Frank's Blog

The IoT Solution Draft 

While it took me some time, I finally have an IoT section on my homepage: The most prominent content yet is an introduction to the IoT Solution Draft. Basically, an IoT Solution Draft is used for analyzing a prototype or minimum viable product for an interesting IoT idea:

The draft itself captures all the relevant elements for an IoT Solution, including Stakeholders & Roles, the Domain Model, the Asset (or Thing), the Business Processes and Rules, as well as the User Interfaces. A special focus is set on the interplay of the elements - something which is of high importance.

If you are interested, you can find the article here as well as a corresponding slide deck here. I'm happy to receive your feedback or thoughts on the material!
Magic Mimi (on the Apple App Store) 

Dear Reader,

I proudly announce my first mobile app that ever made it to the App Store (Apple this time). While it is actually not the next big thing (this is yet to come), it nevertheless served as a good test on getting an app approved and published in the Apple App Store. But let’s begin step-by-step.

What is Magic Mimi? Well, Magic Mimi is a little language writing practice/primer app for your kid who just entered school. Actually, my little one asked me for a personal app with some artworks made by her and her (older) sister. So I came up with the idea of creating a practice app that uses Siri to speak out arbitrary words from a configurable word list. My little one then has to practice typing them in correctly. If she succeeds, she gets a flower. If not, she gets at least a hint. I enhanced the idea a little bit by adding support for multiple word lists as well as English, German, and French words (which are spoken via the corresponding Siri voice). I also internationalized the app into German and English. Take a look yourself:

YouTube Link

If you want to try it out for yourself, just search the App Store for „Magic Mimi“ or go to

The lessons learned from submitting something to the Apple App Store: Be sure to check the review guidelines first. They are written in a very informal style. Actually, I already got hooked by the first four bullet points of the summary:
  • „We have lots of kids downloading lots of Apps. Parental controls work great to protect kids, but you have to do your part too. So know that we're keeping an eye out for the kids.“. Ok, let’s keep this in mind - Magic Mimi is an App for kids. No advertisement so far (and I will make sure to keep it out).
  • „We have over a million Apps in the App Store. If your App doesn't do something useful, unique or provide some form of lasting entertainment, or if your app is plain creepy, it may not be accepted.“. Wait a minute, is there really no other primer app in the store (or dozens)? I checked and checked but couldn’t figure out the answer so far (from the point of view of a Mathematician ;-)
  • „If your App looks like it was cobbled together in a few days, or you're trying to get your first practice App into the store to impress your friends, please brace yourself for rejection. We have lots of serious developers who don't want their quality Apps to be surrounded by amateur hour.“. Ok. I definitely spent a lot of hours on testing, internationalization, and other things, but in the end all the artworks were made by my kids - for kids. No professional artists so far.
  • „We will reject Apps for any content or behavior that we believe is over the line. What line, you ask? Well, as a Supreme Court Justice once said, "I'll know it when I see it". And we think that you will also know it when you cross it.“. This is a really tough one that I think can kill every app.

While all of this seemed very hard to overcome, the most frustrating experience publishing an app in the Apple App Store is the time it needs to get checked. I submitted Magic Mimi on a Sunday and it was in review for a couple of minutes just seven days later! Unfortunately, the review just took a couple of minutes until someone (or maybe just a script) figured that I did not link directly to a privacy statement webpage (which is required for apps for kids). I actually created the privacy statement and linked it on the homepage but only referenced the home page directly. Fixing this error took me three seconds. But then I thought about it a couple of minutes longer: What if every feedback loop involves one week? So I carefully checked every detail of the many meta information fields again.

Finally I held my breath, clicked submit again and prayed that there would not be any issue with the app itself (just see the other bullet points from Apple’s guidelines). Good news: I received the next feedback after just five days instead of seven! And the really good news: Magic Mimi got approved and you can finally download it to your phone!

Thingbench - A Virtual Device Workbench 

Tired of hooking up an Arduino to test another IoT framework? Or working inside a VM without actual access to hardware? Don't worry anymore, Thingbench helps you get through it.

ThingBench is an interactive, visual device workbench, where you can have multiple boards with different virtual devices attached. As of now, we ship with one virtual device---a lamp! You can switch it on and off, change the color and size or position multiple lamps on the board. (If you really ever need something else, this is all open source---feel free to fork and send a pull request!)

Here's how to browse your things:

GET http://localhost:9099/things

This gives you the list of current boards (shown as tabs in the workbench) and the virtual devices attached to them:

<board name="Demo" id="1692623602">
  <thing name="Lamp 1" id="1253071236" link=""/>
  <thing name="Second Lamp" id="1142253466" link=""/>
</board>

To browse the properties of a thing go to one of the shown URLs (here Lamp1):


This gives you the current state of the devices:

<property name="shadow" value="0"/>
<property name="color_background" value="-3355648"/>
<property name="x" value="347"/>
<property name="width" value="100"/>
<property name="y" value="135"/>
<property name="text" value="Lamp 1"/>
<property name="stereotype" value=""/>
<property name="power" value="OFF"/>
<property name="#id" value="1253071236"/>
<property name="#type" value="thingbench.ThingsModel.Lamp"/>
<property name="height" value="140"/>

You can easily PUT one or all properties to set new values (like switching the lamp on):


with the body

<property name="power" value="ON"/>
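
As an added example (not part of the Thingbench project), the Python sketch below reads a property listing like the one above and builds an escaped PUT body. It works offline on a constructed sample because the thing URLs are not shown here; treating color_background as a signed 32-bit ARGB integer is an assumption.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample: a shortened copy of the property listing shown above.
SAMPLE = '''
<property name="color_background" value="-3355648"/>
<property name="text" value="Lamp 1"/>
<property name="power" value="OFF"/>
<property name="#id" value="1253071236"/>
'''


def parse_properties(fragment):
    """Parse a property listing into a dict of name -> value strings."""
    # The listing has no root element, so wrap it before parsing.
    root = ET.fromstring("<properties>" + fragment + "</properties>")
    return {p.get("name"): p.get("value") for p in root.iter("property")}


def argb_to_hex(value):
    """Assumption: colours are signed 32-bit ARGB integers; return '#rrggbb'."""
    return "#%06x" % (int(value) & 0xFFFFFF)


def put_body(changes):
    """Build a PUT body with one <property/> element per changed value.

    quoteattr() escapes quotes and markup, so a value taken from user input
    cannot break out of the attribute and add elements of its own.
    """
    return "\n".join(
        "<property name=%s value=%s/>" % (quoteattr(name), quoteattr(str(value)))
        for name, value in changes.items()
    )


if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    print(props["power"], argb_to_hex(props["color_background"]))
    print(put_body({"power": "ON"}))
```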

You can easily integrate the corresponding HTTP calls in any IoT framework you like. If you need anything other than a simple lamp, please feel free to browse the code and add your own virtual devices. The Thingbench is based on Processeditor (, which makes it easy to create your own devices with a visual representation.

If you feel that this is the real thing---or just see the code example in color (sorry for my plain old blogging tool)---go straight to the Github project page:

If you're really interested, either fork or just drop me a mail!
It's here: Mobile BPM on iPhone 

Here is something really cool that you should check out: BPM on iPhone (inubit App for mobile BPM).

Executing BPMN 2.0 process (the red frame shows the current task).
Chip and PIN is broken 

Today I found an interesting link at regarding a major flaw in the implementation of the EMV framework used for PIN-based payment authorization of bank/credit cards. Four researchers from the University of Cambridge describe how the current system can easily be manipulated (PDF). The results must be a major shock for the banking industry, since it is now evident that a customer is not per se liable if a transaction was authorized by PIN.

The approach is a classical man-in-the-middle attack. At some point in the negotiation phase between the terminal and the card, the customer enters his/her PIN into the terminal, which sends the PIN data to the card for verification. Unfortunately, the card returns a simple, unsecured response (0x9000) in case the PIN was entered correctly. Guess what? You can interrupt this communication and return 0x9000 for any PIN entered! Even worse, the terminal believes you authorized the transaction via PIN (and prints a receipt with "PIN authorization"), whereas the card and bank use a fallback mechanism that is used for signature-based authorization. Even worse, most specific protocol implementations do not even log this fallback. Of course, the dealer doesn't have the customer's signature, just a log with "PIN authorization". Still, this was enough to make judges believe that the customer was careless with his PIN. Now, however, it was enough.

The most important fact, however, is the ignorance of the industry regarding open standards and security issues. Seven years ago, in 2003, I wrote my Diploma thesis about the reconfiguration of Smart Cards via open networks (PDF, in German). An important part of my work was the analysis of the security frameworks that were offered at this point in time (Visa Open Platform). One of my key findings (written down in section 6.6.3) was that the response code of the Smart Card's operating system application (the Card Manager) was not signed or otherwise secured. I found this to be a major bug for updating the content of a Smart Card via open networks, but unfortunately no card vendor was able to deliver something more secure. Luckily, the flaw did not tamper with our main application on the card, a campus card application with digital signature functionality. Remarkably, the very same problem still exists seven years later.
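
The mismatch between the terminal's view and the card's view can be caught where both records meet. The following added example (not taken from this post or from the cited paper) models such an issuer-side check in Python; the record fields, the demo key and the use of HMAC as a stand-in for the card's cryptogram are assumptions made for illustration.

```python
import hashlib
import hmac

CARD_KEY = b"constructed-demo-key"  # hypothetical key shared by card and issuer
SW_OK = 0x9000                      # unauthenticated status word described above


def _mac(amount, pin_verified):
    # HMAC-SHA256 is a stand-in here, not the algorithm real cards use.
    msg = b"%d|%d" % (amount, int(pin_verified))
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()


def card_record(amount, pin_verified):
    """The card's own, MAC-protected view of the transaction."""
    return {"amount": amount, "pin_verified": pin_verified,
            "mac": _mac(amount, pin_verified)}


def terminal_claim(amount, status_word):
    """The terminal infers the method only from the status word it received."""
    method = "PIN" if status_word == SW_OK else "SIGNATURE"
    return {"amount": amount, "method": method}


def issuer_check(card, terminal):
    """Reconcile the authenticated card view with the terminal's claim."""
    expected = _mac(card["amount"], card["pin_verified"])
    if not hmac.compare_digest(expected, card["mac"]):
        return "reject: card record not authentic"
    if card["amount"] != terminal["amount"]:
        return "reject: amount mismatch"
    if terminal["method"] == "PIN" and not card["pin_verified"]:
        return "reject: terminal claims PIN, card did not verify one"
    return "accept"


if __name__ == "__main__":
    # Constructed cases: a consistent transaction and an inconsistent one.
    print(issuer_check(card_record(2500, True), terminal_claim(2500, SW_OK)))
    print(issuer_check(card_record(2500, False), terminal_claim(2500, SW_OK)))
```

The check only works because the card's view is authenticated; the bare status word gives the issuer nothing to verify.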
