As the world of Android app development constantly changes, coders must stay updated to keep up with trends. A good example is that modern mobile app development favors small apps rather than large ones. This makes apps easier to use on entry-level devices, “internet of things” devices, and more. Smaller apps also download, install and run faster, which can help every business gain a competitive edge. But the trends don’t stop here.
To gain clarity on the ever-growing list of emerging app development trends, we spoke to Kolin Sturt, member of the Ray Wenderlich Tutorial Team and contributing author to the recently released Real-World Android by Tutorials (available as both eBook and paperback). Throughout this discussion, you will learn key tips and methods of Android app development, such as how to prepare a build for release, perform optimizations with ProGuard, and secure your app through obfuscation, encryption and runtime application self-protection (RASP).
With the trend around Agile and Extreme Programming, one of the disadvantages is that there can be pressure to deliver on the fly without much planning and documentation –sometimes teams defer to using "the simplest thing that could possibly work." Often, that equates to finding a Swiss Army knife; a third-party library that does the trick. The setback is that usually you only need one small aspect of the library’s functionality, so this can cause your app to end up in the category of bloatware.
There’s also a recent increase in popularity of the Internet of Things, DIY boards and entry-level devices with limited memory. So, it's important to go back to writing smaller apps.
Developers usually focus on the assets of a project, thinking about compression or downloading content on demand. An often overlooked area of development is the number of dependencies an app requires. Sometimes writing a smaller piece of functionality yourself rather than importing a large library has the advantage that you know what all the code does. Knowing your own code can also help you debug problems when you apply optimizations.
The APK Analyzer is a very useful tool for inspecting your finalized app and understanding what contributes to its size. It's bundled with Android Studio and presents a view with a breakdown of your app’s file size. You can see what’s taking up the most space, as well as the total method and reference counts. It's important for app developers to use the APK Analyzer as they add code to their app. It really gives you a sense of how the size is building up as you code.
At first, R8 seems easier to enable without as many errors, but the trade-off is that it has fewer optimizations. R8 is relatively new, while ProGuard has been around for 15 years, resulting in ProGuard having more optimizations under its belt and better support for backporting.
The good news is that like Java, Kotlin is a JVM language. While Kotlin has its own syntax, the Kotlinc compiler transforms the code into a DEX file that contains Java bytecode. Because Kotlinc compiles Kotlin to the same bytecode as Java, most of the obfuscation tools are the same as for apps built in Java.
Kotlin is a safer language than Java, from minimizing pointer use to null safety and mutability checks. However, there is a downside. Junior app developers can get started with Kotlin quickly without understanding core concepts that tutorials address for Java. That means it’s tempting to forget about security altogether. Kotlin still has vulnerabilities that you need to protect your app against.
The most common problems have to do with compile errors and some runtime crashes.
If the problem is inside a third-party dependency, it's helpful to take a look at the website of the library, as they often post their ProGuard and R8 rules. When ProGuard finishes running, it produces four output files. If the problem is in your own code, you can use the output files – specifically the mapping file – to find the culprit of your crash. To get a full, in-depth explanation on how to fix these problems, read the full chapter from the Real-World Android by Tutorials.
Since the pandemic, there’s been an increase in cybercrime. As network communications and OSs become more secure, attackers have shifted their focus from basic eavesdropping to attacking devices and apps. The makers of ProGuard have a commercial solution called DexGuard that offers more protection than obfuscation alone. DexGuard encrypts the classes and strings as well as assets and resource files. It also provides app and device integrity checking at runtime, which is essential for keeping spammers out of your app.
Attackers often try to utilize an app for malicious purposes. For example, they may figure out how to automate it to spam other users. Sometimes attackers also reverse engineer apps in hopes of patching or hooking security checks out of the code. Obfuscation is often used to hide or obscure proprietary logic or a secret algorithm.
However, obfuscation is not encryption; it’s not a substitute for general security measures. If you're looking to secure sensitive API keys, tokens, or passwords, you'd want to implement encryption and take a look at DexGuard's encryption capabilities.
Security and data privacy should be at the top of every developer’s to-do list. The flurry of new privacy laws, such as the CCPA, PIPEDA, and GDPR, focus on requiring developers to build an app with security from the ground up. Some laws are trying to make private companies more liable if there's been a disregard for data security.
Becoming a security-conscious app developer can make you stand out in your profession, and it also helps the entire community. With working from home during the pandemic causing more and more people to turn to apps to work, users expect you to protect their data from prying eyes. A software company’s stance towards security is essential to its survival.
ProGuard provides an advanced optimization profile. It’s not used as the default because it can cause initial build and runtime errors. But really understanding how “don't warn” and “keep” rules work can get you efficient, deploy optimized code in the long run.
Static and runtime tools are getting better each day. One problem in the past has been that the time required to implement certain measures deters developers from trying them. Immediate visualization can really motivate developers to enable important features and focus on the product without spending so much time on the build process.
Over the years, we've compiled a list of topics that seem to be missing from the Android developer community. Some of them are niche or advanced, such as NDK and JNI topics, but a common trend that kept coming up was app security. We compiled our list and looked at what questions the developer community kept asking on forums to create a book to help fill the void.
While other books are for beginners to get started, this book covers many of the fundamentals you'd need in a professional setting. There's a lot of focus on pragmatic programming, real-world solutions to problems, and addressing each problem domain with professionalism.
Security is an important part of development. Almost every app communicates over a network. You can keep your user’s information private by ensuring that your app uses obfuscation, encryption and RASP best practices. With all the recent data breaches, your app’s credibility depends on how you manage your user’s data. Powerful security tools such as DexGuard and app optimizers like ProGuard, offer security solutions that are sometimes overlooked when beginning a project. You can put them to great use and think of security from the ground up.