Improving app security and performance on Google Play for years to come

In this post on the official Android blog you can read that, during 2018 and for the long term, all apps published on the Google Play Store must target the latest SDK.

  • In the second half of 2018, Play will require that new apps and app updates target a recent Android API level. This will be required for new apps in August 2018, and for updates to existing apps in November 2018. This is to ensure apps are built on the latest APIs optimized for security and performance.
  • In August 2019, Play will require that new apps and app updates with native libraries provide 64-bit versions in addition to their 32-bit versions.
  • Additionally, in early 2018, Play will start adding a small amount of security metadata on top of each APK to further verify app authenticity. You do not need to take any action for this change.

I leave you to read the whole article on your own; below I quote an explanation of the first point above:

In order to provide users with the best Android experience possible, the Google Play Console will require that apps target a recent API level:

 

  • August 2018: New apps required to target API level 26 (Android 8.0) or higher.
  • November 2018: Updates to existing apps required to target API level 26 or higher.
  • 2019 onwards: Each year the targetSdkVersion requirement will advance. Within one year following each Android dessert release, new apps and app updates will need to target the corresponding API level or higher.

Don’t wait too long! Be prepared.


iOS Simulator and Android Emulator HTTP Proxy

For iOS and Android developers, it’s very important to inspect HTTP/HTTPS traffic in order to get a better understanding of what’s happening during a debugging session.

Over the years, setting a proxy for simulators (or emulators) has become easier and easier, and today I’m pretty happy to show you how to do it on your Mac.

On Windows you could, of course, set a proxy only for Android; I will write a dedicated post for that, and we will use a different proxy program.

But for now we will focus on OS X.

What do we need to do that?

  • BurpSuite (HTTP proxy)
  • Android Studio (for Android developers)
  • Xcode (for iOS developers)

Let’s download BurpSuite free edition from its official site: https://portswigger.net/burp/

After you have installed the program, launch it, choose “Temporary Project” and, for this very first time, “Choose Burp Default”.

Go to Proxy and disable interception, then go to Proxy -> Options and check whether the standard proxy port is okay for you; otherwise change it with the Edit button on the left.

I need to listen on port 8888 instead of port 8080, and for Android we need to add another rule to listen specifically on your Mac’s IP address.

Your final configuration should look like this (except for the IPv4 address 192.168.1.2, because your machine should have a different one).

Then, if you want to save your settings (except for interception, which must be disabled every time you start Burp), you can go to Burp -> Project Options -> Save project options and save them, so that at the next start you can tell Burp to load the settings from the file you saved.

Android

With BurpSuite running, open Android Studio and launch your Emulator.

Open Emulator settings and use a manual configuration for proxy.

Set host as 192.168.1.2 and port as 8888. Save and close.

Open the Browser and go to 192.168.1.2:8888. We need to install the Proxy CA Certificate in order to listen to SSL traffic.

Click the CA Certificate button at the top right and download it.

If your version of Android lets you install it from the Download folder you can try to open it directly from there. Otherwise the path that works in any case is the following one.

Go to the Downloads app, rename cacert.der to cacert.cer and move it to the SD Card.

Then go to Settings -> Security -> Install from SD Card and choose our certificate.

Then click on it and follow the instructions.

Finally, open the Browser and navigate to https://www.google.it; you can now sniff your HTTP and also HTTPS traffic.

We have one final step left: enabling the proxy on the Emulator’s Data Connection as well. This is because we want to sniff the traffic of our apps and not only of the Browser.

And finally, if you have a web call in your application, you can easily inspect it.

Pay attention to the Filter section (the red arrow highlights it), in which by default Burp filters out CSS, images, etc. If you want to see these HTTP calls too, you must enable them by clicking on the filter section and checking the right options.

I hope this helps you, as an Android developer, debug all your REST APIs.

UPDATE: If you target SDK API level 24 or higher, you must follow this configuration for your Android APK in order to be able to sniff SSL traffic: trusting debug CA.
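The configuration referred to in the update, as an added example that is not part of the original post: a Network Security Configuration that trusts user-installed CAs (such as the Burp CA installed above) only in debuggable builds. The file name `res/xml/network_security_config.xml` is the conventional one and is an assumption here.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Assumed location: res/xml/network_security_config.xml
  Referenced from AndroidManifest.xml on the application element:
    <application android:networkSecurityConfig="@xml/network_security_config" ...>
-->
<network-security-config>
    <!--
      debug-overrides applies only when android:debuggable is true,
      so release builds keep the default trust store (system CAs only
      for apps targeting API level 24 or higher).
    -->
    <debug-overrides>
        <trust-anchors>
            <!-- Trust CAs the user installed on the device or emulator,
                 which is where the proxy CA certificate ends up. -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
    <!--
      Do not move the src="user" entry into a base-config block:
      that would make release builds trust any user-installed CA
      and leave production traffic open to interception.
    -->
</network-security-config>
```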

NOTE: on Windows the procedure is exactly the same if you stick with Burp Suite. But in a Windows environment I prefer to use Fiddler from Telerik (http://www.telerik.com/fiddler). You have to make a little change in Fiddler regarding the CA Certificate; I hope to write a post about it soon.

iOS

The iOS Simulator does not have a specific settings section for the proxy. It uses the system proxy, so we have to set the proxy directly in the Advanced settings of our current network interface.

Go to System Preferences -> Network, choose your current interface, click Advanced and go to the Proxy tab to set the proxy settings. In this case, unlike Android, you can use the localhost address.

Set the same configuration for both HTTP and HTTPS. Click OK and save.

Now let’s try:

It works! The only drawback is that, having set a global system proxy, we proxy all the traffic of our Mac, not only that of the simulator as with Android.

Note: If you test, like me, an image HTTP request, check the Filter section of BurpSuite and opt in for images too because, by default, images are filtered out. The Filter section is just below the “HTTP history” tab. You only have to click on it to expand its settings.

In our iOS simulator too, in order to be able to sniff HTTPS traffic, we need to install the BurpSuite CA Certificate.

As we did for the Android emulator, we must open the browser, navigate to http://127.0.0.1:8888 and install the certificate.

Here the process is simpler, but on iOS 11 we need to do one more thing: enable Full Trust from the About settings menu.

And it works!

So we have finished our setup. We can now start coding happier!

NOTE: of course you can also set a proxy on a real device. If you do that (the proxy settings are in the network configuration of the device you use), remember that the device and the PC running the proxy must belong to the same network and must be reachable from each other.
Moreover, if you want to sniff SSL traffic you must install the CA Certificate of the proxy, but that exposes your device to MITM attacks (that is exactly what we do here: we act as a Man In The Middle) if you use it in your real life. So… remember to remove the certificate once done.


Android Studio – Create UI Tests with Espresso Test Recorder

Espresso Test Recorder in Android Studio is still in beta, but it looks veeeery promising! 🙂

With Espresso, as you well know, you can create automated tests on the user interface of our app.

Writing an elaborate test can be laborious. But here Espresso Test Recorder comes to our aid!

Read here!

For example, let’s create a new “Basic Activity” project; if you have Android Studio 2.3 or higher, you will see that Espresso is already set up in the project as described in the documentation.

At this point… magic 🙂

Go to Run –> Record Espresso Test

We click on the “fab” button and assert that the text “hello world” exists! 🙂

And we finish.

Here is our test, all written!!!

In the example you will notice that I clicked (by mistake) twice on the “fab” button.

Well… what can I say… fantastic!

Try it and let me know.

See you next time.

 


Cyanogenmod 13 (Android 6 aka Marshmallow) update

Incredible… today I discovered, to my cost, that Cyanogen is officially rolling out updates to version 13 on all of its ROMs as well.

In fact, today my girlfriend decided that the update her phone was offering had to be done… (but hadn’t we said we would install CyanogenMod precisely to avoid updates?).

She has a Samsung Galaxy S3 (i9300), and after the update “Google Play Services” and “Trebuchet” kept crashing continuously (almost every second!).

So, I wanted to do other things… but I was forced to put on my IT hat at home too…

Managing with difficulty to get into the settings from the drop-down menu you get by swiping down, I was able to follow the advice of many forums to clear the data and cache of “Google Play Services” and “Trebuchet”. While it worked for Trebuchet, it was not as successful for the GPS.

So I downloaded the OpenGApps for Cyanogen 13, but… ClockWorkMod (which is no longer supported) cannot install them.

I had to install TWRP, and to do this I turned on the Windows PC and downloaded Odin 3.09 (beware: there are lots of versions of Odin, the more recent ones, with viruses inside! Please don’t open any .zip or .rar that asks you for a password, and always compute the MD5 of the downloaded file and also scan it with virustotal.com).

So, Odin 3.09 is a .zip containing an .exe and an .ini.

Here I make available the clean version that I used:

SHA256: 9dfb96551a1e71cde26e996993b83fde431d5f3c817ec8d42a146cbbc7706366

VirusTotal Scan Results.

Odin 3.09 Download.

Then I downloaded the TWRP image 2.8.4.0-i9300.tar and finally installed the new recovery loader on the Galaxy S3 – I won’t include the instructions, you can find tons of them on the internet 😉

At this point (I do admire that the new recovery firmware is better than CWM) I manage to install OpenGApps-arm-6-nano.

I wipe Cache+Dalvik.

I reboot the system… even more crashes!!! Wow! What a great day! 😀

At this point I’ll tell you what to do; brace yourselves, because you will have to set up your Google account and all your apps again, but you’ll see that it will work great.

Reboot into recovery mode again and in TWRP go to Wipe –> Advanced –> and wipe Cache, Dalvik and also Data. This will delete all your settings as if it were a factory reset (but not the sdcard! 😉 ).

Reboot and set up your new Galaxy S3 with Marshmallow (Cyanogenmod Edition!).

NOTE: to figure all this out I even preinstalled the whole of Marshmallow with this build from this link.

I hope this saves you some headaches!

 
