Keeping Up with Android App Development Trends: Q&A with Kolin Stürt

As the world of Android app development constantly changes, coders must stay updated to keep up with trends. A good example is that modern mobile app development favors small apps rather than large ones. This makes apps easier to use on entry-level devices, “internet of things” devices, and more. Smaller apps also download, install and run faster, which can help every business gain a competitive edge. But the trends don’t stop here.

To gain clarity on the ever-growing list of emerging app development trends, we spoke to Kolin Sturt, member of the Ray Wenderlich Tutorial Team and contributing author to the recently released Real-World Android by Tutorials (available as both eBook and paperback). Throughout this discussion, you will learn key tips and methods of Android app development, such as how to prepare a build for release, perform optimizations with ProGuard, and secure your app through obfuscation, encryption and runtime application self-protection (RASP).

What are some trends you’re seeing in the app development space? Why are release optimizations important?

With the trend around Agile and Extreme Programming, one of the disadvantages is that there can be pressure to deliver on the fly without much planning and documentation –sometimes teams defer to using "the simplest thing that could possibly work." Often, that equates to finding a Swiss Army knife; a third-party library that does the trick. The setback is that usually you only need one small aspect of the library’s functionality, so this can cause your app to end up in the category of bloatware.

There’s also a recent increase in popularity of the Internet of Things, DIY boards and entry-level devices with limited memory. So, it's important to go back to writing smaller apps.

How do app developers typically shrink their apps? Where do they fall short?

Developers usually focus on the assets of a project, thinking about compression or downloading content on demand. An often overlooked area of development is the number of dependencies an app requires. Sometimes writing a smaller piece of functionality yourself rather than importing a large library has the advantage that you know what all the code does. Knowing your own code can also help you debug problems when you apply optimizations.

What is APK Analyzer and why should app developers use it?

The APK Analyzer is a very useful tool for inspecting your finalized app and understanding what contributes to its size. It's bundled with Android Studio and presents a view with a breakdown of your app’s file size. You can see what’s taking up the most space, as well as the total method and reference counts. It's important for app developers to use the APK Analyzer as they add code to their app. It really gives you a sense of how the size is building up as you code.

What are a few key takeaways when you compare ProGuard and R8 app optimizers?

At first, R8 seems easier to enable without as many errors, but the trade-off is that it has fewer optimizations. R8 is relatively new, while ProGuard has been around for 15 years, resulting in ProGuard having more optimizations under its belt and better support for backporting.

How has Android’s switch to Kotlin as a preferred language impacted app developers? Has this impacted app optimization?

The good news is that like Java, Kotlin is a JVM language. While Kotlin has its own syntax, the Kotlinc compiler transforms the code into a DEX file that contains Java bytecode. Because Kotlinc compiles Kotlin to the same bytecode as Java, most of the obfuscation tools are the same as for apps built in Java.

Kotlin is a safer language than Java, from minimizing pointer use to null safety and mutability checks. However, there is a downside. Junior app developers can get started with Kotlin quickly without understanding core concepts that tutorials address for Java. That means it’s tempting to forget about security altogether. Kotlin still has vulnerabilities that you need to protect your app against.

What are some of the common problems users face when using an optimizer? On a high level, how can one solve those problems?

The most common problems have to do with compile errors and some runtime crashes.

If the problem is inside a third-party dependency, it's helpful to take a look at the website of the library, as they often post their ProGuard and R8 rules. When ProGuard finishes running, it produces four output files. If the problem is in your own code, you can use the output files – specifically the mapping file – to find the culprit of your crash. To get a full, in-depth explanation on how to fix these problems, read the full chapter from the Real-World Android by Tutorials.

What are the benefits of applying additional protections to secure your mobile application?

Since the pandemic, there’s been an increase in cybercrime. As network communications and OSs become more secure, attackers have shifted their focus from basic eavesdropping to attacking devices and apps. The makers of ProGuard have a commercial solution called DexGuard that offers more protection than obfuscation alone. DexGuard encrypts the classes and strings as well as assets and resource files. It also provides app and device integrity checking at runtime, which is essential for keeping spammers out of your app.

Why is code obfuscation a critical part of app development?

Attackers often try to utilize an app for malicious purposes. For example, they may figure out how to automate it to spam other users. Sometimes attackers also reverse engineer apps in hopes of patching or hooking security checks out of the code. Obfuscation is often used to hide or obscure proprietary logic or a secret algorithm.

However, obfuscation is not encryption; it’s not a substitute for general security measures. If you're looking to secure sensitive API keys, tokens, or passwords, you'd want to implement encryption and take a look at DexGuard's encryption capabilities.

How high of a priority is security when developing an app?

Security and data privacy should be at the top of every developer’s to-do list. The flurry of new privacy laws, such as the CCPA, PIPEDA, and GDPR, focus on requiring developers to build an app with security from the ground up. Some laws are trying to make private companies more liable if there's been a disregard for data security.

Becoming a security-conscious app developer can make you stand out in your profession, and it also helps the entire community. With working from home during the pandemic causing more and more people to turn to apps to work, users expect you to protect their data from prying eyes. A software company’s stance towards security is essential to its survival.

Is there any additional advice you would give to app developers around optimizations?

ProGuard provides an advanced optimization profile. It’s not used as the default because it can cause initial build and runtime errors. But really understanding how “don't warn” and “keep” rules work can get you efficient, deploy optimized code in the long run.

What impact do you think tools such as -addconfigurationdebugging and ProGuard Playground have on the development cycle?

Static and runtime tools are getting better each day. One problem in the past has been that the time required to implement certain measures deters developers from trying them. Immediate visualization can really motivate developers to enable important features and focus on the product without spending so much time on the build process.

Why were you compelled to write this book?

Over the years, we've compiled a list of topics that seem to be missing from the Android developer community. Some of them are niche or advanced, such as NDK and JNI topics, but a common trend that kept coming up was app security. We compiled our list and looked at what questions the developer community kept asking on forums to create a book to help fill the void.

What are some unique takeaways from this book?

While other books are for beginners to get started, this book covers many of the fundamentals you'd need in a professional setting. There's a lot of focus on pragmatic programming, real-world solutions to problems, and addressing each problem domain with professionalism.

Any closing comments about this book, ProGuard, development, or app security?

Security is an important part of development. Almost every app communicates over a network. You can keep your user’s information private by ensuring that your app uses obfuscation, encryption and RASP best practices. With all the recent data breaches, your app’s credibility depends on how you manage your user’s data. Powerful security tools such as DexGuard and app optimizers like ProGuard, offer security solutions that are sometimes overlooked when beginning a project. You can put them to great use and think of security from the ground up.