Code Audit for Android/iOS - android

I have just been given a task at work to help audit a code base for a mobile app. I am not a mobile app programmer, although I've been a software developer for many years now, but know nothing about mobile apps. I was wondering if there's any tips or tools that I can use for this code audit.
I have seen the replies to this older post for a Java EE application, which can't be applied to my case since they're mostly based on having maven to build the app and in my case they use Gradle. Also these replies are from 2011 and perhaps there are more recent ones I'd really be very grateful to hear about.

In itself, the fact of appointing someone with no experience in the target environment seems like complete nonsense to me, so I'd question the management here.
I do hope for you that you know at the very least the languages these apps are written in: probably Java for Android & Objective-C for iOS (your question didn't mention what technologies your past experience concerned). If not, you're bound to just make remarks about comments, file size, and maybe some about naming conventions, which is of little interest compared to a real audit.
Beyond programming languages, iOS and Android are designed in very different ways, with different conventions & patterns. I actually know very few people who are really good in both environments, and there's a reason for this: these are different worlds, each of which you can easily spend your whole time on to learn APIs, common libraries, design philosophy, work-arounds for common issues, and understand a bit of how the internals work.
I don't know how much time you have to perform this task, but I'd suggest you learn how to code a basic app on the target environment, and learn about the key components.
My approach is generally:
gather some context from the team
get the source
build the app & get a taste of what it's doing (I usually hand-draw a screen flow diagram at this stage, it's useful later when you navigate in the code), also take note of bugs, slow features, non-user-friendly stuff (feedback is important to the team)
go to the source code, examine its macroscopic layout:
. look at the build scripts to see what external libs it's using
. take note of the general package hierarchy, check that the naming is consistent, that packages are not overloaded with junk
. look generally at the class naming: is it consistent? do class names help figure out what's actually inside
. do some basic stats about file sizes: it's something that can quickly indicate some design flaws
now about the code in itself:
. read it until satisfied that you understand the general way it works (drawing a technical flow diagram helps); I like to start with the app entry-point (generally an activity in Android)
. make sure you spot how what you read achieves what you saw while testing the app
. take note of bad coding habits you spot while reading (naming, comments, it can be anything: there's no limit to how bad the code can be ^^)
. take note of unreadable/overly-complex bits of code (but don't spend days just to understand them)
. if you had noticed slow features in the app, it might be worth looking at those bits of code a little more carefully
. have a good night's sleep, then re-read all your notes, and try to extract some high-level remarks about the application design
Now, specifically for Android, here is the most common list of things to look for, based on my experience:
components life-cycle handling issues (for components like activities, services, fragments and such): symptoms include device rotation and application switches causing issues
thread handling issues (things done on the UI thread, when they should really run in background)
massive activities / services (many people think that creating activities / fragments / services is all that's required in terms of architecture - it is true only for very simple apps)
I won't go further into the specifics, because people a lot more intelligent than me wrote books about this. And you have to code apps to really get a grasp of those subjects: a lot of them, so that's what you should start with: code apps yourself; otherwise: 1/ your audit will be irrelevant, 2/ the team will spot your lack of skills pretty fast - depending on the aim of this audit, you might have a very hard time facing them...
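The "macroscopic layout" steps above (read the build scripts for external libs, do basic stats on file sizes, check the package hierarchy) are easy to script, and for a security review the dependency inventory is the part worth automating first: every third-party library that ships in the release build is attack surface, and an unpinned version (Gradle's `+` or a range) means the artifact under review may not be the one that gets built later. The following script is an added example, not code from the answer above or from any project; the `build.gradle` text and the in-memory source tree are constructed sample inputs, and the regexes deliberately handle only the common `configuration 'group:artifact:version'` form, reporting anything else (`project(...)`, `fileTree(...)`) for manual review rather than silently skipping it.

```python
import re
from collections import Counter

# Constructed sample build.gradle (not from any real project). It mixes pinned
# coordinates, a dynamic "+" version, a debug-only and a test-only dependency,
# and two non-coordinate entries the regex cannot classify on its own.
SAMPLE_BUILD_GRADLE = """
apply plugin: 'com.android.application'

dependencies {
    implementation 'com.squareup.okhttp3:okhttp:4.9.3'
    implementation "com.squareup.retrofit2:retrofit:2.9.0"
    implementation 'com.example.analytics:tracker:+'
    debugImplementation 'com.squareup.leakcanary:leakcanary-android:2.7'
    testImplementation 'junit:junit:4.13.2'
    implementation project(':core')
    implementation fileTree(dir: 'libs', include: ['*.jar'])
}
"""

# dependencies { ... } up to the first line that starts with "}"
BLOCK_RE = re.compile(r"dependencies\s*\{(?P<body>.*?)^\}", re.DOTALL | re.MULTILINE)
# <configuration> 'group:artifact:version' with single or double quotes
DEP_RE = re.compile(
    r"^(?P<conf>[A-Za-z]+)\s+['\"](?P<group>[^:'\"]+):(?P<artifact>[^:'\"]+):(?P<version>[^'\"]+)['\"]"
)
# '+', a version range, or latest.release: the build is not reproducible
DYNAMIC_RE = re.compile(r"\+|^\[|^\(|latest", re.IGNORECASE)


def parse_gradle_dependencies(text):
    """Return (coordinates, unparsed_lines) for every dependencies { } block in text."""
    coords, unparsed = [], []
    for block in BLOCK_RE.finditer(text):
        for line in block.group("body").splitlines():
            line = line.strip()
            if not line or line.startswith("//"):
                continue
            m = DEP_RE.match(line)
            if m:
                dep = m.groupdict()
                dep["dynamic"] = bool(DYNAMIC_RE.search(dep["version"]))
                coords.append(dep)
            else:
                unparsed.append(line)          # project(...), fileTree(...), etc.
    return coords, unparsed


def shipped_third_party(coords):
    """Coordinates that end up in the release build: everything not test- or debug-only."""
    return sorted(
        {f"{d['group']}:{d['artifact']}:{d['version']}"
         for d in coords
         if not d["conf"].lower().startswith(("test", "androidtest", "debug"))}
    )


# Constructed in-memory source tree: path -> source text. Line counts stand in
# for file sizes; on a real checkout the same functions run over os.walk output.
SAMPLE_TREE = {
    "app/src/main/java/com/example/MainActivity.java": "x\n" * 1800,
    "app/src/main/java/com/example/net/ApiClient.java": "x\n" * 220,
    "app/src/main/java/com/example/util/Strings.java": "x\n" * 40,
    "core/src/main/java/com/example/core/Model.java": "x\n" * 95,
}


def oversized_files(tree, threshold=1000):
    """Files above threshold lines, largest first: a cheap signal for the massive
    activities/services the answer above lists as a common Android design flaw."""
    sizes = {path: src.count("\n") for path, src in tree.items()}
    return sorted(((p, n) for p, n in sizes.items() if n > threshold), key=lambda t: -t[1])


def package_histogram(tree):
    """Number of source files per Java package, derived from the path after /java/."""
    hist = Counter()
    for path in tree:
        _, _, rest = path.partition("/java/")
        pkg = rest.rsplit("/", 1)[0].replace("/", ".") if rest else "(no package)"
        hist[pkg] += 1
    return dict(hist)


if __name__ == "__main__":
    coords, unparsed = parse_gradle_dependencies(SAMPLE_BUILD_GRADLE)
    print("shipped third-party libraries:")
    for c in shipped_third_party(coords):
        print("  ", c)
    print("dynamic (unpinned) versions:", [d["artifact"] for d in coords if d["dynamic"]])
    print("entries needing manual review:", unparsed)
    print("oversized files:", oversized_files(SAMPLE_TREE))
    print("files per package:", package_histogram(SAMPLE_TREE))
```

The output of `shipped_third_party` is the list to check against known-vulnerable versions and to ask the team about (who owns the `tracker` artifact, and why it is unpinned); the unparsed entries point at local jars and sibling modules that the same review has to cover by hand.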

Related

multiplatform or android platform alone and desktop alone for Kotlin

I am trying to make a project that is designed for a business and a customer, where the business will be on the desktop side and the customer will be on the Android side.
I was wondering, since both platforms will have unique UI (tabs/services/actions... etc.) that serves their needs:
should I use Kotlin Multiplatform and use as much shared code as possible, or build a standalone app that works separately on each platform and then share information via servers?
are there even other ways to accomplish my goal?
so far here are the most important pros and cons of multiplatform:
+ reduces time consumed
+ ability to share code, which reduces bugs and possible errors.
- still in alpha version (experimental), which means not enough libraries in support.
to be honest the only thing that is stopping me from choosing multiplatform is the "experimental" warning sign, and if I chose to make a desktop app alone I might as well make an Android/iOS app altogether (since the code-sharing ability between Android and iOS is very much reliable), and in that way I would have gained an extra platform for my phone app in return for the added time of development
I really need an answer from any experienced Kotlin developer, and thank you in advance :)
What KMP is intended for is sharing business logic between platforms.
If you have different business logic (business/customer sides) I'm not sure how much you'll be able to share, but the least you can do is data objects: you can share the same objects between business/client/server to make sure your JSON parsing is stable and doesn't require changes in many places.
You'll be able to share a lot of stuff if you choose to share Android business logic with iOS, but note that there are some pitfalls you need to learn, so I'd say you'll spend 2x time for two platforms in the first 1-3 months (the same time as you would for two separate apps), and then you'll be able to make two apps at an average speed of 1.5x time.
Don't forget that the whole UI part will take the same time as for a separate app, so it won't be "free".
Still, if your project is big enough, it should pay off.
As for KMP being experimental: for me it's already stable enough, and I'm using it in my current project for sharing code between iOS/Android/server.
It's in an active development phase, so most of the problems you face will be fixed fast, or you'll get a workaround on the YouTrack.
For the JVM part you lose almost nothing: you have to use native frameworks, but if you need to use JVM dependencies in the shared module, you have to provide alternative code for each other platform (iOS, etc.) using expect/actual.
It has some limitations for the iOS platform. The main one, I think, is that you have to work with a specific memory model: you can't modify objects from different threads, but if you choose your architecture wisely it won't be a big problem.
I think your decision should depend on how much logic code you need to share between different platforms, and if there's a lot, KMP is a good solution.

React-Native cross-platform example write once and use anywhere or DRY?

I am very new to React-Native and love it so far. Really great technology and very impressive tooling. I would like to propose it for use in my company.
However ... react-native examples demoing code-sharing between the Android and iOS platforms are simply nowhere to be found??? All I have found after 3-4 weeks looking into it is a few excellent but iOS-only examples. Below are just a few examples of articles lacking this. Although some of them claim in their title to cover both, they cover only iOS:
https://www.raywenderlich.com/165140/react-native-tutorial-building-ios-android-apps-javascript
https://mentormate.com/blog/react-native-components/
http://www.andevcon.com/news/take-a-crack-at-react-native-with-kyle-banks
https://appendto.com/2016/11/build-a-coffee-finder-app-with-react-native-and-the-yelp-api/
https://reactjs.co/react-native-convention/
https://www.lullabot.com/articles/build-native-ios-and-android-apps-with-react-native
https://code.facebook.com/posts/1189117404435352/react-native-for-android-how-we-built-the-first-cross-platform-react-native-app/
https://medium.com/#MentorMate/best-practices-for-building-an-app-with-react-native-components-7dee3b2b010f
https://code.tutsplus.com/tutorials/creating-a-dictionary-app-using-react-native-for-android--cms-24969
http://facebook.github.io/react-native/docs/tutorial.html
... , this list could continue on and on but it should be enough to demonstrate the lack of good resources I'm talking about.
I understand react-native is cross platform in terms that you can write code for both Android and IOS, that is all clear and great.
But is it sharing the code? In other words, is it DRY? From what I see, it is write once for each platform rather than write once for all platforms. Again, I understand some Views (but not all) are platform specific, but again, there is no example to show even that on both Android and iOS in the same project.
Where is a non-hello-world (real life) example that clearly demonstrates and teaches how to do that? React Native used to have it in version 0.20 or so, but it was removed and replaced with a HelloWorld example? Seriously #Facebook???
As per the links above, lots of React-Native articles out there are titled to cover both platforms but then they only talk about iOS without even mentioning any other platform? Very few talk about Android only, again, not even touching the other platform in the same project. ... and lots of them are outdated!
I understand that the technology is very new (and very good from what I have seen so far, I really love it).
But assuming I have to propose React-Native as a next-gen platform to a company, I do not see any convincing cross-platform, code-sharing examples demoing this for both Android and iOS (UWP??) that could help me learn, understand, build, and demo an example for that proposal.
I am not looking for chatty comments or links to courses but rather examples to show how to do this in more than just CRNA generated HelloWorld app.
Found the answer here https://www.codementor.io/vijayst/build-react-native-retrofitting-ios-app-to-android-gsf5uyl1q in the very first paragraph, and it is exactly what I have been trying to get RN/Facebook to answer, but they ignored the question all the time.
Very disappointing!
So, React Native is not "build-once-use-everywhere" but rather "learn-once-use-everywhere", meaning lots of code duplication. And by everywhere, they mostly mean Android and iOS, although the examples out there are mainly iOS. If they cover both platforms, then it is with almost no code sharing but lots of code duplication.
Although RN claims they can achieve up to 90% code sharing, that is not demonstrated anywhere that I could find. Documentation is very shallow in touching anything, let alone the topic of code-sharing, and the tutorial provided by RN is a HelloWorld, ... yes, seriously. Sad! Although they used to have a better tutorial in an older version (like 0.20 or so).
In terms of recommending RN to a company as a next-gen platform, I see a few issues:
concerning patent license, no answers, no explanations, very obscure and concerning for a company that would consider moving to this; I'd rather say "open-source" under quotation marks. Hopefully this will change, as I see it as a major showstopper for anyone considering adopting this technology. I would say this is no longer applicable, as FB made react-native licensed under MIT as per https://github.com/facebook/react-native/issues/16079
documentation that is very basic without giving depth of explanation. For example, this is react-native site with demo sample to demonstrate code-sharing cross-platform nature (I warn you, it is a HelloWorld example) https://facebook.github.io/react-native/docs/tutorial.html
React Native Community facebook page which is the page where you are supposed to find help and ask question as per react-native site will simply block you if you bring this topic on and will not let you in
even here on SO, questions like this (after extremely thorough and time consuming research) will earn you only downgrades and zero answers or even attempts
examples lack clarity and depth of explanation; it seems like the whole community follows one pattern, copy/paste demonstrating code duplication rather than code sharing
Most examples cover (to the most basic extent) only iOS, although most claim a cross-platform nature on both Android and iOS, with Android being mentioned in the title only and the body covering only iOS
Impossible to ask for help on react-native site
Impossible to suggest improvement on react-native site other than create pull request. In other words, they want you to work for them for free
The framework is cross-platform, that is great, but it is more of a copy/paste (copy from iOS into Android, then modify what needs modification) rather than a code-sharing strategy. Every example I was able to find, and it took me a month, was a violation of the DRY principle in its best form
Although I mentioned the things that bothered me most during my research, I have to say that I hope this technology will thrive and become a clear open-source platform in the future. I really like it and hope someone at #Facebook / #ReactNative will consider these suggestions, or at least provide improvements in the documentation, examples, access to community, place to ask questions and get help, clear licensing, ... all of which I was not able to get after spending a month researching RN.
Perhaps the technology is still not mature enough, which makes sense, it is very new.
Would I recommend it?
To developers yes, definitely. I really like it myself and will spend more time studying it.
To a company? Not really for the reason explained above.
UPDATES - Getting Better :):
... and to add my 2c for anyone who faced the same problem, and to contribute to the community (at least in terms of finding tutorials that talk about both iOS and Android), I will keep posting links I have managed to find so far:
https://differential.com/insights/sharing-code-between-android-and-ios-in-react-native/ is a very basic example. Not really code sharing but rather code duplication, but at least something
https://www.codementor.io/vijayst/build-react-native-retrofitting-ios-app-to-android-gsf5uyl1q, also more of a code copying rather than code sharing but hey... going somewhere
https://hackernoon.com/getting-started-with-react-navigation-the-navigation-solution-for-react-native-ea3f4bd786a4 another good one
This document explains that RN philosophy is "learn once, write anywhere" rather than "write once, run anywhere" http://makeitopen.com/tutorials/building-the-f8-app/design/

Pros and Cons for Haxe and Kivy

I'm looking to develop an application for iOS, Android, Windows Phone and for Desktop no matter if it's web or standalone. Does anyone have experience with Haxe + NME or Kivy that they can share in detail?
I've been looking for something that can deploy to all platforms and these are the 2 best options I seem to have found. I'm not looking to make a game though. It's more like an app with a lot of touch listeners on images. Touch image then hide this, create that, and do a lot of math behind the scenes. I do however need a pathfinding library but pretty much all engines I've worked in had the A-star pathfinding library. I also need a slideView library so users can swap pages like they do on their smartphone desktop. Any information you can share on the following topic is greatly appreciated. Thanks in advance for reading and for any help provided. Sorry for the trouble
no experience with Haxe here, but I can answer for Kivy:
First, Windows Phone is currently unsupported; to my knowledge, no one attempted any port. It's probably doable, but it doesn't exist yet, and no core contributor has a Windows Phone device, so until that changes, or someone with that motivation comes in, there is low probability that it will happen.
For your interactive needs, Kivy would fit the bill pretty easily, being really focused on making touch handling per-widget easy to define. We don't have much information about your math needs; if they are heavy, you'll probably want something like numpy to be usable behind the scenes, and/or use threads to do the heavy lifting without blocking the application. This can totally be done with Kivy, so I see no particular issue there. For A*, there isn't any implementation directly inside Kivy, but you should be able to use a Python implementation (there are dozens out there); if your needs on this side require more performance, you can cythonize it to increase performance, or use a C implementation compiled for each target.
Hope this helps.
Long-time Haxe user here, though personally I mostly use Haxe for web-app projects, not NME as much. Until recently NME's main focus has been (far and away) gaming. There have been a few recent efforts to create nice UI toolkits building on NME's cross-platform strengths:
https://github.com/RealyUniqueName/StablexUI - Demo (works on HTML5, flash, native desktop&mobile)
https://github.com/ianharrigan/haxeui
but they are very recent additions, so if you're looking for a tried and tested solution Kivy (never heard of it before, but looks cool!) looks like it has a bit more maturity and a bit more polish going for it.
In terms of performance and overall reliability, Haxe/NME is great, but it's getting those native-feeling UI widgets that will be your pain point. Other than that though, it's an amazing language to work with :) Python's pretty good as well though... each to their own!
At the time of writing, people are experimenting with using Native UI (there is a talk at the upcoming conference about an Objective C target, and the Java and C# targets are becoming more mature, so there are your 3 main mobile platforms covered) so that could be an option if you want native ui components, though it's not ready yet, this is me just hoping that it might become reality over the next year or so :)
Good luck with your project either way! If you do choose to go with Haxe/NME, be sure to ask questions (either here, the NME forums, or the Haxe mailing list) so that people can help you on your way.

Cross Mobile Options

I created an Android app. While creating one specific app was an interesting challenge, I'm now looking into creating a group of similar apps.
I'd like to create a group of similar Android apps and then move on to creating the same on tablets and iOS... (anything mobile).
I've considered doing so with a product called PhoneGap or doing a web based mobile app. Both of these options seem less than ideal. Doing the Android app I've been frustrated by Java's lack of control and low level constructs. Moving to something like a web based app seems like the exact wrong direction.
C++ is my language of choice. It has the ability to work at a low level, is highly portable across platforms, and has significant support for generic coding which would be useful for generating a group of similar apps. However, the Android documentation suggests to not use C++ unless your goal is porting existing code or dealing with computationally heavy tasks.
I'm leaning towards using C++ anyway, but are there other options I've not considered?
Thanks
You could in theory write your logic in C++ and then have UI layers on top that make use of it. If you are really comfortable with C++ that might be the way to go.
Almost any other parts (networking, UI, animation, etc) are better off being done in the native language of the platform. Use of cross platform solutions always limits you in some way, and usually leads to an application that is not as good as it could be for any platform.
Well, Google's recommendation to not use C++ is based on the following, I believe. C++ is low level, so you can get extra performance out of it if you know what you are doing. Google makes the reasonable assumption that many programmers do not. It is easier for an inexperienced programmer to do harm in C++ than to get a performance boost.
But, if you know what you are doing, it can help you. UI elements on both iOS and Android are implemented in their main language (obj-c, and Java respectively) so there is not a great way around that, but you can write core logic and other functions in C++ and it will be portable between them (iOS can use C++ directly and Android can use it via the Native Development Kit).
There are a few other options available. The one I ended up using is Appcelerator Titanium but please stay away from it. If your project gets complicated or large at all you will hate yourself for choosing it, as I did. Another interesting one that uses C++ instead of Javascript is Marmalade. I haven't used it though, so I can't comment on it.
A non-free solution that I hear good things about is Xamarin, who have ported both environments to C# and a .NET using Mono. However, you still have to write two versions of your code for the UI as far as I can tell.

Can an app be monitored for security?

A coworker and I were talking (after a fashion) about an article I read (HTC permission security risk). Basically, the argument came down to whether or not it was possible to log every action that an application was doing. Then someone (an abstract theoretical person) would go through and see if the app was doing what it was supposed to do and not trying to be all malicious like.
I have been programming in Android for a year now, and as far as I know if -- if -- that was possible, you would have to hack Dalvik and output what each process was doing. Even if you were to do that, I think it would be completely indecipherable because of the sheer amount of stuff each process was doing.
Can I get some input one way or the other? Is it completely impractical to even attempt to log what a foreign application is doing?
I have been programming in Android for a year now, and as far as I know if -- if -- that was possible, you would have to hack Dalvik and output what each process was doing.
Not so much "hack Dalvik" but "hack the android.* class library, and perhaps a few other things (e.g., java.net)".
Even if you were to do that, I think it would be completely indecipherable because of the sheer amount of stuff each process was doing.
You might be able to do some fancy pattern matching or something on the output -- given that you have determined patterns of inappropriate actions. Of course, there is also the small matter of having to manually test the app (to generate the output).
Is it completely impractical to even attempt to log what a foreign application is doing?
From an SDK app? I damn well hope so.
From a device running a modded firmware with the aforementioned changes? I'd say it is impractical unless you have a fairly decent-sized development team, at which point it is merely expensive.
This is both possible and practical if you are compiling your own ROM. Android is based on Linux and I know several projects like this for Linux, like Linux Trace Toolkit. I also know of research into visualizing the results and detecting malicious apps from the results as well.
Another thing functionality like this is often used for is performance and reliability monitoring. You can read about the DTrace functionality in Solaris to learn more about how this sort of stuff is used in business rather than academia.
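The answers above agree on the shape of the problem: an instrumented `android.*`/`java.net` class library (or a kernel tracer in a custom ROM) produces a very large event stream, and the only way to make it useful is to match it against patterns of inappropriate behaviour you have defined in advance. The following is an added example, not code from either answer, of what that matching step looks like. The trace format (`<ms> <package> <api> [<detail>]`) and the seven trace lines are constructed for the example; a real instrumented library would emit its own format, and the API names used as sources and sinks are only the hooks such a build would plausibly have to log. The pattern is the classic privacy-leak one: a read of a sensitive source followed, within a short window, by a network connection from the same package.

```python
import re
from collections import defaultdict

# Constructed trace: "<ms> <package> <api>[ <detail>]". Three apps, one of which
# reads the device ID and the contacts provider and then posts to a cleartext URL.
SAMPLE_TRACE = """\
1000 com.example.flashlight android.telephony.TelephonyManager.getDeviceId
1020 com.example.flashlight android.content.ContentResolver.query content://com.android.contacts/contacts
1350 com.example.flashlight java.net.HttpURLConnection.connect http://collect.example.net/upload
2000 com.example.notes android.content.ContentResolver.query content://com.android.contacts/contacts
9000 com.example.notes java.net.HttpURLConnection.connect https://sync.example.org/
5000 com.example.weather android.location.LocationManager.getLastKnownLocation
5100 com.example.weather java.net.HttpURLConnection.connect https://api.weather.example/forecast
"""

# Hooks an instrumented class library would plausibly log (assumed for the example).
SENSITIVE_SOURCES = {
    "android.telephony.TelephonyManager.getDeviceId": "device identifier",
    "android.location.LocationManager.getLastKnownLocation": "location",
}
CONTENT_QUERY = "android.content.ContentResolver.query"
SENSITIVE_URIS = ("content://com.android.contacts", "content://sms")
NETWORK_SINKS = {"java.net.HttpURLConnection.connect", "java.net.Socket.connect"}

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<pkg>\S+)\s+(?P<api>\S+)(?:\s+(?P<detail>.*))?$")


def parse_trace(text):
    """Parse trace lines into dicts; malformed lines are dropped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            ev["detail"] = ev["detail"] or ""
            events.append(ev)
    return events


def classify(ev):
    """Return ('source', label), ('sink', destination) or None for uninteresting calls."""
    api, detail = ev["api"], ev["detail"]
    if api in NETWORK_SINKS:
        return "sink", detail
    if api == CONTENT_QUERY:
        # Only some content providers are sensitive; the URI decides.
        return ("source", "contacts/sms (" + detail + ")") if detail.startswith(SENSITIVE_URIS) else None
    if api in SENSITIVE_SOURCES:
        return "source", SENSITIVE_SOURCES[api]
    return None


def find_exfil_patterns(events, window_ms=1000):
    """Per package: every network connection preceded within window_ms by one or more
    sensitive reads. A finding lists the reads, the destination, and whether the
    destination is cleartext http://, which makes interception trivial as well."""
    recent_reads = defaultdict(list)   # pkg -> [(ts, label)] still inside the window
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind is None:
            continue
        what, label = kind
        pkg = ev["pkg"]
        # Drop reads that are older than the window relative to this event.
        recent_reads[pkg] = [(t, l) for t, l in recent_reads[pkg] if ev["ts"] - t <= window_ms]
        if what == "source":
            recent_reads[pkg].append((ev["ts"], label))
        elif recent_reads[pkg]:
            findings.append({
                "pkg": pkg,
                "reads": [l for _, l in recent_reads[pkg]],
                "dest": label,
                "cleartext": label.startswith("http://"),
            })
    return findings


if __name__ == "__main__":
    for f in find_exfil_patterns(parse_trace(SAMPLE_TRACE)):
        flag = " (CLEARTEXT)" if f["cleartext"] else ""
        print(f"{f['pkg']}: {', '.join(f['reads'])} -> {f['dest']}{flag}")
```

Note that the weather app is flagged too: reading the location and sending it to a forecast API is exactly what it is for. That is the point the first answer makes about needing predetermined patterns of inappropriate actions and a human in the loop: the trace tells you what the app did, and only the comparison against what it is supposed to do (its stated purpose and permissions) turns a match into a finding. Widening `window_ms` trades missed slow exfiltration for more such benign matches.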
