Google Android Launches on 7 Inch Tablet PCGoogle Android Launches on 7 Inch Tablet PC

Rumors that Samsung S-pad tablet will run Google Android has gone (In fact, we'd take this with a grain of salt, since there wasn't anything official reported). However, it seems that it's should take a period of time before the so-called Samsung S-pad comes into the market. While Google has confirmed rumors that it will develop an Android-based tablet computer months ago, there is still no sign. However the Chinese manufactures are always full of courage and creativity that they develop the first Google Android tablet PC in the world. And then many android-based tablet PCs are born. Here goes the one.
This 7 inch tablet PC is among the first serials that has adopted Google Android operation system. Compare with those notebooks that have adopted Windows XP or Window 7, this tablet PC will save you trouble and money since Google Android is open source, which means this OS is almost totally free for user and the community will always be updating and programming for this platform. Then this will keep Google Android OS always up-to-date. This is not like that of Microsoft OS, pack too much, more than we desire and cost much, more than we can offer. Mini in size and light in weight, this tablet is really ultra-portable, the right one of so-called UMPC (ultra-mobile PC). Apart from the Google Android OS, this device boasts VIA MW8505 533MHz CPU, supporting WiFi 802.11 b/g. This processor will ensure a smooth operation. With Google Android OS, users can enjoy lots of applications provided by Google, like Google chrome, Google Maps, Google earth, Gmail, Google Talk and others including You Tube. And all these can be conveniently found and download freely in Android Market. You can get what you really need and get rid of the redundant. Be powerful and efficient, but do be simple! This is what "Google" implies!
In a word, adaptive and expandable, this 7 inch high-brightness touch screen pad is fully upgradable! It desires you consideration!

How to Recover Deleted Text From Android Devices

There are a variety of different reasons why an individual would want to recover deleted text messages and other data from their Android cellular device. There are times when people accidentally delete text that they intended on saving for future use, there are numerous individuals that would like to catch cheating partners committing infidelity, employers that are trying to catch thieving employees, and parents that have worries that their teenager is engaging in sexting, bullying, or even using illegal drug substances. Each of these situations can cause a tremendous amount of stress, pain, and excess worrying, and are perfect cases where a cell phone forensic investigation could be beneficial.
When you consult with an expert that performs cell phone forensic investigations on Android cell phone devices, they know how to expertly recover deleted text and other helpful information that can give you the information you need to confront your spouse or partner about the infidelity that they have been engaging in. Besides being able to undelete deleted text, they can also obtain other deleted information that would include the call history that has been removed, device properties, names and telephone numbers of contacts, the browser history of websites that have been visited, data that has been erased from the file system, and any pictures or graphics that have been removed from the cellular device.
The important thing that you should note before trying to recover deleted text messages on your own, is you should never try to use SIM card readers that can be purchased over-the-counter. It is a one in a million chance that you will be able to find one that works just right with your device, and in many cases all they end up doing is completely destroying the very data that you are trying to undelete. Even professionals with tools that cost thousands of dollars generally will need to try several different tools before they find the perfect one that works with a specific cellular device.
If you suspect that your wife is texting another man, or your husband is deleting text messages, it would be worth your while to have an expert recover deleted text and other data from the device so that you will know for sure. What is so great about this type of service is all that you are required to do is send in your Android device and the expert will take care of the rest. Once they have undeleted deleted text and other data, they will send you a disk that contains all of the evidence that was found on the phone.

Top 3 Security Apps For Your Android Phone

Keeping your Android phone safe should be a key concern. You have tons of valuable data that is stored on that. Not only do you not want your personal information getting into the hands of the wrong person. You also do not want to spend money on replacing your phone. You then have to re-enter all of your data into this new phone which is a waste of time. I will show you the apps to keep your phone safe.
Lookout
The Lookout app has tons of security features such as antivirus, a firewall, and intrustion prevention. The best part is that they are extremely lightweight so they do not bog down your phone. Lookout out also helps you if your phone is lost or stolen. You can log into the web interface on any computer and track down your phone. You simply click the locate button and it will show where your phone is on map. Lastly Lookout also comes with data backup. It will back up all of your personal data including contacts, photos, video, e-mail, and text messages.
WaveSecure
WaveSecure is another great security app which is similar to Lookout. WaveSecure lets you lock down your phone from the web interface so that it becomes useless if you have lost your phone. You can also display a message and sound an alarm. Just like Lookout you are also able to track down your phone with WaveSecure. You can set an auto-backup or trigger a backup remotely from the website. The one big feature that WaveSecure offers that Lookout does not is the wipe out feature. You are able to log into the web interface and remotely wipe all the data from your phone.
Protector
Protector is another great app but it's different than the previous 2 apps. Protector allows you to password protect any app on your phone, or any feature of an app. It's a great security program that can be very beneficial for many users. Protector allows you to password protect any Android app. SMS, Gmail, e-mail, Settings, Photos, Calendar, Notepad, Chat...or anything else you can even want to put a password on is an option.
You are even able to protect just particular features of apps if you need to. There is no workaround that will put your apps at danger. Even using a task manager won't prevent the apps from losing their protection. If you try to uninstall the Protector app, you need the pin code to do so!
The only complaint with this app is that there is no pin recovery. If you forget your pin you are totally screwed. That's a big gamble so just make sure you have it somewhere.

iFixIt tears open the Nexus S, discovers curved display’s secrets

iFixIt have shown their love for Google and Samsung’s flagship Gingerbread phone by prying it apart and ripping out their innards.
What’d they find? Well, the feature that most differentiates the Nexus S is its concave screen, which is supposed to be more comfortable to use. You might assume that this screen was some sort of funky curved Super AMOLED panel, but it’s nothing so impressive: rather, the Contour display is just a regular, flat Super AMOLED panel fused to a curved piece of glass.
There’s some other interesting departures. The motherboard is different from the Galaxy S, apparently to accommodate the increased storage capacity as well as the new NFC chips.
Compared to an iPhone, iFixIt were pretty happy with the Nexus S’s repairability, claiming it was easy to teardown. Ultimately, they give it a 7/10 for repairability… a nice change of pace in an increasingly unrepairable sector.
Read more at iFixIt

PlayStation App heading to iPhone and Android platforms

Sony has posted some news on its European Playsation blog that the Japanese company is launching a free Playstation App for iPhone and Android smartphones. However when the app is made available to download you will need at least iPhone iOS 4 or a minimum of Android OS 1.6.
The first version (1.0) will allow you to do the following:

• Check out your PlayStation Network trophies and keep up to date with your friends’ games and online status.
• Discover all the latest games, news and hardware for your PlayStation 3, PSP and PlayStation 2.
• Read all the announcements on the PlayStation.Blog.
• Share your favourite products or news with your friends on Facebook, Twitter or via e-mail.

To start with the app will be available in the following countries: UK, France, Germany, Spain, Italy, and The Netherlands. However the next version will support most SCEE countries and will also let you comment directly on PlayStation.Blog.
Read more at PlayStation.Blog

'Google phone' fever high on eve of Android event

Tuesday, January 5, 2010

By Glenn Chapman, AFP

 

People sit under a Google logo, in 2008.

 

Photographed by:
John Macdougall, AFP

SAN FRANCISCO (AFP) – Google is expected to step into the mobile arena Tuesday with its own Nexus One smartphone in a direct challenge to Apple's heavyweight iPhone handsets.
Google has seized the spotlight in a week when the technology world's attention would typically turn to a premier Consumer Electronics Show that officially begins Thursday in Las Vegas.
"Everybody seems to think it is a Google-supplied phone," Gartner analyst Ken Dulaney said on the eve of what the Internet giant has dubbed an "Android press event" at its Mountain View, California, headquarters.
"It doesn't make any sense. It can't be a true Google phone. I think it is about Android software, but everyone today is guessing."
A true Google phone would be one shipped by the Internet firm, according to the analyst, who believes it is more likely that new generation Android software and applications are being crafted into hardware sold by the manufacturer.
"You could call it a Google phone, but it is not going to be a Google phone," Dulaney said.
"If it really is a Google phone, they are going to make people mad. I don't think they are that stupid."
Google selling its own phone would irk makers of handsets based on Android software.
Internet buzz surrounding Nexus One included some reports by people claiming to have toyed with the touch-screen smartphones.
One reviewer lauded the Nexus One as a worthy rival for the iPhone, while another contended that Google's mastery of software wasn't reflected in the hardware.
The Internet search and advertising giant has already gained a foothold in the market with its Android mobile operating system, featured in a number of phones starting with T-Mobile's G1 in October 2008 and more recently with the Droid from Motorola.
But the Nexus One, designed by Taiwanese handset maker HTC, represents a significant departure in that Google is expected to sell the Google-branded phone directly to consumers who will not be tied to any one telecom carrier.
Apple's popular iPhone, for example, is available exclusively in the United States through AT&T, but buyers of the "Google phone" will reportedly have their choice of wireless carriers.
Technology blog Gizmodo, citing leaked documents, said the Nexus One will cost 530 dollars "unlocked" -- meaning it isn't tied to a specific carrier -- or 180 dollars with a two-year service agreement with T-Mobile, a subsidiary of Germany's Deutsche Telekom AG.
Google has been coy about any plans to jump headfirst into the fast-growing smartphone market, dropping hints but not confirming its intentions outright.
Agence France-Presse and other media outlets have been invited to a press event on Tuesday at Google headquarters.
"With the launch of the first Android-powered device just over a year ago, we've seen how a powerful, open platform can spur mobile product innovation," the invitation said. "And this is just the beginning of what's possible."
Among the hints dropped by Google was a blog post last month in which the company said employees were testing a mobile product internally in an exercise known in the industry as "dogfooding."
Google's plunge into the smartphone market has drawn a mixed reaction.
"It looks like Google is moving to see if they can do the Apple thing," said analyst Rob Enderle, of Enderle Group in Silicon Valley, in a reference to the iPhone, which has enjoyed phenomenal success since it was introduced in 2007.
Pointing to Google's pending 750-million-dollar acquisition of mobile advertising company AdMob, a number of analysts said Google hopes to replicate its Web advertising success in the mobile space.
Ovum research fellow Jonathan Yarmis said Google will have to walk a fine line between marketing its own smartphone and being a supportive partner for the growing number of firms making their own handsets based on Android.
Although Android's share of the US smartphone market is relatively small, it has doubled in the past year to 3.5 percent in October, according to comScore, and Gartner predicts Android-based smartphones will capture 14 percent of the global market by the year 2012.

Omnifone signs music deal for Google's Android

BARCELONA (Reuters) - Omnifone, the digital music service provider, is to make its MusicStation offering available to all mobile handsets which carry Google Inc's Android operating platform, it said on Monday.
Omnifone, which already provides its service to the likes of British pay TV company BSkyB and Vodafone, said it would debut its service on the Google Nexus One and HTC handsets at the Mobile World Congress industry event in Barcelona.
MusicStation for Android will offer all users on the Android platform immediate access to a catalog of over 6.5 million tracks, with additional features such as search and discovery systems, social networking aspects and news updates.
"Omnifone is delighted to be able to deliver the richest and most sophisticated music capability on mobile, and one that will work effortlessly on any manufacturer's Android device," Omnifone Chief Executive Rob Lewis said.
Mobile operators and handset makers have all started to offer music services in a bid to increase customer loyalty and grow revenues.
(Reporting by Kate Holton; Editing by Richard Chang)

Steve Jobs Lashes Out At Android

Steve Jobs doesn't usually make a guest appearance on Apple's post-earnings conference calls with analysts, but this time he made an exception, attacking Google for marketing its operating system as 'open' versus Apple's 'closed' iOS. 'Google loves to characterize Android as "open" and iOS and iPhone as "closed." We find this a bit disingenuous, and clouding the real difference between our two approaches,' said Jobs. 'Android is very fragmented. Many Android [manufacturers], including the two largest, HTC and Motorola, install proprietary user interfaces to differentiate themselves from the commodity Android experience. The user's left to figure it out. Compare this to iPhone, where every handset works the same.' Jobs stated that the real debate is between 'fragmented versus integrated' and which is better for the consumer.

Nexus S Availability And Pricing Announced: Get Thee To Best Buy

Google just announced that the Nexus S is now available at Best Buy and Best Boy mobile stores for $529.99 unlocked (which means it will work on AT&T’s network without 3G (for now)) or $199.99 with a T-Mobile 2 year plan.
Note that some commenters are saying that the phone is not available unlocked right now:

“We will not carry an unlocked version, they are locked to T-Mobile. I know the press releases say so, but it is very locked to T-Mobile and can not be unlocked. If you want to buy without a plan, add to package, click existing customer, and then replacement phone. If you call us please call 8668132021 to place the order for delivery.”

The number is legit (I called), so that may be the best way to go if you want to ensure you’ll be able to get it unlocked in your area.
Product Page
via Google

Android Market Gets A Badly-Needed Facelift (But Web Purchasing Is Still MIA)

I’ve been an Android fan for a while now, but I can’t remember the last time I had anything good to say about its integrated application marketplace, Android Market. Compared to the iPhone’s App Store, Market’s experience has always looked less visually compelling, and in general it’s been harder (and less fun) to navigate.  Today, the Google team has announced that Android Market will be getting an upgrade over the next two weeks. And good news: this update will be going to all Android users who are on version 1.6 or higher, which means it will go out to the vast majority of devices.
I haven’t gotten access to the application yet, but judging by the screenshots the Market has gotten a fresh coat of paint, and looks much more modern. Promoted applications — which until now have been tiles at the top of the screen that would change every few seconds — will now be featured in a swipable view that looks a lot like Apple’s CoverFlow.
Data about each application will now be consolidated into a single window pane. The Market will also include a content rating system (this is not shown in the screenshots, so you can’t really see what this looks like yet). And app targeting has been improved while size restrictions are loosened:

To make it easier for developers to distribute and manage their products, we will introduce support for device targeting based on screen sizes and densities, as well as on GL texture compression formats. We are also increasing the maximum size for .apk files on Market to 50MB, to better support richer games.

One major change that I’m sure developers will applaud involves Android’s refund window. Historically Android has offered a 24 hour return window for users who purchased an application and decided they didn’t want it; this time limit has now been cut down to 15 minutes. Google’s explanation is that this is because it will “help developers manage their businesses more effectively”, and that ”most users who request a refund do so within minutes of purchase” anyway. It’s probably because developers feel frustrated when users buy a game or utility, use it for a full day, and then get a full refund (and there may be some accounting issues, too).
And, from the I-can’t-believe-it-didn’t-have-this-already department, Android Market now has separate categories for Widgets and Live Wallpaper applications. And it looks like the Android typeface (which always made things look a little less polished for some reason) has apparently been abandoned in some menus.
Of course, this new release is still missing one key feature: a web version of Android Market. This was previewed during Google I/O way back in May, promising to let users browse through Android applications from their web browsers, and then wirelessly ‘push’ the applications they purchased to their phones with no tethering needed.
My hunch is that this functionality (or parts of it) is latent in this new version of Android Market, and that Google will activate it once the web component of this is done. Here’s what the team had to say about upcoming releases:

However, we’re not done yet. We plan to continue to rapidly enhance Android Market for both users and developers and make it the best content distribution service for the Android ecosystem.
Please stay tuned as we continue to deliver new capabilities in the coming weeks and months.

Tips and Tricks on How to transform Android SmartPhone turned into a webcam

DroidCam, is the thing for you, if you don’t want to carry a webcam with your laptop or desktop pc. DroidCam helps to turn the Android Smartphone into a webcam, isn’t it amazing?

DroidCam is created by Dev47Apps, the DroidCam 2.0 hasn’t been released, it’s a beta version as it is a work in progress. The beta version still has a few errors; it’s a work in progress.
Since the last month, the developers have made some progress, after the first release. This application has been tested on various PCs which have been run on XP 32 bit, windows 7 and Vista operating systems.
This program, DroidCam 2.0 is a client program for windows that must be installed on the desktop computer or your laptop if one wishes to use it with Android phone. Another thing needs to be kept in mind is that the rest of the part of the software needs to be downloaded from the Android Market and installed on your Smartphone.
The desired software is only well-suited with the smart phones that run with Android 2.0 or higher, for people with an older cell phone, which is an older version, this application won’t be displayed on the Android market.
After the windows client of DroidCam v2.0 Beta is downloaded and installed, you should open a chat program that you wish to use with the webcam and select DroidCam as a microphone and a webcam. This can easily be done by checking the audio settings of the chat program.
The next step is to simply start the application from the start menu and then a message “waiting for device” will be displayed on your screen.
After this message you are supposed to install the other part of the softare. After searching the Android market, you would find “DroidCam 2.1 Beta, as this application has been updated.
After this, just make sure that the wi-fi is enabled on your phone and is connected to your network at home.
To start the DroidCam app just click “connect” on your phone, after which a list of IP addresses would be displayed. Tap “add new” and enter the IP address of your computer.
Save it by tapping on it. A message “connected” will appear, meaning everything is in the correct order. Then you can start the chat program and you would be able to see live video feeds being transmitted by your phone.

DroidCam 2.0

Google Nexus S now available for pre-order on four networks

The Carphone Warehouse has announced that pre-orders on four networks for the forthcoming Google Nexus S have now gone live.
UPDATE: TechRadar spoke to The Carphone Warehouse, which confirmed a 'huge interest' in the device to us:
"The Google Nexus S is a game-changer for Android so it's great to see so many networks getting behind it. We've seen huge interest in the phone over the last few days since pre-ordering began at The Carphone Warehouse," a spokesperson told Techradar.
"We now have a great offering of Android handsets which will continue to grow in the New Year."
The phone will be available to buy both on contract or PAYG/SIM free, with the former costing £35 per month for a free phone - O2, Vodafone, T-Mobile and Orange are supporting the phone, but Three is nowhere to be seen.
However, while £35 per month does get you a plethora of minutes and unlimited texts, the most you can get data-wise is 750MB included.
Go big for a gig
To get over 1GB allowance, you'll need to sign up to a £50 a month deal, which seems a little extreme, and will hopefully be updated when the networks start offering it directly (if they ever do).
SIM free the Google Nexus S will cost £549.95, with the PAYG curiously the same, but with a mandatory £10 top up - usually paying a network for the phone will get you a micro-discount at least.
Still, there's not long to wait, as the Google Nexus S UK release date is set for 20 December - enough time to blackmail Santa (with those photos of him bothering that OTHER reindeer) into bringing you one.

HTC confirms Desire HD Android 2.3 update?

TechRadar contacted HTC earlier today about the recently announced Android 2.3 update and whether or not it will be coming to its flagship phone: the HTC Desire HD.
Although HTC didn't namecheck the phone, it did confirm that a number of its handsets will be given the update.

Be excited
In a statement, a spokesperson for HTC explained: "We are excited about the OS update coming for Android, and while HTC will definitely have some phones running this OS, we do not have a specific timeframe for new phones or updates at this time. Please stay tuned for more details."
While "some phones" is as flimsy an answer you are likely to get, it does confirm that the update will be coming to handsets already in existence.
At the moment, the HTC Desire HD is the flagship phone from the Taiwanese company so we're pinning our bets on this.
However, the Desire Z and Desire will probably get some Android 2.3 loving, too.

Samsung Galaxy S Android 2.3 Gingerbread update confirmed !!!

Samsung has used the medium of Twitter to confirm that its flagship phone, the Samsung Galaxy S, will indeed be getting an Android 2.3 Gingerbread update.

Two tweets came from the official Samsung Mobile India Twitter account, which were sent in response to queries by two Galaxy S owners.
Samsung originally told TechRadar: "In case a new version of Android operating system is publicly announced and released, Samsung will review the possibility of implementation of such new version to the existing Samsung products with Android operating system ("Update")."
But now it's confirmed that the update will come, the only fly in the ointment could be a European launch delay - we're working on finding an answer on that for you.
Android 2.3 incoming
This double confirmation will excite Galaxy S owners as much as a double rainbow, given that there's decent new features in Android 2.3.
Features include better use of the gaming technology inside, an improved keyboard and a decent of copy and paste.
There's no UK release date for the Samsung Galaxy S Android 2.3 Gingerbread update, but we'll keep you posted as soon as we get a visit from the Google gingerbread man.

Android Honeycomb With Tablet Support Coming Next Year

Now that we’ve heard all about Android 2.3 and the Nexus S, here’s something for the future. Andy Rubin announced some pretty exciting things about the next version of Android at the D: Dive Into Mobile conference.
He came out holding a prototype Motorola tablet with an NVIDIA processor, a dual core 3D processor, and a better UI for tablets. He went on to demo a few things on it including Gmail and the new Google Maps from Gingerbread. The look of the interface looks highly customized for the tablet.
It’s coming sometime next year, and it’ll be available on both Android phones and tablets. Rather than me trying to explain more, I put a video from the conference below for you. Enjoy! and what do you think?
[via Engadget]

Licensing Service For Android Applications

Posted by Tim Bray on at 10:00 AM

[This post is by Eric Chu, Android Developer Ecosystem. — Tim Bray]
In my conversations with Android developers, I often hear that you’d like better protection against unauthorized use of your applications. So today, I’m pleased to announce the release of a licensing service for applications in Android Market.
This simple and free service provides a secure mechanism to manage access to all Android Market paid applications targeting Android 1.5 or higher. At run time, with the inclusion of a set of libraries provided by us, your application can query the Android Market licensing server to determine the license status of your users. It returns information on whether your users are authorized to use the app based on stored sales records.
This licensing service operating real time over the network provides more flexibility in choosing license-enforcement strategies, and a more secure approach in protecting your applications from unauthorized use, than copy protection.
The licensing service is available now; our plan is for it to replace the current Android Market copy-protection mechanism over the next few months. I encourage you to check out the Licensing Your Applications section of our Developer Guide and the Android Market Help Center to learn how you can take advantage of this new service immediately.

Best Practices for Handling Android User Data

Posted by Tim Bray on 04 August 2010 at 3:00 PM

[This post is by Nick Kralevich, an engineer on the Android Security Team. — Tim Bray]
As the use of mobile applications grows, people are paying more attention to how these applications use their data. While the Android platform contains extensive permissions designed to protect users, application developers are ultimately responsible for how they handle users’ information. It’s important for developers to understand the code they include, and consider the permissions they request, as mishandling these issues can result in users perceiving a violation of trust.
Maintaining a healthy and trustworthy ecosystem is in every Android developer’s best interest.
Here are a few tips for writing trustworthy Android applications:

1. Maintain a privacy policy
2. Minimize permissions
3. Give your users a choice regarding data collection
4. Don’t collect unnecessary information
5. Don’t send data off the device
6. ... but if you have to, use encryption and data minimization
7. Don’t use code you don’t understand
8. Don’t log device or user specific information.

Maintain a privacy policy

Trustworthy applications are up-front about the data they collect and the reasons for collecting it. Users are generally happy to share information via such apps if they believe they will personally benefit. A clear and concise privacy policy, with details about the type of information collected and how it’s used, goes a long way towards generating trust and good will.

Minimize permissions

Android is unique among mobile operating systems for its simple, straightforward, operating-system-enforced permission model. All Android applications must declare the permissions they require, and users must approve these permissions before the application is installed. Users tend to distrust applications that require excessive permissions.
For example, a user installing this tic-tac-toe game might reasonably wonder why it needs to take pictures.

Give your users a choice regarding data collection

It’s called the paradox of privacy [PDF, 890K]. Users are often happy to share their information, but they want control over that sharing. Trustworthy applications give users control over their information. For example, the Android Browser has privacy settings which enable users to control how their information is shared.

Don’t collect unnecessary information

Trustworthy applications limit the kinds of data they collect. Collecting unnecessary information, especially if you never use it, just invites suspicion. When in doubt, don’t collect it.

Don’t send data off the device

If you have to handle user data, ensure that the data remains on the device whenever possible. Users are comforted knowing that their private information strictly resides in the phone. Sending data outside the phone, even if done for the user’s benefit, tends to draw suspicion.

... but if you have to, use encryption and data minimization

Sometimes, the collection of data is necessary. In that case, applications need to ensure that it is handled safely. A privacy policy will avoid leading to surprised and irritated users; in some cases, it may be advisable to prompt the user before transmitting data off-device.
First, minimize the amount of data you collect. Do you really need the user’s full phone number, or would the area code be sufficient? Can you use a one-way cryptographic hash function on the data before sending it to the server to help protect the user’s confidential information?

A case study: User Favorites

Suppose you want your app to maintain a list of “favorites” for each of your users, without going through a full registration process. In theory, you could do this by sending your server some combination of their phone number, device ID, or SIM ID. But why take the chance of worrying people about privacy issues; why not send a one-way hashed signature of whatever the identifying information is? Or even better, create a random unique id and store it on the phone, and use this unique id as the registration key for your application.
In the end, you’ll will still be able to retrieve their favorites, but you won’t need to send or store anything sensitive.

Second, encryption is critical to the safe handling of user data. Phones often operate on untrusted networks where attackers can sniff confidential traffic. Encrypting data in transit is a critical part of protecting user information.
Finally, when communicating with a server over HTTP, it’s a good idea to avoid encoding user information in a URL that is used with HTTP GET; rather, POST it in a message body. While using POST doesn’t guarantee that your information won’t be sniffed, putting it in the URL increases the likelihood that it will be automatically logged; out of the box, most web server software logs all the URLs that are received.

Don’t use code you don’t understand

In the open-source Android environment, it’s common (and good) practice to rely heavily on other people’s code, in the form of libraries and frameworks. But if that code is handling your users’ information inappropriately, it’s your problem. So make a point of checking code before you rely on it.

Don’t log user or device specific information

Application developers should be careful about on-device logs. Android makes it easy to write to the phone’s log, and anyone who has looked at “logcat” output knows that it is full of important but seemingly random debugging information from many applications. In Android, logs are a shared resource, and are available to an application with the READ_LOGS permission (only with user consent, of course!). Even though the phone log data is temporary and erased on reboot, inappropriate logging of user information could inadvertently leak user data to other applications.

Securing Android LVL Applications

Posted by Tim Bray on at 1:13 PM

[This post is by Trevor Johns, who's a Developer Programs Engineer working on Android. — Tim Bray]
The Android Market licensing service is a powerful tool for protecting your applications against unauthorized use. The License Verification Library (LVL) is a key component. A determined attacker who’s willing to disassemble and reassemble code can eventually hack around the service; but application developers can make the hackers’ task immensely more difficult, to the point where it may simply not be worth their time.
Out of the box, the LVL protects against casual piracy; users who try to copy APKs directly from one device to another without purchasing the application. Here are some techniques to make things hard, even for technically skilled attackers who attempt to decompile your application and remove or disable LVL-related code.

• You can obfuscate your application to make it difficult to reverse-engineer.
• You can modify the licensing library itself to make it difficult to apply common cracking techniques.
• You can make your application tamper-resistant.
• You can offload license validation to a trusted server.

This can and should be done differently by each app developer. A guiding principle in the design of the licensing service is that attackers must be forced to crack each application individually, and unfortunately no client-side code can be made 100% secure. As a result, we depend on developers introducing additional complexity and heterogeneity into the license check code — something which requires human ingenuity and and a detailed knowledge of the application the license library is being integrated into.

Technique: Code Obfuscation

The first line of defense in your application should be code obfuscation. Code obfuscation will not protect against automated attacks, and it doesn’t alter the flow of your program. However, it does make it more difficult for attackers to write the initial attack for an application, by removing symbols that would quickly reveal the original structure of a compiled application. As such, we strongly recommend using code obfuscation in all LVL installations.
To understand what an obfuscator does, consider the build process for your application: Your application is compiled and converted into .dex files and packaged in an APK for distribution on devices. The bytecode contains references to the original code — packages, classes, methods, and fields all retain their original (human readable) names in the compiled code. Attackers use this information to help reverse-engineer your program, and ultimately disable the license check.
Obfuscators replace these names with short, machine generated alternatives. Rather than seeing a call to dontAllow(), an attacker would see a call to a(). This makes it more difficult to intuit the purpose of these functions without access to the original source code.
There are a number of commercial and open-source obfuscators available for Java that will work with Android. We have had good experience with ProGuard, but we encourage you to explore a range of obfuscators to find the solution that works best for you.
We will be publishing a separate article soon that provides detailed advice on working with ProGuard. Until then, please refer to the ProGuard documentation.

Technique: Modifying the license library

The second line of defense against attack from crackers is to modify the license verification library in such a way that it’s difficult for an attacker to modify the disassembled code and get a positive license check as result.
This actually provides protection against two different types of attack: it protects against attackers trying to crack your application, but it also prevents attacks designed to target other applications (or even the stock LVL distribution itself) from being easily ported over to your application. The goal should be to both increase the complexity of your application’s bytecode and make your application’s LVL implementation unique.
When modifying the license library, there are three areas that you will want to focus on:

• The core licensing library logic.
• The entry/exit points of the licensing library.
• How your application invokes the licensing library and handles the license response.

In the case of the core licensing library, you’ll primarily want to focus on two classes which comprise the core of the LVL logic: LicenseChecker and LicenseValidator.
Quite simply, your goal is to modify these two classes as much as possible, in any way possible, while still retaining the original function of the application. Here are some ideas to get you started, but you’re encouraged to be creative:

• Replace switch statements with if statements.
• Use XOR or hash functions to derive new values for any constants used and check for those instead.
• Remove unused code. For instance, if you’re sure you won’t need swappable policies, remove the Policy interface and implement the policy verification inline with the rest of LicenseValidator.
• Move the entirety of the LVL into your own application’s package.
• Spawn additional threads to handle different parts of license validation.
• Replace functions with inline code where possible.

For example, consider the following function from LicenseValidator:

public void verify(PublicKey publicKey, int responseCode, String signedData, String signature) {
    // ... Response validation code omitted for brevity ...
    switch (responseCode) {
        // In Java bytecode, LICENSED will be converted to the constant 0x0
        case LICENSED:
        case LICENSED_OLD_KEY:
            LicenseResponse limiterResponse = mDeviceLimiter.isDeviceAllowed(userId);
            handleResponse(limiterResponse, data);
            break;
        // NOT_LICENSED will be converted to the constant 0x1
        case NOT_LICENSED:
            handleResponse(LicenseResponse.NOT_LICENSED, data);
            break;
        // ... Extra response codes also removed for brevity ...
    }

In this example, an attacker might try to swap the code belonging to the LICENSED and NOT_LICENSED cases, so that an unlicensed user will be treated as licensed. The integer values for LICENSED (0x0) and NOT_LICENSED (0x1) will be known to an attacker by studying the LVL source, so even obfuscation makes it very easy to locate where this check is performed in your application’s bytecode.
To make this more difficult, consider the following modification:

public void verify(PublicKey publicKey, int responseCode, String signedData, String signature) {
       // ... Response validation code omitted for brevity …
        
        // Compute a derivative version of the response code
        // Ideally, this should be placed as far from the responseCode switch as possible,
        // to prevent attackers from noticing the call to the CRC32 library, which would be
        // a strong hint as to what we're done here. If you can add additional transformations
        // elsewhere in before this value is used, that's even better.
        java.util.zip.CRC32 crc32 = new java.util.zip.CRC32();
        crc32.update(responseCode);
        int transformedResponseCode = crc32.getValue();

        // ... put unrelated application code here ...
        // crc32(LICENSED) == 3523407757
        if (transformedResponse == 3523407757) {
            LicenseResponse limiterResponse = mDeviceLimiter.isDeviceAllowed(userId);
            handleResponse(limiterResponse, data);
        }
        // ... put unrelated application code here ...
        // crc32(LICENSED_OLD_KEY) == 1007455905
        if (transformedResponseCode == 1007455905) {
            LicenseResponse limiterResponse = mDeviceLimiter.isDeviceAllowed(userId);
            handleResponse(limiterResponse, data);
        }
        // ... put unrelated application code here ...
        // crc32(NOT_LICENSED) == 2768625435
        if (transformedResponseCode == 2768625435):
            userIsntLicensed();
        }
    }

In this example, we’ve added additional code to transform the license response code into a different value. We’ve also removed the switch block, allowing us to inject unrelated application code between the three license response checks. (Remember: The goal is to make your application’s LVL implementation unique. Do not copy the code above verbatim — come up with your own approach.)
For the entry/exit points, be aware that attackers may try to write a counterfeit version of the LVL that implements the same public interface, then try to swap out the relevant classes in your application. To prevent this, consider adding additional arguments to the LicenseChecker constructor, as well as allow() and dontAllow() in the LicenseCheckerCallback. For example, you could pass in a nonce (a unique value) to LicenseChecker that must also be present when calling allow().
Note: Renaming allow() and dontAllow() won’t make a difference, assuming that you’re using an obfuscator. The obfuscator will automatically rename these functions for you.
Be aware that attackers might try and attack the calls in your application to the LVL. For example, if you display a dialogue on license failure with an “Exit” button, consider what would happen if an attacker were to comment out the line of code that displayed that window. If the user never pushes the “Exit” button in the dialog (which is no not being displayed) will your application still terminate? To prevent this, consider invoking a different Activity to handle informing a user that their license is invalid, and immediately terminating the original Activity; add additional finish() statements to other parts of your code that get will get executed in case the original one gets disabled; or set a timer that will cause your application to be terminated after a timeout. It’s also a good idea to defer the license check until your application has been running a few minutes, since attackers will be expecting the license check to occur during your application’s launch.
Finally, be aware that certain methods cannot be obfuscated, even when using a tool such as ProGuard. As a key example, onCreate() cannot be renamed, since it needs to remain callable by the Android system. Avoid putting license check code in these methods, since attackers will be looking for the LVL there.

Technique: Make your application tamper-resistant

In order for an attacker to remove the LVL from your code, they have to modify your code. Unless done precisely, this can be detected by your code. There are a few approaches you can use here.
The most obvious mechanism is to use a lightweight hash function, such as CRC32, and build a hash of your application’s code. You can then compare this checksum with a known good value. You can find the path of your application’s files by calling context.GetApplicationInfo() — just be sure not to compute a checksum of the file that contains your checksum! (Consider storing this information on a third-party server.)
[In a late edit, we removed a suggestion that you use a check that relies on GetInstallerPackageName when our of our senior engineers pointed out that this is undocumented, unsupported, and only happens to work by accident. –Tim]
Also, you can check to see if your application is debuggable. If your application tries to keep itself from performing normally if the debug flag is set, it may be harder for an attacker to compromise:

boolean isDebuggable =  ( 0 != ( getApplcationInfo().flags &= ApplicationInfo.FLAG_DEBUGGABLE ) );

Technique: Offload license validation to a trusted server

If your application has an online component, a very powerful technique to prevent piracy is to send a copy of the license server response, contained inside the ResponseData class, along with its signature, to your online server. Your server can then verify that the user is licensed, and if not refuse to serve any online content.
Since the license response is cryptographically signed, your server can check to make sure that the license response hasn’t been tampered with by using the public RSA key stored in the Android Market publisher console.
When performing the server-side validation, you will want to check all of the following:

• That the response signature is valid.
• That the license service returned a LICENSED response.
• That the package name and version code match the correct application.
• That the license response has not expired (check the VT license response extra).
• You should also log the userId field to ensure that a cracked application isn’t replaying a license response from another licensed user. (This would be visible by an abnormally high number of license checks coming from a single userId.)

To see how to properly verify a license response, look at LicenseValidator.verify().
As long as the license check is entirely handled within server-code (and your server itself is secure), it’s worth nothing that even an expert cracker cannot circumvent this mechanism. This is because your server is a trusted computing environment.
Remember that any code running on a computer under the user’s control (including their Android device) is untrusted. If you choose to inform the user that the server-side license validation has failed, this must only be done in an advisory capacity. You must still make sure that your server refuses to serve any content to an unlicensed user.

Conclusion

In summary, remember that your goal as an application developer is to make your application’s LVL implementation unique, difficult to trace when decompiled, and resistant to any changes that might be introduced. Realize that this might involve modifying your code in ways that seem counter-intuitive from a traditional software engineering viewpoint, such as removing functions and hiding license check routines inside unrelated code.
For added protection, consider moving the license check to a trusted server, where attackers will be unable to modify the license check code. While it’s impossible to write 100% secure validation code on client devices, this is attainable on a machine under your control.
And above all else, be creative. You have the advantage in that you have access to a fully annotated copy of your source code — attackers will be working with uncommented bytecode. Use this to your advantage.
Remember that, assuming you’ve followed the guidelines here, attackers will need to crack each new version of your application. Add new features and release often, and consider modifying your LVL implementation with each release to create additional work for attackers.And above all else, listen to your users and keep them happy. The best defense against piracy isn’t technical, it’s emotional.

Supporting the new music Voice Action

Posted by Tim Bray on 14 September 2010 at 3:05 PM

[This post is by Mike LeBeau, the Tech Lead and architect behind Voice Actions. — Tim Bray]
We recently launched Voice Actions in the new Google Voice Search for Android — an awesome new way to search, control, and communicate on your phone faster than ever before, by using your voice.
One of these new Voice Actions lets users find and automatically play music. By speaking something like “listen to They Might Be Giants” into the new Voice Search, users can quickly find the music they want online and play it, using any number of different apps. (Pandora, Last.fm, Spotify, mSpot, and Rdio are among the first apps to support this.)
To do this, we leveraged a very common little piece of Android magic: a new Intent. If you develop a music app that supports open-ended music search, you can make it work with users speaking “listen to” Voice Actions simply by registering for the new intent we’ve defined. This new intent isn’t defined as a constant in the SDK yet, but we wanted to make sure music app developers had all the information needed to use it right away.
Here’s all you should need to know:

• In your AndroidManifest.xml, just register one of your activities for the new intent android.media.action.MEDIA_PLAY_FROM_SEARCH:
  

  <application android:label="@string/app_name" android:icon="@drawable/icon">
      <activity android:name="MusicActivity" android:label="@string/app_name">
          <intent-filter>
              <action android:name="android.media.action.MEDIA_PLAY_FROM_SEARCH" />
              <category android:name="android.intent.category.DEFAULT" />
          </intent-filter>
      </activity>
  </application>

• When your activity receives this intent, you can find the user’s search query inside the SearchManager.QUERY string extra:
  

  import android.app.Activity;
  import android.app.SearchManager;
  public class MusicActivity extends Activity {
      @Override
      public void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          String query = getIntent().getStringExtra(SearchManager.QUERY);
          // Do something with query...
      }
  }

  This will represent everything the user spoke after “listen to”. This is totally open-ended voice recognition, and it expects very flexible search — so, for example, the string could be the name of any artist (“they might be giants”), an album (“factory showroom”), a song (“metal detector”), or a combination of any of these (“metal detector by they might be giants”).

A few subtle details worth understanding about this intent:

• Your app should do its best to quickly find and automatically play music corresponding to the user’s search query. The intention here is to get users to their desired result as fast as possible, and in this case, that means playing music quickly.
• This will really only work well for music apps that can find music across a very large corpus of options. Because our voice recognition doesn’t currently support any way to provide a list of specific songs to be recognized, trying to use it against a small set of music choices will work poorly — things which are not in the set will be over-recognized, and things which are in the set may not be recognized well. So if you’re not the developer of a large-scale cloud music application, this intent is probably not for you.

We think you’ll find this new intent can greatly enhance your music app’s experience for users. And we hope you enjoy our new Voice Actions as much as we do!

Proguard, Android, and the Licensing Server

Posted by Tim Bray on 21 September 2010 at 4:05 PM

[This post is by Dan Galpin, an Android Developer Advocate specializing in games and comics. — Tim Bray]
The Securing Android LVL Applications blog post makes it clear that an Android developer should use an obfuscation tool such as Proguard in order to help safeguard their applications when using License Server. Of course, this does present another question. How should one integrate such a tool with the Android build process? We’re specifically going to detail integrating Proguard in this post.

Before you Begin

You must be running the latest version of the Android SDK Tools (at least v7). The new Ant build rules file included with v7 contains hooks to support user-created pre and post compile steps in order to make it easier to integrate tools such as Proguard into an Android build. It also integrates a single rules file for building against all versions of the Android SDK.

Adding an Optimization Step to build.xml

First, you’ll have to get Proguard if you don’t yet have it.
If you’ve been using Eclipse to do your development, you’ll have to switch to using the command line. Android builds are done using Apache Ant. A version of Ant ships along with Eclipse, but I recommend installing your own version.
The Android SDK can build you a starter build.xml file. Here is how it’s done:

android update project --path ./MyAndroidAppProject

If all works well, you’ll have a shiny new build.xml file sitting in your path. Let’s try doing a build.

ant release

You should end up with an unsigned release build. The command-line tools can also sign your build for you. You’ll notice that the android tool created a local.properties file in your directory. It will contain the sdk.dir property. You can have it make you a signed build by adding the location of your keystore and alias to this file.

key.store=/Path/to/my/keystore/MyKeystore.ks
key.alias=myalias

So, now you have a signed build from the command line, but still no obfuscated build. To make things easy, you’re going to want to get two helper files: add-proguard-release.xml and procfg.txt.
Copy these files into your root directory (where the build.xml file sits). To add Proguard to your build, you first need to edit your local properties file to add the location of the directory that Proguard is installed in:

proguard.dir=/Directory/Proguard/Is/Installed/In

Finally... you need to add our script to your build file and have it override a few targets. To do this, we use the XML “entity” construct. At the top of your build.xml file, add an entity that references our script file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE project [
       <!ENTITY add-proguard-release SYSTEM "add-proguard-release.xml">
]>

You’re not done yet. Somewhere within the project tag add the reference to our entity to include our script.

<project name="MyProjectName" default="help">
&add-proguard-release;

That’s it! In many cases, calling

ant release

Will give you an obfuscated build. Now test and make sure that it hasn’t broken anything.

But Wait, My App is Crashing Now

Most crashes happen because Proguard has obfuscated away something that your application needs, such as a class that is referenced in the AndroidManifest or within a layout, or perhaps something called from JNI or reflection. The Proguard configuration provided here tries to avoid obfuscating most of these cases, but it’s still possible that in edge cases you’ll end up seeing something like a ClassNotFoundException.
You can make edits to the procfg.txt file to keep classes that have been obfuscated away. Adding:

-keep public class * [my classname]

should help. For more information about how to prevent Proguard from obfuscating specific things, see the Proguard manual. Specifically, the keep section. In the interest of security, try to keep as little of your application unobfuscated as possible.
The standard settings provided in procfg.txt will be good for many applications, and will catch many common cases, but they are by no means comprehensive. One of the things that we’ve done is had Proguard create a bunch of output files in the obf directory to help you debug these problems.
The mapping.txt file explains how your classes have been obfuscated. You’ll want to make sure to keep this around once you have submitted your build to Market, as you’ll need this to decipher your stack traces.

Conclusion

Tools such as Proguard make the binary of your application harder to understand, and make your application slightly smaller and more efficient at the same time, at the cost of making it slightly more challenging to debug problems in the field. For many applications, the tradeoff is more than worthwhile.

Improving App Quality

[This post is by Roman Nurik, who is passionate about icons. —Tim Bray]
With thousands of new apps being published in Android Market every week, it’s becoming more and more important to proactively work at breaking through the clutter (hooray for marketing jargon!). One way of improving your app’s visibility in the ecosystem is by deploying well-targeted mobile advertising campaigns and cross-app promotions. However, there’s another time-tested method of fueling the impression-install-ranking cycle: improve the product!
A better app can go a very long way: a higher quality app will translate to higher user ratings, generally better rankings, more downloads, and higher retention (longer install periods). High-quality apps also have a much higher likelihood of getting some unanticipated positive publicity such as being featured in Android Market or social media buzz.
The upside to having a higher-quality app is obvious. However, it’s not always clear how to write a so called ‘better app.’ The path to improving app quality isn’t always well-lit. The term ‘quality’, and its close cousins ‘polish’ and ‘fit and finish’ aren’t always well-defined. In this post, we’ll begin to light the path by looking at a couple of key factors in app quality, and furthermore, look at ways of improving your app along these dimensions.

Listen to your users

Given that pretty much any measure of the ‘success’ of an app involves user-related metrics such as number of downloads, daily actives, retention rates, etc., it’s a good idea to start thinking of your app’s quality as it relates back to your users.
The most obvious way to listen to users is by reading and addressing comments on your app in Android Market. Although the comments aren’t always productive or constructive, some will provide valuable insight on aspects of your app that you may not have consciously considered before. It’s important to remember that users have the opportunity to change their ratings and comments about an app as much as they’d like.
Now, since Android Market doesn’t currently provide a bidirectional communication medium for developers and their users, you should set up your own support and discussion destination(s). There are some great support tools out there that can put you in touch with your users directly such as Google Groups, Zoho Discussions, getsatisfaction.com and uservoice.com. Once you get set up with such a tool, make sure to fill in the support link in your Android Market listing -- users do click through to these.
Another way to better listen to your users is by having a public beta or trusted tester program. It’s crucial to have some amount of real user testing before releasing something in Android Market. Fortunately, you can distribute your apps to users outside of Market via a website; this website can require a login or be publicly accessible — it’s entirely up to you. Take advantage of this opportunity by offering your next planned update to some early adopters, before submitting to Market. You’ll be surprised by how many little, yet impactful, improvements can come out of crowd-sourced, real-user testing.

Improve stability and eliminate bugs

I won’t go into detail about why this is important, because hopefully it’s obvious. And hopefully you’ve been reading this blog and following the best practices outlined in previous posts, so you have a solid idea on how to improve in this arena.
One noteworthy and yet relatively underused tool for catching stability issues like crashes, is the UI/Application Exerciser Monkey (aka Monkey). Monkey will send random UI events to your app’s activitie, allowing you to trigger user flows that can uncover stability problems.
Also, with the new error reporting features in Android 2.2, users now have the ability to report application crashes to developers. These show up in aggregate in the Android Market developer console. Make sure to read these reports and act on them appropriately.
Lastly, keep an external bug and feature request tracker. This will enable your users to engage with the app at a closer level, by following features and bugs that affect them. User frustration with app problems can be effectively managed with diligent issue tracking and communication. Some of the community support tools listed above offer issue tracking features, and if your project is open source, most popular repository hosting sites such as Google Code and GitHub will offer this as well.

Improve UI Responsiveness

One sure-fire way to tick off your users is to have a slow UI. Research has shown that speed matters... for any interface, be it desktop, web, or mobile. In fact, the importance of speed is amplified on mobile devices since users often need their information on the go and in a hurry.
As Brad Fitzpatrick mentioned in his Google I/O 2010 talk, Writing Zippy Android Apps, you can improve your apps’s UI responsiveness by moving long-running operations off the application’s main thread. See the talk for detailed recommendations and debugging tips.
One way to improve UI performance is to minimize the complexity of your layouts. If you open up hierarchyviewer and see that your layouts are more than 5 levels deep, it may be time to simplify your layout. Consider refactoring those deeply nested LinearLayouts into RelativeLayout. As Romain Guy pointed out in his World of ListView talk at Google I/O, View objects cost around 1 to 2 KB of memory, so large view hierarchies can be a recipe for disaster, causing frequent VM garbage collection passes which block the main (UI) thread.
Lastly, as Tim pointed out in Traceview War Story, tools like traceview and ddms can be your best frends for improving performance by profiling method calls and monitoring VM memory allocations, respectively.
More resources:

• Designing for Performance
• Designing for Responsiveness

Improve usability

I’ll say it again here, listen to your users! Ask a handful of real Android device users (friends, family, etc.) to try out your application and observe them as they interact with it. Look for cases where they get confused, are unsure how to proceed, or are surprised by certain behaviors. Minimize these cases by rethinking some of the interactions in your app, perhaps working in some of the user interface patterns the Android UI team discussed at Google I/O.
In the same vein, two problems that currently plague Android user interfaces are small tap targets and overly small font sizes. These are generally easy to fix and can make a big impact. As a general rule, optimize for ease of use and legibility, while minimizing, or at least carefully balancing, information density.
Another way to incrementally improve usability, based on real-world data, is to implement Analytics throughout your app to log usage of particular sections. Consider demoting infrequently used sections to the options menu, or removing them altogether. For oftenly-used sections and UI elements, make sure they’re immediately obvious and easily accessible in your app’s UI so that users can get to them quickly.
Lastly, usability is an extensive and well-documented subject, with close ties to interface design, cognitive science, and other disciplines. If you’re looking for a crash-course, start with Donald Norman’s The Design of Everyday Things.

Improve appearance and aesthetics

There’s no substitute for a real user interface designer — ideally one who’s well-versed in mobile and Android, and ideally handy with both interaction and visual design. One popular venue to post openings for designers is jobs.smashingmagazine.com, and leveraging social connections on Twitter and LinkedIn can surface great talent.
If you don’t have the luxury of working with a UI designer, there are some ways in which you can improve your app’s appearance yourself. First, get familiar with Adobe Photoshop, Adobe Fireworks, or some other raster image editing tool. Mastering the art of the pixel in these apps takes time, but honing this skill can help build polish across your interface designs. Also, master the resources framework by studying the framework UI assets and layouts and reading through the new resources documentation. Techniques such as 9-patches and resource directory qualifiers are somewhat unique to Android, and are crucial in building flexible yet aesthetic UIs.
The recently-published Android UI Design Tips slide deck contains a few more best practices for your consideration.

Deliver the right set of features

Having the right set of features in your app is important. It’s often easy to fall into the trap of feature-creep, building as much functionality into your app as possible. Providing instant gratification by immediately showing the most important or relevant information is crucial on mobile devices. Providing too much information can be as frustrating (or even more so) than not providing enough of it.
And again, listen to your users by collecting and responding to feature requests. Be careful, though, to take feature requests with grains of salt. Requests can be very useful in aggregate, to get a sense of what kinds of functionality you should be working on, but not every feature request needs to be implemented.

Integrate with the system and third-party apps

A great way to deliver a delight user experience is to integrate tightly with the operating system. Features like app widgets, live folders, global search integration, and Quick Contacts badges are fairly low-hanging fruit in this regard. For some app categories, basic features like app widgets are par for the course. Not including them is a sure-fire way to tarnish an otherwise positive user experience. Some apps can achieve even tighter OS integration with the new contacts, accounts and sync APIs available in Android 2.0 and later. A few sample apps that show how to use these APIs are SampleSyncAdapter (bundled with the SDK samples) and JumpNote.
Third-party integrations can provide even more user delight and give the user a feeling of device cohesiveness. It’s also a really nice way of adding functionality to your app without writing any extra code (by leveraging other apps’ functionalities). For example, if you’re creating a camera app, you can allow users to edit their photos in Photoshop Express before saving them to their collection, if they have that third-party application installed. More information on this subject is available in the Can I Use this Intent? article.
More resources:

• Designing for seamlessness

Pay attention to details...

One particular detail I’ll call out is in icon quality and consistency. Make sure your app icons (especially your launcher icon) are crisp and pixel-perfect at all resolutions, and follow the icon guidelines, at least in spirit if not in letter. If you’re having trouble or don’t have the resources to design the icons yourself, consider using the new Android Asset Studio tool (a project I’ve recently open-sourced) to generate a set.

...and more...

Along with this blog, make sure to follow @AndroidDev on Twitter — we’re constantly collecting and sharing tips and tricks on Android application development that you won’t always find anywhere else. And of course, don’t be afraid to ask questions in our support forums on Stack Overflow and Google Groups.
Thanks for reading!

Saving Data Safely

With the advent of Gingerbread, we’re going to be running a series of posts in this space about the aspects of Android 2.3 that developers should care about. One thing that developers should care about more than anything else is not losing data. The rules are changing slightly as Gingerbread arrives, so I thought that would be a good starting point. I didn’t write this; I pulled it together from the contents of an email thread involving Android engineers Brad Fitzpatrick, Dianne Hackborn, Brian Swetland, and Chris Tate.

The question is: how do you make really sure your data’s been written to persistent storage? The answer involves a low-level system call named fsync(). Old C programmers like me mostly learned this the hard way back in the Bad Old Days; in 2008 at OSCON I immensely enjoyed Eat My Data: How Everybody Gets File IO Wrong by Stewart Smith; I've included a picture I took of one of his slides.

The reason this should be of concern to Android developers is that with 2.3, an increasing proportion of devices, notably including the Nexus S, are going to be moving from YAFFS to the ext4 filesystem, which buffers much more aggressively; thus you need to be more assertive about making sure your data gets to permanent storage when you want it to.

If you just use SharedPreferences or SQLite, you can relax, because we’ve made sure they Do The Right Thing about buffering. But if you have your own on-disk format, keep in mind that your data doesn't actually consistently reach the flash chip when you write() it or even when you close() it. There are several layers of buffering between you and the hardware! And because of ext4 buffering policy, any POSIX guarantees that you thought you had before (but actually didn't), you especially don't have now.

Some Android devices are already running non-YAFFS filesystems, but as we brought up the Nexus S, buffering issues have actually bitten us a couple of times in framework code. When the Gingerbread source code becomes available, you’ll find lots of examples of how file I/O should be done.

To start with, for raw data consider using one of the synchronous modes of java.io.RandomAccessFile, which take care of calling fsync() for you in the appropriate way. If you can’t, you’ll want Java code that looks something like this.

public static boolean sync(FileOutputStream stream) {
try {
if (stream != null) {
stream.getFD().sync();
}
return true;
} catch (IOException e) {
}
return false;

In some applications, you might even want to check the return status of the close() call.

Now of course, there are two sides to this story. When you call fsync() and force the data onto storage, that can be slow; worse, unpredictably slow. So be sure to call it when you need it, but be careful not to call it carelessly.