Monthly Archives: October 2012

Analyze the performance of your JavaScript Windows Store app

Applications published in the Windows Store must be fast and fluid, otherwise they won’t pass the certification because of the following requirement:

3.8 Your app must meet the basic performance criteria on a low-power computer
The app must launch in 5 seconds or less
The app must suspend in 2 seconds or less

Unfortunately the Windows Application Certification Kit is not enough the thoroughly test this requirement, because that tool runs only a few performance test. To test your JavaScript app, you can use the Performance Analyzer for HTML5 Apps tool from the Windows 8 SDK. After you install Visual Studio, this tool will be installed as well, but it won’t appear on the Start screen, so you have to start appperfanalyzer_js.exe manually from the C:\Program Files\Windows Kits\8.0\bin\<platform>\AppPerfAnalyzer folder.

This is the beautiful (?), modern (?) UI of the app (to get the full experience, click the image to see it in the original size):


Use the Please select an app to analyze to select your (or Microsoft’s Mosolygó arc) app, then click Let’s get started to start the analysis. By clicking the Advanced button, you can customize which tests you want to run:


The tool guides you through an 8-step wizard, giving you detailed instructions in every step:


You should take the given times seriously, otherwise the Analyzer won’t be able to collect enough data to analyze your app. The result is a HTML report with numbers and charts, which you can find in the C:\Users\<username>\AppData\Local\Microsoft\HTML5AppAnalyzer\Traces folder.

The following features of your app are analyzed:

  • Activation time
  • UI responsivemess
  • Layout passes
  • Synchronous XMLHttpRequest on UI thread
  • Image scaling
  • Memory footprint
  • Runtimer broker memory reference set
  • Memory leaks
  • Idle state CPU usage
  • Successful suspend
  • Memory reduction when suspended
  • App memory growth
  • Runtime broker memory growth

By using the HTML5 App Analyzer, you can learn a lot about the performance of your app, so you can occasionally run his tool regardless of the certification process. You can find performance best practices for JavaScript Windows Store apps here:


Age rating in the Windows Store

There are at least two sections in the Windows 8 app certification requirements, that are related to the content and the age rating of your app, and which provided good bases to reject some applications:

5.1 Your app must not contain adult content, and metadata must be appropriate for everyone

Apps with a rating over PEGI 16, ESRB MATURE, or that contain content that would warrant such a rating, are not allowed. […]

6.2 Your app must have a Windows age rating […]

[… ] If your app provides a user with uncontrolled: (i) access to online social networks, or (ii) sharing of personal information with third parties, including other gamers or online acquaintances, then you must assign it a Windows Store rating of at least 12+. […]

In other words:

  • You must not have any adult content in your app (Windows Store does not support that).
  • If you app connects to any data source that provides content from other users, you should select 12+ age rating. So if your app is a Twitter client (like WallOfSilver), then it must have 12+ age rating because anyone can write anything to Twitter, and it can be displayed by your app. According to community experiences, it’s better to select 16+ rating.

If you need, you can even try to filter the content, using for example the List of Dirty, Naughty, Obscene or Otherwise Bad Words dictionary. Do you know any other source or service for that?


Technorati-címkék: ,

WinJS Tricks Series: Custom MessageDialog buttons

In the last episode of the WinJS Tricks Series I showed you how you can create a simple message box in JavaScript in your Windows Store applications. In today’s episode we dive deeper and customize the buttons on the dialog, and you will learn how you can set the text, the keyboard hotkeys and the event handlers for your buttons.

Just like with message boxes, that are called message dialogs in Windows Store apps, buttons are not buttons any more, and button parameters are also have different names. Check the video to learn the new concepts:

(720p, full-screen view recommended)

Please rate or like the video if you are interested in the next episodes. Thanks!


Technorati-címkék: ,,,,

Cryptographic improvements in ASP.NET 4.5

Several features of ASP.NET were designed with security in mind –  see the ViewState protection for example –  from the early days of the platform, although those days were quite a while ago. The latest complex changes were introduced in version 2, but that happened about 7 years ago, and the world of cryptography, which serves as the basis of many security feature, can change a lot in so many years. The other problem with cryptography is that you have to use it correctly, which is sometimes absolutely not obvious, and misuse can lead to serious security vulnerabilities (see MS10-070).

Guided by these principles, ASP.NET 4.5 introduces important security changes and features. Some days ago Levi Broderick published an excellent 3-part article titled Cryptographic Improvements in ASP.NET 4.5 on the .NET Web Development and Tools Blog:

  1. Background regarding the use of cryptography in ASP.NET 4.
  2. Changes that were introduced in ASP.NET 4.5.
  3. Usage notes and miscellaneous Q&A.

I strongly recommend reading all three parts to everyone, especially to architects who design the security features of web applications. To quickly summarize:

  • The machine key has higher entropy, it is more secure to use, and new application isolation features are introduced.
  • The usage of machine key is separated by “purpose”, so a vulnerability in one usage area (eg. ScriptResource.axd) hopefully will not affect other areas (such as ViewState).
  • New MachineKey.Protect and MachineKey.Unprotect functions, where you can specify the “purpose”. These functions are “just protect”, you don’t have to worry about MAC and encryption. With the new functions the old Encode and Decode methods became deprecated.

As you may guess, these changes have effect in several areas of the framework, and sometimes they can even lead to compatibility issues as well. To minimize the effect, the ASP.NET team determined where they use the new system by default, and where they stay with the old one for compatibility reasons. These are all detailed beautifully in second and third part of the above series including the corresponding web.config settings, so they are definitely worth to read.

Please keep in mind that Windows Azure Web Sites are running on ASP.NET 4.5, which is an in-place upgrade!


Technorati-címkék: ,

Every non-free app has a trial in the Windows Store?

Here is a part of a page of Scott Dorman’s Flash Cards Sight Words app in the Windows Store. I made this screenshot from the Windows Store app on Windows 8:


It clearly shows that the app is available for purchase, but it also has a trial version.

Let’s see the same app on the web interface of the Store:


The web interface also shows that you should pay for the app, but nothing about the trial version. It turned out, that the webstore web store assumes that all paid apps have a trial version and only shows that it is free or paid.

If the visitor uses Metro style IE, she will see an additional button, and if she clicks on it, the Store app will show all the details:


Did you notice the two “if”s?

As a developer all you can do now is to provide some info about the trial version in the description of your app. What do you think, the users will learn that they have to look for it there?


Technorati-címkék: ,

Developing apps on Windows RT tablets

Now, that Windows 8 is globally available and you can buy Windows RT tablets, finally you can test your apps not only in the simulator but also on a real hardware. The question is, how can you develop on a tablet?

The first thing you have to know is, that Visual Studio doesn’t run on ARM, but only on x86/x64 platforms. Instead you have to download, install and run Remote Tools for Visual Studio 2012 on the tablet device. Although it doesn’t look like a real Metro style application, don’t worry, it will run on the tablet.

Now, go back to Visual Studio, and select Remote Machine when you start your app:


From here on, everything is quite obvious: specify the remote machine, request a developer licence etc.

Remote testing and remote profiling works similarly easy, and you can read more about it in Jason Zaner’s article.


Technorati-címkék: ,,

ASP.NET Medium trust is dead

About 11 years ago, one of the great new features of the .NET Framework was, that you could use code access security (CAS) to control applications: now not only the permissions of the user matter, but thanks to CAS, the code can also have permissions, and in the end they both define what an app can do and what not.

This architecture seemed really promising, but only very few people started using it, although you could use CAS to isolate server applications. For example, according to a Patterns & Practices guidance from 2005, setting Medium trust for ASP.NET is good way to isolate applications from each other on the same server and within the same process.

Since then, many things happened, but CAS has not evolved since version 1.1. No surprise that Jeroen Frijters could find a weak spot in the system, which made Microsoft to update the previous guidance.

According to the KB2698981 knowledge base article, ASP.NET Medium trust is not suitable to isolate apps any more within the same process. The new guidance drops the same process option, and recommends running your web apps in separate application pools, which essentially means separate processes. This is reasonable, because that’s what application pools are originally made for in IIS 6.

I strongly recommend reading KB2698981 for sysadmins as well as developers, because it describes:

  • How to put sites in separate application pools
  • How to configure application pools for isolation
  • How to configure DACLs
  • How to configure a Temporary ASP.NET Files folder location and how to set DACLs per site
  • How to remove sensitive configuration data from root configuration files

Please take application pools seriously and use them, especially with ApplicationPoolIdentity. It can help you sleep better.


Technorati-címkék: ,