I'd like to allow specific third party developers to write plugins for my app without them accessing my app's main source code. And without me accessing their plugin code.
These plugins would extend specific classes, which the main app would scan for, register, and execute dynamically. I have this part working in a project with dynamic feature modules (DFM's), however so far these are all signed by the same cert and built together, by me.
However, the ask is that we each don't see each other's code. I believe you can only execute code in another package which was signed by the same cert.. so herein lies the issue.
I can definitely expose some code for them (the abstract classes / interfaces they'd be extending), but don't want to expose much more than that.
I'm thinking along the lines of a public api module + a private app module, but need help filling in the details as to who builds what with who's certificate. Any good ways to get this done?
Thanks..
Related
I searched a little about this here but didn't found anything that helps me, maybe because it's impossible but I need confirmation.
The situation is the following:
I have an android app that integrate with many mobile POS, these card machines, and because I have many classes to integrate with these machines, the app became heavy for some POS stores, like Stone.
I saw that it's possible to impplement the libs modules and dependencies for specific flavors with android, so I would generate an specific appp, with just the classes that this integration use and nothing more, but I have everything together now, just like in the pics.
And when I build an app that will be used with Stone, for example, it will put all integrations in the JS interface.
I stated changing it, imlementing by flavor but as the implementation is per integration now, the Cielo class starts having problems with its dependencies because, as the app will be for Stone, it doesn't download the Cielo dependencies. The generation process crash.
When I started changing the structure, I manage to make the gradle build work, but after that, everything crashes.
There is something I can do ? Maybe impost only when the Cielo package really exists, or something like that.
If its needed to change the entire structure, it's ok, I just need to make it smaller but still in one place.
Thanks!
I tried useing flavors and separating the source sets alongside main directory, like:
-main
--assets
--java
-cielo
--java
-stone
bus it still have a problem when building because the import inside my main class.
You can split your application to multiple parts:
Main application which implements the app's features except an integration.
Android service API which defines API between the main application and an integration service
Integration services one for every platform. Each service have to implement API from point 2 to provide required contracts to the main application.
Finally you can deploy the main app and only one required integration service.
Background: I have an android application that has been published in GooglePlay and I want to create SDK from that existing application so that others can use it as a library inside their apps.
So far: I was able to generate .ARR file from the existing app source code with little tweaks. and it is working pretty good.
The problem: is I have some sensitive information stored inside my app
since I made .arr file from my app codebase I'm little worried that they can easily get access to my SharedPreferenceManager (util class of mine to deal with SharedPreference) DataBaseManager so on and they can subclass library class and tweak the behaviors
So How can I avoid library users not to misuse my library to exploit my existing app?
is there any other way to export my app as a library?
The basic process would be as follows:
Figure out what you want to expose in your SDK
Move all of this into an android library module
Deploy the AAR
Can you explain a little more what you mean by "I'm little worried that they can easily get access to my SharedPreferenceManager (util class of mine to deal with SharedPreference) DataBaseManager so on and they can subclass library class and tweak the behaviors" ?
You can always utilize obfuscation techniques and finalize classes to make it difficult. I don't think you can guarantee absolutely no misuse, but I am not sure how this would effect your application. If you have a server, for instance, then you would still control the software there and be able to sanitize and sort through the input.
I would like to determine which third-party SDKs (like Mixpanel, Google Analytics, Facebook SDKs) are being used in an app, if any. Is there a way to find this out?
Assume for the purposes of this question that I am not the developer of the app, and therefore I don't have access to the source code.
You can use a service like Appbrain to find that out. It's free for the first few lookups.
It's not possible to reliably enumerate the libraries used by an application, for a few reasons.
The main reason is obfuscation: If a user turns on Proguard or R8, they will rename the library's classes, potentially in such a way as to make them unrecognizable.
Another reason is that there's simply not a comprehensive list of every Android library in existence, or a mapping of class names to libraries.
However, if you did want to try to do this, you'd want to retrieve the application's class files and then hunt through them for the start of package names from libraries you care about (as obfuscators are less likely to rename the entirety package names, though they still might). For example, if you wanted to see if an application uses okhttp3, you'd look to see if there are is an okhttp/okhttp3 folder (for the package okhttp.okhttp3).
You could maybe even automate this by finding a list of popular Maven/Gradle packages, downloading them, extracting the class names, and using that as your dataset.
I want to use a library in my project. But I do not want this library to have permissions to access files, database or download something from the network in my application. How can I achieve my aim?
The library is provided by others, I need to use some function in it, but I do not want it to have permission to hack my app. Maybe I need something like a sandbox to run this library, but I do not know how to achieve this.
If you are embedding the library (JAR or .so) in your app, then you cannot limit its access. The library code is running in the context of your app and is effectively "linked" with your code. It has access to anything your app's process does since it is running within it.
If you want separation, you would need to isolate the library into another APK package and interface with that package via binder or Intent. Even then, you would need to ensure the other package was not using shared user IDs (which is the default) and you would probably want to sign it with a different key.
Currently I am working on an application aimed to small local businesses, which serves as a template for other applications (other stores). The base application allows local stores to send notifications to their customers, depending on the business context, notifications can be to report promotions, inform a client that he can pick up his order at the store, notices of new products in the store, etc ... What I do is work on the template for each client and then customize the appearance of the application in the background but the functionality is the same for everyone. My problem is that every time we have more businesses interested in the application and the problem arises when I find bugs or want further improvements, and to update the code in each of the applications can be hell (open each project, add the lines code, recompile, etc ...), and also publish new applications involves a great job because I have to change namespaces whole project, change the authority of the content provider, update references to the namespace associated with the template, etc. ...
Is there any way that I provide update and / or add portions of code in the original template and the changes are automatically reflected in all projects generated from the template?
I have understood Apache Ant can help with the compiling process of large project with many dependencies, but could be useful in the context of my problem?
The solution that I can think of right now is to create a project library and then put everything common to projects, including resources and Activities. The problem is that for example the application Content Provider could not go there because I need to have a single authority in the Manifiest defined for each application.
In advance thank you very much for taking the time to read my message. Any help or advice is welcome. Thank you again.
My question is there any way that I provide update and / or add portions of code in the original template and the changes are automatically reflected in all projects generated from the template?
Make the core code be an Android library project, and use that library project in all the customer apps.
The solution that I can think of right now is to create a project library and then put everything common to projects, including resources and Activities.
Correct.
The problem is that for example the application Content Provider could not go there because I need to have a single authority in the Manifiest defined for each application.
Your ContentProvider implementation can go in the library project. Your customer-specific project will need the <provider> element in the manifest, with a unique authority, pointing to the ContentProvider class from the library.