DEV Community: Genevieve McAllister

Test-Driven-Development, Put Plainly

Genevieve McAllister — Thu, 31 Oct 2019 20:34:22 +0000

Every industry has its buzz-word jargon that is meant to make your resume search-engine-optimized and your speeches TEDx worthy. These phrases often point to an idea with merit, but the packaging makes me want to projectile vomit. If a man in a suit starts talking about “synergy” or being a “thought partner,” all I see is Jack Donaghy filling in his Six Sigma Wheel of Domination, and all I feel is the bile rising.

My weak stomach aside, it is important to know what tech’s keywords are and—if they’re worthwhile—how to implement the ideas. Test-Drive-Development, or TDD, is worthwhile. So, what is it, why does it matter, and how do you do it?

What is TDD?

TDD is the practice of building and running tests for your program before you write the code that you want to test. That means that the first time you run the tests, they will fail. This process ensures that you think about the purpose of all the code you write, which should cut out redundant or unnecessary code and make what you do write clearer.

As a side note, when researching TDD you are bound to come across Agile Software Development. In short, Agile is a group of protocols that help tech businesses run smoothly. Other Agile practices include User Stories, Retrospectives, Scrum, and Stand-ups.

Why does TDD matter?

Frankly, it matters because people think it matters, which means you probably need it to get a job. The only data I found to support TDD was on a blog post by Hillel Wayne who quotes a study that suggests “TDD projects had roughly a 60% decrease in defect density.” So TDD may lead to a decrease in bugs and an increase in quality.

However, even Agile Alliance’s website says, “although empirical research has so far failed to confirm this, veteran practitioners report that TDD leads to improved design qualities in the code…” When your lead evangelist says, “I can’t prove it, but listen to what these people have to say!” you’re as good as an as-seen-on-tv product no one asked for.

How to use TDD

The framework you write your tests in depends on the language you use; some frameworks include Mocha, Capybara, Cucumber, Konacha, and Poltergeist. Deciding which to use and how to write the tests is another topic in and of itself. Regardless of which language you write in, there are five steps to TDD:

Write a test for your program. In order to write tests, you have to know what data types you will pass into methods, as well as what type of data you expect it to return.
Run (and fail) the tests. If the tests don’t fail, they’re not checking what you wanted them to check. If they do fail, you are able to observe how your program behaves when it fails.
Write the code in your program needed to pass the first test. Write as little as possible to get it to pass.
Keep coding until all of the tests pass.
Refactor as needed.

While the evidence for the efficacy of TDD is not strong, it is important to be comfortable with the protocol, and hey, maybe you’ll avoid writing buggy code this way, too.

The Quick and Dirty Guide to Pull Requests

Genevieve McAllister — Mon, 21 Oct 2019 19:06:24 +0000

As a beginner to programming, I’ve struggled to understand the complexities of GitHub. While I appreciate the basic concept of Git, the actual workflow can feel overwhelming at times.

My purpose here is not to give a deep or theoretical understanding of GitHub, but rather to document the commands you need to merge a branch into the master on a shared repository. (Note: this is different from making a Pull Request from a forked repository.)

If you do want a deeper understanding, I’ve linked to some good resources at the bottom of the post.

Steps

1. Create your branch

   git checkout -B your-branch-name

This command will both create and move you to a new branch.

2. Push your branch to GitHub
Your branch will not automatically show up on GitHub. To push it up, run:

   git push origin [name_of_your_new_branch]

3. Do your work

4. Push your changes up to your branch on GitHub

   git add .
   git commit -m “Message”
   git push

5. Open a Pull Request
Opening a pull request is you asking the repository’s maintainer, “Please pull my changes to master.”

On GitHub, make sure you’re on the branch you were working on.
Click “New Pull Request”
Make sure the “base” is what you want to merge into; in this case, I want to merge into master.
Write a title and description.
Click “Create Pull Request”

6. Approve a Pull Request
Approving the Pull Request will probably be done by someone else on the team.

Click “Merge Pull Request”
Add a comment if desired.
Click “Confirm Merge”

What if there are conflicts?

When you open the pull request, it will let you know. You may continue to make the request anyway.

Click “Resolve Conflicts” This will show you the conflicts in the document. Edit whatever needs to be edited.
Click “Mark as Resolved”
Click “Commit Merge”

Resources

A high-level overview of the GitHub workflow: link
GitHub's two-page cheatsheet: link
Details on how to create a Pull Request: link
GitHub Tutorial: link

Compromising User Data via Push Notification Services

Genevieve McAllister — Wed, 18 Sep 2019 00:07:37 +0000

On September 3, 2019, I looked at my phone to find a surprising notification:

The message was sent from UVLens, a niche app with a small user base. Typically, UVLens displays the current UV Index in your region and provides recommendations on sun protection for your skin type. As a Very Pale Person, this has been a really useful way for me to decide if I need to wear sunscreen (yes) and a hat (most likely) when I go out of the house (rarely). It has never sent me a push notification before, and certainly never one so salacious.

UVLens followed up quickly with an apology via push notification and explained on social media that their “3rd party push notification service [had] been compromised.”

This message piqued my curiosity much more than the former. What is a push service and how can it be compromised?

Push Service

A push service is a company that manages an API that applications use to automate messaging their users. They provide easy ways to query for groups of users based on their data, such as time of last login, whether they’ve made a purchase through the app, or device type (iOS, Android, Chrome, etc.).

I reached out to UVLens about their service provider, and they said that they used OneSignal when the offending notification was sent, but they have since switched to the Google-run Firebase Cloud Messaging. According to OneSignal, they are used by companies like Verizon, Virgin Mobile, and HQ.

Push Notifications

Push Notifications are a topic unto themselves, but in short, it is a three-way conversation between an application’s server, the push service, and the user.

A user downloads your app and agrees to receive push notifications.
Your app’s server receives that information and...
passes it to your push service.
The push service responds with a unique ID for that user.
When you’re ready to send a message, you query the push service’s API for the user id’s that you need, then pass the information to the push service.
The push service sends the message to users you indicated.

In order for the push notifications to go through, you typically need two passwords that the push service provides: your application’s ID and an API Rest Key.

How Push Service Can Be Compromised

OneSignal has not made any public statements on the event or how this could happen. However, their API documentation provides clues on simple methods someone could use to access an application’s data.

First, the codes used to query the API are readily available, including instructions to quickly download a CVS file of all your user information. You do need the two authentication keys, though.

However, in researching this topic, I found that many people had actually posted their keys online. Usually, they only gave the REST API Key or the application ID, but a few gave both. (One programmer even posted an image of his user’s IDs.) Using that information, hypothetically, one would be able to download the application’s user information CVS. Hypothetically.

Of course, there are other ways in which passwords become open to the public, but this is a unique instance where user error is leading to compromised data.

The Vulnerability of Small Applications

If this is the method that was used to send the rogue notification, then UVLens was already particularly vulnerable. OneSignal has a simple query that will download all of an app’s user information if they have fewer than 100,000 users.

It’s impossible to know how many downloads an app has, but we can use a general estimate based on ratings. If we assume that a free app, like UVLens, will receive one rating for every 100 downloads, they likely have a total user base of about 88,000.

Platform	Reviews	Estimated Downloads
Apple Store	170	17,000
Play Store	713	71,300
Total	883	88,300

It’s possible that all of their users’ information was downloaded with one command in the terminal.

UVLens says that their data and servers were not compromised and that users’ information is safe. Luckily for them, the most personal information users input is their skin tone and zip code, so even if that data was released, it’s unlikely to have far-reaching effects.

Sources Consulted

Creating Technology to Continue or Disrupt Systemic Oppression

Genevieve McAllister — Mon, 26 Aug 2019 20:04:46 +0000

From the time I was old enough to be asked, “What do you want to be when you grow up?”, I have answered with a community-oriented job. I value work that leverages a person’s skills to do the most good for the most people; that’s why I went into teaching. I wanted to help others to be stronger communicators and have the tools to think critically about the world.

So when I decided it was time to leave my job as a high school English teacher, my strong convictions about community engagement gave me pause. When I had chosen my first career, I had quickly dismissed anything at a for-profit company, certain that it meant selling out. I overlooked how the ubiquity of technology means that it can be used to give agency to people who are oppressed.

Because of my early misunderstandings and doubts about technology, I’m going to highlight three apps that exacerbate current issues in regard to class, gender, and race, and three apps that work against systemic oppression.

Class

In November 2015, Seattle called a state of emergency on homelessness. As of January 2018, over 12,000 King County residents were homeless. It is a contentious issue; there are always disagreements about how homelessness should be handled, but Seattle has received a rise in backlash after promoting its Find It, Fix It app.

The app itself is inoffensive; it provides a convenient way for citizens to report issues around the city. According to the website, you can request service for graffiti, illegal dumping, or dead animals. However, since putting posters around town that encourage people to “See a tent? Report a tent,” people have submitted hundreds of fake alerts.

Hilariously, many of the alerts flag the downtown REI’s many display tents.

On the other end of the spectrum, local startup Samaritan aims to make it easier to directly donate to nearby homeless people. If you are experiencing homelessness, you can apply for a small fob that you keep on yourself. The fob alerts app users that someone nearby is in need. App users can then read your story and decide if they want to donate money.

Using the fob does have limitations that may make people more likely to donate: “To keep their beacon active, beacon holders meet with a counselor monthly to set and follow up on goals.” Additionally, the money they receive may only be used at specific locations, such as Grocery Outlet and Goodwill.

Whether or not people choose to donate, the app is an interesting way to humanize people who are often encouraged to be invisible. Giving app users access to the stories of homeless people could lead to more empathy and understanding. At the very least, it’s encouraging that nearly 13,000 people have downloaded the app.

For more information about technology impacting Seattle’s homeless population, I recommend reading The Atlantic’s article.

Gender

Technology is part of a larger culture, so it’s not surprising that there are so many insidious apps available to help you photoshop yourself skinnier, lighter-skinned, or without acne. But when that technology doesn’t just conform to these expectations but actually helps people to more easily control others, it is especially dangerous.

Absher is a government-supported Saudi Arabian app that allows men to easily give or deny travel permission to those under their guardianship, including adult women. “Specifically, male users can register women’s names and passport numbers, select how many journeys she can take and how long she can travel for” (Time). The app also alerts users when one of their dependents leaves the country, giving them further reach and control.

Some have made cases for why the app is actually an improvement. One example given is of a college student who studies abroad in Australia; the app allows her father to sign off on her travel without being in the same city. Clearly, the app is not the problem, but the underlying restrictive, sexist laws. Regardless, the app implicitly violates human rights.

While I’m no longer a teacher, I still believe that education is one of the best ways to empower people. One easy way for people to be empowered is for them to have an understanding of their own bodies. However, a small 2010 study revealed that “74 percent of men and 46 percent of women questioned were unable to identify the cervix” on a diagram (Vice). While we wait for public schools to provide comprehensive sex ed, we can turn to Clue for help.

On the surface, Clue is a period tracker app that allows people to determine when they are likely to menstruate, have symptoms of PMS, or be most fertile. While these are great functions, I am most impressed by Clue’s commitment to providing research and articles on subjects that are often stigmatized. By packaging them with a functional app and a smooth interface, more women have access to information about their bodies.

Race

A number of explicitly racist apps have made headlines in the past few years, but I would like to highlight the ways in which crowdsourcing information can lead to a misuse of technology.

RedZone offers some useful functions for people traveling to a new city. The navigation app uses crime reports to draw their routes and take users through statistically safer areas.

Objective data is useful, however, the crowdsource feature is where issues can come into play. Just as Nextdoor revealed which of your neighbors are racist, RedZone allows people to comment on their perceived safety at different locations. While that seems reasonable, we need to remember that we live in a country where the police get called because people of color are taking naps in their dorm’s common area.

Because of America’s long history of oppressing people of color, it’s hard to imagine that RedZone’s ratings will be anything but racist Yelp reviews.

Technology is also being used to actively combat some issues that immigrants face. Notifica allows users “to plan, learn and act if you are at risk of being detained by deportation agents.” In addition to providing resources and information on immigrant rights, the Notifica app lets users preprogram phone numbers and a message. If the user is about to be detained, they only need to press a button that sends the message and their location to their contacts.

At a time when children return from the first day of school to find that ICE has raided and their parents have been detained, this technology can help families stay in contact with each other and legal representatives.

From the bad to the good, the technology we create comes from the values we hold. While we can create apps that deliver food to our doors, we can also use technology to provide education, resources, and agency to people who experience oppression.