There have been several Google security projects but this is the first Android-specific security library that’s part of AndroidX. It’s been a long time coming but I for one am happy to see it. AndroidX Security is in alpha and so the feature set may yet change, but currently its primary focus is keeping data secure at rest and its use is recommended in the Android Security best practices. Files and data within your application’s private data directory are protected by Linux-style user permissions enforced by the system. This prevents access from other applications or would-be attackers on non-rooted devices. However, it’s still good security practice to encrypt your sensitive app data.

To help developers secure their app’s data at rest it offers two utilities:

  • EncryptedSharedPreferences – automatically encrypts keys and values and adheres to the SharedPreferences interface. It’s easy to replace existing SharedPreferences usages with this implementation instead. The rest of the article focuses on EncryptedSharedPreferences but many of the points are valid for EncryptedFile.
  • EncryptedFile – allows you to read/write encrypted files by providing custom implementations of FileInputStream and FileOutputStream.

I’ve used powerful encryption libraries such as BouncyCastle, which offer the ability to perform secure cryptographic operations, but the learning curve and number of customisation options are high. This either puts people off altogether or leads to accidental but critical security mistakes. For example, I accidentally used the default Initialization Vector, which turned out to be a static zero-byte array – this is bad from a security point of view. I like the fact AndroidX has a very simple API and defaults to a recommended* AES-GCM 256-bit encryption algorithm.

* A note on my recommendations: this is based on my understanding at the time of publishing but please do your own research to confirm this library and encryption algorithm are indeed safe and secure.

How to include in your project?

As with any of the AndroidX packages just include this dependency in your build.gradle file.

implementation ""

Note: This is only available within the AndroidX library suite and as such, there is no backports that are compatible with the old Android Support libraries.

Example using `EncryptedSharedPreferences`

Let’s dig into the EncryptedSharedPreferences part of the library; storing arbitrary data on or about users is a common task for many applications.


MasterKeys is a helper class that generates your encryption keys and stores them in the Android Keystore.

val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC

val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)

Note: if you require the strongest security using a hardware-backed Keystore you can use your own KeyGenParameterSpec and alter the options via the KeyGenParameterSpec.Builder.


Create EncryptedSharedPreferences like this:

val sharedPrefs = EncryptedSharedPreferences.create(
    "secret_shared_prefs",   // preferences file name (placeholder, pick your own)
    masterKeyAlias,          // alias of the master key created in the previous step
    context,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,    // keys: deterministic
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM   // values: randomised
)
You can interact with SharedPreferences as normal – the encryption and decryption happens transparently to you. The masterKeyAlias was created in the previous step and is a String used to identify the key in the Android Keystore.


Under the hood

Here’s what an EncryptedSharedPreferences file looks like. This was extracted from one of my sample apps using Facebook’s Stetho library, although you could just as easily use ADB or Device File Explorer within Android Studio to pull the SharedPreferences XML file from your app’s private data directory.

As noted in the key management section of the security best practices, AndroidX Security uses a 2-part system for key management.

A keyset that contains one or more keys to encrypt a file or shared preferences data. The keyset itself is stored in SharedPreferences.

A master key that encrypts all keysets. This key is stored using the Android Keystore system.

EncryptedSharedPreferences uses two different encryption schemes. The one for the keys is deterministic; by that I mean any key (e.g. “access_token”) will render to the same ciphertext every time, whereas values are encrypted with a non-deterministic scheme. A non-deterministic scheme mixes random data into the encryption, so encrypting the same text twice generates two different ciphertexts. This improved security wouldn’t work for the SharedPreferences keys, as they need to be consistent in order to look up the values in the HashMap.


The library is relatively new and is in Alpha02. It seems robust in my testing, as have other alpha AndroidX libraries. But it’s certainly a risk worth considering before implementing in production.

To use this library you’ll need to set your minSdkVersion to 23 (Android 6.0). This is mainly due to the dependency on the Google encryption library Tink, which requires SDK 23 for Android Keystore operations. If this security library alone isn’t enough to justify increasing your application’s minSdk then you could opt to use the AndroidX Security library for SDK 23+ and default to the regular File or SharedPreferences for users on older devices. Why reduce security for all of your users just to support old devices?

You won’t be able to use Preference Activity/Fragment with XML to link directly to the SharedPreference data so before jumping in and encrypting all the things, consider that you’re unlikely to need to encrypt all your app’s shared preferences. I’d recommend splitting out just sensitive data such as OAuth access and refresh tokens, email or any other personally identifiable data.

It’s also worth thinking about the recovery strategy in case the decrypt fails. The use case I’ve often used this type of encryption for is caching server-side data for offline access. If the key cannot be retrieved, or the decrypt fails for whatever reason, the worst case is asking the user to re-authenticate and re-download the data when they next have connectivity. Of course, this recovery strategy of starting again relies on the data being on the server and although it’s not a great user experience, I don’t see it as the end of the world (i.e. a 1-star rating 😉 ). However, that’s not the case for an offline-only password manager where there would be no recovery option. So remember to catch the SecurityException and handle it according to your specific app/use case.
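The points above (encrypt only the sensitive values, fall back to plain SharedPreferences below API 23, and catch the SecurityException with a recovery path) put together in one class. This is an added example, not code from the original post or from the AndroidX library; the class name, the preferences file name and the key names are assumptions, and the “wipe and re-authenticate” recovery is the strategy described above for server-backed data.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import android.os.Build
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys
import java.io.File
import java.io.IOException
import java.security.GeneralSecurityException

// Added example: holds only the OAuth tokens; non-sensitive settings stay in
// regular SharedPreferences so PreferenceFragment-backed screens keep working.
class TokenStore(private val context: Context) {

    companion object {
        private const val PREFS_FILE = "secure_tokens"      // placeholder file name
        private const val KEY_ACCESS_TOKEN = "access_token"
        private const val KEY_REFRESH_TOKEN = "refresh_token"
    }

    private val prefs: SharedPreferences? = openPrefs()

    private fun openPrefs(): SharedPreferences? {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            // AndroidX Security needs API 23 (Tink + Android Keystore); older devices
            // fall back to unencrypted preferences rather than losing the feature.
            return context.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)
        }
        return try {
            val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
            EncryptedSharedPreferences.create(
                PREFS_FILE,
                masterKeyAlias,
                context,
                // keys: deterministic, so "access_token" always maps to the same ciphertext
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                // values: randomised, so equal plaintexts give different ciphertexts
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
            )
        } catch (e: GeneralSecurityException) {
            null   // master key / keyset could not be set up: treat as "no cached session"
        } catch (e: IOException) {
            null
        }
    }

    fun save(accessToken: String, refreshToken: String) {
        val p = prefs ?: return
        p.edit()
            .putString(KEY_ACCESS_TOKEN, accessToken)
            .putString(KEY_REFRESH_TOKEN, refreshToken)
            .apply()
    }

    /** Returns (access, refresh) or null when the user has to authenticate again. */
    fun load(): Pair<String, String>? {
        val p = prefs ?: return null
        return try {
            val access = p.getString(KEY_ACCESS_TOKEN, null)
            val refresh = p.getString(KEY_REFRESH_TOKEN, null)
            if (access != null && refresh != null) access to refresh else null
        } catch (e: SecurityException) {
            // Decryption failed (e.g. the keyset no longer matches the master key).
            // Recovery for server-backed data: drop the unreadable cache and re-authenticate.
            wipe()
            null
        }
    }

    private fun wipe() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            context.deleteSharedPreferences(PREFS_FILE)
        } else {
            // Assumption: the XML lives in the app's shared_prefs directory (standard layout).
            File(context.applicationInfo.dataDir, "shared_prefs/$PREFS_FILE.xml").delete()
        }
    }
}
```

The caller treats a null from load() as “show the login screen”; for an offline-only store with no server copy you would replace wipe() with something that keeps the ciphertext and tells the user, since deleting it there destroys the only copy.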

Should you use it?

“It depends” – it’s very much down to your application’s use-cases and the type of data you’re storing. For me, it’s a yes. It’s better than using nothing and from a developer point of view, it’s easy to implement and helps keep the app and user data safer. While it doesn’t offer 100% security (spoiler alert: nothing does) it will be more laborious and increase the required skill level for an attacker to successfully extract data.

If you’re already using one of the many open-source encrypted Shared Preferences libraries then I think it would be a good switch. Certainly, if you’re using SecurePreferences, a library I developed several years back, I’d urge you to migrate to AndroidX Security at this point. As mentioned earlier, the API is simpler, uses AES-GCM 256 and is supported by Google rather than being neglected by me ;).

Special thanks to Niall Scott, Mat Rollings and Mez Pahlan for help editing and typo fixing.

If you’re using AndroidX Security in development or production I’m keen to hear your experiences.

The Android Dev Summit was an Android-only, developer-focused conference hosted in the Computer History Museum in Mountain View. It’s much more deep-dive focused than Google I/O and given the proximity of Google HQ there were lots of Googlers to answer questions.

All sessions videos are here.

Themes and Styling – video

There was a big emphasis on using theme attributes (e.g. `?attr/textColorSecondary`) to set your colours within your apps rather than setting specific colours in styles/layouts. The main advantage is you can tweak or change your theme and you don’t have to change all your style definitions. The best use case was supporting day/night mode, which switches the app’s colours depending on the time of day.

It’s also useful when changing the colour scheme for a particular screen, e.g. if displaying football teams, theme the screen based on the team colour. In HelpScout’s case, it’s the way we theme a screen yellow when composing a conversation note.

Also, the Material specs have been updated from a colours point of view. Instead of colorPrimary, colorPrimaryDark and colorAccent, it’s now primary and secondary with variants, and there’s a focus on the colour of text when it’s on a light or dark background (more info). Bonus: lightning talk on vector drawables from Nick Butcher.

Webviews – video

There’s a new AndroidX WebView library whose aim is to provide stability and a common API across Android versions. When using shouldOverrideUrlLoading() make sure to check WebResourceRequest.hasGesture() to ensure it’s a person clicking a link and not a script (benign or malicious) causing the URL to change.
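The hasGesture() check above as a WebViewClient, written as an added example (not code from the talk or from the AndroidX library). It assumes the androidx.webkit dependency, whose WebViewClientCompat delivers the WebResourceRequest overload on API 21+; the class name and the single allowed host are assumptions for the example.

```kotlin
import android.content.Intent
import android.util.Log
import android.webkit.WebResourceRequest
import android.webkit.WebView
import androidx.webkit.WebViewClientCompat

// Added example: only follow navigations the user actually tapped, and only
// within the host the screen was opened for.
class GestureGatedWebViewClient(private val allowedHost: String) : WebViewClientCompat() {

    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        val url = request.url

        // No user gesture behind this request: a script changed the location
        // (window.location = ..., meta refresh, injected redirect). Do not load it.
        if (!request.hasGesture()) {
            Log.w("WebViewClient", "blocked non-gesture navigation to ${url.host}")
            return true            // true = handled here, the WebView does not load the URL
        }

        // A tapped link inside our own host over https is allowed to load in the WebView.
        if (url.scheme == "https" && url.host.equals(allowedHost, ignoreCase = true)) {
            return false           // false = let the WebView load it
        }

        // Anything else the user tapped goes to the system browser, not into our WebView.
        view.context.startActivity(Intent(Intent.ACTION_VIEW, url))
        return true
    }
}
```

Usage: `webView.webViewClient = GestureGatedWebViewClient("example.com")` (the host is a placeholder). The framework may report hasGesture() as false for some requests that did originate from a tap, such as server-side redirects that follow a click, so log what gets blocked and test the pages you host before shipping this to users.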

Continue reading

Moving apps

TL;DR This article fills in some of the gaps in the official docs and adds rationale for why you should consider moving your app to a non-human Google account.

Google offers the ability to move/transfer one or many apps from one Google account to another. But before you transfer, I highly recommend reading the official docs on how to transfer apps to a different developer account here.

Why transfer?

Are you using your personal Google account for apps?

If your app(s) are associated with your personal Google account you run the risk of having your access to Gmail, Google Photos and Drive blocked if your Google Play account is suspended due to a breach of the Play content policy. The thought of losing access to my emails and family photos is a very frightening prospect. You might think you’ll never be in breach, and maybe you’re right, but remember the Play content policy is frequently updated and you have to ask yourself how closely you read the updates. I ran into policy breaches a few times and none of the apps I’ve released are particularly risky. The first app that I wrote to get my first Android job was a wallpaper changer based on geotagged Flickr photos and the user’s location. It was pulled due to copyright infringement (I mistakenly used Flickr’s logo and name). So it’s certainly worth considering moving them to a separate Google account.


What if the account owner leaves your organisation?

Recently at work the first Android developer left for greener pastures. I mention first because he was the only one in the Android team and registered his work Google account as the Google Play Developer owner, which I’m sure happens a lot. When he left the company a few weeks ago his Google account was deactivated, as you’d expect. However, because that account was the owner on Google Play we *lost* all access to the Google Play console 😱😱😱. Thankfully we were able to restore his Google account, which restored our access. But keeping an ex-employee’s account active just for this would be less than ideal.

Continue reading

I attended Google I/O for the first time in May 2017 and had an absolute blast! It is by far the best conference I’ve attended. Google listened to the gripes of last year’s I/O at Shoreline and fixed all the niggles. But what does it cost to attend? I’d estimated a total cost of around £2K and after totalling up receipts, I’m reasonably happy to see that I was near the estimate.

Of course this is highly individual, based on my experiences this year and the current USD to GBP ratio, but I hope it serves as an indicator for others. Here are the rough, rounded numbers.

  • Flights LHR to SFO:  ~£450  
  • Airport transfers UK: £50
  • Airport transfers US: £60
  • AirBnb (split between 4):  £350
  • Taxi/Uber to/from Shoreline: £55
  • Other food/beer (not at I/O): £150
  • I/O Ticket price £950*  

Total: ~£2065

*Disclaimer: As a GDE for Android I am fortunate to get a complimentary I/O ticket. However I thought this article would be more useful if I included the ticket price in the main total.


  • I was able to share uber a few times to cut down some of the travel costs.
  • Didn’t factor in lost earnings for the 5 days not working (or the reduced efficiency the week after with jet lag)
  • Haven’t included some leisure activities at weekend like bike hire, Makers faire and travelling to/from San Francisco as I figured it’s purely what I got up to and not indicative of costs for others.

Tips and tricks to cut costs:

  • Remember there’s near-unlimited free food, drink, snacks and beer/wine at Google I/O, so on an I/O day you shouldn’t need much else.
  • After researching flights, I discovered you can fly into San Francisco (SFO) or San Jose (SJC). SJC is closer but SFO is often cheaper. I did a fair bit of checking of different flight options to get the flights for £450. This is £200 cheaper than LHR to SJC.
    • Also see if flying back on a different day helps; I found that returning on the Sunday night saved £1000!!! over a flight on the Friday evening.
  • Book accommodation nearer to bus drop-off locations, i.e. Mountain View Caltrain. This is so I could take advantage of the free Google I/O buses.
  • Sharing an AirBnb brought the accommodation costs down. Nearby hotels wanted $200 per night.
  • If you’re in a permanent role try to convince your employer to cover some of the costs in exchange for things like blog articles and knowledge transfer sessions.
  • If you’re an independent contractor consider working the weekend to recover some lost earnings.
  • Monzo card for fee-free payments in USD and ATM withdrawals (always pay in USD and don’t let the ATM/ePOS do the conversion).


Recently I needed to work with OpenSSL in C/C++ on Android and I couldn’t find a simple way of including it. I looked at The Guardian Project’s OpenSSL for Android but it was very out of date. That’s when I decided to compile OpenSSL myself. This could have been a minefield but luckily there’s a pre-configured build script that only requires a few modifications. This article aims to cover those modifications and how to integrate the compiled OpenSSL files into an NDK project.

openssl_for_ios_and_android tools/script via github

I’ve uploaded my minor changes (no-zlib compile option) to this fork.

NOTE: for my purposes I only needed libcrypto and libssl as I was focused on local-only encryption. If you’re looking to use networking in C/C++ then you may also need to compile/include curl.

Step 1: Downloads

If you’re new to the NDK check out this Intro to C for Android developers article and the official docs

Step 2: Prep build environment/script

Add ANDROID_NDK environment variable

Add the following line to ~/.bash_profile

export ANDROID_NDK=<path to NDK bundle>

update to use the downloaded openssl version

~line 20 LIB_NAME="openssl-1.0.2k" to the version you downloaded LIB_NAME="openssl-1.1.0e"

update to change the zlib compile option

Change the zlib compile option to no-zlib (if you are not using the scottyab fork). Without this change I had a build failure, app:externalNativeBuildDebug failed with various cmake errors, e.g. `c_zlib.c:(.text+0xbc): undefined reference to deflate`. Based on recommendations from this SO issue.

~Line 53 zlib \ to no-zlib \

Step 3: build

Start the build $ ./

Step 4: Copy output to your Android NDK project

  • Copy the runtimes you want to support, e.g. arm, x86, mips, from openssl_for_ios_and_android/output to <project root>/distribution/openssl.
  • Rename the directories to remove the openssl- prefix.

Step 5: update the CMakeLists.txt file

I used the NDK Samples app Hello-libs as the basis for my NDK project setup, where the native-lib cpp file and CMakeLists.txt are already created/set up.

  • Add the following lines (the references to native-lib are the target where your C++ code will likely be)

# configure import libs (CMake comments use #, not //)
set(distribution_DIR ${CMAKE_SOURCE_DIR}/../../../../distribution)

# add the OpenSSL crypto lib
add_library(libcrypto STATIC IMPORTED)
set_target_properties(libcrypto PROPERTIES IMPORTED_LOCATION
    ${distribution_DIR}/openssl/${ANDROID_ABI}/lib/libcrypto.a)

# add the OpenSSL ssl lib (same layout as libcrypto in the script's output)
add_library(libssl STATIC IMPORTED)
set_target_properties(libssl PROPERTIES IMPORTED_LOCATION
    ${distribution_DIR}/openssl/${ANDROID_ABI}/lib/libssl.a)

# add to target_include_directories (the headers copied alongside lib/)
target_include_directories(native-lib PRIVATE
    ${distribution_DIR}/openssl/${ANDROID_ABI}/include)

# add to target_link_libraries
target_link_libraries( # Specifies the target library.
    native-lib

    # Links the OpenSSL libs; libssl depends on libcrypto, so it comes first
    libssl
    libcrypto

    ${log-lib} )

Step 6: Finish / Build in gradle

That’s it, you should be good to go and ready to start using OpenSSL in your C and C++ files.

./gradlew assemble

I recently completed this question as part of a job application and thought I’d share my thoughts.

Inbox by Google

On the surface just another email client, right? But no, there are a lot of non-obvious niceties that save time and reduce your time in the app so you can go about your day. Gestures are one of the key elements in Inbox’s design that I love. Swiping down to close an email just feels natural and makes one-handed use effortless. Also, from the inbox list, swiping emails or bundles left/right either dismisses them or marks them for a reminder.

I heavily rely on pinning messages that require further thought/actions and so being able to switch to show only pinned messages straight from the app bar saves me digging through menus.

The dynamic quick responses are often spookily accurate to my replies, which again saves time. Another time saver is the dynamic recent contacts list (with profile photos for quick recognition) that appears in the FAB sub-menu.

I haven’t achieved a regular inbox zero, but I did once and instead of just an empty list Inbox shows a lovely full-page happy graphic which feels like a reward/achievement in a game.

In a nutshell the niceties and time saving subtle features turn a mundane email app into something very special.

Slides and links (below) from my “What’s NNNNNNNNew in Android Security” talk at Droidcon London. The video via SkillsMatter is here.


Training and Developer Docs

Would you like me to speak at your conference or meetup? If so please get in contact.

Any questions, please drop me an email or tweet.


Droidcon London is one of my favourite conferences with its wall-to-wall Android theme. I’ve spoken 3 times over the past 6 years or so and I’m super excited to be speaking this year after a break of a couple of years. I tend to speak about Android security because it’s an area of app development that isn’t often prioritised highly enough. Mobile security comes with its own set of challenges, where devices and data are physically at more risk than in a traditional PC/laptop environment.

In addition to checking out the other security talks I’m keen to learn tips and quick wins for view animations and screen transitions. Also top of my list is learning from real world experiences and lessons learnt using different architectural approaches such as MVP and Clean architecture. I’m looking forward to getting to grips with Kotlin based on the news that Kotlin is supported for build scripts in Gradle 3.0. 


My Talk – What’s NNNNNNew in Android Security?

As you might guess from the name, the talk is all about the new security features in the most recent version of Android: Nougat, aka N.


Who should come to it?

There were several notable security updates in Android Nougat and in this talk I’ve distilled the information specially for busy developers who don’t have a lot of time to invest in learning new APIs. I’m personally most excited about Android 7’s Network Security Config. It’s an easy way to increase your app’s network security without writing any code (just XML-based config). I’ll show you the most likely things you’d use it for with code samples, for example allowing self-signed certificates for a development API, and SSL pinning.

See you there!

Also watch @scottyab and speakerdeck profile for the slides 

Thanks to Matt Rollings, Niall Scott and Andy Barber for proofreading feedback.

ConfConf, as you might have guessed from the name, is a conference about conferences (how meta!), specifically how to run them better! It’s a small single-track conference based on professional event organisers sharing their top tips on making the best conferences.

Top 5 tips for running your first technical conference

At SWmobile (a meetup group which I co-run) we’ve talked a little about running our own conference. Here’s the top tips I picked up for others also looking to do this:

  • Independent and for profit – The conference should be independent financially from any non-profit group and the aim should be to make a profit with the conference. This separation helps focus the effort required to setup and run a conference. I thought a good suggestion was to aim to run it for 3 years and if it’s not profitable after 3 years to abandon.
  • Ticket price – The super secret but also simple ticket price calculator should be the total costs / total number of tickets. It’s important not to include sponsor money and so the focus of the marketing is ticket sales. Any money you get from the partners you get on board will increase the chances of it being profitable and allow you to improve things like swag, free beers etc
  • One day only – One day conferences have tended to be more popular recently as it helps keep cost down and it’s easier to convince bosses for the time off to attend.
  • WiFi – Get this right! Don’t skimp or rely on the venue’s setup. Sure they’ll say they have a great network but remember this is a tech conference and most attendees will have multiple devices. Rule of thumb: 2.7 devices per attendee. Great article from last year’s ConfConf.
  • Ditch lunch – Don’t bother with lunch; catering costs a lot and is generally crappy quality. This really hit home for me as I cannot think of a conference I’ve attended where the food was good. It’s also one of the main things people moan about! ConfConf’s lunch was fairly standard meeting food, which was above average for a conference. However they did win the day by pulling out afternoon cream tea!


Top 5 tips for monthly meetups

This is geared up for monthly, free to attend meetup groups such as SWmobile. This list is geared more to the sorts of things I think we can improve on so your mileage may vary. 

  • Sponsors == Partners – referring to and treating sponsors as partners helps emphasise they are more than just giving money. By working together you can use their ‘reach’ to promote your events.
  • Improve speaker management – Be up front about talk timings, whether costs are covered, venue directions, uniqueness of talk, number of attendees, type of audience, who to call in emergency, and in general communicating better before and after an event. 
  • Open a CFP – have a Call For Papers [CFP] for monthly meetups where prospective speakers can easily submit talks. Allow them to indicate if they are new to speaking as this allows you to mix up evenings with pro and newbie speakers. As with the speaker management point above, be sure to include on the CFP things like the typical location of meetups, average number of attendees and attendee skill/experience level.
  • Create a Code of Conduct policy – If you already have a code of conduct like we do at SWmobile, that’s a great start. But what happens when a complaint or issue is raised? This is where a policy comes in. Be sure to ensure all organisers/volunteers are briefed on this.
  • Video promo reel – Recording talks is a good way to allow people who couldn’t attend to watch the talk. They also serve as a way to promote the group. However recording and editing can be costly and time consuming. A better use of video would be a promo reel to promote the group and ideally a separate video tailored to prospective speakers, members and partners.

As I mention in my tweet above, I had tons of notes and this is just a small portion of the knowledge gained. I’d definitely recommend it to technical meetup and conference organisers. Hope to attend next year! Also, more tips can be found on the ConfConf blog.


I had a great time at the MCE conference in Warsaw, Poland in April. I’d recommend MCE as a mobile conference; I attended both Android and iOS talks and they were all high quality. Also, all the people I met were very friendly and spoke great English. I was introduced to Polish vodka and some tasty Polish food. Thanks to the organisers for inviting me and I hope to attend again.

In this presentation I share a story of a recent Android app I developed where app security wasn’t prioritised and how I still provided a minimal level of security to protect the app’s users and developer reputation.

For those wondering why my t-shirt has a mantis shrimp on it, check out this awesome Oatmeal comic.