Author Archives: Android Developers

10 things you might be doing wrong when using the SafetyNet Attestation API

Posted by Oscar Rodriguez, Developer Advocate

The SafetyNet Attestation API helps you assess the security and compatibility of the Android environments in which your apps run. Since it was introduced in March 2015, many developers have successfully integrated it into their Android apps to make more informed decisions based on the integrity and compatibility of the devices running their apps.

Throughout the years, the SafetyNet Attestation API has evolved, and its adoption has steadily increased. However, as with any security/anti-abuse related API, there are many common pitfalls that may lead developers into developing unstable systems, or worse, into a false sense of security.

In this post, we provide a list of the most common mistakes we have seen developers make when integrating the SafetyNet Attestation API.

1. Not getting an API key

Just like many other Google APIs, the SafetyNet Attestation API requires an API key in order to run. Furthermore, the SafetyNet Attestation API has a per-key usage quota. Although you can get this quota increased, you need to provide your API key to do so.

Getting an API key is easy and free of charge. There is no reason not to get an API key, so if you haven't already, get an API key now.

2. Not using the latest version of the API

The SafetyNet Attestation API has evolved throughout its history, and with it, there have been some interface changes. Most recently, with the release of Google Play services 11.0.0, we revamped the entire SafetyNet API to offer an interface that is easier and more streamlined to use: the new API uses SafetyNetClient instead of SafetyNetApi, which is now deprecated, so make sure you update your implementation to use the latest version of the API.

Most devices should have the latest version of Google Play services installed, but if a device doesn't have Google Play services installed, or doesn't have it up to date, using the SafetyNet Attestation API may lead to the app becoming unresponsive or crashing. You can prevent this by checking the installed version of Google Play services before using the API.

3. Using nonces incorrectly

The SafetyNet Attestation API lets you set a nonce to uniquely and globally identify each call to the API. Use this feature to prevent a malicious user from reusing a successful attestation result in place of an unsuccessful result (also known as a Replay Attack).

One good way to create a nonce is to create a large (16 bytes or longer) random number on your server using a cryptographically-secure random function. The SafetyNet attestation response includes the nonce you set, so make sure you verify that the returned nonce matches the one you included in the request you made.

4. Not checking the results on your server

SafetyNet can provide useful signals about the state of the device in which your app is running. However, if the logic that acts on these signals is only implemented and enforced directly on the device, an attacker could be able to modify your app and bypass any checks you perform.

To prevent this situation, you should run any logic that verifies the attestation result and enforces any actions based on them on a server that you control and trust.

5. Using the test attestation verification service for production

In order to simplify development and testing of the SafetyNet Attestation API, Google offers an online verification service that checks the digital signature of a SafetyNet Attestation result using a simple HTTPS request.

As useful as this service may seem, it is designed for test purposes only, and it has very strict usage quotas that will not be increased upon request. Instead, you should implement the digital signature verification logic on your server in a way that it doesn't depend on Google's servers. Most JWT libraries offer signature verification functionality, and we have code samples that show how to perform this verification in Java and C#. We plan to provide samples for more languages in the future.

6. Not checking the nonce, timestamp, APK name, and hashes

The SafetyNet Attestation API is most widely known for its integrity and compatibility checks, whose results are returned in ctsProfileMatch and basicIntegrity. Although these two values are indeed very useful, you should check the other values in the response, as they contain important information as well.

Use nonce to match a response to its request, as explained above, and use timestampMs to check how much time has passed since you made the request and you got the response. A delayed response that arrives several hours or days after the request may suggest suspicious activity.

Use apkPackageName to check the name of the APK that made the attestation request, and match apkDigestSha256 and apkCertificateDigestSha256 to those from your app's signed APK in Google Play, to get a signal about the integrity of the installed app.

Remember that the trustworthiness of the response as a whole is tied to the results of ctsProfileMatch and basicIntegrity. It is not unthinkable for a compromised device that fails basicIntegrity to have forged the rest of the values in the response.

7. Not understanding the differences between ctsProfileMatch and basicIntegrity

The SafetyNet Attestation API initially provided a single value called basicIntegrity to help developers determine the integrity of a device. As the API evolved, we introduced a new, stricter check whose results appear in a value called ctsProfileMatch, which allows developers to more finely evaluate the devices on which their app is running.

In broad terms, basicIntegrity gives you a signal about the general integrity of the device and its API. Rooted devices fail basicIntegrity, as do emulators, virtual devices, and devices with signs of tampering, such as API hooks.

On the other hand, ctsProfileMatch gives you a much stricter signal about the compatibility of the device. Only unmodified devices that have been certified by Google can pass ctsProfileMatch. Devices that will fail ctsProfileMatch include the following:

  • Devices that fail basicIntegrity
  • Devices with an unlocked bootloader
  • Devices with a custom system image (custom ROM)
  • Devices for which the manufactured didn't apply for, or pass, Google certification
  • Devices with a system image built directly from the Android Open Source Program source files
  • Devices with a system image distributed as part of a beta or developer preview program (including the Android Beta Program)

8. Not having a strategy for timing attestation checks

The SafetyNet Attestation API gives you a snapshot of the state of a device at the moment when the attestation request was made. A successful attestation doesn't necessarily mean that the device would have passed attestation in the past, or that it will in the future.

Because an attestation is just a spot check, you should plan a sensible strategy for choosing when to make attestation requests. You may choose to require successful attestations before users make in-app purchases, after a certain number of days have passed since the last successful attestation, each time your app is launched, after every reboot, or any other strategy that makes sense for your app.

Keep in mind that an attestation request is computationally expensive, consumes battery and bandwidth, and uses your quota. We recommend you plan a strategy to use the least amount of attestations required to satisfy your use case.

9. Using the SafetyNet Attestation API results as the only signal to attack abuse

It may be tempting to think that the SafetyNet Attestation API provides all the necessary signals for protecting an app against abusers, and use it as the only signal for building an anti-abuse system.

The SafetyNet Attestation API can only give signals about the state of a device, not the intent of a user, which is what an anti-abuse system should be designed to detect. Therefore, you might want to consider including other signals, such as access logs and behavioral patterns, to more accurately detect abusive users, and consider not blocking users solely on a failed attestation. Furthermore, there are many other conditions that cause an attestation to fail, such as network connection problems, quota issues, and other transient problems.

In other words, not all users who fail attestation are necessarily abusers, and not all abusers will necessarily fail attestation. By blocking users solely on their attestation results, you might be missing abusive users that don't fail attestations. Furthermore, you might also be blocking legitimate, loyal customers who fail attestations for reasons other than abuse.

10. Not monitoring and managing your usage quota

As mentioned before, the SafetyNet Attestation API is rate limited, and there is a default quota of 10,000 requests per day for each API key. Although this quota might be enough for most development, testing, and initial app launches, your app might reach the default limit as it increases in popularity.

To prevent inadvertently reaching your quota and getting attestation errors, you should build a system that monitors your usage of the API and warns you well before you reach your quota so you can get it increased. You should also be prepared to handle attestation failures because of an exceeded quota and avoid blocking all your users in this situation.

If you are close to reaching your quota, or expect a short-term spike that may lead you to exceed your quota, you can submit this form to request short or long-term increases to the quota for your API key. This process, as well as the additional quota, is free of charge.

Making Pixel better for Drivers

Posted by Marc Stogaitis and Tajinder Gadh, Software Engineers

Driving is an essential part of our daily activities. So at Google we spend a lot of time thinking how we can make Android devices better and safer for our users. How we can prevent distracted driving and together build an open ecosystem to enable safety first smartphone experiences.

Recently we launched Driving Do-Not-Disturb on the newly announced Pixel 2 generation of devices. Once enabled, Driving Do-Not-Disturb automatically puts your device into a do not disturb mode while driving. During this mode any incoming messages and notifications are silenced while you can still receive incoming calls, navigation directions and voice interactions using a connected Car bluetooth. The product is designed to limit distractions during driving while at the same time not getting in the way so users can continue to use navigation or other similar apps with minimal friction.

Behind the scenes, it uses AI powered on-device Activity Recognition that detects when a person is driving using low power signals from multiple sensors, bluetooth and WiFi. Activity Recognition uses the Android Sensor Hub to ensure low latency, low power and accurate driving detection.

This is a next step in our journey, but we are far from done. Early next year we are introducing the Activity Recognition Transition Api, which is the same Api used by Driving Do Not Disturb to build distraction-free driving experiences.

We appreciate the feedback, and will continue to listen to your feedback as the product evolves.

If you have questions about setting up the Driving Do-Not-Disturb, check out our Help Center.

Google and Ideas United Announce Infinite Deviation: Games Program Winners

Posted by Kate Brennan and Mathilde Cohen Solal, Google Play and Daraiha Greene, CS in Media

Google Play is committed to empowering new and existing voices in gaming. Earlier this year, we hosted the Indie Games Festival and sponsored the Girls Make Games summer camp. We also announced a collaboration between Infinite Deviation and Google Play.

Infinite Deviation is an initiative created by Google Computer Science (CS) in Media and Ideas United in order to tackle issues of representation in computer science. The collaboration between Google Play and Ideas United brought the Infinite Deviation program to gaming, called Infinite Deviation: Games. The program invited game designers from all backgrounds to pitch an original mobile game concept that resonates with underrepresented audiences.

Today we are excited to announce the three teams selected for the Infinite Deviation: Games development program.

A select panel of industry experts reviewed applications and chose the top three ideas. The judging panel included Colleen Macklin (Founder and Co-Director, PETLab), Jeremy Vanhoozer (Senior Creative Director, Plants vs Zombies), Molly Proffitt (CEO, Ker-Chunk Games), Shirin Laor-Raz Salemnia (Founder and CEO, PlayWerks), and Sarah Thomson (Global BD Lead, Indies, Google). These judges scored and delivered personal feedback for each submission, with the three highest scoring games moving into further development.

Here's a closer look at the three games we'll be funding and supporting development over the next six months:

Historic Gay Bar Tycoon

Mo Cohen & Maria Del Castillo Infantas - Queermo Games

Historic Gay Bar Tycoon (name pending) starts you off with a brand new queer bar in the 1920s. This game explores the role bars played in LGBT history. Will your bar survive revolutions, epidemics, and the rise of dating apps?

Queermo Games is pretty much what it sounds like: a scrappy and small indie game developing team just trying to make more LGBT games. Conveniently, they are also next door neighbors. Maria is a queer Latina who handles the art and the music, and Mo is a non-binary Jewish queer who tackles the programming and writing. Together, they also work on another longer-term project called Queer Quest with their buddy Hagen.

Burn Ban

Harrison Barton & Morgan Rowe - Pride Interactive

Burn Ban is an interactive visual novel in which you assume the role of Twig, a mentally ill queer girl. After showing destructive tendencies to cope with the death of a close friend, she is sent to Camp Sisquoc, a summer retreat for misguided students. After attending the camp for a few days, her dead friend's online social media page mysteriously starts posting again, and Twig and friends are set with determining the mystery behind the posts.

Pride Interactive is currently made up of two developers, Harrison Barton and Morgan Rowe. Pride Interactive was started as a student game team, and is now continuing on to develop independent projects. Pride Interactive endeavors to further their mission of creating a more diverse environment in the industry through games that deal with serious themes, and diverse character driven narratives.

Ghost in the Graveyard

Adnan Agha, Vivian Allum, and Armand Silvani - Ghost Stories

Ghost in the Graveyard is a story-driven mobile mystery game where you snoop through your missing brother's old phone to try and find him. "Can you find a missing person when all you have is their phone?"

Ghost Stories is a three member team from NYC with a mission to create genuine and unique experiences that connect with players. The team consists of Vivian, the lead designer and programmer, Armand, the artist and writer, and Adnan, the programmer and resident ghost. They've previously published a school project to the Xbox One and are thrilled to be able to work with Infinite Deviation to publish to Google Play.

You can find more information about the program at InfiniteDeviation.com/Games. Congratulations to the three winners and thanks to all the people who have entered the competition for their continuous work to push the boundaries of gaming design and providing a unique voice to the industry.

Announcing Architecture Components 1.0 Stable

Posted by Lukas Bergstrom, Product Manager, Android Developer Frameworks Team

Android runs on billions of devices, from high-end phones to airplane seatbacks. The Android OS manages resources aggressively to perform well on this huge range of devices, and sometimes that can make building robust apps complicated. To make it easier, we launched a preview of Architecture Components at Google I/O to provide guidance on app architecture, with libraries for common tasks like lifecycle management and data persistence. Together, these foundational components make it possible to write modular apps with less boilerplate code, so developers can focus on innovating instead of reinventing the wheel - and we hope to keep building on this foundation in the future.

Today we're happy to announce that the Room and Lifecycle Architecture Components libraries have reached 1.0 stable. These APIs are ready for production apps and libraries, and are our recommendation for developers looking for help with app architecture and local storage (although they're only recommended, not required.) Lifecycles are now also integrated with the Support Library, so you can use them with standard classes like AppCompatActivity.

Although we're declaring them stable today, the beta components are already used in apps that together, have billions of installs. Top developers, like Zappos, have been able to spend more time on what's important thanks to Architecture Components:

Prior to the release of Android Architecture Components we had our own ViewModel implementation. We used Loaders and Dependency Injection to persist our ViewModel through config changes. We recently switched to the Architecture Components ViewModel implementation and all that boilerplate went away. We found that we were able to spend more time on design, business logic and testing, and less on writing boilerplate or worrying about Android lifecycle issues.

We've also started to use LiveData which hooks directly into the Activity lifecycle. We use it to retrieve and display network data and no longer have to concern ourselves with ​network call subscription management. - David Henry, Android Software Engineer, Zappos

Architecture Components provide a simple, flexible and practical approach that frees developers from some common problems so they can focus on building great experiences. This is based on core building blocks tied together by guidance on app architecture.

Lifecycles

Every Android developer has to deal with the operating system starting, stopping and destroying their Activities. That means managing the state of components - such as observables used to update UI - as you move through the lifecycle. Lifecycles enables the creation of lifecycle-aware components that manage their own lifecycles, reducing the possibility of leaks or crashes. The Lifecycle library is the foundation for other Architecture Components like LiveData.

LiveData

LiveData is a lifecycle-aware observable that holds data and provides updates. Your UI code subscribes to changes and provides LiveData a reference to its Lifecycle. Because LiveData is lifecycle-aware, it provides updates when its Lifecycle is started or resumed, but stops providing updates when the LifecycleOwner is destroyed. LiveData is a simple way to build reactive UIs that are safer and more performant.

ViewModel

ViewModel separates ownership of view data and logic from lifecycle-bound entities like Activities and Fragments. A ViewModel is retained until its associated Activity or Fragment is disposed of forever - that means view data survives events like a Fragment being recreated due to rotation. ViewModels not only eliminate common lifecycle issues, they help build UIs that are more modular and easier to test.

Room

Nearly all apps need to store data locally. While Android has bundled SQLite with the platform since version 1, using it directly can be painful. Room is a simple object-mapping layer that provides the full power of SQlite with less boilerplate. Features like compile-time query verification and built-in migration make it easier to build a robust persistence layer, while integration with LiveData lets Room provide database-backed, lifecycle-aware observables. Room blends of simplicity, power and robustness for managing local storage, and we hope you give it a try.

Guide to App Architecture and more

Last but not least, we created a Guide to App Architecture that provides core principles applicable to all developers, and specific guidance on using Architecture Components together. Because we've heard from you that clear and consistent guidance is important, today we're updating developer documentation to point to Architecture Components where appropriate. We also have a rich set of videos, codelabs and sample apps available at the Architecture Components site, with more to come.

Watch this space

Although the first set of Architecture Components is now stable, we know there's more work to do. Over the last few months, we've listened to your feedback and made improvements. We also recently launched a new Architecture Component, PagedList, to alpha, in response to your feedback that handling large datasets with RecyclerView is too difficult. This is just the beginning - we have more major components under development that we're looking to announce in the upcoming months.

Our hope with Architecture Components is to free developers to focus on providing unique new experiences for mobile devices. We're glad we can finally announce them as stable for production use. We'd like to thank the community, which has given such great feedback along the way, and we look forward to continuing the discussion in the comments of this post. Finally, for those of you who've been waiting for this stable launch, get started today.

Update on Kotlin for Android

Posted by James Lau, Product Manager (twitter.com/jmslau)

Today is the beginning of KotlinConf. It's been almost 6 months since we announced Kotlin as a first-class language for Android at Google I/O. During this period, the number of apps on Google Play using Kotlin has more than doubled. More than 17% of the projects in Android Studio 3.0 are now using Kotlin. We are really excited about the strong momentum, and we are thrilled that Android developers all over the world are discovering the joy of Kotlin programming.

Kotlin for Android is production-ready. From startups to Fortune 500 companies, developers are already using Kotlin to build their apps. Developers from Pinterest, to Expedia, to Basecamp -- and many others -- are finding their use of Kotlin is increasing productivity and their overall developer happiness levels. Take a look at some of their experiences with Kotlin below.

With the recent release of Android Studio 3.0, there is now a stable version of our IDE that has Kotlin support built-in. With Support Library 27, we have started adding nullability annotations to make the APIs friendlier to use in Kotlin. We recently published the Android Kotlin Guides on GitHub to provide some guidance for Android Kotlin style and interop. We have also been porting some of our Android samples to Kotlin, and we are adding Kotlin to our official documentation.

Android Studio 3.0

Last week, we released Android Studio 3.0 on the stable channel. This is the first stable release of Android Studio that has Kotlin support built-in. Building on the strength of IntelliJ's Kotlin support, many critical IDE features like code completion and syntax highlighting work well for Kotlin. You can choose to convert Java code to Kotlin by using CodeConvert Java File to Kotlin File, or you can convert snippets of code just by pasting Java code into a Kotlin file.

Project and code templates have also been updated with Kotlin support. When you create a new project or add a new code file, you can choose Kotlin as one of the language options.

The tooling experience with Kotlin is by no means perfect yet. We are aware of several known issues, and we will continue to improve the IDE support for Kotlin in future releases.

Android Kotlin Guides

There are two separate Android Kotlin Guides:

  1. Style guide - details a set of rules and coding standards that Google recommends when writing Kotlin for Android. The guide addresses naming conventions, formatting, structure of the source contents, and much more.
  2. Interop guide - provides a set of rules for creating APIs in the Java and Kotlin programming languages, so that the consuming code in the other language will feel idiomatic.

We intend these guides to be living documents and will evolve them over time. They are hosted on GitHub and we welcome your contributions.

Nullability Annotations

Null-safety is an important feature of the Kotlin language. It helps developers avoid NullPointerExceptions and improves the quality of their apps. Null-safety is a bit more complicated when using Java code from Kotlin. Since any reference in Java may be null, Kotlin's requirement for strict null-safety becomes impractical for Java objects. Types declared in Java that do not contain nullability annotations are called platform types - this means the Kotlin compiler does not know whether it is nullable or not. When calling methods with variables of platform types, the Kotlin compiler relaxes null-safety checks. That means the overall null-safety of your app is weakened.

To let developers take more advantage of Kotlin's strict null-safety, we have started adding nullability annotations in Support Library 27. The Support Library contains a huge API surface area, and we will continue to expand the nullability annotation coverage in the next several releases. In addition, we will also be adding nullability annotations to other Android APIs over time.

While the Kotlin adoption growth is fantastic, our commitment to the Java and C++ programming languages remains unchanged. We've added Java 8 language features support in Android Studio 3.0, and we've added more Java 8 language APIs in Android Oreo. We are also continuing to improve our support for C++17 in the NDK. So even if you are not using Kotlin, your language support will continue to improve.

It's an exciting time to be an Android developer. If you haven't had a chance to try Kotlin, you can get started by learning the basic syntax and by playing with the excellent Kotlin Koans. When you are ready to use Kotlin in your Android app, you can jump to the Android Kotlin page for more resources. With Kotlin's Java interoperability and Android Studio's Java to Kotlin converter, it's easy to start using Kotlin in your project.

Happy Kotlin-ing!

Announcing Fast Pair – effortless Bluetooth pairing for Android

Posted by Ritesh Nayak M and Ronald Ho, Product Managers

Today we're announcing Fast Pair, a hassle-free process to pair your Bluetooth devices on all supported Android devices running Google Play services 11.7+ with compatibility back to Marshmallow (Android 6.0). Fast Pair makes discovery & pairing of Bluetooth devices easy and is currently rolling out to Android 6.0+ devices. You can try this out with Google Pixel Buds or Libratone's Q Adapt On-Ear, and soon on Plantronics Voyager 8200 series wireless headsets.

Ease of use, speed and security are the design principles driving the Fast Pair specification. Fast Pair uses BLE (Bluetooth Low Energy) for advertising and discovery and uses classic Bluetooth for pairing. Here's what a Fast Pair flow looks like:

  1. Turn on a Fast Pair-enabled device and put it in pairing mode.
    • Android scans for BLE broadcasts in close proximity of the user's phone and discovers a Fast Pair packet (provided Bluetooth and Location is turned on).
    • This packet is sent to our servers to get back the device's product image, product name and companion app (if there is one).
  2. The user receives a high priority notification asking them to "Tap to pair" to the device. The notification contains the product name and image.
  3. When the user taps on the notification, we use classic Bluetooth to establish a connection.
  4. A success notification is shown which contains a link to download the companion app (if there is one).

Imagine doing all of this without ever fumbling with Bluetooth settings. Users get a seamless and secure pairing experience and confidence that they're connecting to the right product. Manufacturers get their brand, device name and companion app in front of the users.

Thanks to a couple of our partners who have been instrumental in prototyping and testing this spec, and whose feedback has been invaluable to the Fast Pair effort. If you are a Bluetooth accessory manufacturer and want to adopt Fast Pair for your device, please reach out to us.

Plantronics is an audio pioneer and a global leader in the communications industry. From Unified Communications and customer service ecosystems, to data analytics and Bluetooth headsets, Plantronics delivers high-quality communications solutions that customers count on today, while relentlessly innovating on behalf of their future. For more information visit plantronics.com

Libratone is on a mission to liberate sound and to expand peoples' experiences with music in the era of streaming. Founded in 2009 in Denmark, Libratone is one of the first audio companies to consider the aesthetics of speakers – to move them out of the corner of the room and into the center and onward, for the consumer on the move. For more information visit libratone.com

GNSS Analysis Tools from Google

Posted by Frank van Diggelen, Software Engineer

Last year in Android Nougat, we introduced APIs for retrieving Global Navigation Satellite System (GNSS) Raw measurements from Android devices. This past week, we publicly released GNSS Analysis Tools to process and analyze these measurements.

Android powers over 2 billion devices, and Android phones are made by many different manufacturers. The primary intent of these tools is to enable device manufacturers to see in detail how well the GNSS receivers are working in each particular device design, and thus improve the design and GNSS performance in their devices. However, with the tools publicly available, there is also significant value to the research and app developer community.

How to use the tool

The GNSS Analysis Tool is a desktop application that takes in raw the GNSS Measurements logged from your Android device as input.

This desktop application provides interactive plots, organized into three columns showing the behavior of the RF, Clock, and Measurements. This data allows you to see the behavior of the GNSS receiver in great detail, including receiver clock offset and drift to the order of 1 nanosecond and 1 ppb and measurement errors on a satellite-by-satellite basis. This allows you to do sophisticated analysis at a level that, until now, was almost inaccessible to anyone but the chip manufacturers themselves.

The tools support multi-constellation (GPS, GLONASS, Galileo, BeiDou and QZSS) and multi-frequency. The image below shows the satellite locations for L1, L5, E1 and E5 signals tracked by a dual frequency chip.

The tools provide an interactive control screen from which you can manipulate the plots, shown below. From this control screen, you can change the background color, enable the Menu Bars for printing or saving, and select specific satellites for the plots.

Receiver test report

The tools also provide automatic test reports of receivers. Click "Make Report" to automatically create the test report. The report evaluates the API implementation, Received Signal, Clock behavior, and Measurement accuracy. In each case it will report PASS or FAIL based on the performance against known good benchmarks. This test report is primarily meant for the device manufacturers to use as they iterate on the design and implementation of a new device. A sample report is shown below.

Our goal with providing these Analysis Tools is to empower device manufacturers, researchers, and developers with data and knowledge to make Android even better for our customers. You can visit the GNSS Measurement site to learn more and download this application.

Android 8.1 Developer Preview

Posted by Dave Burke, VP of Engineering

Today we're giving you an early look at Android 8.1. This update to Android Oreo includes a set of targeted enhancements including optimizations for Android Go (for devices with 1GB or less of memory) and a new Neural Networks API to accelerate on-device machine intelligence. We've also included a few smaller enhancements to Oreo in response to user and developer feedback.

We're bringing you this Developer Preview so you can get your apps ready; we've already been helping device makers prepare for this new version. We recommend starting soon -- we're expecting the final public version in December.

It's easy to get Android 8.1 Developer Preview on your Pixel or Nexus device. Just enroll in the Android Beta Program -- you'll soon receive an over-the-air update to Android 8.1 beta. If you enrolled previously, you're all set, there's no need to re-enroll. The Developer Preview will be available for Pixel 2 and Pixel 2 XL devices, as well as for Pixel, Pixel XL, Pixel C, Nexus 5X, Nexus 6P, and the Android emulator.

What's in Android 8.1?

Android 8.1 includes select new features and developer APIs (API level 27), along with the latest optimizations, bug fixes, and security patches. Some of the new APIs include:

  • Android Go memory optimizations and targeting -- Android 8.1 includes a set of memory optimizations for Android Go configurations (1GB or less of memory). We've added new hardware feature constants so you can now target the distribution of your apps and APK splits to normal or low-RAM devices running Android 8.1 and later.
  • Neural Networks API -- as part of our efforts to bring machine intelligence to Android, we've added a Neural Networks API via the NDK. It enables hardware-accelerated inference operations on supported devices. We designed the Neural Networks API as a foundational layer for ML frameworks like TensorFlow Lite -- Google's upcoming cross-platform ML framework for mobile -- as well as Caffe2 and others. Stay tuned for TensorFlow Lite announcements.
  • Autofill enhancements -- we've made it easier for password managers and other Autofill services to use the Autofill framework. For example, we've added support for more UI customization of the Save dialog, as well as setAutofillOptions() for users to set credit card expiration using a spinner.
  • Shared memory API -- this new API lets apps allocate shared memory for faster access to common data. Apps can map anonymous shared memory and manage protection controls using the SharedMemory API. The API is parcelable, AIDL friendly, and exposes useful features like removing write permissions.

Take a look at Android 8.1 site for more information, including the diff report and updated API reference docs.

Test your apps on Android 8.1

With the consumer launch coming in December, it's important to test your current app now. This gives users a seamless transition to Android 8.1 when it arrives on their devices.

Just enroll your eligible device in Android Beta to get the latest update, then install your app from Google Play and test. If you don't have a Pixel or Nexus device, you can set up an Android 8.1 emulator for testing instead. If you notice any issues, fix them and update your app in Google Play right away -- without changing the app's platform targeting.

Build with new features and APIs

When you're ready, take advantage of the new features and APIs in Android 8.1, which we've already finalized as API Level 27. For an overview of what's new, take a look at Android 8.1 for Developers. You can also extend your apps with established Android Oreo features as well, see the Android Oreo site for details.

If your app uses forms, make sure to test them with autofill so that users can take advantage of this convenient feature. Enable "Autofill with Google" or a similar service in Settings and test the form fills to make sure they work as expected. We strongly recommend providing explicit hints about your fields, and also associating your website and mobile app, so that logins can be shared between them.

If your app uses the Camera2 API and you have a Pixel 2 device, you can try an early version of Pixel Visual Core, Google's first custom-designed co-processor for image processing and machine learning on consumer products. To begin testing HDR+ through Pixel Visual Core, just enable the new developer option "Camera HAL HDR+" (and make sure that CONTROL_ENABLE_ZSL is "true").

Speed your development with Android Studio

To build with Android 8.1, we recommend updating to Android Studio 3.0, which is now available from the stable channel. On top of the new app performance profiling tools, support for the Kotlin programming language, and Gradle build optimizations, Android Studio 3.0 makes it easier to develop with Android Oreo features like Instant Apps, XML Fonts, downloadable fonts, and adaptive icons.

We also recommend updating to the Android Support Library 27.0.0, which is available from Google's Maven repository. New in this version are: a ContentPager library for efficiently loading "paged" data on a background thread; ViewCompat wrappers for Autofill methods; an AmbientMode headless fragment that improves Wear ambient mode support, fullscreen Trusted Web Activities, and more. See the version notes for more information.

You can update your project's compileSdkVersion to API 27 to compile against the official Android 8.1 APIs. We also recommend updating your app's targetSdkVersion to API 27 to test with compatibility behaviors disabled. See the this guide for details on how to set up your environment to build with Android 8.1.

Publish your updates to Google Play

The Android 8.1 APIs are already final, so we've opened Google Play for apps compiled against or targeting API level 27. When you're ready, you can publish your APK updates in your alpha, beta, or production channels. Make sure that your updated app runs well on Android 8.1 as well as older versions. We recommend using Google Play's beta testing feature to run an alpha test on small group of users, then run a much larger open beta test. When you're ready to launch your update, you can use a staged rollout. We're looking forward to seeing your app updates!

Give us your feedback!

As always, your feedback is crucial, so please let us know what you think. We've set up different hotlists where you report Android platform and tools issues, app compatibility issues, and third-party SDKs and tools issues. We also have a new hotlist for Neural Networks API issues.

You can also give us feedback through the Android Developer community or Android Beta community as we work towards the consumer release in December.

Android Studio 3.0

Posted by Jamal Eason, Product Manager, Android

Android Studio 3.0 is ready to download today. Announced at Google I/O 2017, Android Studio 3.0 is a large update focused on accelerating your app development on Android.

This release of Android Studio is packed with many new updates, but there are three major feature areas you do not want to miss, including: a new suite of app profiling tools to quickly diagnose performance issues, support for the Kotlin programming language, and a new set of tools and wizards to accelerate your development on the latest Android Oreo APIs.

We also invested time in improving stability and performance across many areas of Android Studio. Thanks to your feedback during the preview versions of Android Studio 3.0! If you are looking for high stability, want to build high quality apps for Android Oreo, develop with the Kotlin language, or use the latest in Android app performance tools, then you should download Android Studio 3.0 today.

Check out the the list of new features in Android Studio 3.0 below, organized by key developer flows.

What’s new in Android Studio 3.0

Develop

  • Kotlin Programming Language - As announced at Google I/O 2017, the Kotlin programming language is now officially supported for Android development. Kotlin is an expressive and concise language that is interoperable with existing Android languages and runtimes, which means you can use as little or as much of the language in your app as you want. Kotlin is a production-ready language used by many popular Android apps on Google Play today.

    This release of Android Studio is the first milestone of bundles the Kotlin language support inside the IDE. Many of your favorite features such as code completion and syntax highlighting work well this release and we will continue to improve the remaining editor features in upcoming release. You can choose to add Kotlin to your project using the built-in conversion tool found under CodeConvert Java File to Kotlin File, or create a Kotlin enabled project with the New Project Wizard. Lean more about Kotlin language support in Android Studio.

Kotlin Language Conversion in Android Studio

  • Java 8 Language features - In Android Studio 3.0, we are continuing to improve the support for Java 8 language features. With the migration to a javac based toolchain, using Java 8 language features in your project is even easier. To update your project to support the new Java 8 Language toolchain, simply update your Source and Target compatibility levels to 1.8 in the Project Structure dialog. Learn more.
  • Layout Editor - The component tree in the Layout Editor has with better drag-and-drop view insertions, and a new error panel. Learn more.
  • Adaptive Icon Wizard - The new wizard creates a set of launcher icon assets and provides previews of how your adaptive icon will look with different launcher screen icon masks. Support for VectorDrawable layers is new for this release. Learn more.
  • XML Fonts & Downloadable Fonts - If you target Android Oreo (API Level 26 and higher) for your Android app, you can now add custom fonts & downloadable fonts using XML with Android Studio 3.0.
  • Android Things Support - Android Studio 3.0 includes a new set of templates in the New Project wizard and the New Module wizard to develop for the Android Things platform. Learn more.
  • IntelliJ Platform Update: Android Studio 3.0 includes the IntelliJ 2017.1 release, which has features such as Java 8 language refactoring, parameter hints, semantic highlighting, draggable breakpoints, enhanced version control search, and more. Learn more.

Build

  • Build Speed Improvements - To further improve the speed of Gradle for larger scale projects with many modules, we introduced a rare breaking API change in the Android Gradle Plugin to improve scalability and build times. This change is one of reasons we jumped version numbers from Android Studio 2.4 to 3.0. If you depend on APIs provided by the previous Gradle plugin you should validate compatibility with the new plugin and migrate to the new APIs. To test, update the plugin version in your build.gradle file. Learn more.
  • Google's Maven Repository - To facilitate smaller and faster updates, Android Studio 3.0 utilizes Google's Maven Repository by default instead of using the Android SDK Manager to find updates to Android Support Library, Google Play Services, and Firebase Maven dependencies. Used in combination with the latest command line SDK Manager tool and Gradle, Continuous Integration builds should migrate to Google's Maven Repository for future Maven repository updates. Learn more.

Test & Debug

  • Google Play System Images - We also updated the emulator system images for Android Oreo to now include the Google Play Store. Bundling in the Google Play store allows you to do end-to-end testing of apps with Google Play, and provides a convenient way to keep Google Play services up-to-date in your Android Virtual Device (AVD). Just as Google Play services updates on physical devices, you can trigger the same updates on your AVDs.
    Google Play Store in Android Emulator

    To ensure app security and a consistent experience with physical devices, the emulator system images with the Google Play store included are signed with a release key. This means you will not be able to get elevated privileges. If you require elevated privileges (root) to aid with your app troubleshooting, you can use the Android Open Source Project (AOSP) emulator system images that do not include Google apps or services. Learn more.

  • OpenGL ES 3.0 Support in Android Emulator - The latest version of the Android Emulator has OpenGL ES 3.0 support for Android Oreo system images along with significant improvements in OpenGL ES 2.0 graphics performance for older emulator system images. Learn more.
  • App Bug Reporter in Android Emulator - To help in documenting bugs in your app, we have added an easier way to generate a bug report with the Android Emulator with all the necessary configuration settings and space to capture your repro steps. Learn more.
  • Proxy Support in Android - If you use a proxy to access the Internet, we have added a user interface to manage the HTTP proxy settings used by the emulator. Lean more.
  • Android Emulator Quick Boot (Canary) - One of the most common pain points we hear is that the emulator takes too long to boot. To address this concern, we are excited to preview a new feature to solve this called Quick Boot, which significantly speeds up your emulator start time. Once enabled, the first time you start an AVD a cold boot will occur (just like powering on a device), but all subsequent starts are fast and the system is restored to the state at which you closed the emulator (similar to waking a device). If you want to try it out, ensure you are on the canary update release channel and then you will find v26.2.0 of the Android Emulator in the SDK Manager. Learn more.
  • APK Debugging - Android Studio 3.0 allows you to debug an arbitrary APK. This functionally is especially helpful for those who develop your Android C++ code in another IDE, but want to debug and analyze the APK in the context of Android Studio. As long as you have a debuggable version of your APK, you can use the new APK Debugging features to analyze, profile & debug the APK. Moreover, if you have access to the sources of your APK, you can link the source to the APK debugging flow for a higher fidelity debugging process. Get started by simply selecting Profile or debug APK from the Android Studio Welcome Screen or File → Profile or debug APK. Learn More.
APK Debugging
  • Layout Inspector - In this release we have added a few additional enhancements for the Layout Inspector including better grouping of properties into common categories, as well as search functionality in both the View Tree and Properties Panels. Learn more.
  • Device File Explorer - The new Device File Explorer in Android Studio 3.0 allows you to view the file and directory structure of your Android device or emulator. As you are testing your app, you can now quickly preview and modify app data files directly in Android Studio. Learn more.
  • Android Test Orchestrator Support - When used with AndroidJUnitRunner 1.0 or higher, the Android Gradle plugin 3.0 supports the use of the Android Test Orchestrator. The Android Test Orchestrator allows each of your app's tests to run within its own Instrumentation. Learn more.

Optimize

  • Android Profiler - Android Studio 3.0 includes a brand new suite of tools to help debug performance problems in your app. We completely rewrote the previous set of Android Monitor tools, and replaced them with the Android Profiler. Once you deploy your app to a running device or emulator, click on the Android Profiler tab and you will now have access to a real-time & unified view of the CPU, Memory, & Network activity for your app. Each of the performance events are mapped to the UI event timeline which highlights touch events, key presses, and activity changes so that you have more context on when and why a certain event happened. Click on each timeline to dig into each performance aspect of your app. Learn more.
Android Profiler - Combined timeline view.

CPU Profiler
Memory Profiler
Network Profiler
  • APK Analyzer Improvements - We also updated APK Analyzer with additional enhancements to help you further optimize the size of your APK. Learn more.

To recap, Android Studio 3.0 includes these new major features:

Develop

Build

Optimize

Check out the release notes for more details.

Getting Started

Download

Test & Debug

If you are using a previous version of Android Studio, you can upgrade to Android Studio 3.0 today or you can download the update from the official Android Studio Preview download page. As mentioned in this blog, there are some breaking Gradle Plugin API changes to support new features in the IDE. Therefore, you should also update your Android Gradle plugin version to 3.0.0 in your current project to test and validate your app project setup.

We appreciate any feedback on things you like, issues or features you would like to see. If you find a bug or issue, feel free to file an issue. Connect with us -- the Android Studio development team ‐ on our Google+ page or on Twitter

Playtime 2017: Find success on Google Play and grow your business with new Play Console features


Posted by Vineet Buch, Director of Product Management, Google Play Apps & Games
Today we kicked off our annual global Playtime series with back-to-back events in Berlin and San Francisco. Over the next month, we’ll be hearing from many app and game developers in cities around the world. It has been an amazing 2017 for developers on Google Play, there are now more than 8 billion new installs per month globally.

To help you continue to take advantage of this opportunity, we're announcing innovations on Google Play and new features in the Play Console. Follow us on Medium where presenters will be posting their strategies, best practices, and examples to help you achieve your business objectives. As Google Play continues to grow rapidly, we want to help people understand our business. That's why we're also publishing the State of Play 2017 report that will be updated annually to help you stay informed about our progress and how we’re helping developers succeed.

Apps and games on Google Play bring your devices to life, whether they're phones and tablets, Wear devices, TVs, Daydream, or Chromebooks like the new Google Pixelbook. We're making it even easier for people to discover and re-engage with great content on the Play Store.



Recognizing the best

We're investing in curation and editorial to showcase the highest quality apps and games we love. The revamped Editors' Choice is now live in 17 countries and Android Excellence recently welcomed new apps and games. We also continue to celebrate and support indie games, recently announcing winners of the Indie Games Festival in San Francisco and opening the second Indie Games Contest in Europe for nominations.



Discovering great games

We've launched an improved home for games with trailers and screenshots of gameplay and two new browse destinations are coming soon, 'New' (for upcoming and trending games) and 'Premium' (for paid games).



Going beyond installs

We’re showing reminders to try games you’ve recently installed and we’re expanding our successful ‘live operations’ banners on the Play Store, telling you about major in-game events in popular games you’ve got on your device. We're also excited to integrate Android Instant Apps with a 'Try it Now' button on store listings. With a single tap, people can jump right into the app experience without installing.

The new games experience on Google Play

The Google Play Console offers tools which help you and your team members at every step of an app’s lifecycle. Use the Play Console to improve app quality, manage releases with confidence, and increase business performance.



Focus on quality

Android vitals were introduced at I/O 2017 and already 65% of top developers are using the dashboard to understand their app's performance. We're adding five new Android vitals and increasing device coverage to help you address issues relating to battery consumption, crashes, and render time. Better performing apps are favored by Google Play's search and discovery algorithms.
We're improving pre-launch reports and enabling them for all developers with no need to opt-in. When you upload an alpha or beta APK, we'll automatically install and test your app on physical, popular devices powered by Firebase Test Lab. The report will tell you about crashes, display issues, security vulnerabilities, and now, performance issues encountered.
When you install a new app, you expect it to open and perform normally. To ensure people installing apps and games from Google Play have a positive experience and developers benefit from being part of a trusted ecosystem, we are introducing a policy to disallow apps which consistently exhibit broken experiences on the majority of devices such as​ crashing,​ closing,​ ​freezing,​ ​or​ ​otherwise​ ​functioning​ ​abnormally. Learn more in the policy center.



Release with confidence

Beta testing lets trusted users try your app or game before it goes to production so you can iterate on your ideas and gather feedback. You can now target alpha and beta tests to specific countries. This allows you to, for example, beta test in a country you're about to launch in, while people in other countries receive your production app. We'll be bringing country-targeting to staged rollouts soon.
We've also made improvements to the device catalog. Over 66% of top developers are using the catalog to ensure they provide a great user experience on the widest range of devices. You can now save device searches and see why a specific device doesn't support your app. Navigate to the device catalog and review the terms of service to get started.



Grow your subscriptions business

At I/O 2017 we announced that both the number of subscribers on Play and the subscriptions business revenue doubled in the preceding year. We're making it easier to setup and manage your subscription service with the Play Billing Library and, soon, new test instruments to simplify testing your flows for successful and unsuccessful payments.
We're helping you acquire and retain more subscribers. You can offer shorter free trials, at a minimum of three days, and we will now enforce one free trial at the app level to reduce the potential for abuse. You can opt-in to receive notifications when someone cancels their subscription and we're making it easier for people to restore a canceled subscription. Account hold is now generally available, where you can block access to your service while we get a user to fix a renewal payment issue. Finally, from January 2018 we're also updating our transaction fee for subscribers who are retained for more than 12 months.



Announcing the Google Play Security Reward Program

At Google, we have long enjoyed a close relationship with the security research community. Today we're introducing the Google Play Security Reward Program to incentivize security research into popular Android apps, including Google's own apps. The program will help us find vulnerabilities and notify developers via security recommendations on how to fix them. We hope to bring the success we have with our other reward programs, and we invite developers and the research community to work together with us on proactively improving Google Play ecosystem's security.



Stay up to date with Google Play news and tips




Opt in to emails from Google Play



Follow @GooglePlayDev on Twitter



Google Play Apps & Games on Medium



Google Play Apps & Games on LinkedIn




How useful did you find this blogpost?