The CommonsBlog


"Exploring Android" Version 2.2 Released

Subscribers now have access to an update to Exploring Android, known as Version 2.2, in PDF, EPUB, and MOBI/Kindle formats, in addition to the online reader. Just log into your Warescription page and download away, or set up an account and subscribe!


The book is now up to date for Android Studio Arctic Fox and newer versions of all the dependencies.

The biggest change, in terms of the actual content, is switching to use StateFlow and SharedFlow instead of LiveData and BroadcastChannel. There were some other minor tweaks to view binding behavior in fragments, and the newer Koin required removal of annotations added in the previous release.

A corresponding update to Elements of Android Jetpack should be out in October.

Sep 14, 2021


"Elements of Android Room" Version 0.6 Released

Subscribers now have access to Version 0.6 of Elements of Android Room, in PDF, EPUB, and MOBI/Kindle formats. Just log into your Warescription page to download it, or set up an account and subscribe!


This update adds two more chapters, covering:

Also, the chapter on paging was updated to Paging 3.

In addition:

  • A bunch of dependencies were updated, notably Room itself

  • Various bugs were fixed

Aug 09, 2021


Inside Code Transparency: The Verification Process

A week ago, I looked at the contents of the JWT file created by the code transparency process. Today, let’s peek at how that gets verified.

bundletool Commands

Last week, when I showed you a bundletool command to add code transparency, I used a command that used a Java keystore directly. That does not seem to be an option for the verification step. For that (or for adding code transparency), you need an actual certificate file. You can obtain one from your keystore using keytool:

keytool -export \
  -alias WhateverAliasYouUsed \
  -keystore /path/to/your/keystore.jks \
  -rfc \
  -file /path/to/your/exported.cert

You can then use the check-transparency command to verify the contents of… something. The --mode option indicates what the “something” is. --mode=bundle says that you are verifying an App Bundle, such as one created by you or your CI server:

bundletool check-transparency \
  --mode=bundle \
  --bundle=/path/to/your/AppBundleWithCT.aab \
  --transparency-key-certificate=/path/to/your/exported.cert

If you leave off the --transparency-key-certificate option, bundletool will print the SHA-256 fingerprint of the certificate:

No APK present. APK signature was not checked.
Code transparency signature is valid. SHA-256 fingerprint of the code transparency key certificate (must be compared with the developer's public key manually): 25 98 AA 59 62 BA 4C C0 7B 40 74 F4 19 09 02 A0 2A CD F1 1B 1F 42 84 92 93 23 8B 6F 87 E5 42 B4
Code transparency verified: code related file contents match the code transparency file.

This should match the one you get from keytool:

keytool -list \
  -alias WhateverAliasYouUsed \
  -keystore /path/to/your/keystore.jks

Alternatively, you can have bundletool verify the code transparency for an installed app, via --mode=connected_device:

bundletool check-transparency \
  --mode=connected_device \
  --package-name=com.commonsware.scrap

As before, if you include --transparency-key-certificate, bundletool will check against it; otherwise it will print the SHA-256 fingerprint.

bundletool Implementation

Much of the code for code transparency support in bundletool resides in the com.android.tools.build.bundletool.transparency package.

The core “driver” of the verification resides in a set of static methods on ApkTransparencyCheckUtils. This code works off of a list of filesystem paths to the APKs to check. Where those APKs come from depends on your --mode. Of particular note, for --mode=connected_device, bundletool uses adb shell commands to copy the APKs to a temporary directory for analysis – the verification is not performed in situ on the device.

The code uses this JSON Web Toolkit library, which seems to be actively maintained, which is nice.

Unfortunately, the code for bundletool seems to be fairly monolithic. It does not appear to be organized as a library with a first-class API that also happens to have a CLI — it looks like it is just a CLI. And, since bundletool historically has only been needed for development machines and CI servers, in many places it seems to assume that environment. Getting verification logic that can run on-device will require reverse-engineering a spec from the implementation and creating a separate library, unless Google has interest in a significant reworking of bundletool.

Jul 18, 2021


Random Musings on the Android 12 Beta 3

Android 12 Beta 3 is out! And, as one would expect from a late beta, not much has changed.

The good news is that we can use 31 for compileSdkVersion and targetSdkVersion. That means that we should have reached API stability.

Of the stuff that was announced:

  • App Search: you saw it here first!

  • The permission group lookup APIs are nice, but I seem to recall Google getting rather testy about apps trying to determine the relationship between permissions and groups. I wonder what changed… 🤔

Beyond that:

Strangely, TranslationManager and the rest of android.view.translation remain unannounced. They showed up in Beta 1, and Google hasn’t said anything about them AFAICT. More stuff to 🤔

This should wrap up the 2021 edition of the “Random Musings” posts — if we have reached API stability, there should be nothing more for me to muse about.

Jul 15, 2021


"Elements of Android Jetpack" Version 2.1 Released

Subscribers now have access to an update to Elements of Android Jetpack, known as Version 2.1, in PDF, EPUB, and MOBI/Kindle formats, in addition to the online reader. Just log into your Warescription page and download away, or set up an account and subscribe!


OK, this took a lot longer to be released than I had expected, in part because Android Studio 4.2 took a lot longer to be released than I had expected.

There are a lot of changes in this update:

  • There is a new chapter, focusing on app widgets, those interactive home screen elements that apps can contribute

  • There is also a new chapter on using library modules, plus a new section on creating library modules

  • The chapter on dependency inversion was moved up one in the chapter sequence, and the chapter on Room was updated to use Koin’s DI implementation for the Kotlin sample

  • The chapter on Jetpack Navigation now also covers the Kotlin DSL

  • The various uses of startActivityForResult() were replaced by registerForActivityResult() and ActivityResultContracts

  • Everything was updated for Android Studio 4.2.2, the current shipping version

And, in addition to all of that, there are the usual suite of bug fixes, to the prose and to the sample code.

There should be one more update in 2021, after Android Studio 2020.3.1 Arctic Fox ships in stable form. That is in a beta right now, so it is likely to be at least a month or two before the stable release.

Jul 12, 2021


Older Posts