Slatedroid info

Everything about android tablet pc [slatedroid]

Java basics: a tutorial for beginners

Posted by wicked April - 17 - 2015 - Friday Comments Off


If you have ever wanted to write your own Android app, for fun or for profit, you are probably going to need to do some programming. There are lots of different ways to write Android programs but the official language of Android is Java. If you don’t want to try your hand at Java, then I would recommend you read my article: I want to develop Android Apps – What languages should I learn?

Not only is Java the official programming language for app development, Java itself is used by Google for large parts of the Android internals. There are two distinct parts to writing an Android app. One is the Java programming language itself, the other is understanding how to create an app in terms of its user interface, the Android OS, and the Android Software Development Kit (SDK). In this tutorial we will deal with the first of these, the Java programming language.

To start writing Java programs you need a way to compile source code and turn it into an executable for the Java runtime.

Java was first released in the mid-1990s by Sun Microsystems. It was designed to be easy to learn by programmers who already knew C and C++. During 2006 and 2007 Sun released Java as free and open-source software, under the terms of the GNU General Public License (GPL). Sun was bought by Oracle in 2009/2010, and Oracle remains committed to Java.

To start writing Java programs you need a way to compile source code and turn it into an executable for the Java runtime. The normal way to do this is to install the Java Development Kit. At the time of writing the current version of Java is Java 8, however it is relatively new, so Android uses Java 7. If you are unsure about installing the JDK then read this How to Install the Java Software Development Kit tutorial. Oracle also provides a JDK 7 Installation Guide.

However, if you aren’t quite ready to install the JDK, and you want a quick route to trying your first Java program, then I recommend Koding gives you access to a free virtual machine with all the compilers and tools you need to compile and run Java programs as well as develop in other languages like Go, Python, Node, and C. To sign up just visit, type in your email address and a password of your choice, and then click “Sign Up”.

The virtual machine (VM) comes with an IDE and command line access. The web view of the virtual machine is divided into four. On the very left if the Koding control panel with access to your account details, the virtual machines you have created and so on. Next to it is a file manager which shows all the files and folders you have on your VM. Next to that the screen is split into two. The top half is an editor, for writing your code; and the bottom half gives you command line access.

From here in I will assume you are using Koding. However, for those who have installed the JDK the process is almost identical except that you will need to use a text editor on your PC rather than the editor inside the Koding IDE.

Cut and paste the following code into the editor:

public class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, World");

And save it as In Java the filename of the source code and the class name must be the same. The first line of the code declares a class called HelloWorld, so this source code must be saved in

In Koding to save the file, hover the mouse over the tab for the code (probably called Untitled.txt) and click on the little arrow. Then click “Save As…”, enter as the file name and click “Save”.

At the bottom part of the screen is the command line. The virtual machine is running Linux and the terminal is running Bash. If you are unfamiliar with using the Linux command line, try this tutorial: Linux Tutorial for Beginners, especially Tutorial One and Two. So, to compile your first Java program just type:


The compile should only take a second or two. Then to run the program type:

java HelloWorld

Your reward is the text “Hello, World” being displayed in the terminal. Congratulations!


What did I just do?

So let’s take a moment to look at what just happened. First the source code. The file does three things. 1) It declares a class called HelloWorld. 2) It defines a method (a function) in the HelloWorld class called main. 3) The main() method calls System.out.println to output some text.

In Java, and in all object orientated programming languages, a class defines an object. An object is a self contained item that interacts with other objects. In Android such object would include elements in the UI, a network connection, some location data, and so on.

Each Java program must define a method called main in at least one class. It is the entry point, where the program starts executing. In the simple example above the main() method has just one line of code, a call to System.out.println to output “Hello, World”. println() is a method that belongs to the PrintStream class and is included as part of the System class. Oracle has lots of information about the System class and the PrintStream class.

To compile and run the program you first called javac and then java. The first is the Java compiler, hence the letter ‘c’ at the end, and the second is the Java virtual machine. Java is architecture-independent which means that a .java file isn’t compiled for a specific processor on a specific OS, like Windows on an Intel x86 chip, or Android on an ARM Cortex-A processor, but rather it is turned into Java bytecode. The job of the Java virtual machine is to run that bytecode on the specific platform.


When writing computer programs you will need to store some data for temporary use. For example in an Android game you will want to store the score of the current player. These bits of data are stored in variables – a box in which you can put some data and then come back later a retrieve it. Since data comes in different forms a variable needs to be defined with a type, which tells Java what is being stored. Some of Java’s primitive data types include int (for integer), double (for double precision floating point number), and boolean (for a true/false value).

Here is a simple program which sets the value of a variable, prints out the value to the console, changes the variable and then prints it out again:

public class VariableTest {
    public static void main(String[] args) {
        int i = 1;

        System.out.println("The value of i is: " + i);
        i = i + 24;
        System.out.println("The value of i is now: " + i);

Save the file as “”. To compile it type: javac, and to run it use: java VariableTest. The output of the program will be:

The value of i is: 1
The value of i is now: 25

As you can see the program defines a variable called “i” and gives it an initial value of 1. The value of “i” is printed to the console. Then i is set to the new value of i + 24, or 1 + 24, which is 25. The new value is then printed out.

Try modifying the program to use a “double” rather than an “int”. Set “i” to something like 1.3 and increase its value by another decimal number like 24.9.

If you take a look at the println() method you will see an integer being added to a string: “The value of i is: ” + i. What actually happens here is that Java knows that the first part of the expression is a string, so it generates the string value for i, in this case “1” and then concatenates it to the string giving: “The value of i is: 1″.


Strings are an important part of any programming language including Java. Unlike int or boolean, a string isn’t a primitive type it is a class. When you create a string variable you are really creating a String object (notice the capital letter S). As an object it has certain properties like its value (the string itself) and its length. Strings can be manipulated in lots of different ways, including being dissected, concatenated, compared, and searched.

Here is an example program that performs a few simple operations on a String:

public class PlayingWithStrings {
    public static void main(String[] args) {

        String hello = "Hello, World";

        // Add an ! to the end
        hello = hello + "!";

        // Extract the word "Hello" from the String
        // i.e. starting at the beginning (0) for 5 characters
        String justHello = hello.substring(0,5);

        // Add some trailing spaces and then remove them with trim()
        hello = hello + "     ";
        hello = hello.trim();

        // Now output the string all in UPPERCASE and lowercase

Save it as Compile it and run it using javac and java as shown previously.

This is a special method called a constructor. The constructor is called only once, at the moment that the object is created.

The first part of the program creates a String object called “hello” and gives it a value of “Hello, World”. Although this make look similar to how you declare and assign an integer or another primitive type, actually there is a lot more going on here. Java allows simple operators like = and + to be assigned simple tasks. So really String hello = “Hello, World”; is actually some like String hello = new String(“Hello, World”);, in other words, create a new object of type String and pass in the value “Hello, World” to the constructor. But we will talk more about that in the Objects section below.

The next part shows how you can concatenate strings, in this case an exclamation point is added to the end of the string. Since String is an object it can have methods. String.substring() is a method which returns part of a string. In this case the first 5 characters. String.trim() is another method which removes leading and trailing spaces. The last part of the program demonstrates the String.toUpperCase() and String.toLowerCase() methods.

The output from the program will be:

Hello, World
Hello, World!
hello, world!

You can find out more about the String object in Oracle’s String tutorial and from the Java String documentation.


If there is one thing a computer is good at, it is doing repetitive tasks. To perform a repetitive task in a programming language you use a construct called a loop – something that loops around again and again.

Java has three types of simple loop: the for loop, the while loop, and the do while loop. Each loop type follows the same basic idea, you need to repeat something over and over again until a certain condition is met.

Here is an example which shows how to print out the numbers 1 to 10, 11 to 20, and 21 to 30, using the three different types of loop:

public class Loops {
    public static void main(String[] args) {

        // For loop
        for(int i=1; i<=10; i++) {
            System.out.println("i is: " + i);

        // While Loop
        int j = 11;
        while(j<=20) {
            System.out.println("j is: " + j);

        // Do While Loop
        int x = 21;
        do {
            System.out.println("x is: " + x);
        } while (x <=30);

Create a file called with the code from above, then compile it and run as shown previously.


The for loop as three parts. First the initialization (int i=1), which is executed only once. In the example above the initialization is used to declare an integer i and set its value to 1. Then comes the test expression (i<=10). This expression will be tested every time the loop executes. If the result of the test is true then the loop will go around again. In this example the test is to check that i is still less than or equal to 10. After each iteration the third section, the iterator, will be executed. In this example it increases the value of i by one. Note that i = i + 1 is the same as i++.

The while loop is similar to the for loop, except it doesn’t contain the initialization phase and the iterator phase. That means that the initialization needs to be done separately, hence the declaration int j = 11;. The iterator also needs to be coded separately. In our example it is the line j++ which is found inside the loop after the println().

A do… while loop is very similar to a while loop with one big difference, the test to see if the loop should continue is at the end of the loop and not at the start. This means that a do… while is guaranteed to execute at least once, but a while loop doesn’t even need to execute at all, if the conditions aren’t met on the entrance into the loop.

Like the while loop, the initialization needs to happen outside the loop, in this case: int x = 21; and the iterator occurs inside the loop: x++. When x goes over 30 the loop will stop.


As I mentioned before, Java is what is known as an object-orientated (OO) programming language and to really succeed in Java programming and Android programming it is important to understand OO concepts.

At its simplest level an object is a set of methods (functions) that work on a data set. The data and the methods belong to the object, and work for the object.

Here is the source code for a very simple program which creates a counter object:

public class Counter {

    int count;

    public Counter() {
        count = 0;

    public void Increment() {

    public int GetCount() {
        return count;

    public static void main(String[] args) {
        Counter myCounter = new Counter();

        System.out.println("mycounter is " + myCounter.GetCount());
        System.out.println("mycounter is " + myCounter.GetCount());

The Counter object has one piece of data, the integer variable count and three methods (other than main): Counter(), Increment(), and GetCount(). Leaving the first method for the moment, you can see that Increment() and GetCount() are very simple. The first adds one to the internal variable count and the second returns the value of count.

Until now all the methods we have declared started with public void but if you notice the GetCount() method starts with public int. We will talk more about public in a moment, but the difference between void and int is this: void declares that the method doesn’t return anything, there will be no result coming back out of the method. But int tells us that the method will return a number, specifically an integer. You can actually create methods that will return all kinds of data, including objects.

Notice that the first method has the same name as the class itself, i.e. Counter(), and it doesn’t have a return type (not even void). This is a special method called a constructor. The constructor is called only once, at the moment that the object is created. It is used to initialize the object with default values and perform any other necessary initialization tasks. In this example it just sets count to zero.


The great thing about classes is that you can create a general class for an abstract idea and then create specific classes which are derived from the original class. For example, you can create a class called Animal and then derive a new class from it for a specific animal, say an Elk.

Here is an example, I will expand on what is happening here in a moment… You are going to need to create two files for this example, and Here is

public class Animal {
    int NumberOfLegs;

    public Animal(int n) {
        NumberOfLegs = n;

    public int GetNumLegs() {
        return NumberOfLegs;

And here is

public class Elk extends Animal {
    int lengthOfAntlers;

    public Elk(int l) {
        lengthOfAntlers = l;

    public int GetAntlerLength() {
        return lengthOfAntlers;

     public static void main(String[] args) {
        Elk myElk = new Elk(30);

        System.out.println("Antler: " + myElk.GetAntlerLength());
        System.out.println("Legs: " + myElk.GetNumLegs());

To compile the program just type:


The Animal class is what is known as a super class, while the derived class Elk is known as a sub-class, because hierarchically it is below the Animal class. When a class is extended (i.e. you create a sub-class) the new class takes on the data and methods of the super class. That is why the program is able to call myElk.GetNumLegs() even though it is part of the Animal class. The new Elk class has two variables: NumberOfLegs and lengthOfAntlers. It also has two methods: GetAntlerLength and GetNumLegs. If we created another sub-class, say Sheep, it would inherit the NumberOfLegs variable and the GetNumLegs method.

When designing objects you will discover that you want some methods to be exposed to the rest of the program, so that they can be called. But other methods you might want to keep private, so that only the object itself has access to it. This is where that word public comes into play. We have been declaring everything as public which means the method can be called from anywhere else in the code. However you can declare methods as private or protected, which will limit the access to those methods. The same access rules can also be applied to the object’s variables. A deeper discussion is beyond the scope of this tutorial, but if you would like some more information then you should read Controlling Access to Members of a Class and Declaring Member Variables from Oracle’s Java documentation.

One other thing worth mentioning is how the constructors work. The Elk() constructor initializes the lengthOfAntlers variable, in this case to 30, the number passed in when the object was created. But before that, it calls the constructor of the super class (i.e. Animal() ) using the special Java notation super.

There is a lot more that can be said about object-orientated programming (OOP), but this should be enough to give you a taste and get you started.

Wrap up

There are lots of online tutorials for learning more about Java. Here are a few from Oracle:

  • Getting Started — An introduction to Java technology and lessons on installing Java development software and using it to create a simple program.
  • Learning the Java Language — Lessons describing the essential concepts and features of the Java Programming Language.
  • Essential Java Classes — Lessons on exceptions, basic input/output, concurrency, regular expressions, and the platform environment.

You might also want to look at the following tutorials:

For those of you who would like an eBook or a printed book on Java programming then you might want to consider the following:

Also, good books on Android programming include:

Android Developer Newsletter

Do you want to know more? Subscribe to our Android Developer Newsletter. Just type in your email address below to get all the top developer news, tips & links once a week in your inbox:

PS. No spam, ever. Your email address will only ever be used for Android Dev Weekly.

Google announces winning apps from their Google Fit Developer Challenge

Posted by wicked April - 15 - 2015 - Wednesday Comments Off


Google has announced the winners of the Google Fit Developer Challenge that they launched last year. The challenge was designed to help encourage developers to look at the Google Fit platform and figure out unique, fun ways to get users active while using their Android devices. The challenge was launched with the support of adidas, Polar and Withings. Besides having their apps highlighted in Google Play, the winning developers will also be receiving some prizes from the sponsoring companies including:

  • the X_CELL and SPEED_CELL from adidas (sensors for the body and shoes)
  • an Android Wear device
  • a Loop activity tracker and H7 heart rate sensor from Polar
  • Smart Body Analyzer (a smart scale) from Withings.

The following apps were the twelve grand prize winners:

  • 7MinGym: All you need is this app, a chair, and a wall to start benefiting from 7 minute workouts at home. You can play music from your favorite music app and cast your workout to Chromecast or Android TV.
  • Aqualert: This app reminds you to stay hydrated throughout the day and lets you track your water intake.
  • Cinch Weight Loss and Fitness: Cinch helps you with detailed information your steps taken and calories burned. The app also supports heart-rate tracking with compatible Android Wear devices.
  • FitHub: FitHub lets you track your fitness activity from multiple accounts, including Google Fit, and multiple wearable devices, including Android Wear. You can also add your friends to compare your progress!
  • FitSquad: FitSquad turns fitness into a competition. Join your friends in a squad to compare progress, track achievements, and cheer each other on.
  • Instant – Quantified Self: Instant is a lifestyle app that helps you track not only your physical activity but your digital activity too and tells you how much you’re using your phone and apps.other activity. You can also set usage limits and reminders.
  • Jump Rope Wear Counter: This simple app lets you count your jump rope skips with an Android Wear device.
  • Move it!: This app packs one neat feature – it reminds you to get up and move about if you haven’t been active in the last hour.
  • Openrider – GPS Cycling Riding: Track and map your cycle routes with Openrider.
  • Running Buddies: In this run tracking app, runners can choose to share their runs and stats with those around them so that they can find other runners similar to themselves to go running with.
  • Strength: Strength is a workout tracking app that also lets you choose from a number of routines, so you can get to your workout quickly and track it without manual data entry. Schedules and rest timers come included.
  • Walkholic: Walkholic is another way to see your Google Fit walking, cycling, and running data. You can also turn on notifications if you don’t meet your own preset goals.

source: Google Developers Blog

Come comment on this article: Google announces winning apps from their Google Fit Developer Challenge

Android customization – how to make a screen recording, using ADB – root not required

Posted by wicked April - 9 - 2015 - Thursday Comments Off

Last week on our Android customization series, we dove into a deep and involved developer tool called ADB, or Android Debug Bridge. Our purpose last week was pretty simple, we were trying to hunt down apps that were eating up the battery on our Android devices, and we used logcat to do so.

This week, now that you’ve got ADB up and rolling, let’s keep using it. I have a short list of tasks I want to perform with ADB, but we will start off with the most fun of them all, capturing a screen recording on your Android device.

Before we get started

You do not require any special apps or to have root on your device to follow along today, or for any of our upcoming ADB tasks in the coming weeks. You will, however, need to have a connected computer with ADB setup and ready to roll.

Nexus 9 HP Chromebook USB ADB logcat

You will need to at least follow along our previous project to see how ADB is setup and enabled on your connected computer, and be ready to connect with an appropriate USB cable for your Android device.

Warning: The screen record functionality in ADB is for video only, it does not capture the audio of your device, please be prepared to capture audio separately, if required. The recording is limited to about 3 minutes in length, to help prevent copyright violations, I presume. Screen rotation is not supported, pick an orientation and stick with it for the recording.

Capture a screen recording with ADB

First things first, connect your Android device to your PC. Follow any steps required to enable ADB, fire up your command/Terminal window and get ready to rock.

ADB screenrecord sample

In your command or Terminal window, enter adb devices and hit enter.

As mentioned last week, you do not really need to do this, but it is always nice to see that your device is connected and reporting to your computer properly.

Now, enter adb shell and hit enter.

Shell enables a subset of new tools within ADB, and, in a manner of speaking, provides access to the command line controls of your actual device. If that does not make sense, don’t worry about it, we’ll have the chance to explain in more detail at a later date.

Enter screenrecord /sdcard/video.mp4 and hit enter.

You are now recording your Android device display.

To stop the recording, wait for three minutes to expire, or simply press Ctrl+C into the command/Terminal window.

ADB screenrecord Moto G on Chromebook

The video file is saved to your Android device, and will be located where you specified above, which would be on your /sdcard/ if you entered the exact text above. Feel free to specify a new storage location on your device, and a new file name as well, be careful not to run the command again right away, as it may overwrite your previous video.mp4 file.

What’s next

Our implementation above utilizes the bare bones defaults of the screen record tool. There are additional options available that may be of use to you.

First, the default will record the video at your device’s screen resolution, if supported. If you have issues, try specifying a specific screen resolution. The general format is to add –size WIDTHxHEIGHT to your command. For example, screenrecord –size 1280×720 /sdcard/recordings/my720pvideo.mp4. Consult your manufacturer for supported resolutions on your Android device’s AVC encoder.

You can also control the bit-rate and recording time (up to 3 minutes.) Head on over to the ADB help pages for more details – fair warning, our next few Android customization posts will cover our favorite tools on that ADB page, feel free to jump ahead if you wish. For now, the following image has the few supported screen record options for you.

ADB screenshots command options

Next week

Now that you have a screen recording or two saved to your Android device, you may want to get it off the device and onto your computer. We have talked about file transfers before on our Android customization series, but we’ve got ADB at our disposal now, so let’s use it. Next week, we will use ADB to transfer files to and from your computer and Android device.

What do you use a screen recording for? Work, entertainment, send to a friend to show them a problem you are having?

Google introduces new analytics tools to help game developers

Posted by wicked April - 1 - 2015 - Wednesday Comments Off


Following up on an announcement a few weeks ago at the Game Developers Conference, Google is make the new Play Games Player Analytics tool available to all developers through the Google Play Developer Console. The Analytics tool will help developers manage their business to revenue targets, identify hot spots using metrics to develop new game updates, and understand how players are progressing, spending and churning.

Google is making the Analytics tool available for no additional effort for developers who are using Google Play game services in their titles. All they need to do is visit their Google Play Developer Console to access the reports generated by the tool. If a developer is not using Google’s game service, they can add this tool with a few lines of code added to their game, although it appears this will also add Google Play game services to a title.

Besides the basic reports and metrics, developers can also get access to a Sources and Sinks report if they enable Events from Google Play game services.

The revenue target tool gives developers the ability to set a daily goal for revenue. The report will then show Target vs Actual data. A Business Drivers report gives developers benchmark data so they can see how their game stacks up against the competition. Other reports will show player retention statistics and another will help developers identify which parts of a game players are struggling with or where they enjoy spending their time.

The Sources and Sinks report can be used by developers to analyze the in-game economy they have created in their titles. The data will show how players are earning rewards and how they spend them.

For game players, this should mean even better games and game updates hit the market as developers have more information and data to support their development strategy.

source: Android Developers Blog

Come comment on this article: Google introduces new analytics tools to help game developers

Where is the best place to store a password in your Android app

Posted by wicked March - 31 - 2015 - Tuesday Comments Off

Security concept

Typically Android security issues fall into a couple of major categories. Firstly, personal information stored insecurely on a phone and secondly, insecure communication to any back end database or web server.  And while there are lots of other things that can go wrong, the majority of security problems fall into these two areas. In this article we will look at the various options available to secure personal information  in an app, and in the next article we’ll look at network communications.

The best option is to never store a user’s personal information, such as passwords or credit card numbers, on the phone. If getting the user to enter a password each time is not an option then you’re going to have to store the username and password somewhere on the device. There really aren’t a lot of places you can store information on an Android device. The possibilities are to store the information in shared preferences, or in a sqlite database, or in the device’s keystore.

Over the past few years, I have been part of a process that manually audited a couple hundred Android apps. During that time I have seen the same security problems, repeated again and again. And although we do our best to let the developers know about the security issues with their apps, we’ve been a lot more successful at hacking the apps than at getting anyone to fix them.  So in an effort to spread the knowledge, let’s look at some real world authentication patterns we’ve seen as developers try to hide password information.

These are ranked in order of difficulty to break.

  1. Store in cleartext
  2. Store encrypted using a symmetric key
  3. Using the Android Keystore
  4. Store encrypted using asymmetric keys


Plaintext encryption

Using cleartext means there is no protection to a user’s runtime data – assuming the hacker has physical access to the phone, which is a big assumption. But as there are so many phones for sale on eBay and Craigslist you have to assume that your app is going to end up sooner or later on a secondhand device.  You can access all the information in an app’s data folders use the adb backup command and then convert it into a tar format using the Android Backup Extractor or abe.jar. For example:

adb backup
java -jar abe.jar unpack backup.ab
tar -xvf backup.tar

Using cleartext means there is no protection to a user’s runtime data – assuming the hacker has physical access to the phone.

A slightly better option used by a significant number of apps is to set the android:allowBackup flag to false in AndroidManifest.xml and then put whatever you want in the shared preferences or in into an sqlite database. The idea being that if nobody can back it up then nobody should be able to access the passwords. Unfortunately there’s a big flaw in this argument. Android is a Linux based system so root will have access to any files on the phone. If the phone isn’t properly wiped when it’s resold the new owner is going to have all the time in the world to root the phone and recover whatever dynamic user information is stored in the data folders by changing the permissions on the file and then doing an adb pull, instead of the adb backup command. Here is an example shared preferences file with an exposed password:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<string name="password">2secret4me</string>
<boolean name="remember" value="true" />
<string name="username">androidauthority</string>

Symmetric Encryption

Symmetric Encryption

A much better idea is to encrypt the password before you store it. If you are going to take this approach then don’t store the key in the APK code or anywhere else on the phone. It’s never a good idea to use AES, DES or any other symmetric encryption algorithm if you store the key where it can be easily found.  It is a relatively simple process to find the APK and then get a copy off the phone. The command adb shell pm list packages will get a list of the APK’s on your phone. To find where the APK lives on the phone use the command adb shell pm path using your APK name. Then use the following command to get a copy of the APK, adb pull /data/app/ making the appropriate changes for the package name and path or apk name where appropriate.

Use jadx base.apk to decompile the code back into java source code to see if you can find the encryption key in the code. If you are familiar with dex2jar then I suggest switching to jadx. It is an order of magnitude better at decompilation than dex2jar. Lots of apps I audited in the past with dex2jar have only given up their secrets when we starting using jadx.

Developers are a helpful bunch and they often put the encryption keys in easy to find places like

Developers are a helpful bunch and they often put the encryption keys in easy to find places like If that doesn’t work more often than not the code isn’t obfuscated and you can try searching for the class name or phrases like ‘encrypt’ or ‘decrypt’.  To decrypt the password cut and paste the decryption code into a java file and give it the password as an argument.  Some developers make the encryption key device specific by including device information such as the AndroidID as well as make and model information, but it’s mostly worthless if you can already see how the key is put together in the code. If you are going to use some sort of a recipe to generate the encryption key then obfuscate the code properly so that the ingredients are not easy to find. If possible store some piece of information (or even the entire key) remotely on a server, so not all the information can be found on the phone.

And as your app grows and you add more developers, make sure everyone knows how to encrypt and decrypt login information. In one of the dating apps I audited, I found the password encrypted in the shared preferences and another copy of the password was also stored in cleartext in the app’s sqlite database. Someone either didn’t know the rules or simply forgot to remove old code that stored the password in the database.

If you’re writing a healthcare app and you want to see if it’s HIPAA secure then put your device into airplane mode and if you can still log into the app then it’s probably not compliant with the HIPAA regulations.

Android Keystore

The safest option for encrypting passwords is to use asymmetric encryption algorithms such as RSA. Asymmetric means that the key is split into public and private keys where only the private key can decrypt the information.  We’re seeing a lot more developers using the Android Keystore to store public and private asymmetric key information.


In the Android Keystore this public – private key exchange takes place on the device and would seem to be HIPAA compliant. We say ‘seem to be’ as once again if you can root the phone you can gain access to the private keys. Nothing is 100% secure and sooner or later someone will find a way to get at the keys, especially if you put everything in the same place.  I’ve always had a problem with mechanisms like the Android Keystore because app developer’s are relying on the skills of another developer for security, and there is no physical impediment to get at the keys.

Android Keystore public and private keys are stored in the /data/misc/keystore/user_0 directory.  The private key is stored in a file that has <app_id>_USRCERT_<key_alias>.  On a rooted phone you can copy the file to another <app_id_malicious>_USRCERT_<key_alias> and then import it from your malicious app, allowing you to recover the password.

Asymmetric Encryption

A safer asymmetric encryption option is to store the private key remotely. When the password is first entered, it is sent to the server for storage. It’s also encrypted with the public key and stored in the shared preferences.  Every time the password needs to be checked then the public key encrypted password gets sent to the backend server and decrypted by the private key. It is then checked against the password information in the server’s database.  A token is then passed to the Android client to allow access to the app.  At no time is the password visible on the phone.

In Android this usually means using the Spongy Castle libraries or other alternative such as Google’s Keyczar.  Sure there are other security issues that you have to think about like how to ensure that someone isn’t just sending you a publically encrypted key from a different device. But it is a lot easier to add extra ingredients to your asymmetric key recipe to foil these type of attacks when the code is on the server.  We’ll return to this in the next article.

In the future Lollipop device encryption may put an end to many of these types of attack, but until Lollipop gains critical mass then options 1, 2 and 3 are not secure approaches. Our original recommendation is to ask the user to enter their password every time they sign in. If that’s not possible then never store the password in cleartext or leave the key in the code or on the device for someone to find.  Asymmetric encryption keys using Spongy Castle or Google Keyczar are much better alternatives to consider.  In the next article we’ll look at similar options for safeguarding your API keys.

Subscribe to our Android Developer Newsletter
Join our Android Developers newsletter to get all the top developer news, tips & links once a week in your inbox

About the author

Godfrey NolanGodfrey Nolan is the founder and president of the mobile and web development company RIIS LLC based in Troy, Michigan, and Belfast, Northern Ireland.He has had a healthy obsession with reverse engineering bytecode. See more from him here. He’s also the author of Bulletproof Android: Practical Advice for Building Secure Apps.


Google to have app ratings based on age, region

Posted by wicked March - 18 - 2015 - Wednesday Comments Off

In an effort to better serve both developers and users, Google announced that they will be implementing a new app rating system that will be based on age and region, and not a universal standard. “Appropriate” content varies from country/region and age group, and so you cannot hold just one standard for everything, is what Google is saying, and in the next few weeks, this will reflect in all the existing apps in the Google Play Store.

Before a developer submits an app for uploading in the Play Store, they now need to fill up a content rating questionnaire, which will then be turned over to appropriate ratings bodies (depending on what country/region your app or game will be sold in) to be rated objectively. Google assures developers that this process is not that “painful” and will give even better feedback fro you. By May, all apps submitted by developers must have the accomplished questionnaire before getting approved (or denied).

Even the already existing apps will have to be reviewed. Developers will be prompted to go into their console and take the same ratings questionnaire for each of their current apps that have already been published or are still waiting for approval. If the questionnaire is left unanswered or incomplete, the apps will have an “unrated” status. This is not good because your app might get deemed inappropriate in some regions for some age groups.

Another update for developers is that Google will now let you know why your app will not be approved. Previously, you’ll just receive a notice that it has been rejected, but without any explanation. Now that you will know why, it means you can fix what’s wrong and submit it again for approval.

SOURCE: Google

New Google reference app helps developers build multi-screen apps

Posted by wicked March - 12 - 2015 - Thursday Comments Off

Android Reference

With the recent introduction of Android Wear, Android TV and Android Auto, Google is expanding its ecosystem to as many screen sizes as possible. With all of the new screen sizes now on the Android platform, the company is urging developers to create the best looking applications as possible, no matter what size screen. To do so, Google has created a new reference sample application called the Universal Music Player for developers to use as a reference point. The app combines a number of different features from Android 5.0 Lollipop and will show developers the recommended way to build their apps for Wear, Auto and Google Cast devices.

Universal Music Player

The application uses recently-added features like MediaStyle notifications, MediaSession and MediaBrowserService, which allows developers to easily implement browsing and playback on multiple devices while only using one version of the application. The app also shows developers how to add album artwork to the lock screen, control music playback through the Wear and Auto platforms, and much more.

If you’re a developer that’s interested in trying out the Universal Music Player, head to the GitHub link below. Or if you’d like some more information on the topic, check out the Google Developers Blog.

Yo, Developers, the Android 5.1 SDK was Released Today

Posted by Kellex March - 10 - 2015 - Tuesday Comments Off

After announcing Android 5.1 and then giving us factory images of the latest build for a handful of Nexus devices, Google went ahead this morning and also made the new Android 5.1 SDK available. The new SDK falls under API Level 22 and includes a small set of new APIs. 

Some of the new APIs include support for multiple SIM cards and enhanced enterprise features that better support the newly announced Android for Work. Again, this is a pretty small update.

According to the announcement, we should start to see Android 5.1 updates arriving on your favorite Nexus phones and tablets within the “next few weeks.”

To see a list of features and changes in Android 5.1, check out this post.

Via:  Android Developers

Yo, Developers, the Android 5.1 SDK was Released Today is a post from: Droid Life

While MWC is still alive and kicking with news, the GDC (Game Developers Conference) is also taking place down in San Francisco this week. Yesterday, Google took the stage to announce a few important things, specifically focused on in-app purchases, in-app advertising, and a new API which allows developers to turn your smartphone into an Android TV game controller. 

As for ads and IAPs, Google harped on creating better advertising experiences for players, while staying true to any app’s overall design and UI. With Native Ads, currently available as a limited beta, Google is giving developers the power to weave advertisements straight into a game’s design fabric. For an example, look at this photo. If you are familiar with in-app advertising, almost all of the time, an ad looks completely out of place, and does take away from the overall user experience. With Native Ads, Google hopes to solve that issue, allowing developers to customize an ad to fit in perfectly with whatever design scheme their utilizing.

On the in-app purchase side of things, game players will need to be more aware of when they are being targeted by developers. According to Google’s announcement, “AdMob can now predict which users are more likely to spend on in-app purchases, and developers will be able to show these users customized text or display ads promoting items for sale.” For this very reason, a certain player is bound to see more IAPs opportunities than others, if the developer plans to utilize this new feature, which is still in beta.

Back to the actual gamers, Google also introduced the Nearby Connections API, which allows developers to turn your smartphone into a game controller when synced to an Android TV. For example, if you and your buddies want to play a round of Beach Buggy Racing, but only have one game controller for your Nexus Player, your friends can simply sync to the Android TV, then use their smartphone as a racing controller. A video demoing this new API can be viewed below.

To see the full list of info and announcements, follow the via link below to the Android Developers blog.

Via: Android Developers

Google at GDC 2015: Native In-App Ads Introduced, Nearby Connections API for Second-Screen Controls Showcased is a post from: Droid Life

Google_Play_Services_Splash_BannerGoogle has officially updated Play Services to version 7.0 bringing several new features and enhancements for developers to take advantage of. They had previously mentioned some additions to AdMob and Google Play Games, but now the entire service has been updated.

The new Places API seems like the biggest new addition to Play Services, as it will allow apps to get information from Google’s database of locations, venues, and restaurants, and users can quickly get info about the business in particular including addresses and phone numbers. 

Google Fit has introduced a handful of new APIs for tracking new measurements and sensors, and it’s supposedly significantly lighter on memory requirements for Fit apps. AdMobs is seeing some Google Analytics integrations, and Google Play Games has adopted a new feature that will let games use a nearby device as a second screen for content. This is especially useful for using your Android device as a controller on Android TV.

Although the developer SDK hasn’t gone live yet, this update should be hitting your devices in the near future. For Google’s full blog post about it, hit the link below.

source: Android Developers

Come comment on this article: Google Play Services 7.0 released, brings improvements to locations, Google Fit, and AdMob

ePad 7 Android 4.0 ICS
$162 $100 FREE SHIPPING 

10" Android 4.2 1.2GHz Tablet PC