加载中...

25 April 2013

Tablet Optimization Tips in the Google Play Developer Console

Posted by Ellie Powers, Google Play team

Last week we updated our guidelines for making great tablet apps and added the ability to upload tablet screenshots that are shown preferentially in Google Play to users on those devices. Today we’re introducing a new Optimization Tips page in the Google Play Developer Console that lets you quickly see how your app is doing against basic guidelines for tablet app distribution and quality.

When you upload an app, the Developer Console now runs a series of checks to verify basic criteria from the Tablet App Quality Checklist and shows you any issues it finds in the Optimization Tips page.

If you’re developing for tablets, make sure to visit your Optimization Tips page to ensure that your app is delivering a great tablet experience. If there are any issues listed, we recommend addressing them in your app as soon as possible and uploading a new binary for distribution, if needed.

For ideas on how to design and build a great tablet app, including details on how to address issues listed in your Optimization Tips page, check out the Tablet App Quality Checklist. Remember that a great tablet experience goes well beyond these basic checks. Keep working to bring your tablet users the most polished UI and richest content possible.

Posted by at Links to this post
Labels: , ,

16 April 2013

Update on Tablet App Guidelines and Screenshots

Posted by Ellie Powers, Google Play team

More and more, developers are investing in a full tablet experience for their apps and seeing those investments pay off big. Starting today, it’s even easier to show off those tablet apps to users and to understand what it takes to make a great tablet app.

Many of you have already made optimizations to your apps to make them more beautiful and useful on tablets, and we’re giving you a way to showcase your application’s specialized tablet layouts. You’re now able to upload screenshots of your app running on 7” and 10” tablets to the Google Play Developer Console, and those screenshots are shown preferentially in Google Play to users on those devices.

In October, we published the tablet app quality checklist, which shares best practices for creating tablet applications that users will love. We've updated this checklist with additional tips and guidelines, as well as more details on specific technical checks you should perform to ensure your app is correctly optimized for tablets. Soon, we’ll start surfacing tips based on our tablet app quality guidelines directly in the Google Play Developer Console, and we’ll use these guidelines to help users better discover tablet apps in Google Play.

So upload your tablet screenshots and confirm your app follows the quality guidelines today.

Posted by at Links to this post
Labels: ,

09 April 2013

New Look, New Purchase Flow in Google Play

Posted by Purnima Kochikar, Director of Business Development, Games & Applications

Today we announced that a new version of the Google Play Store app is rolling out worldwide to Android phones and tablets. This new app brings a redesigned UI that’s easier to use and showcases more great content for users. For developers, the new app offers more ways for your app to get noticed, as well as a new, simpler purchase flow.

The new UI is simple and easier to browse. Collections are front and center on the homepage, helping users discover great content through recommendations and curated lists. Items in collections are now presented as cards, with a larger area for your app’s graphics and a larger touch target for users. Overall, the homepage surfaces more apps than before and highlights them more effectively right on the page.

Most important for apps that sell in-app products, the new UI offers a dramatically simplified, dialog-based purchase flow that lets users buy your products without leaving the context of the app. Your app remains active and visible behind the purchase dialogs. When the purchase is complete, users return directly to the place they left, without your app having to reconstruct its state. It’s especially powerful when combined with In-app Billing v3, providing a faster and more reliable purchase flow.

All of these changes build on the core features of Google Play. Our editorial team will continue to look for exemplary apps to showcase in Editors’ Choice and other collections, and our familiar top lists will continue to track the market performance of your app on an ongoing basis.

Watch for the new Play Store app (version 4.0.25) coming to your devices soon. The rollout has already started and we expect all devices running Android 2.2 or higher to have received the update over the next few weeks.

Posted by at Links to this post
Labels:

12 March 2013

Now is the time to switch to the new Google Play Developer Console

Posted by Ellie Powers, Google Play team

The new Google Play Developer Console is out of preview and is the default experience. In addition to offering all of the functionality of the old version, the new version features a streamlined publishing flow, store listings in more languages with language-specific graphics, and new user ratings statistics, so you’ll have better tools for delivering great Android apps that delight users. If you haven't already made the switch, now is the time, as we'll be retiring the former version on April 15 to focus our efforts on this new experience.

The new Developer Console brings you new functionality built on top of a quick-to-navigate user experience. You can add language-specific graphics to your store listing to help your users around the world understand what your app is about. New graphs let you track your ratings over time with breakdowns by device, country, app version, and more. The statistics page now shows you when you released each version of your app, so you see how each new version changes your installations and ratings, and you can view crashes specific to an application version. These new features are only the beginning of what’s to come for developers on Google Play in the future.

If you're still using the old Developer Console, now is the time to switch over fully to the new version by clicking “Try the new version” in the header. Let us know what you think by clicking the “Feedback” link in the header in the new Developer Console, and if you experience any serious issues, please contact support. We’re planning some more improvements in the next month and in the future. Your input will continue to be key to what we do.

Posted by at Links to this post
Labels: ,

04 March 2013

Native RTL support in Android 4.2

Posted by Fabrice Di Meglio, Android Frameworks Team

Android 4.1 (Jelly Bean) introduced limited support for bidirectional text in TextView and EditText elements, allowing apps to display and edit text in both left-to-right (LTR) and right-to-left (RTL) scripts. Android 4.2 added full native support for RTL layouts, including layout mirroring, allowing you to deliver the same great app experience to all of your users, whether their language uses a script that reads right-to-left or one that reads left-to-right.

If you do nothing, your app will not change — it will continue to appear as it currently does. However, with a few simple changes, your app will be automatically mirrored when the user switches the system language to a right-to-left script (such as Arabic, Hebrew, or Persian). For example, see the following screenshots of the Settings app:

To take advantage of RTL layout mirroring, simply make the following changes to your app:

  1. Declare in your app manifest that your app supports RTL mirroring.

    Specifically, add android:supportsRtl="true" to the <application> element in your manifest file.

  2. Change all of your app's "left/right" layout properties to new "start/end" equivalents.
    • If you are targeting your app to Android 4.2 (the app's targetSdkVersion or minSdkVersion is 17 or higher), then you should use “start” and “end” instead of “left” and “right”. For example, android:paddingLeft should become android:paddingStart.
    • If you want your app to work with versions earlier than Android 4.2 (the app's targetSdkVersion or minSdkVersion is 16 or less), then you should add “start” and end” in addition to “left” and “right”. For example, you’d use both android:paddingLeft and android:paddingStart.

For more precise control over your app UI in both LTR and RTL mode, Android 4.2 includes the following new APIs to help manage View components:

You can even create custom versions of layout, drawables, and other resources for display when a right-to-left script is in use. Simply use the resource qualifier "ldrtl" to tag your resources, meaning “layout direction right-to-left”. To debug and optimize custom right-to-left layouts, HierarchyViewer now lets you see start/end properties, layout direction, text direction, and text alignment for all the Views in the hierarchy.

It's now easy to create beautiful Android apps for all your users, whether they use a right-to-left or left-to-right language. We look forward to seeing some great apps!

Posted by at Links to this post
Labels: , ,

26 February 2013

Google+ Sign-In Now Part of Google Play Services

Google Play Services is our platform for offering you better integration with Google products, and providing new capabilities to use within your apps. Today we’re rolling out Google Play services v3.0, which includes Google+ Sign-In and Google Maps Android API improvements.

Google+ Sign-In


Google+ Sign-In lets users sign in to your Android app with their existing Google credentials, and bring along their Google+ info for an upgraded experience. In addition to basic authentication, today’s release includes features that can accelerate both app downloads and engagement.


Over-the-air installs from your website

After signing in with Google on your web site, users will now have the option to install your Android app on their devices instantly. They’ll enjoy a seamless desktop-to-mobile experience, and you’ll be able to drive more downloads. Linking your web site and Android apps is as simple as registering your project and clients with the Google APIs console.


App customization

When users sign in with Google, they can now bring their Google+ info with them (like their public profile, and the people in their circles). This lets your app welcome them by name, display their picture, connect them with friends, and lots more.


Interactive posts

Shares from your app can now include calls to action (like “listen,” “RSVP,” and “check-in”), custom thumbnails, and brand attribution — all of which help them stand out in users’ Google+ streams. Clicking on an interactive post can also deep link to a specific piece of content inside your app, further improving engagement.


App activity that’s useful, not annoying

Users’ app activities will only be visible to the Google+ circles they specify (if any), and they’ll only appear when they’re relevant. Putting users in control, and not spraying their stream builds trust in your app, and encourages meaningful sharing.

Measure and monitor key metrics

Once your Google+ Sign-In integration is live, you’ll be able to measure and monitor downloads, total users, interactive post performance, and other key metrics. To set up Google+ Platform Insights for your Android app, simply connect it with your Google+ page.

More about Google+ Sign-In

To learn more about integrating with Google+ Sign-In, visit our developer docs. You can also read our announcement on the Google+ Developers Blog, or download some of the first apps to include this functionality.

Google Maps Android API v2


This release includes fixes for more than 20 bugs, including half of the top 10 issues filed in the Google Maps API issue tracker. These include improvements to map rendering and the behavior of markers and infowindows.

Also included are features like native support for new map shapes such as circles, anti-clockwise polygons, and the OnMyLocationChangeListener event, which is called when a change in location is detected.

Check out the product documentation for a complete set of release notes.

More About Google Play Services


To learn more about Google Play services and the APIs available to you through it, visit the Google Services area of the Android Developers site.
Posted by at Links to this post
Labels: , ,

19 February 2013

Using Cryptography to Store Credentials Safely

random_droid

Following our talk "Security and Privacy in Android Apps" at Google I/O last year, many people had specific questions about how to use cryptography in Android. Many of those revolved around which APIs to use for a specific purpose. Let's look at how to use cryptography to safely store user credentials, such as passwords and auth tokens, on local storage.

An anti-pattern

A common (but incorrect) pattern that we've recently become aware of is to use SecureRandom as a means of generating deterministic key material, which would then be used to encrypt local credential caches. Examples are not hard to find, such as here, here, here, and elsewhere.

In this pattern, rather than storing an encryption key directly as a string inside an APK, the code uses a proxy string to generate the key instead — similar to a passphrase. This essentially obfuscates the key so that it's not readily visible to attackers. However, a skilled attacker would be able to easily see around this strategy. We don't recommend it.

The fact is, Android's existing security model already provides plenty of protection for this kind of data. User credentials should be stored with the MODE_PRIVATE flag set and stored in internal storage, rather than on an SD card, since permissions aren't enforced on external storage. Combined with device encryption, this provides protection from most types of attacks targeting credentials.

However, there's another problem with using SecureRandom in the way described above. Starting with Android 4.2, the default SecureRandom provider is OpenSSL, and a developer can no longer override SecureRandom’s internal state. Consider the following code:

  SecureRandom secureRandom = new SecureRandom();
  byte[] b = new byte[] { (byte) 1 };
  secureRandom.setSeed(b);
  // Prior to Android 4.2, the next line would always return the same number!
  System.out.println(secureRandom.nextInt());

The old Bouncy Castle-based implementation allowed overriding the internally generated, /dev/urandom based key for each SecureRandom instance. Developers which attempted to explicitly seed the random number generator would find that their seed replaces, not supplements, the existing seed (contrary to the reference implementation’s documentation). Under OpenSSL, this error-prone behavior is no longer possible.

Unfortunately, applications who relied on the old behavior will find that the output from SecureRandom changes randomly every time their application starts up. (This is actually a very desirable trait for a random number generator!) Attempting to obfuscate encryption keys in this manner will no longer work.

The right way

A more reasonable approach is simply to generate a truly random AES key when an application is first launched:

public static SecretKey generateKey() throws NoSuchAlgorithmException {
    // Generate a 256-bit key
    final int outputKeyLength = 256;

    SecureRandom secureRandom = new SecureRandom();
    // Do *not* seed secureRandom! Automatically seeded from system entropy.
    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
    keyGenerator.init(outputKeyLength, secureRandom);
    SecretKey key = keyGenerator.generateKey();
    return key;
}

Note that the security of this approach relies on safeguarding the generated key, which is is predicated on the security of the internal storage. Leaving the target file unencrypted (but set to MODE_PRIVATE) would provide similar security.

Even more security

If your app needs additional encryption, a recommended approach is to require a passphase or PIN to access your application. This passphrase could be fed into PBKDF2 to generate the encryption key. (PBKDF2 is a commonly used algorithm for deriving key material from a passphrase, using a technique known as "key stretching".) Android provides an implementation of this algorithm inside SecretKeyFactory as PBKDF2WithHmacSHA1:

public static SecretKey generateKey(char[] passphraseOrPin, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException {
    // Number of PBKDF2 hardening rounds to use. Larger values increase
    // computation time. You should select a value that causes computation
    // to take >100ms.
    final int iterations = 1000; 

    // Generate a 256-bit key
    final int outputKeyLength = 256;

    SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    KeySpec keySpec = new PBEKeySpec(passphraseOrPin, salt, iterations, outputKeyLength);
    SecretKey secretKey = secretKeyFactory.generateSecret(keySpec);
    return secretKey;
}

The salt should be a random string, again generated using SecureRandom and persisted on internal storage alongside any encrypted data. This is important to mitigate the risk of attackers using a rainbow table to precompute password hashes.

Check your apps for proper use of SecureRandom

As mentioned above and in the New Security Features in Jelly Bean, the default implementation of SecureRandom is changed in Android 4.2. Using it to deterministically generate keys is no longer possible.

If you're one of the developers who's been generating keys the wrong way, we recommend upgrading your app today to prevent subtle problems as more users upgrade to devices running Android 4.2 or later.

Posted by at Links to this post
Labels: ,
Subscribe to: Posts (Atom)