Day 4 for me consisted of a workshop, watching a keynote in the afternoon and watching a quick 15-minute talk from Scott Hanselman.

#Data to Go: Mobile API Design

Three principles for mobile API design:

  • Reduce round trips to the server
  • Control verbosity
  • Restrict access

Learned something new: Genymotion, a faster Android emulator.

##Reduce round trips to the server

Resource-constrained environment:

  • CPU
  • Memory
  • Bandwidth
  • Battery

Users are impatient

  • Reduce network overhead
  • Brevity trumps discoverability
  • RESTful vs. RESTish

On mobile, when network activity starts the modem has to power up into full-power mode, which is expensive in battery and latency. Once the radio is already at peak power you should make the most of that window: batch the requests you know you will need so that as much data as possible moves during this one wake-up rather than across several.

Show me the cache: should you just cache?

  • Memory, uses up memory
  • Disk, uses up disk
  • Invalidation, when is cache dirty?

Cache strategies are hard; you can't always simply cache responses.

##Control Verbosity

  • Remove empty data
  • Remove irrelevant data
  • GZIP compression

Sip, don’t chug.

  • Less data is faster
  • Less data is less expensive

Knobs and dials

  • Pagination
  • Sort
  • Search
  • Filter

Object expansion: specifying the verbosity level on a per-request basis

  • Abstract verbosity level, making levels to return how much data you want returned
  • Custom media type, e.g. application/cat.simple+json (small cat) vs. application/cat.large+json (full cat)
  • Specifying response fields in the request, [list of fields you want returned]
  • Collection vs. resource, respond with a subset for collection groups, resource has all details
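An added illustration of the "control verbosity" and "object expansion" points above, not code from the talk or the speaker. It serves a single resource at a verbosity level chosen by the custom media type in the Accept header, or at an explicit field list from a `fields` parameter, prunes empty values before serialising, and reports the gzip size. The cat resource, the `owner` nesting, the header and parameter names, and the `password_hash` field standing in for server-only data are all constructed for the example. The security-relevant detail is that both selection paths run through an allowlist: a client can ask for fewer fields than the server exposes, never for more.

```python
import gzip
import json

# Constructed sample resource. password_hash stands in for data that must never
# leave the server no matter what verbosity the client asks for.
CAT = {
    "id": 42,
    "name": "Tabby",
    "breed": "Maine Coon",
    "color": None,
    "tags": [],
    "owner": {"id": 7, "name": "Ada", "email": "ada@example.com", "password_hash": "x"},
    "history": [{"year": 2019, "event": "adopted"}, {"year": 2020, "event": "vet"}],
}

# Verbosity levels keyed by the custom media types named in the talk.
LEVELS = {
    "application/cat.simple+json": {"id", "name"},
    "application/cat.large+json": {"id", "name", "breed", "color", "tags", "owner", "history"},
}
# Fields a client may name in ?fields=...: an allowlist, not the object's own keys.
PUBLIC_FIELDS = LEVELS["application/cat.large+json"]
# Sub-fields exposed for nested objects; owner.email and owner.password_hash are dropped.
NESTED = {"owner": {"id", "name"}}

EMPTY = (None, "", [], {})


def prune_empty(value):
    """Recursively drop None, empty strings and empty containers ("remove empty data")."""
    if isinstance(value, dict):
        pruned = {k: prune_empty(v) for k, v in value.items()}
        return {k: v for k, v in pruned.items() if v not in EMPTY}
    if isinstance(value, list):
        return [prune_empty(v) for v in value if v not in EMPTY]
    return value


def project(resource, fields, nested=NESTED):
    """Keep only the allowed top-level fields, applying the nested allowlist to sub-objects."""
    out = {}
    for key in fields:
        if key not in resource:
            continue
        value = resource[key]
        if key in nested and isinstance(value, dict):
            value = {k: v for k, v in value.items() if k in nested[key]}
        out[key] = value
    return out


def render(resource, accept="application/cat.large+json", fields=None):
    """Return (status, body_bytes) for one request.

    An explicit field list wins over the media type. Unknown media types get 406;
    unknown or non-public field names are silently ignored rather than echoed, so a
    client cannot enumerate server-only attributes by guessing names.
    """
    if fields is not None:
        wanted = {f.strip() for f in fields.split(",") if f.strip()} & PUBLIC_FIELDS
        if not wanted:
            return 400, b'{"error":"no valid fields requested"}'
    elif accept in LEVELS:
        wanted = LEVELS[accept]
    else:
        return 406, b'{"error":"unsupported media type"}'
    payload = prune_empty(project(resource, sorted(wanted)))
    return 200, json.dumps(payload, separators=(",", ":")).encode()


def compressed_size(body):
    """Bytes on the wire after gzip; compare with len(body) to see when compression pays off."""
    return len(gzip.compress(body))


if __name__ == "__main__":
    for accept in LEVELS:
        status, body = render(CAT, accept=accept)
        print(accept, status, len(body), "->", compressed_size(body), body.decode())
    print(render(CAT, fields="name,owner,password_hash"))
```

Note that gzip has roughly 18 bytes of header and trailer overhead, so for the "small cat" response it makes the payload larger; compress only above a size threshold, or leave that decision to the HTTP layer.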

##Authorization

  • Invalid credentials
  • Rate limit
  • Unsupported operating system
  • Obsolete application version
  • Blacklisted IP address

Do

  • HTTPS/TLS
  • Access token header
  • 2-step verification

Don’t

  • Session
  • Cookies
  • CSRF tokens
  • OAuth* (unless the API is public)
  • HMAC*
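An added example, not from the talk, of the authorization checks listed above in Python: the client presents an access token in the Authorization header (no session, no cookies, so there is no CSRF token to manage), and the server answers with one of the rejection reasons from the list. The token, the minimum app version, the supported OS names, the blocked address and the `X-Client-OS` / `X-App-Version` header names are all made up for the example; the token store and rate-limit counters are in-memory dictionaries standing in for whatever backs a real service.

```python
import hmac
import time

# Constructed fixtures for the example: one issued token, the oldest app version
# still allowed to talk to the API, the supported platforms and one blocked address.
TOKENS = {"tok_9f3c2a": "user-17"}
MIN_APP_VERSION = (2, 4, 0)
SUPPORTED_OS = {"android", "ios"}
BLOCKED_IPS = {"203.0.113.9"}
RATE_LIMIT = 5            # requests per window, per token
WINDOW_SECONDS = 60

_hits = {}                # token -> list of request timestamps within the window


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); anything unparsable -> None so it fails the version check."""
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return None


def lookup_token(presented):
    """Map a presented token to its user with a constant-time comparison.

    hmac.compare_digest avoids leaking how many leading bytes matched. Scanning
    every token is fine for this tiny store; a real service would key the store
    by a digest of the token and compare_digest the single candidate.
    """
    user = None
    for issued, owner in TOKENS.items():
        if hmac.compare_digest(issued.encode(), presented.encode()):
            user = owner
    return user


def authorize(headers, client_ip, now=None):
    """Evaluate one request and return (status, reason_or_user).

    The IP blocklist runs first because it is the cheapest rejection and needs
    no lookup; credentials come next so the rate limit can be keyed per token,
    then the platform and version gates from the talk's list.
    """
    now = time.time() if now is None else now

    if client_ip in BLOCKED_IPS:
        return 403, "blacklisted IP address"

    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = lookup_token(token) if scheme == "Bearer" and token else None
    if user is None:
        return 401, "invalid credentials"

    recent = [t for t in _hits.get(token, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:
        _hits[token] = recent
        return 429, "rate limit exceeded"
    _hits[token] = recent + [now]

    if headers.get("X-Client-OS", "").lower() not in SUPPORTED_OS:
        return 403, "unsupported operating system"

    version = parse_version(headers.get("X-App-Version"))
    if version is None or version < MIN_APP_VERSION:
        return 426, "obsolete application version"

    return 200, user


if __name__ == "__main__":
    request = {"Authorization": "Bearer tok_9f3c2a", "X-Client-OS": "Android", "X-App-Version": "2.4.1"}
    for _ in range(RATE_LIMIT + 1):
        print(authorize(request, "198.51.100.5"))
```

Because the token is a bearer credential, the "Do" list's first item is not optional: without TLS the header is readable by anyone on the path, and no amount of server-side checking recovers from that.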

Wait... I thought OAuth was good?

  • Which implementation?
  • Ok for public
  • Designed for 3-legged communication over un-encrypted connections
  • Apps can be decompiled to recover the signing algorithm and any embedded client secret if signing is done client-side.
  • Introduces significant overhead.
  • OAuth2 = Security Sadness

##The Future

  • SPDY
  • Binary Transfer Formats
  • Protobuf
  • BSON
  • Thrift
  • Websockets
  • HTTP 2.0

#Tomorrow is the close of the interactive conference and when I learn about hardware! 😀