Obtaining Gradle
If you will only be using Gradle in the context of Android Studio, the IDE will take care of getting Gradle for you. If, however, you are planning on using Gradle outside of Android Studio (e.g., command-line builds), you will want to consider where your Gradle is coming from. This is particularly important for situations where you want to build the app outside of an IDE, such as using a continuous integration (CI) server, like Jenkins or Circle CI.
Also, the way that Android Studio works with Gradle — called the Gradle Wrapper — opens up security issues for your development machine, if you like to download open source projects from places like GitHub and try using them.
Direct Installation
What some developers looking to use Gradle outside of Android Studio will wind up doing is installing Gradle directly.
The Gradle download page contains links to ZIP archives for Gradle itself: binaries, source code, or both.
You can unZIP this archive to your desired location on your development machine.
OS Packages
You may be able to obtain Gradle via a package manager for your particular operating system.
The gradlew Wrapper
A brand new Android Studio project — and many of those that you will find in places like GitHub — will have a gradlew and gradlew.bat file in the project root, along with a gradle/ directory. This represents the “Gradle Wrapper”.
The Gradle Wrapper consists of three pieces:
- the batch file (gradlew.bat) or shell script (gradlew)
- the JAR file used by the batch file and shell script (in the gradle/wrapper/ directory)
- the gradle-wrapper.properties file (also in the gradle/wrapper/ directory)
Android Studio uses the distributionUrl property in the gradle-wrapper.properties file to determine where to download Gradle from, for use in your project:
#Sat Sep 11 19:07:11 EDT 2021
distributionBase=GRADLE_USER_HOME
distributionUrl=https\://services.gradle.org/distributions/gradle-7.0.2-bin.zip
distributionPath=wrapper/dists
zipStorePath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
When you create or import a project, or if you change the version of Gradle referenced in the properties file, Android Studio will download the Gradle pointed to by the distributionUrl property and install it to a .gradle/ directory (note the leading .) in your project. That version of Gradle will be what Android Studio uses.
RULE #1: Only use a distributionUrl that you trust.
If you are importing an Android project from a third party — such as something that you download from GitHub — and it contains the gradle/wrapper/gradle-wrapper.properties file, examine it to see where the distributionUrl is pointing to. If it is loading from services.gradle.org, or from an internal enterprise server, it is probably trustworthy. If it is pointing to a URL located somewhere else, consider whether you really want to use that version of Gradle, as it may have been modified by some malware author.
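One way to automate the Rule #1 check, as an added example that is not part of the original book: a Python script that reads gradle-wrapper.properties text, undoes the \: escape, and flags any distributionUrl that is not HTTPS or whose host is not on an allowlist. The TRUSTED_HOSTS set, the function names and every sample URL other than the first are assumptions made for this illustration; the reader is deliberately minimal and does not handle line continuations.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts you trust. services.gradle.org is the one named in the
# text; add your internal enterprise mirror here if you have one.
TRUSTED_HOSTS = {"services.gradle.org"}

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' or ':' that is not backslash-escaped.
        parts = re.split(r"(?<!\\)[=:]", line, maxsplit=1)
        if len(parts) != 2:
            continue
        # Undo backslash escapes such as "https\://" in the value.
        props[parts[0].strip()] = re.sub(r"\\(.)", r"\1", parts[1].strip())
    return props

def audit_distribution_url(text, trusted=TRUSTED_HOSTS):
    """Return (ok, reason) for the distributionUrl in the given file contents."""
    url = parse_properties(text).get("distributionUrl")
    if not url:
        return False, "no distributionUrl property"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, expected https"
    if parts.username or parts.password:
        return False, "URL carries userinfo, which can disguise the real host"
    host = (parts.hostname or "").lower()
    if host not in trusted:  # exact match, so look-alike suffixes fail
        return False, f"host {host!r} is not on the trusted list"
    return True, f"host {host!r} is trusted"

# Constructed samples; only the first URL appears in the text above.
SAMPLES = {
    "page example": r"distributionUrl=https\://services.gradle.org/distributions/gradle-7.0.2-bin.zip",
    "plain http": r"distributionUrl=http\://services.gradle.org/distributions/gradle-7.0.2-bin.zip",
    "lookalike host": r"distributionUrl=https\://services.gradle.org.example.net/gradle-7.0.2-bin.zip",
    "userinfo trick": r"distributionUrl=https\://services.gradle.org@example.net/gradle-7.0.2-bin.zip",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        ok, reason = audit_distribution_url(text)
        print(f"{'OK  ' if ok else 'FLAG'} {name}: {reason}")
```

A passing result only says the download host is one you listed; it says nothing about the gradlew script or the wrapper JAR that ship alongside the properties file.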
The batch file, shell script, and JAR file are there to support command-line builds. If you run the gradlew command, it will use a local copy of Gradle installed in .gradle/ in the project. If there is no such copy of Gradle, gradlew will download Gradle from the distributionUrl, as does Android Studio. Note that Android Studio does not use gradlew for this role — that logic is built into Android Studio itself.
RULE #2: Only use a gradlew that you REALLY trust.
It is relatively easy to examine a .properties file to check a URL to see if it seems valid. Making sense of a batch file or shell script can be cumbersome. Decompiling a JAR file and making sense of it can be rather difficult. Yet, if you use a gradlew that you obtained from somebody, that script and JAR are running on your development machine, as is the copy of Gradle that they install. If that code was tampered with, the malware has complete access to your development machine and anything that it can reach, such as servers within your organization.
This book is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license.