Friday, December 9, 2016

Android Signature scheme v2

What's new in Android security N...
DroidCon London 2016 conference video

In Android Studio 2.2+ and gradle 2.2.0+ Google adds APK signature scheme v2 to combat unauthorized modifications to apk files. It improves apk’s verification speed and detects unauthorized changes.

More info jira:

To enable add flag v2SigningEnabled true in build.gradle (Module: app)

 android {
    ...
    defaultConfig { ... }
    signingConfigs {
      release {
        storeFile file("myreleasekey.keystore")
        storePassword "password"
        keyAlias "MyReleaseKey"
        keyPassword "password"
        v2SigningEnabled true
      }
    }
  }

To verified that the apk is sign with scheme v2 you need an android device running "Android N". Use below command, if output is =1 it was sign with signature v1 and if output is =2 means it was sign with signature v2.

$ adb shell pm dump myPackageName | grep apkSigningVersion

Security feature it's only supported in Android N. Once Android N becomes popular it will be good to turn on the flag to enable signature scheme v2.

"Google signature PR commit":

(scrrenshot below)

Make signapk sign using APK Signature Scheme v2.

APKs are now signed with the usual JAR signature scheme and then
with the APK Signature Scheme v2.

APK Signature Scheme v2 is a whole-file signature scheme which aims
to protect every single bit of the APK as opposed to the JAR signature
scheme which protects only the names and uncompressed contents of ZIP
entries.

The two main goals of APK Signature Scheme v2 are:
1. Detect any unauthorized modifications to the APK. This is achieved
   by making the signature cover every byte of the APK being signed.
2. Enable much faster signature and integrity verification. This is
   achieved by requiring only a minimal amount of APK parsing before
   the signature is verified, thus completely bypassing ZIP entry
   decompression and by making integrity verification parallelizable
   by employing a hash tree.

Android Source code explain

Read this http://elinux.org/Master-android :)

Thursday, July 28, 2016

Android Debugging

Two great ways to debug better. Happy testing.

1. In Android Studio add font color to logcat.

How to add color font to logcat follow the below steps:

Open Android Studio
Preferences -> Editor -> Colors & Fonts -> Android Logcat.
Click button ‘Save As’, and name your new Scheme. (uncheck ‘Use inherited attributes’)
In the right side select a color for each component: Assert, Debug, Error, Info, Verbose, Warning.

2. Add color to terminal adb logcat.

Take a look at this tool from Jake Wharton pidcast:

Easy to use.

Install: $brew install pidcat

Use: $adb logcat -v brief | pidcat com.myPackage.Name

Third party tool optioon: Mac tool LogRabbit http://lograbbit.com $10

Let me know if you have any questions.

Thursday, July 21, 2016

Update Android SDK and Tools from terminal

1. Open Terminal and type below commands.

Opens Android SDK Manager UI. (same as
$android

Software available to update
$android list sdk -a

Install software
$android update sdk -a -u -t #
$enter 'y' to accept license

-----------------------------------------
Example
$android list sdk -a

outputs:
140- GPU Debugging tools, revision 3.1
141- GPU Debugging tools, revision 1.0.3
142- Android Support Repository, revision 34

We want to update "Android Support Repository, revision 34".
we need to use below command:
$android update sdk -a -u -t 142
$enter 'y' to accept license
Done command installs Android Support Repository, revision 34 :)

Wednesday, July 20, 2016

In Android Studio 2.2 gradlew command can donwload android.sdk dependencies

For more info watch video from GoogleIO 2016 What's new in Android Development tools (min 11:55-12:15)

Gradle Build System release notes

Add to gradle.properties:
android.builder.sdkDownload=true

According to this post:
Command will only download android sdk, it will not download google service, repository etc..

Saturday, May 21, 2016

Firebase - Android

First of all: Thank you Google for improving Firebase!!!

Great examples every android developer must do:
https://github.com/firebase/quickstart-android
Firebase Documentation
https://firebase.google.com/docs/android/setup#prerequisites

Videos to watch:
Google io 2016 https://events.google.com/io2016/schedule#day1
Firebase videos https://events.google.com/io2016/schedule?filters=Firebase%2CSessions

To use Firebase:
1. You need to register here
2. Create a new App
3. Download and move google.services,json to /AndroidProject/app/google.services,json
4. Run demo apps provided by google.
5. Have fun learning.

Espresso UI testing
https://events.google.com/io2016/schedule?sid=1ac924f1-0bef-e511-a517-00155d5066d7#day2/1ac924f1-0bef-e511-a517-00155d5066d7

Add ads
https://firebase.google.com/docs/admob/android/quick-start#load_the_ad_in_the_mainactivity_class

Firebase code samples
https://firebase.google.com/docs/samples/

Whats new in AS 2.2 Preview
http://thenextweb.com/google/2016/05/20/android-studio-new-layout-editor-ui-test-recorder-firebase-integration/#gref

Sunday, May 15, 2016

Android Best Pratices - useful Libraries

Best Practices:

Building Android Apps — 30 things that experience made me learn the hard way
https://medium.com/@cesarmcferreira/building-android-apps-30-things-that-experience-made-me-learn-the-hard-way-313680430bf9#.ouwdjf99u

https://laanayabdrzak.github.io/2016/03/22/android-developement-best-practices.html

Android Shell commands
https://github.com/AndreSand/AndroidShell

Third party Libraries
https://guides.codepath.com/android/Must-Have-Libraries

Debug Library(Faceboook)
http://facebook.github.io/stetho/

RxJava
https://github.com/ReactiveX/RxAndroid
https://github.com/codepath/android_guides/wiki/RxJava
https://vimeo.com/144812843

Medium
Architecting Modern Mobile Applications
https://medium.com/@laanayabdrzak/architecting-modern-mobile-applications-bf896120f0c2#.yoe82u7v5

Wednesday, April 6, 2016

Kotlin Tutorials

Kotlin could be the future of Android Development :)

Todo App in Kotlin: https://lordraydenmk.github.io/2016/converting-a-todo-app-to-kotlin-part-1/

Book writer: http://antonioleiva.com/api-request-kotlin/
Book: https://leanpub.com/kotlin-for-android-developers/
ebook sample: file:///Users/andres/Downloads/kotlin-for-android-developers-sample.pdf

Testing:
*** read http://blog.wittchen.biz.pl/hello-kotlin/
It’s also worth mentioning that there is a project created in Kotlin by JetBrains called Spek which is a specification framework for the JVM and you can use it for writing unit tests in the JVM projects in order to get human readable output.

Build
Kotlin Meets Gradle I was lucky to attend this talk by the creator of Gradle.

Friday, April 1, 2016

About Me

Info:

LinkedIn: https://www.linkedin.com/in/andres-sandoval-08404627

Twitter: https://twitter.com/Andre__Sand

Blog: http://andressjsu.blogspot.com/
GitHub: https://github.com/AndreSand

Apps I have created:

https://play.google.com/store/apps/developer?id=Andres_SJSU

"My Important Dates"
iOS: https://itunes.apple.com/us/app/my-important-dates/id826277117?ls=1&mt=8
Android: https://play.google.com/store/apps/details?id=com.myimportantdates

"San Jose Happy Hours"
iOS: https://itunes.apple.com/us/app/happy-hour-san-jose/id869630202?mt=8
Android: https://play.google.com/store/apps/details?id=my.happyhourssanjose

Lean libros! Coman frutas y verduras.
Read! Eat fruits and vegatables.
-Andres

Wednesday, March 30, 2016

Sign Android apk using gradle.

1. With Android Studio create a new release key.

***Save android.kesytore in a safe place and don't forget the password.

2. Put this into ~/.gradle/gradle.properties

RELEASE_STORE_FILE=/../PathToYour/keystore
RELEASE_STORE_PASSWORD=*****
RELEASE_KEY_ALIAS=*****
RELEASE_KEY_PASSWORD=*****

Modify your build.gradle like this:

...

signingConfigs {

   release {
       storeFile file(RELEASE_STORE_FILE)
       storePassword RELEASE_STORE_PASSWORD
       keyAlias RELEASE_KEY_ALIAS
       keyPassword RELEASE_KEY_PASSWORD
   }
}

buildTypes {
        release {
            signingConfig signingConfigs.release
        }
}
....

3. Then in terminal run: $./gradlew assembleRelease

4. Done. Now you have a signed apk that is ready to publish to the android play store.
$cd MyApp/app/build/outputs/apk/app-release.apk

Check who sign the apk with keystone info:
$jarsigner -verify -verbose -certs myApp.apk

Resources:

Good tutorial: http://stackoverflow.com/questions/18328730/how-to-create-a-release-signed-apk-file-using-gradle
http://developer.android.com/intl/ja/tools/publishing/app-signing.html

Friday, March 25, 2016

Android Gradle: How to rename apk depending on build type

1. Add the code below to your project app/build.gradle:

android {
    signingConfigs {
        release {
           .....
        }
    }
    def jenkinsBuild = System.getenv("BUILD_NUMBER") ?: "10"   
    defaultConfig {
        .....
        versionCode jenkinsBuild.toInteger()
        versionName "2.0.0."+ versionCode    }
    buildTypes {
        release {
           ...
        }
        qa {
            ..
        }
        debug {
           ...
        }
    }
    applicationVariants.all { variant ->
        if (variant.buildType.name == 'release') {
            variant.mergedFlavor.versionName = android.defaultConfig.versionName;
        }
        if (variant.buildType.name == 'qa') {
            variant.mergedFlavor.versionName = android.defaultConfig.versionName;
        }
        if (variant.buildType.name == 'debug') {
            variant.mergedFlavor.versionName = android.defaultConfig.versionName;
        }
    }
    applicationVariants.all { variant ->
        variant.outputs.each { output ->
            output.outputFile = new File( output.outputFile.parent,output.outputFile.name.replace(".apk", "-${variant.versionName}.apk"))
        }
    }
   ..
}

2. $gradlew build
It will generate all the apk's for build types (shown below).

Now when you push apps from Jenkins to HockeyApp the 'apk name' will help you identify the build of the apk :)

Friday, March 18, 2016

Cool Android Libraries

MVP

Design Patter: Model View Controller
Good tutorial
uncle bob clean architecture
tutorial

Renderers

Useful to reduce boilerplate code in ListView and RecyclerView
Renderers
code

ORM

ActiveAndroid

ActiveAndroid is an active record style ORM ( object relational mapper). What does that mean exactly? Well, ActiveAndroid allows you to save and retrieve SQLite database records without ever writing a single SQL statement. Each database record is wrapped neatly into a class with methods like save() anddelete().

ActiveAndroid does so much more than this though. Accessing the database is a hassle, to say the least, in Android. ActiveAndroid takes care of all the setup and messy stuff, and all with just a few simple steps of configuration.

Cool Android Studio trick, wifi adb

AndroidWiFiADB

adb wifi

connect

$adb tcpip 555

$adb connect #.#.#.# (device I.P.)

Monday, March 14, 2016

Android Versioning your App

Every time you submit your app to the Google Play Market you have to increment android:versionCode by 1, this field is located in your Android Studio project app/build.gradle. If you don't increment the versionCode you can't update your app in the Market. This is the value the app checks to perform an app update. Also in app/build.gradle we have android:versionName this is the string user sees for app version, it can be any String that specifies your app version.

1. Edit app/build.gradle:

android {
    compileSdkVersion 23    
    buildToolsVersion "23.0.1"
    def jenkinsBuild = System.getenv("BUILD_NUMBER") ?: "10"
    defaultConfig {
        applicationId "andres_sjsu.notegit"        
        minSdkVersion 16        
        targetSdkVersion 23        
        versionCode jenkinsBuild.toInteger()
        versionName "1."+ versionCode    
}

2. Commit your code to Github.
3. Kick a build from Jenkins.
4. Now the apk will have the versionCode injected by Jenkins build #. Example is your Jenkins project build is number 118 the versionCode will be 118 (Jenkins build number increments by one, which is perfect since every time you publish to Google Play Market the developer needs to increment the versionCode by one, otherwise the Play Market will not let you update your apk).
5. To verify the versionCode was incremented correctly, you can use the buid-tool aapt
$./aapt dump badging /Users/andres/Downloads/app-debug2.apk
It will output info about Android package, example below:

You can see the results are as expected:
versionCode: 118 (Jenkins project build #)
versionName: 1.118

TODO: add versionName to apk name, this will help to easier see the app user(QA, Dev,..) installs.
Example of app Name: qa-go90_1.0.12.apk, release-go90_1.0.12.apk, etc...

FYI:
aapt location is in your android/build-tools

ex:

$cd /Applications/adt-bundle-mac-x86_64-20131030/sdk/build-tools/android-4.4

$./aapt d badging myapk.apk | grep package

Output

TUSCA09TMLVT029:23.0.2 v644084$ ./aapt d badging /Users/Desktop/base.apk | grep package

package: name='com.myPackageName.release'

versionCode='97040'

versionName='1.7.0'

platformBuildVersionName='6.0-2166767'

Resources:
http://developer.android.com/intl/es/tools/publishing/versioning.html
Configure gradle: https://developer.android.com/intl/es/tools/building/configuring-gradle.html
good read:* http://www.androidshortcuts.com/tags/gradle/
http://eric-liang.com/category/android-app-development/

Wednesday, March 9, 2016

Fix Jenkins error for Android build, missing sdk #.#.#

Error: failed to find Build Tools revision 23.0.2

FAILURE: Build failed with an exception.

* What went wrong:
A problem occurred configuring project ':app'.
> failed to find Build Tools revision 23.0.2

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Solution:

$android list sdk -a

Which showed me the following list:

1- Android SDK Tools, revision 24.0.2
2- Android SDK Platform-tools, revision 23.0.2
... and a great many more

Followed by the command:

$android update sdk -a -u -t 2

It will install the 23.0.2 SDK Platform-tools components. DONE. Run Build again in Jenkins.

Example below:

Andress-MacBook-Pro:tools andres$ pwd

/Users/Shared/Jenkins/Home/tools/android-sdk/tools

Andress-MacBook-Pro:tools andres$ ls

android .... .....

.... ... ...

Andress-MacBook-Pro:tools andres$ ./android list sdk -a

Refresh Sources:

Fetching https://dl.google.com/android/repository/addons_list-2.xml

Fetched Add-ons List successfully

Refresh Sources

...

Parse XML: https://s3.amazonaws.com/android-sdk-manager/redist/addon.xml

Packages available for installation or update: 170

1- Android SDK Tools, revision 24.4.1

2- Android SDK Tools, revision 25.0.9 rc10

3- Android SDK Platform-tools, revision 24 rc1

4- Android SDK Build-tools, revision 24 rc1

5- Android SDK Build-tools, revision 23.0.2

6- Android SDK Build-tools, revision 23.0.1

Andress-MacBook-Pro:tools andres$ sudo ./android update sdk -a -u -t 5

Reference:
http://stackoverflow.com/questions/27272605/failed-to-find-build-tools-revision-21-1-1-sdk-up-to-date

Tuesday, February 23, 2016

info Android Continous Integration

Continuous Integration

Goal is that every time you commit your code, your code automatically goes thru some Junit testing (iOS/Android) and also builds the apps (ipa/apk). CI helps improves the quality of the app. Ideally is nice to have one system when you can kick a build and also run your unit and integration tests. CI is key to have a great app :)

Good read: Tools used by other companies:
Android Jenkins aws
Read to learn about CI Jenkins vs. Circle CI vs Travis

http://mtdevuk.com/2015/04/27/setting-up-a-jenkins-continuous-integration-environment-for-android/

***Good read Android and Jenkins

------------------------------------------------------------------------------------------------------------
My Opinion:
Most enterprise companies use Jenkins. For small companies I would suggest CircleCI($) or Travis($$$).

------------------------------------------------------------------------------------------------------------
Jenkins:

What is Jenkins?

Jenkins Plugin info (BUILD_NUMBER..)
Jenkins is an open source continuous integration tool which aims to automate certain tasks that developers find themselves repeating. It runs as a local server on a host machine

Tutorial by codepath
Setup:
1. Create Jenkins account.
2. Configure Jenkins:
Install Plugins: Manage Jenkins -> Manage Plugins -> Available

Gradle Plugin (build system)
Git Plugin (use git to link to your projects repos)
Android Emulator
AWS device farm (test apps with real devices using AWS Device farm)
HockeyApp (distribute apps)
Android lint plugin - Lint is a great tool created by Google to analyze the code for Android. It comes with the SDK of Android and it is useful to have good quality code.

3. Configure Git repo, ssh key.

4. Create new job to generate APK.

Enterprise Notes:
1. Create Jenkins account.
2. Install Android SDK in jenkins machine(node)
3. Install Plugins.
4. Configure Git Enterprise repo(master).
5. Test run to generate apk.

Tips
Jacoco Reporting

------------------------------------------------------------------------------------------------------------

Circleci:
Proof of Concept - Android Continuous Integration with gradlew and Circleci

Circleci uses the build file: circle.yml, you need to create and add this file to your project root.
Circleci builds apk and runs Espresso UI test(click button change text).
GitHub Project
Circleci Dashboard
Reference
Circleci iOS

------------------------------------------------------------------------------------------------------------

Travis:
Proof of Concept - Android Continuous Integration with gradlew and Travis

Monday, February 1, 2016

info Android Material

Good read about Material Design

Components:
snackbar

Drawables tutorial

info Android Testing (and iOS)

Wednesday, January 27, 2016

info Android Security

WIP. work in progress, I'm writing this post to help others interested in Android Security :) enjoy!

Good read:
http://strazzere.com/papers/AAP-QPSI.pdf

Pretty cool tool to find potential security vulnerabilities :)
http://android-arsenal.com/details/1/2769

other: http://android-arsenal.com/details/1/3046

Android Security Code:
https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app
https://manifestsecurity.com/android-application-security-part-21/

Android Code:
http://www.codota.com/android/methods/android.widget.ImageView/setVisibility

Must Watch videos:
https://www.youtube.com/watch?v=18tn_mF4XRg&feature=youtu.be

**Hacking Android eBook (good info)
https://library.oreilly.com/book/9781785883149/hacking-android/toc

Thursday, January 7, 2016

SharedPreferences in Android [ put string and get string ]

PUT

private SharedPreferences sharedPreferences;

sharedPreferences.edit()
        .putString("KEY_NAME", name)
        .apply();

GET

String NameURL= getPref("KEY_NAME", getContext());

public static String getPref(String key, Context context) {
    SharedPreferences preferences = PreferenceManager.getDefaultSharedPreferences(context);

  return preferences.getString(key, null);

Resources:

https://medium.com/google-developers/sharedpreferences-is-your-answer-to-simple-storage-a7c8499ea8ff#.7eoyjrjgi