Last year we attended DroidCon London and it was my first Android conference ever. Before that I attended CocoaConf in Las Vegas, as I mostly did iOS back then. DroidCon London 2015 was exciting because at that point I had been doing Android exclusively for a long time - and a lot of interesting speakers were attending. Chet Haase, Google employee, and Jake Wharton to name a few. Overall I liked it very much and the travel time back to Denmark weren’t as long, heh.
This year Jake and Chet were attending again and the overall program looked more interesting than last year. Security and patterns seems to be the craze this year, and it’s really some of the things that has been a focus area internally here at Nodes as well.
DroidCon London is located super close to our new London office at St. John Street, so we had the pleasure to see our Android developer Mario attending as a volunteer this year! Awesome!
What’s NNNNNNNNew in Android Security? by Scott Alexander-Bown
Turned out to be a great talk! Very obvious that Scott have spent some time with the nitpicks and dark corners of implementing security and encryption on Android. Followed him on twitter after this talk(@scottyab)! Also the first time I heard about the SafetyNet API. A Google API that checks for a device’s security state and whether it’s rooted or not.
Scott created a helper around that: https://github.com/scottyab/safetynethelper
Further info: Android Training docs
In Android 7.0 Google introduced Network Security Configuration, which is a way to describe what protocols and endpoints are allowed to connect to. Google has excellent info here. Commonsguy have backported this tool to Android 4.2 here, which is super awesome:
Scaling Android @Facebook by Marco Cova & Balazs Balazs
Impressive talk about the insane numbers behind the Facebook app and what kind of process it takes to support that. If I remember correctly Facebook commits up to 3500 times a week, and due to the massive codebase - everything is split into modules to avoid unnecessary recompiles. To further improve on that, Facebook has created a custom build tool called Buck around the module structure they depend on for fast deployment.
Going over all the tools Facebook uses, Infer got a mention as well. I head about this a year or so ago, but now that we at Nodes are beginning to integrate CI on client apps, this is super relevant. Infer is a static code analyzer and will correct and point out issues and possible runtime crashes. Definitely something we want in our CI toolchain.
Fun side story at the lunch tables: Facebook apparently had so many commits on their repo that they had a hash collision between two commits.
What’s New in Android by Chet Haase
(Chet Haase is one of the main public facing Google employees and Lead on the Android UI Toolkit team)
This talk was kind of funny, not because Chet is a funny guy - but because Chet was really pitching the Google Pixel phone. It almost felt like too much. I also got the feeling he was told to do it. Nevertheless, the Android 7.1 walk through was pretty good and it was good with some context around the different new features.
Android Application Security, The Right Way by Dario Incalza
I didn’t really intend to watch this one, I wanted to see the Spotify talk “Breaking Spotify’s release cycle by using the backend to drive the UI and feature releases”. I’m glad I did though, because it turned out to be the best talk around security this year. The talk was marked as a beginner talk, but gave so much info and reflection on every library, really valuable info.
I’ve been reading a lot of documentation on encryption via the KeyStore, but Dario gave a lot pros and cons about every API level and what it gives us. In short (if I remember correctly):
- Android 7: iOS level security (on the Google Pixel at least)
- Android 6: Almost iOS level, but you cant besure that encryption keys are protected in hardware. Also new API’s for file encryption/device protected storage are not available.
- Android 5: First fingerprint authentication API and KeyStore API supporting user authentication.
Radical RecyclerView by Lisa Wray
Most of the time we implement basic RecyclerViews as simple ListViews - and that tends to be a bit annoying. So it was kind of fun to see all the nifty stuff you can do with RecyclerViews. We were also shown a few patterns around common use cases. Really surprised by this talk.
Android Architecture Blueprints by David Gonzalez & Jose Alcerreca
MVP is all the craze and having the perfect architecture is the target these days. The guys have implemented a simple To Do-app in 7 different ways: https://github.com/googlesamples/android-architecture
The actual talk was kind of quick, because David and Jose wanted to focus on questions and having a discussion around patterns in general - perfect. Strong opinions were voiced and since David and Jose are funny guys, the talk ended up being the perfect closing for the conference for us.
Side note: Chet Haase were attending this talk, and the guys received a couple of very Google specific questions - like “Is the platform team considering any of the new patterns?” - and everytime they were going to answer, they looked at Chet for confirmation. You probably had to be there.
Great talks this year, and since it was located so close to our London office, we walked over there and watched the Apple MacBook keynote!
All the security talks kind of gave me the impression that we need a wrapper or a framework around the encryption/decryption on Android. We see more and more demand for it on client apps, and having all that code floating around on different projects is annoying.
I looked into facebook’s conceal library - but it seems to priotize speed too much over security. We’ll see, maybe material for another blog post 🔥