned a lot about how both the Xamarin.iOS and Xamarin.Android frameworks work in terms of memory allocation. It’s important to understand that in both cases, you are always dealing with native objects, managed peers and a binding layer in between, provided by Xamarin. At least, for those objects that are actual native platform classes.

Under the hood, there are some intricacies to be aware of. For example: in order for iOS’s reference counting mechanism to work, you have to be very careful to release references to native objects, for example by making sure to always unsubscribe from event handlers. For Android, it’s important to realise that you’re working with two Garbage Collectors: the Mono one and the one in the Android Java VM. There are a lot of details, but there is some nice guidance up on the Xamarin Developer site about this [iOS] [Android].

You can prevent a lot of memory issues by following a couple of important guidelines. Also the Xamarin Profiler is a great tool for diagnosing possible memory leaks.

Lots of excitement for the opening of the Darwin Lounge at #XamarinEvolve

A post shared by Roy Cornelissen (@roycornelissen) on


Darwin Lounge
As for the (other) fun part of Evolve: the Darwin Lounge was opened this evening, accompanied by a huge buffet and a nice range of tasting stands for artisanal chocolate, local beers and hipster coffee 🙂 This tweet sums up how I felt this evening:

It’s no secret that I’m an avid foodie, so suffice to say that I was in seventh heaven when it comes to the food that was served here. This means that you have to sit through my Instagram food porn pictures now:

Excellent chocolate. The Phillipines one is a clear winner #food #XamarinEvolve

A post shared by Roy Cornelissen (@roycornelissen) on


I expected to visit a mobile dev conference but instead I've come into food discovery heaven. #XamarinEvolve #coffee

A post shared by Roy Cornelissen (@roycornelissen) on


Great hipster pour-over coffee at #XamarinEvolve

A post shared by Roy Cornelissen (@roycornelissen) on


Hmm, macarons #XamarinEvolve #food

A post shared by Roy Cornelissen (@roycornelissen) on


Beer tasting at #XamarinEvolve. Local beer from Orlando Brewery. Good stuff.

A post shared by Roy Cornelissen (@roycornelissen) on



So… Xamarin sure knows how to throw a party 🙂 Of course, the Darwin Lounge at Evolve is mainly about cool geek stuff and tech inspiration. There’s lots of that going on as well. Lots of IoT stuff, drones flying around, etcetera. Check out the Twitter timeline for #XamarinEvolve for a great impression of the fun things out there.

Great buzz and lots of hacking going on in the Darwin Lounge
These robot spiders are pretty creepy!
LEGO Mindstorms, totally cool! Their official iPad app for programming the Mindstorms robot was built with Xamarin

Be sure to tune into the Evolve keynote tomorrow at 9am EST. Rumours are that it’ll be spectacular! 😉

Xamarin Evolve 16 – Training day 1

Hi there from Orlando, FL! Yesterday was the first day of the Xamarin Evolve 16 pre-conference training. And man, we’re already having a blast here. Evolve 16 is even bigger than the previous one, and on the pre-conf training alone, there are more people than there were at the original, legendary Evolve 2013; in total! Impressive.

Finally it's happening! #XamarinEvolve

A post shared by Roy Cornelissen (@roycornelissen) on

My mobile peer at Xpirit, Geert and I arrived on Saturday, together with a bunch of fellow Dutchies including some of my former colleagues from Info Support. It’s nice to catch up and hang out.

In the training, we’re doing the Intermediate track, which offers some more advanced topics. I have to say that most of the topics are already familiar, but for us this is also a great opportunity to get to know the Xamarin University material. We’re working towards certifying ourselves for delivering the official Xamarin University training curriculum at Xpirit to be the first Dutch Xamarin Training Partner! How awesome is that? Stay tuned for more news!

The main topics we covered were:

Asynchronous programming with async/await
For this module we dove into the mechanics behind the Task Parallel Library in .NET and the async/await keywords. This stuff is so important to get right as it’s crucial for quality apps to make sure that you’re not wasting the main UI thread by doing expensive work like heavy CPU-bound work or (network) I/O. The course went into some of the mechanics of async/await – with the compiler generated state machine that ends up in the generated IL.

The problem with async/await is that the syntactic sugar makes it almost too easy to make work inside your app asynchronous. The point is that making things asynchronous isn’t always necessary and using async/await the wrong way may actually hurt the app in the sense of complexity and possibly performance more than it helps. Understanding the state machine that the compiler generates, the effects of ConfigureAwait(false), working with the Dispatcher, etcetera is crucial if you want your apps to be responsive.

Patterns for reuse
A topic that’s dear to my heart. Marcel and I actually did a pretty popular talk about it at Evolve 2013. IMO, this stuff all still holds true, however we have progressed a bit when it comes to the maturity of the Xamarin platform. With the advent of Xamarin.Forms, more and more code sharing techniques are possible and go right up to the top UI level. On the other hand, Xamarin.Forms already takes away a lot of the hard work of bridging platforms. Very nice, but – my pet peeve – beware of the abstractions! 🙂

It all comes down to keeping things as simple as possible. In the training, we talked through using the Factory and Service Locator patterns, but our common conclusion was that they involve a fair amount of Yak Shaving.


In the end, Dependency Injection is a relatively clean way of dealing with dependencies that have per platform implementations. In my experience, using a light weight DI container like SimpleIoC is sufficient for most apps. Let’s be honest, in an average app, you don’t really need much sophisticated lifetime management or other things. You just want to be able to swap in per platform implementations of some components to use them from shared code. But before you start building your own components, head over to Xamarin’s plugin repo on GitHub because a lot of plugins are already available. And they generally use DI to set up.

We talked about the techniques that are at our disposal for validating the quality of your app. Of course using unit tests should be a no-brainer to developers, and there are actually some nice scenarios for testing the behaviour of your ViewModels and other logic in your app. These unit tests, being independent and mostly having their dependencies stubbed (another advantage of using DI is that it makes stubbing a bit easier), can give you the quickest feedback during your development cycle.

But an important part of your app will be the UI and that actually runs on the device. This has always been hard to test and we had a look at what Xamarin Test Cloud has to offer and the UITest API’s that you use to drive those tests. In a recent talk, I used this test pyramid diagram to show the stack I like to use for testing mobile apps:


Note that I still think that there will always be a certain amount of manual testing involved for the more complex cases. And specifically those cases where you want to check the behaviour of your app under different circumstances, such as actually being on the move through tunnels or other low connection situations, or being out in the field to make actual pictures with the camera. Manual field tests by the team and beta test platforms like HockeyApp, Apple TestFlight and Google Play Beta are excellent tools for this.

Xamarin sure knows how to throw a party… #XamarinEvolve

A post shared by Roy Cornelissen (@roycornelissen) on

After the training it was time for some relaxation at LaFayette’s. Excellent food and great Southern style live music, and all the familiar faces from the Xamarin community there. Great to see everyone again! Really looking forward to the next few days!

To infinity, and beyond!
On Sunday, we had some spare time, so we spent the day at the NASA Kennedy Space Center. Wow what an amazing trip! It was incredible to see the huge rockets, it’s impossible to fathom how big they are until you see them. The same goes for the Space Shuttle. The Atlantis Space Shuttle is on display and you can see it up close. Super cool!

Awesome, the Atlantis Space Shuttle #nasa

A post shared by Roy Cornelissen (@roycornelissen) on

Rocket science

A post shared by Roy Cornelissen (@roycornelissen) on

The biggest surprise came when we went on the bus tour to the actual launch site. Again, it’s impossible to fathom the scale of the site and the equipment there that’s used for space travel. At the end we got a great show about the Apollo missions. The actual control center used for the Apollo mission is there on display. And then there’s the overwhelming and HUGE replica of the Apollo rocket.

Appollo Control Center #nasa

A post shared by Roy Cornelissen (@roycornelissen) on

And the coolest thing was: our Uber driver who took us back to the hotel was an engineer on the Space Shuttles for 30 years! So he could give us some fun behind-the-scenes insights. Did you know for example that there was an actual Coca Cola machine installed in one of the shuttles? That was to test the effects of carbonation in space. But since Coca Cola is a commercial company, NASA was not allowed to talk about that 😉

Oh and don’t you just love these vintage posters?

Love these vintage graphic posters #nasa

A post shared by Roy Cornelissen (@roycornelissen) on

NASA is recruiting #nasa

A post shared by Roy Cornelissen (@roycornelissen) on