DEV Community: Marcos Placona

How I Built a SaaS in a Weekend That Replaces Google Alerts

Marcos Placona — Sat, 21 Mar 2026 08:40:01 +0000

Google Alerts has been broken for years. It misses most mentions, delivers them days late, and gives you zero context about what was said. I know because I tracked it. Out of 10 real mentions of my brand in a week, Google Alerts caught 2.

The paid alternatives (Mention, Brand24) start at $99+/mo and are built for enterprise marketing teams. There's nothing in between for indie founders, freelancers, or small businesses.

So I built MentionDrop. Real-time web mention monitoring with AI summaries, for $29/mo. Here's how I did it in a weekend.

The Problem I Kept Running Into

Someone trashed one of my products on a niche forum. I found out two weeks later when a friend sent me the link. Google Alerts never picked it up. By then, the thread had 40+ replies, and the narrative was set.

That was the last straw. I needed something that actually monitored the web in real-time and told me what was being said, not just that a keyword appeared on a page somewhere.

The Stack

I optimized for speed-to-launch. Every tool in the stack was chosen because I could go from zero to working in minutes, not days.

Layer	Tool	Why
Frontend	Next.js (App Router)	Fast to ship, great DX
UI	shadcn/ui + Tailwind	Beautiful components without designing from scratch
Auth	Clerk	5 minutes to add login, social auth, user management
Database	Supabase (Postgres)	Free tier is generous, instant API, real-time subscriptions
Payments	Stripe	Checkout, billing portal, webhooks out of the box
AI	Gemini Flash-Lite	Cheap, fast, good enough for summarization
Email	Resend + React Email	Developer-friendly transactional email
Worker hosting	Railway	$2/mo for a background process
Frontend hosting	Vercel	Free tier for Next.js

Total infrastructure cost: under $5/mo to start. That matters when you're validating an idea.

How It Works (High Level)

The architecture is two processes:

Next.js app on Vercel - the landing page, dashboard, and API routes
Background worker on Railway - connects to a real-time data source, matches keywords, runs AI analysis, and stores results

When a user adds a keyword, the worker picks it up within seconds and starts monitoring. When a match is found, the AI processes it, and the user is notified via their preferred channel (email, Slack, or webhook).

The dashboard streams mentions in real-time via Supabase's real-time subscriptions, so you see new mentions appear without refreshing.

The Hardest Problem: Noise

Matching a keyword against web content sounds simple until you realize how noisy it is. One of the first companies to sign up was Box. "Box" matches every page that mentions a cardboard box. "Apple" matches every recipe blog. "Circle" matches geometry tutorials.

This is the problem Google Alerts has and has never solved. They dump everything on you and call it a day.

I spent most of my time on this problem. The solution involves multiple layers of filtering:

Keyword-level rules that understand short generic terms need stricter matching than longer, more specific ones
AI-powered relevance scoring that understands context. "Is this page about Box, the cloud storage company, or a shipping box?" The AI decides.
User-provided context - you can tell MentionDrop "Box is a cloud storage company, competitor to Dropbox," and it uses that to make better decisions

The result: irrelevant matches get filtered out before they ever reach you. When you get an alert, it's because something actually matters.

Each mention comes with:

A plain-English summary (even if the source is in another language)
Sentiment analysis (positive/neutral/negative)
A suggested action (respond, share, monitor, or ignore)

Lessons From Building in a Weekend

Clerk saved me hours. Auth is one of those things that seems simple but has a million edge cases. Clerk handles login, signup, OAuth, user management, and webhooks. I had the auth working in under 10 minutes.

Supabase real-time is magic for dashboards. Instead of polling for new mentions, I use Supabase's real-time subscriptions. When the worker stores a new mention, it appears on the dashboard instantly. Zero extra code on the frontend beyond subscribing to the table.

Railway is perfect for background workers. I needed a long-running process that stays connected to a data stream 24/7. Railway runs it for $2/mo. No Docker config, no Kubernetes, just npx tsx src/worker/consumer.ts.

Start with fewer features. The dashboard has filtering by keyword, sentiment, date range, and live streaming. I could have launched with just an email digest and a simple list page. Ship the minimum, then iterate.

Resend + React Email is the way. I write email templates in JSX with proper TypeScript props. No more wrestling with HTML email tables. The developer experience is a night-and-day difference compared to other email services.

The Numbers

Build time: 1 weekend (with AI assistance for code generation)
Infrastructure cost: ~$5/mo
Pricing: Free (1 keyword), $29/mo (5 keywords), $59/mo (20 keywords)
Tests: 100+ passing

What's Next

I'm working on improving the AI accuracy for multi-language mentions and adding more alert delivery options. The core product is solid, and I'm getting real users finding real mentions that Google Alerts would have missed.

Try It

If you've ever been frustrated by Google Alerts missing mentions of your brand, product, or name, give MentionDrop a try. Free tier, 1 keyword, no credit card needed.

mentiondrop.com

Happy to answer any questions about the build process, stack choices, or business decisions in the comments.

I Built a Tool to Finally Understand What Works on LinkedIn Company Pages

Marcos Placona — Tue, 14 Oct 2025 13:28:00 +0000

If you’ve ever managed a LinkedIn Company Page, you know how frustrating the analytics are.

You get some numbers, but not enough to actually make decisions.

Which posts really drive engagement?
What time works best to post?
Who exactly is following your page?

I got tired of guessing. So I built LinkIntel — a tool that goes beyond LinkedIn’s native analytics to show real insights from your exported data.

Why I built it

I run multiple projects where LinkedIn is our main growth channel.
But every time I wanted to analyze performance, I ended up in Excel hell:
exporting CSVs, merging them, cleaning columns, and still not knowing which content actually worked.

LinkedIn’s built-in analytics dashboard is decent for a quick look — but it hides trends that matter most:

Which post types consistently perform best
When your audience is most active
How your audience demographics evolve over time
How you compare against competitors

I wanted something clearer, faster, and owned by me — no APIs, no permissions, no data sharing.

What LinkIntel does

LinkIntel takes your exported LinkedIn analytics files and turns them into beautiful, interactive dashboards.
It supports four types of exports:

Content Analytics – see which posts drive impressions, engagement, and clicks
Follower Analytics – understand your audience by location, seniority, and job function
Visitor Analytics – learn who’s visiting your page and from which companies
Competitor Analytics – benchmark your performance against others in your space

You upload your files once, and within seconds you get charts, insights, and benchmarks — no setup required.

What makes it different

Unlike other tools, LinkIntel doesn’t rely on LinkedIn’s API.
You stay in control of your data — it’s 100% yours, processed locally and never shared.

It’s built for B2B marketing teams, agencies, and founders who care about making data-driven decisions without losing ownership or privacy.

What’s next

Right now, I’m talking directly to users one-on-one to learn what they need most — from smarter insights to AI recommendations on what to post next.

If you run a LinkedIn Page and want to understand what actually drives results, you can try it for free at getlinkintel.com.

Stop guessing. Start learning what really works on LinkedIn.

Building a video recording application in Android with CameraX

Marcos Placona — Mon, 27 May 2019 10:41:43 +0000

Recording videos in Android used to be a very involved task where it was necessary to write a lot of boilerplate code to initialise the camera and then keep control of the video state and its metadata.

With the introduction of CameraX to Android Jetpack, it only takes a few lines of code to get that going. Let’s build a video recording application.

Setup

You can download the code for this project in this repository if you just want to see it running and not follow along.

In Android Studio create a new project with an empty activity.

On the next screen give your project a name, I called mine Droidagram and made sure to check the Use androidx.* artifacts. I will be using Kotlin here, but you should feel free to use Java if you like typing more code.

Open up your AndroidManifest.xml and add the following just before the <application tag.

<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />

This makes sure that we request the correct permissions to open up the camera and record audio on the device.

Open your module level build.gradle and add the following dependencies and sync:

def camerax_version = "1.0.0-alpha01"
implementation "androidx.camera:camera-core:${camerax_version}"
implementation "androidx.camera:camera-camera2:${camerax_version}"

At the time of writing “1.0.0-alpha01” is the latest version of CameraX, so make sure you check here for a more up-to-date version, though keep in mind that it may break the code you see here.

Open activity_main.xml and on the XML view add a TextureView and an ImageButton instead of the existing TextView

<TextureView
            android:id="@+id/view_finder"
            android:layout_width="0dp"
            android:layout_height="0dp"
            app:layout_constraintTop_toTopOf="parent"
            app:layout_constraintBottom_toBottomOf="parent"
            app:layout_constraintStart_toStartOf="parent"
            app:layout_constraintEnd_toEndOf="parent" />

    <ImageButton
            android:layout_width="72dp"
            android:layout_height="72dp" app:srcCompat="@android:drawable/ic_menu_camera"
            android:id="@+id/capture_button" android:layout_marginBottom="24dp"
            app:layout_constraintBottom_toBottomOf="parent"
            app:layout_constraintEnd_toEndOf="parent" android:layout_marginEnd="8dp"
            app:layout_constraintStart_toStartOf="parent" android:layout_marginStart="8dp"
            android:layout_marginTop="8dp" app:layout_constraintTop_toBottomOf="@+id/view_finder"
            app:layout_constraintHorizontal_bias="0.498" app:layout_constraintVertical_bias="0.748"
            android:background="#F44336"/>

If you run this application now you will see something similar to this:

Adding the camera preview

To be able to preview the camera, we need to request the permissions first. We do that going to MainActivity.kt and adding a couple of constants just before our class.

private const val REQUEST_CODE_PERMISSIONS = 10
private val REQUIRED_PERMISSIONS = arrayOf(Manifest.permission.CAMERA, Manifest.permission.RECORD_AUDIO)
private val tag = MainActivity::class.java.simpleName

The number 10 here is just an arbitrary number we are using to keep track of the permission, and then we have an array with our required permissions which matches what we’ve added to our manifest earlier. Just make sure you import Manifest from import android.Manifest.

Now let’s change this class so it also implements LifecycleOwner as we will need to bind our camera to it later.

class MainActivity : AppCompatActivity(), LifecycleOwner {

Inside the class, and before onCreate add the following lateinit variables.

private lateinit var viewFinder: TextureView
private lateinit var captureButton: ImageButton
private lateinit var videoCapture: VideoCapture

Inside onCreate and just after setContentView add the following lines of code to start requesting permissions when this activity starts:

viewFinder = findViewById(R.id.view_finder)
captureButton = findViewById(R.id.capture_button)

// Request camera permissions
if (allPermissionsGranted()) {
    viewFinder.post { startCamera() }
} else {
    ActivityCompat.requestPermissions(
        this, REQUIRED_PERMISSIONS, REQUEST_CODE_PERMISSIONS)
}

Notice that both allPermissionsGranted and startCamera are be showing in red on the IDE.

At the bottom of the class, just after onCreate, add the following three methods, and the error warnings disappear:

override fun onRequestPermissionsResult(
    requestCode: Int, permissions: Array<String>, grantResults: IntArray) {
    if (requestCode == REQUEST_CODE_PERMISSIONS) {
        if (allPermissionsGranted()) {
            viewFinder.post { startCamera() }
        } else {
            Toast.makeText(this,
                "Permissions not granted by the user.",
                Toast.LENGTH_SHORT).show()
            finish()
        }
    }
}

private fun allPermissionsGranted(): Boolean {
    for (permission in REQUIRED_PERMISSIONS) {
        if (ContextCompat.checkSelfPermission(
                this, permission) != PackageManager.PERMISSION_GRANTED) {
            return false
        }
    }
    return true
}

private fun startCamera() {
    TODO("not implemented") //To change body of created functions use File | Settings | File Templates.
}

The first and second methods handle the permission request and the response once the user decides as to whether they accept that we can use the camera within our app. Make sure that if you run the application now, you say “allow” to both.

Lastly, we’re going to add some code to display the camera preview on the screen for when we run the app.

Remove the TODO code from the startCamera method and add the following:

// Create configuration object for the viewfinder use case
val previewConfig = PreviewConfig.Builder().build()
// Build the viewfinder use case
val preview = Preview(previewConfig)

preview.setOnPreviewOutputUpdateListener {
    viewFinder.surfaceTexture = it.surfaceTexture
}

// Bind use cases to lifecycle
CameraX.bindToLifecycle(this, preview)

The code above is all you need to preview the camera. If you run the application now, it turns the camera on for your device or emulator. Now is a good time to try this out and see if everything is configured correctly.

Programming the button

I wanted this button to only record when I held it pressed, and for it to stop recording when released. Let’s add this logic inside the onCreate just before the end of the method.

captureButton.setOnTouchListener { _, event ->
    if (event.action == MotionEvent.ACTION_DOWN) {
        captureButton.setBackgroundColor(Color.GREEN)

    } else if (event.action == MotionEvent.ACTION_UP) {
        captureButton.setBackgroundColor(Color.RED)
    }
    false
}

Holding the button changes the background colour of it, and releasing brings it back to its original colour.

Recording videos

Now we’re ready to record our videos. Just before the logic for the button, add the following variable, so we get a location and a file name to save our recording.

val file = File(externalMediaDirs.first(),
            "${System.currentTimeMillis()}.mp4")

Now we just need to change our button so when pressed, it also starts recording, and when released it stops the recording.

captureButton.setOnTouchListener { _, event ->
    if (event.action == MotionEvent.ACTION_DOWN) {
        captureButton.setBackgroundColor(Color.GREEN)
        videoCapture.startRecording(file, object: VideoCapture.OnVideoSavedListener{
        override fun onVideoSaved(file: File?) {
            Log.i(tag, "Video File : $file")
        }
        override fun onError(useCaseError: VideoCapture.UseCaseError?, message: String?, cause: Throwable?) {
            Log.i(tag, "Video Error: $message")
        }
    })

    } else if (event.action == MotionEvent.ACTION_UP) {
        captureButton.setBackgroundColor(Color.RED)
        videoCapture.stopRecording()
        Log.i(tag, "Video File stopped")
    }
    false
}

If you are running CameraX version 1.0.0-alpha01 you will notice a red squiggly line under the startRecording and stopRecording methods. This is because this functionality is still highly experimental and likely to change and is still restricted.

You can tell the compiler to ignore those by adding the following to the top of this class:

@SuppressLint("RestrictedApi")
class MainActivity : AppCompatActivity(), LifecycleOwner {

The last thing we need to do is initialise the video recorder use-case, so when the camera is started, we tell it to get ready for some recording action. Head to the startCamera method and just after val preview = ... add the following:

// Create a configuration object for the video use case
val videoCaptureConfig = VideoCaptureConfig.Builder().apply {
    setTargetRotation(viewFinder.display.rotation)
}.build()
videoCapture = VideoCapture(videoCaptureConfig)

This creates a new configuration for the video capturing use-case and initialises the last uninitialised lateinit variable we had, which is called videoCapture. Let’s also bind this to the lifecycle by changing it to this:

// Bind use cases to lifecycle
CameraX.bindToLifecycle(this, preview, videoCapture)

Run the application and hold the record button, and your video will get saved to the filesystem as soon as you release it. You can check your recording out by going to /storage/emulated/0/Android/media/[your.package.name].

So this is all it takes to use this great new addition to JetPack. Get recording and let me know what you think by hitting me up @marcos_placona.

Handling your business calls and texts like a... boss!

Marcos Placona — Thu, 28 Mar 2019 12:10:06 +0000

I dread the idea of having ever to change my phone number. Be it because I'm getting spammed, or because someone thinks it's a good idea to call me during the night every night for the...rest...of...my...life. I'd much rather throw away all my business cards with a disposable phone number than to dispose of my real phone number which I had for 15 years now.

To make sure we never have to dispose of our real number, today we are going to look at how to provision new phone numbers that you can give out to people or put on your business cards without leaving the Twilio Console.

Our tools

A Twilio account - you can get one for free here
(optional) A picture frame - because you're going to want to put your picture up looking like a boss when you finish this.

Handling text messages

The first thing we need to do is go to the phone numbers page and buy a phone number.

The beauty of these numbers is that we can release them just as easily as we can get one, which ties well with the idea of never having to "release" the beloved phone numbers we've held for years.

I chose a UK mobile number and then headed to the setup page. In that page and under "Messaging", select "TwiML" and press the "+" button.

On the modal window that the "+" button just opened, enter a name for your TwiML bin. I called mine "Business Card". Add the following code to handle incoming SMS messages.

<?xml version="1.0" encoding="UTF-8"?>
<Response>
    <Message to="YOUR_PHONE_NUMBER">
        {{From}}: {{Body}}
    </Message>
</Response>

Replace the value YOUR_PHONE_NUMBER with your actual mobile number so any incoming messages to your Twilio phone number get redirected to you and then hit save. You're done with this setup and ready to handle phone calls.

Handling text messages

We could do the same thing we did above with phone calls and be done with it, but I like to treat people who call me directly a little better.

Head to Runtime and create a new Twilio Function. On the Management page click the "+", choose "Blank" and click "Create". Give that a name – I called mine "Personal Voicemail" – and set the path to be "/personal-voicemail".

We want to do a couple of things with this function:

Be able to answer calls to our Twilio number on our own number
Block certain numbers

Choose "Incoming Voice Calls" under "Event" and add the following code:

exports.handler = function (context, event, callback) {

        /***** configuration *****/

        const phoneNumber = 'YOUR_PHONE_NUMBER';
        const timeout = event.Timeout || 12;

        const secureRecordingLinks = false;

        const voiceOpts = {
                'voice': 'alice',
                'language': 'en-US'
        };

        const reject = [
                // To block a caller, add the E164 formatted number here
        ];

        let rejectMessage = "You are calling from a restricted number. Goodbye.";

        /***** end configuration *****/


        let thisFunction = 'https://' + context.DOMAIN_NAME + '/personal-voicemail';

        function shouldReject() {
                return reject.length && event.From && reject.includes(event.From);
        }

        function rejectInbound() {
                let twiml = new Twilio.twiml.VoiceResponse();
                if (rejectMessage) {
                        twiml.say(rejectMessage, voiceOpts);
                }
                twiml.hangup();
                return twiml;
        }

        function handleInbound() {
                const dialParams = {
                        'action': thisFunction
                };

                if (event.CallerId) {
                        dialParams.callerId = event.CallerId;
                }

                if (timeout) {
                        dialParams.timeout = timeout;
                }

                const twiml = new Twilio.twiml.VoiceResponse();
                twiml.dial(dialParams, phoneNumber);

                return twiml;
        }

        function redirect() {
                const twiml = new Twilio.twiml.VoiceResponse();
                twiml.redirect(thisFunction);
                return twiml;
        }

        switch (true) {
                case event.CallStatus === 'queued':
                        callback(null, redirect());
                        break;
                case event.CallStatus === 'ringing':
                        callback(null, shouldReject() ? rejectInbound() : handleInbound());
                        break;
                default:
                        callback();
        }
};

The code above check that the number calling your Twilio number is not in the blacklist and in that case will forward the call to your real telephone number.

Make sure you replace the YOUR_PHONE_NUMBER value with your actual mobile number. If you have any numbers you want to add to the blacklist, add them comma-delimited like so:

const reject = [
                "+123456789","+15555555","+44123456789"
        ];

Go back to the phone numbers page. Under "Voice & Fax" choose "Function" for "When a Call Comes in" and then select your new function and hit save.

When someone calls or texts your Twilio phone number, they should get redirected to your real phone number. You will then have the option to answer it or send straight to voicemail as you would normally.

Boss mode: Unlocked!

Now that our number is safe from spam or abuse, we can rest assured knowing that if ever anyone gets hold of our Twilio number and decides to abuse it, we can always release it and get another one using the code we've already written.

Furthermore, we can have several numbers using the same code so we can give them away at different occasions.

I would love to hear about smart ways in which you use Twilio to make your life easier. Hit me up on @marcos_placona or leave a comment below.

What is the one conference you do not want to miss in 2018?

Marcos Placona — Fri, 26 Jan 2018 19:09:45 +0000

More than one event is totally fine
Links to possible CFPs would be useful
Conferences don't always need to be technical

Building a fully featured burner phone with Kotlin

Marcos Placona — Fri, 28 Jul 2017 12:37:09 +0000

You walk into your favourite coffee shop and today they ask you if you’d like to register for a loyalty card. All they need is your name and phone number.

On the way back you stop for groceries and the cashier asks if you’d like to enter a prize draw. All they need is your name and phone number.

It’s finally time to put that lawn mower you’ve not used in years on Craigslist but at the end of the ad, it asks you to enter your phone number so buyers can contact you directly.

You need a burner phone!

Let’s look at how we can use Kotlin and Twilio to build and deploy a burner phone application so that we can use multiple phone numbers for these situations. If you just want to download the code you can have a look at this repo or deploy it to Heroku using the button below.

Our tools

I will be using IntelliJ IDEA for the code but feel free to use your preferred IDE as long as it works well with Gradle.
One or multiple Twilio Phone numbers for creating various burner phones. You can get them here.

The project

Let’s start by creating a new Gradle project in IntelliJ and adding Kotlin (Java) as the library.

I have described the entire process in the first part of Send and Receive SMS messages with Kotlin. You can follow it here. Alternatively, you can just clone the repository as follows.

git clone git@github.com:mplacona/BurnerPhones.git
cd BurnerPhones
git checkout starter-application

With that project open on IntelliJ, start by right clicking on App.kt and choosing “Run”.

In your browser go to http://localhost:8080/sms/ and you will see the default controller displayed.
Let’s change one configuration in App.kt so the application knows where to forward the SMS messages and calls to. Inside the main function add the following:

fun main(args: Array<String>) {
    System.setProperty("MY_NUMBER", System.getenv("MY_NUMBER"))
    SpringApplication.run(App::class.java, *args)
}

I have my telephone number set as an environment variable on my computer. My colleague Dominik wrote a nice article explaining how to set environment variables on Mac, Windows and Linux.

Once you have the “MY_NUMBER variable set correctly for your environment with your own telephone number we’re ready to start building the application.

Forwarding SMS messages

We still want to get every SMS message sent to our burner phones, but we want them redirected to our own number. The beauty of doing this is that if we ever get tired of being spammed from a certain number, we can just discard that number on the Twilio console and be done with it.

Open SMSController.kt and create a new mapping called forwardSMS just below the one that is already there.

import com.twilio.twiml.Body
import com.twilio.twiml.Message
import com.twilio.twiml.MessagingResponse
import org.springframework.web.bind.annotation.RequestMapping
import org.springframework.web.bind.annotation.RequestParam
import org.springframework.web.bind.annotation.RestController

@RequestMapping("/sms")
@RestController class SMSController {
    @RequestMapping(value = "/")
    fun helloSpringBoot() = "A nice looking sms controller"

    @RequestMapping(value = "/forwardSMS", produces = arrayOf("text/xml"))
    fun forwardSMS(@RequestParam(value = "From") from: String, @RequestParam(value = "Body") body: String): String{
        val message = Message.Builder()
                .to(System.getProperty("MY_NUMBER"))
                .body(Body("Message from: $from \n $body")).build()
        return MessagingResponse.Builder().message(message).build().toXml()
    }
}

This new mapping will tell Twilio to forward any inbound SMS to our own number. It will forward the message so we still know whose number originally sent it.

It is useful to know who sent the message so you can respond if you need or just as easily add a condition to the top of the mapping to block any messages from that specific sender.

Restart the application and test it out by sending a POST request to it with cURL for example:

curl -X POST 
  http://localhost:8080/sms/forwardSMS 
  -F From=+1234567890 
  -F 'Body=Checking my TwiML works'

And the result should be the TwiML that will tell Twilio to forward the message.

Before we configure our Twilio numbers let’s add call forwarding to our application.

Forwarding Calls

To forward calls we will use the same principle as above but will have it in a different controller to keep things neat. If you cloned the starter application you should already have that controller.

Create a new Kotlin controller called CallController.kt alongside SMSController.kt if you don’t already have one.

In that controller add the highlighted code or just copy everything if you still have an empty controller.

import com.twilio.twiml.*
import com.twilio.twiml.Number
import org.springframework.web.bind.annotation.RequestMapping
import org.springframework.web.bind.annotation.RequestParam
import org.springframework.web.bind.annotation.RestController

@RequestMapping("/call")
@RestController class CallController {
    @RequestMapping(value = "/")
    fun helloSpringBoot() = "A nice looking call controller"

    @RequestMapping(value = "/forwardCall", produces = arrayOf("text/xml"))
    fun forwardCall(@RequestParam(value = "From") from: String): String{
        val call = Dial.Builder().number(Number.Builder(System.getProperty("MY_NUMBER")).build()).build()
        return VoiceResponse.Builder()
                .dial(call).say(Say.Builder("You have a call from $from").voice(Say.Voice.ALICE).build())
                .build().toXml()
    }
}

Just like before, we are adding information about the caller for when the call is forwarded. So when you get a call to this Twilio number you hear a message that tells you the number that is calling.

You can also test that this is working correctly by making a POST request to it and checking that the TwiML returned looks right.

Before we configure our Twilio numbers to use the application we need to deploy it somewhere. Let’s look at how to do this with Heroku.

Deploying your Kotlin application to Heroku

If you haven’t yet create an account on Heroku. Once you have an account and installed the heroku toolbelt, go to your terminal and log in from there.

heroku login
Enter your Heroku credentials.
Email: me@example.com
Password:

Still in terminal create a new Heroku application.

heroku create

If you haven’t created this application from scratch but cloned the starter-application repository, you will now need to merge it into master as follows:

git commit -am "complete tutorial"
git checkout master
git merge starter-application

You can skip the step above if you created the project from scratch, just make sure you in master and we’re ready to push this to Heroku.

git push heroku master

This will take a few seconds and when it’s complete you should see a message that looks like this on your terminal.

Copy this URL as we will use it later on to configure our Twilio numbers.
Just like in our local environment we need to set a phone number as an environment variable for this deployment. You can do this by running the following on your terminal:

heroku config:set MY_NUMBER=+441234567890

Make sure you use your own telephone number as the value for MY_NUMBER. Now we’re ready to configure our burner numbers.

Creating burner numbers

The beauty of this application is that because we’re not hard-coding anything in the application itself, it can be used for as many Twilio numbers as we want. In our case, we could have one number for loyalty cards, one for prize draws and one for selling things on the internet.

Head to the Twilio console and get as many numbers as you like, then configure and save them all as follows:

Make sure you change the application URL to match what you copied earlier when you deployed your application to Heroku.
Give those numbers away instead of your own number now and just wait for all the messages and calls to start coming in.

Burn it!

Having burner phones that can just be created and disposed of when they’re no longer needed has never been so easy.
I personally have each one of my burner numbers added to my contacts so they display nicely when I get a call or text message and I know roughly what to expect.

A nice addition to this application would be to add a way of blocking senders before messages or calls are forwarded to us, or adding a voicemail system for certain numbers to make sure we never miss any calls.

I would love to see what new features you add to it. Hit me up on twitter @marcos_placona or drop me a note on the comments below to tell me more about it.

Building a fully featured burner phone with Kotlin was originally published on the Twilio blog on July 12, 2017.

Get started with Android Things today!

Marcos Placona — Mon, 19 Jun 2017 13:07:30 +0000

Android Things is a very frictionless Android OS that helps developers build IoT applications using the Android framework and tools. You can read more about it on What really is Android Things. Let's have a look at how to get started with Android Things today.

Our tools

The instructions described here have been tested on a Mac, but should be easily interchangeable with any other operating system.

Android developers will already have most of the necessary tools to get started with Android Things, but here's what we will need.

Android Studio
A Raspberry Pi 3 - You can get one here if you don't already have one lying around.
A micro SD card with at least 8GB and an adapter so you can flash it. I have this one, but anything will do.
A copy of the latest Android things preview image for Raspberry Pi.
SD Card Formatter
An ethernet cable connected to your router.

Flashing the image

The Android Things website has instructions about how to flash the image, but I found that buggy hard to follow so here's what I did.

Open up the zip file you downloaded with Android things preview and there should be a file called iot_rpi3.img inside of it. If you got the file, feel free to skip the next heading.

But I hit a snag!

I hit a snag here where the extracted file was called androidthings_rpi3_devpreview_4.zip.cpgz, and extracting that would give me a file called androidthings_rpi3_devpreview_4 1.zip and this would go on pretty much forever. I found this article partially helpful.

The gist of it is that you need to unzip the file via terminal, but using the methodology described on the website returned something like this:

Archive:  androidthings_rpi3_devpreview_4.zip
warning [androidthings_rpi3_devpreview_4.zip]:  76 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [androidthings_rpi3_devpreview_4.zip]:  reported length of central directory is
  -76 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
   skipping: iot_rpi3.img            need PK compat. v4.5 (can do v2.1)

note:  didn't find end-of-central-dir signature at end of central dir.
  (please check that you have transferred or created the zipfile in the
  appropriate BINARY mode and that you have compiled UnZip properly)

Our file is in there as you can see, but just using the unzip command does not extract it. 7zip was able to extract it though. You can install it by running:

$ brew install p7zip
$ 7za x androidthings_rpi3_devpreview_4.zip

Formatting the memory card

Insert the memory card on your Computer and you may get a message saying:

The disk you inserted was not readable by this computer.

This means this disk already had another image installed. Don't worry, just hit ignore.

Open up SD Card Formatter, choose the SD Card and hit format.

In your terminal run diskutil and identify the disk number for your memory card.

$ diskutil list
/dev/disk2 (external, physical):
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:     FDisk_partition_scheme                        *8.1 GB     disk2
1:                 DOS_FAT_32 NO NAME                 8.1 GB     disk2s1

Unmount that disk:

$ diskutil unmountDisk /dev/disk2
Unmount of all volumes on disk2 was successful

We're ready to flash the Android Things image to the disk. From the directory where your *.img file is run:

$ sudo dd bs=1m if=iot_rpi3.img of=/dev/rdisk2

Make sure you change the value of /dev/rdisk2 to the number you got from when you run diskutil list. So if you got disk4 for example, you should run the command above with /dev/rdisk4.

This can take some time, so go get yourself some coffee. You are flashing over 4GB into that SD card, and depending on it's speed this can take anywhere from 5 to 15 minutes.

When the flashing is completed, your computer should give you the "The disk you inserted was not readable by this computer." message again. We're done with this bit.

Booting up the image

Get the memory card off your computer and insert it into the Raspberry Pi 3. I prefer to have it connected to a screen at this point as it gives me the confidence everything went ok.

Connect the Pi's micro-usb to your computer and if you connected it to a screen you should see Android things booting up

Great! But as you can see in the screen, we have no connectivity, which means we won't be able to get adb to connect to it. Thus making it impossible for us to upload our first application to our device. And this part of the documentation is not amazingly clear.

After flashing your board, it is strongly recommended to connect it to the internet. This allows your device to deliver crash reports and receive updates.

But then I guess this is what the "I" in IoT means right?

Connecting to the Internet

Disconnect the Pi from your computer to power it down, and connect the ethernet cable on it. Now power it up again, and you should see that this time when it powers up it's assigned an IP Address.

Go back to your terminal an enter the following command:

$ adb connect Android.local
connected to Android.local:5555

Android.local is automatically broadcast by the Raspberry Pi, and should resolve to the IP address assigned to your Pi on port 5555, so in our example the command above is the same as running adb connect 192.168.0.23:5555.

Running adb devices on your terminal should now list your Pi in the devices list. But having a cable always connected is a pain, so let's configure it to connect to our home WiFi.

Connecting to your WiFi

Back in your terminal enter the following:

$ adb shell am startservice \
    -n com.google.wifisetup/.WifiSetupService \
    -a WifiSetupService.Connect \
    -e ssid <Network_SSID> \
    -e passphrase <Network_Passcode>

Make sure you replace <Network_SSID> with your network name and <Network_Passcode> with your network's password. From reading about the Raspberry Pi 3, it seems it's only able to connect to 2.4Ghz networks since it's only got one WiFi antenna.

Running the command above will get your Pi connected to the WiFi. If you still have it up on the screen you will see that it gets an IP address assigned to it soon after you run it. You can now remove the ethernet cable from it. I found that restarting it again is best though as it guarantees the device is not offline.

Running your first Hello Things application

This wouldn't be a complete tutorial if we didn't run an application to make sure Android was actually running on our Raspberry Pi as expected. You can continue following this through or just clone this application's repository here.

In Android Studio, create a new project called Hello Things. Android Things runs on API 24 and above, so make sure you pick Nougat or above and start that with an empty activity.

Head to your application level Gradle file and add a dependency to Android Things.

dependencies {
    ...
    provided 'com.google.android.things:androidthings:0.4-devpreview'
}

Now head to the application's manifest and add an entry to the shared library and modify the intent filters.

<application
    android:label="@string/app_name">
    <uses-library android:name="com.google.android.things"/>
    <activity android:name=".MainActivity">
        <!-- Launch activity as default from Android Studio -->
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>

        <!-- Launch activity automatically on boot -->
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.IOT_LAUNCHER"/>
            <category android:name="android.intent.category.DEFAULT"/>
        </intent-filter>
    </activity>
</application>

Lastly, head to hellothings/MainActivity.java and change the onCreate method to list all the available peripherals on our Raspberry Pi.

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    PeripheralManagerService service = new PeripheralManagerService();
    Log.d(TAG, "Available GPIO: " + service.getGpioList());
}

This will return us with a list of every available General-purpose input/output (GPIO) in our Raspberry Pi.

01-02 19:40:52.589 1636-1636/rocks.androidthings.hellothings D/MainActivity: Available GPIO: [BCM12, BCM13, BCM16, BCM17, BCM18, BCM19, BCM20, BCM21, BCM22, BCM23, BCM24, BCM25, BCM26, BCM27, BCM4, BCM5, BCM6]

Also, if you still have your Pi connected to a screen, you will see that the activity called Hello Things was started.

Now go ahead and play with some of the other samples on the Android Things website.

Certificate Pinning in Android

Marcos Placona — Thu, 12 Jan 2017 17:46:45 +0000

Certificate pinning is a security mechanism which allows HTTPS websites and applications using HTTPS services to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.

With certificate pinning it is possible to mitigate or severely reduce the effectiveness of MiTM attacks enabled by spoofing a back-end server's SSL certificate.

If you are already using API's or services with OkHTTP or any library that uses it, such as Retrofit or Picasso the good news is that you're already half way there.

Let's look at the following example from the documentation:

private final OkHttpClient client = new OkHttpClient();
public void run(String url) throws Exception {
    Request request = new Request.Builder()
            .url(url)
            .build();

    client.newCall(request).enqueue(new Callback() {
        @Override
        public void onFailure(Call call, IOException e) {
            Log.e(TAG, "onFailure: " + e.getMessage());
        }

        @Override
        public void onResponse(Call call, okhttp3.Response response) throws IOException {
            Log.d(TAG, "onResponse: " + response.body().string());

        }
    });
}

And you'd run it like this:

run("https://publicobject.com/helloworld.txt");

At this point you think:

Great! I'm going though HTTPS, so this must be safe right?

Well... No.

With enough knowledge about proxies (N.B. I have barely just enough), one can intercept that request and see every incoming and outgoing packages... As plain text!

Now if we change our client slightly we can add certificate pinning to it, which will make it way harder for someone to impersonate our certificate and our app will refuse to make requests through that certificate.

private CertificatePinner certificatePinner = new CertificatePinner.Builder()
    .add("publicobject.com", "sha256/0jQVmOH3u5mnMGhGRUCmMKELXOtO9q8i3xfrgq3SfzI")
    .build();

private final OkHttpClient client = new OkHttpClient
    .Builder()
    .certificatePinner(certificatePinner)
    .build();

And your code will error and log a message like this.

sh E/MainActivity: onFailure: Certificate pinning failure! Peer certificate chain: sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com,OU=PositiveSSL,OU=Domain Control Validated sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB Pinned certificates for publicobject.com: sha256/0jQVmOH3u5mnMGhGRUCmMKELXOtO9q8i3xfrgq3SfzI=

And this is great! Because it tells us which SHA256 hash we should be using. So now we can change our code to use the keys described on the error as follows:

java private CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("publicobject.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=") .add("publicobject.com", "sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=") .add("publicobject.com", "sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=") .build();

And sure enough, if you run your code again everything should work as expected
but with an added bonus. Our code is now checking that the certificate of the
host matches with the one we're expecting. And if it doesn't, it will refuse to make a request.

A proxy would then return a message saying: No request was made. Possibly the SSL certificate was rejected..

And now we've pinned our certificate to our code.