iOS and Game Center: Tips to Avoid Sad Times

So, you’ve just written your first mediocre iPhone game. You’re getting literally tens of downloads per day. You’re raking in upwards of fifty cents per day in ad revenue. Life doesn’t get much sweeter than that.

Unfortunately, while you were reading that last paragraph, ten other developers each launched a new game and the same fickle users that downloaded your game solely because it was free are going to leave your game behind in search of other entertainment.

In an increasingly competitive App Store, it’s important to update your app semi-regularly. This serves a dual purpose: giving your users new features that provide a better experience and reminding your users that they already have an app on their phone that is worth opening.

At Palomino Labs, we’ve found that it can sometimes be difficult to find a nice bite-size chunk of functionality that makes sense as an app update. When we recently re-evaluated our game Tumble Jump in preparation for an update, we came up with several ideas, but the one that I want to focus on in this post is Game Center integration.

Read on

The Internet Reacts to the New Mac Pro

With our incubation project SpottingSession (and our upcoming addition to the platform ProSpotting) we’ve gotten to know the post-production community quite well. It turns out, a lot of TV and feature work gets done on Macs, but Apple’s refresh pace has not kept up with professional appetites (or even other Apple products). This is compounded by some pro users’ aversion to change. With the professional audio and video community “time is money”, so requiring users to relearn how to do something they’ve done a million times before is a tough sell, particularly if not coupled with significant other improvements. As a short but illustrative history of Apple’s somewhat contentious relationship with pro customers:

May 2010Rumors that next version of Final Cut Pro will broaden it’s target beyond pros.

July 2010Last significant Mac Pro rev until yesterday.

Read on

Intent Spoofing on Android

Most competent web developers have learned a thing or two about how to handle cross-site scripting and cross-site request forgery, the two main attack vectors for compromising the front end of a web application. These attacks take advantage of the complexity of modern web browsers and some of the idiosyncracies of how they function in the presence of content and scripts from a multitude of mutually mistrustful origins. Likewise, smartphone platforms are complex and must handle the safe coexistence of many apps with varying levels of trust and permissions, and they have some quirks of their own that present challenges for security. But since smartphones are a newer and younger technology, the kinds of security vulnerabilities present on them are much less well understood than the analogous web vulnerabilities. In this post we’ll take a look at an attack vector that often comes up on Android, namely intent spoofing, and discuss how to write apps that are secure from it.

Read on

Ruby Testing and External Dependencies

We’re strong believers in testing of all sorts. Unit testing ensures that each of your classes and functions does what you expect, in particular at edge cases. Functional tests provide a check that entire systems work from a user point of view. Thanks to test frameworks like RSpec, JUnit, and Jasmine, unit tests are usually easy to create and run, since they depend upon nothing beyond the component being tested. While there are similar tools for creating functional tests (namely, Selenium for testing webapps), running the test can be much more complicated if you have multiple parts to your application.

At Palomino Labs, we recently completed a project that involved two main pieces: a webapp written in Rails and a data storage application in Java. In our scenario, a portion of the webapp’s functionality depended upon being able to communicate with the running Java app. In the development environment, this is a minor nuisance, requiring the developer to have the Java application running. Running the test automatically using Jenkins was a bigger problem, and since we know that automated testing is integral to catching regressions quickly, the problem needed to be solved. One option would be to have a long-running version of the Java service available to the Jenkins box, but that would far from ideal because we want to make sure that the versions of the Java and Rails projects that are used for testing stay in sync with each other. Instead, we have Jenkins start and stop a fresh, up-to-date instance of the Java service for every test run.

Read on

Using to Optimize EC2 Costs

We created a while ago to make it easier to decide which EC2 pricing option to use. Since then, we’ve gotten some questions on how to use it most effectively. To clarify its usage, I’ll walk through a couple of examples.

First generation Standard Medium instance, 100% utilization, 8 months

Hypothetical scenario: continuous integration box for a medium-term project (8 months). Since it’s a CI box for your hardworking global team, it needs to be running 24/7.

Read on

Practical XML Parsing With Java and StaxMate

Java has no shortage of XML libraries and APIs: common ones like DOM, SAX, StAX, and JAXB, plus more esoteric ones like XOM, VTD-XML, Castor, etc. Of the more low-level XML tools (as opposed to data binding or other high-level functionality), the most common ones are DOM, SAX, and StAX, and this article explains how to use StAX effectively with StaxMate.

Between DOM, SAX, and StAX, why would one use StAX? DOM loads the entire document into memory and constructs a tree. It’s easy to navigate the tree however you wish, but having the whole document be RAM-resident is impractical with larger documents. SAX is a streaming parser, so it doesn’t have the memory usage problems that DOM does, but it’s awkward to use for many XML parsing tasks. StAX is a newer API that provides a more convenient API than SAX while delivering competitive performance.

Though StAX is easier to use than SAX, it could be better, which is where StaxMate fits in. StaxMate is a library that uses a StAX parser under the hood to get closer to the goal of DOM-like ease of use.

Contrived Example

There’s a sample project on GitHub. We’ll walk through the xml and the code step by step to show what’s going on. Try running the unit tests (with mvn clean install) and make sure everything passes.

The XML this code parses describes animals and vegetables and the various ways in which one may eat them. The XML is rather strange, but this is intentional so that different types of parsing tasks can be demonstrated.

Read on

Symmetric Encryption in Java

Encryption is one of the more obtuse things that we do as programmers, perhaps appropriately so. Regardless of the language, search results are guaranteed to provide a myriad of different strategies, each describing different methods, many of which are subtly flawed, subverting their security goals. As is Java’s nature, performing encryption requires more programmatic steps than higher level languages, increasing the difficulty for those using encryption in their application.

Security Context

First, let’s take a look at what we’re going to do here. This post covers symmetric encryption, wherein a single key is used for encryption and decryption. In such a system there is a single thing, the encryption key, that must be kept secret and shared between anyone wanting to encrypt or decrypt data. In our example, we are also using a message authentication code (MAC), which requires its own key that must be secret & shared. Pieces of information like these are appropriately called shared secrets.

The MAC ensures that the outputs of our encryption (namely the ciphertext and initialization vector) have not been altered. It is theoretically possible to alter the initialization vector (IV) and ciphertext in concert to change the message without knowing the secret key. Additionally, either of those pieces could be manipulated so as to cause a fault when they are fed into the decryption system, causing an unexpected exception in your decryption system.

Read on

Introducing Our First Incubation Project: SpottingSession

Palomino Labs is proud to officially launch our first incubation project, SpottingSession.


SpottingSession is an app for TV and movie post-production that automates creation and organization of everyone’s spotting notes. It’s already been used on several major shows and motion pictures, and our users have reported back that it’s helped them save a ton of time, money, and effort. We’re using our initial success as a launching pad to get SpottingSession into the hands of post-production experts around the world. Development continues actively, and we plan on improving on an already impressive multi-platform technological achievement.

If you work in post-production and have a use for something like SpottingSession, or you know someone who does, either download a free trial version of the app or email us at and we can help you get set up.

Read on