Your SlideShare is downloading. ×
Android dev o_auth
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Android dev o_auth

471
views

Published on


0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
471
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Android developing & OAuth by Zongren Liu lzongren@gmail.com
  • 2. Let's frist begin with What is Andorid? Update History Main Products System Structure Android dev
  • 3. What is Android? A mobile operating system initially developed by Android Inc. Purchased by Google in 2005. Based upon a modified version of the Linux kernel. A participant in the Open Handset Alliance(OHA). Unit sales for Android OS smartphones ranked first among all smartphone OS handsets sold in the U.S. in the second quarter of 2010, at 33%. (OHA is a business alliance firms for developing open standards for mobile devices, include Google, HTC, Dell, Intel, Motorola and so on)
  • 4. Update history April 30 2009 1.5 (Cupcake)Based on Linux Kernel 2.6.27 September 15 2009 1.6 (Donut)Based on Linux Kernel 2.6.29 October 26 2009 2.0/2.1 (Eclair)Based on Linux Kernel 2.6.29 May 20 2010 2.2 (Froyo)Based on Linux Kernel 2.6.32 Scheduled for Q4 2010 launch GingerbreadBased on Linux Kernel 2.6.33 or .34Scheduled for Q4 2010 launch
  • 5. Android OS usage share Data collected during two weeks ending on October 1, 2010 Other: 0.1% of devices running obsolete versions
  • 6. Main products Phone: HTC Magic Nexus One Lenovo LePhone Motorola Droid Milestone Sony Ericsson X10 Internet terminal(Web TV): Sony WebTV Internet Terminal INT-W250 Tablet: Archos 7 Archos 7 8GB Home Tablet with Android (Black) $189.95
  • 7. System structure
  • 8. System structure ——Linux kernel Android is based on Linux kernel, but is not Linux/GNU. GNU/Linux includes: Cairo、X11、Alsa、FFmpeg、GTK、Pango、Glibc In Android: bionic replaces Glibc skia replaces Cairo opencore replaces FFmpeg
  • 9. System structure ——Libraries System C library - a BSD-derived implementation of the standard C system library (libc), tuned for embedded Linux-based devices Media Libraries - based on PacketVideo's OpenCORE; the libraries support playback and recording of many popular audio and video formats, as well as static image files, including MPEG4, H.264, MP3, AAC, AMR, JPG, and PNG Surface Manager - manages access to the display subsystem and seamlessly composites 2D and 3D graphic layers from multiple applications LibWebCore - a modern web browser engine which powers both the Android browser and an embeddable web view SGL - the underlying 2D graphics engine 3D libraries - an implementation based on OpenGL ES 1.0 APIs; the libraries use either hardware 3D acceleration (where available) or the included, highly optimized 3D software rasterizer FreeType - bitmap and vector font rendering SQLite - a powerful and lightweight relational database engine available to all applications
  • 10. System structure ——Runtime Android Runtime: Core Libraries Dalvik Virtual Machine Dalvik Virtual Machine(DVM) Dalvik is the virtual Machine on Android.Before execution, Android applications are converted into the compact .dex format.
  • 11. JVM ? DVM Dalvik virtual Machine Java virtual Machine File Type dex jar、jad Based register heap & stack Needs machine instuructions are larger needs more insturctions
  • 12. Introduce to developing Developing environment Essential tools Project structure "Hello Android" Android Development Flow Important concepts
  • 13. Developing environment Developing In Eclipse, with ADT——recommended It gives you access to other Android development tools from inside the Eclipse IDE. For example, ADT lets you access the many capabilities of the DDMS tool: take screenshots, manage port-forwarding, set breakpoints, and view thread and process information directly from Eclipse. It provides a New Project Wizard, which helps you quickly create and set up all of the basic files you'll need for a new Android application. It automates and simplifies the process of building your Android application. It provides an Android code editor that helps you write valid XML for your Android manifest and resource files. It will even export your project into a signed APK, which can be distributed to users. Developing In Other IDEs
  • 14. Developing with ADT, you need: Essential tools: Android SDK there are SDKs for three platforms(Windows, Linux, MAC OS) ADT Plugin for Eclipse need to install the plugin in Eclipse(must be 3.4 or 3.5) Virtual Machine with the tool AVD Manager in SDK package, you can install the Virtual Machine
  • 15. The structure of Android project Once you complete the New Project Wizard, ADT creates the following folders and files in your new project: src/ Includes your stub Activity Java file. All other Java files for your application go here. <Android Version>/ (e.g., Android 1.1/) Includes the android.jar file that your application will build against. This is determined by the build target that you have chosen in the New Project Wizard. gen/ Ccontains the Java files generated by ADT, such as your R.java file and interfaces created from AIDL files.(R.java is auto created, should not be modified manually) assets/ Empty. You can use it to store raw asset files. res/ A folder for your application resources, such as drawable files, layout files, string values, etc. AndroidManifest.xml The Android Manifest for your project. See The AndroidManifest.xml File. default.properties Contains project settings, such as the build target. This files is integral to the project, as such,it should be maintained in a Source Revision Control system. It should never be edited manually.
  • 16. For example Files you can edit or modify: src - source files res - the layout files and values file AndroidManifest.xml Files you can never modify: R.java - resource file (auto change when .xml changes) default.properties - can be edit through project property
  • 17. "Hello Android" package com.hello; import android.app.Activity; import android.os.Bundle; import android.widget.TextView; public class SayHello extends Activity { /** Called when the activity is first created. */ @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); TextView myTextView = (TextView) findViewById(R.id.myTextView); myTextView.setText("Hello Android"); } } <?xml version="1.0" encoding="utf-8"?> <LinearLayout xmlns:android="http: //schemas.android.com/apk/res/android" android:orientation="vertical" android:layout_width="fill_parent" android:layout_height="fill_parent" > <TextView android:layout_width="fill_parent" android:layout_height="wrap_content" android:text="@string/hello" /> <TextView android:id="@+id/myTextView" android:layout_width="fill_parent" android:layout_height="wrap_content" /> </LinearLayout> SayHello.java main.xml
  • 18. The result
  • 19. From "Hello Android", we know: In Android development, the xml files in layout folder controls the UI (in addition, AndroidManifest.xml controls the UI too) the source code controls the program running source code use the items in UI through the R. java, it is auto created
  • 20. Android Develop -ment Flow
  • 21. Important concepts in Android dev ——Activity From Android dev reference: An activity is a single, focused thing that the user can do. Almost all activities interact with the user, so the Activity class takes care of creating a window for you in which you can place your UI with setContentView(View). While activities are often presented to the user as full-screen windows, they can also be used in other ways: as floating windows (via a theme with windowIsFloating set) or embedded inside of another activity (using ActivityGroup). The Activity class is an important part of an application's overall lifecycle, and the way activities are launched and put together is a fundamental part of the platform's application model.
  • 22. Activity Lifecycle
  • 23. Important concepts in Android dev ——Intent From Android dev reference: An intent is an abstract description of an operation to be performed. It can be used with startActivity to launch an Activity, broadcastIntent to send it to any interested BroadcastReceiver components, and startService(Intent) or bindService(Intent, ServiceConnection, int) to communicate with a background Service. An Intent provides a facility for performing late runtime binding between the code in different applications. Its most significant use is in the launching of activities, where it can be thought of as the glue between activities.
  • 24. Android is not only Android
  • 25. OAuth Open Authorization
  • 26. What is OAuth open standard for authorization; allows users to share their private resources (e.g. photos, videos) stored on one site with another site without having to hand out their credentials(e.g. ID, PSW); a service that is complementary to, but distinct from, OpenID;
  • 27. OAuth and OpenID OAuth is not an OpenID extension and at the specification level, shares only few things with OpenID – some common authors and the fact both are open specification in the realm of authentication and access control. ‘Why OAuth is not an OpenID extension?’ is probably the most frequently asked question in the group. The answer is simple, OAuth attempts to provide a standard way for developers to offer their services via an api without forcing their users to expose their passwords (and other credentials). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired. Which doesn’t mean to say you cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are.
  • 28. Protocol Workflow
  • 29. Example——background Jane is back from her Scotland vacation. She spent 2 weeks on the island of Islay sampling Scotch. When she gets back home, Jane wants to share some of her vacation photos with her friends. Jane uses Faji, a photo sharing site, for sharing journey photos. She signs into her faji.com account, and uploads two photos which she marks private.
  • 30. Example——step1 Jane wants to also share them with her grandmother. She doesn’t want to share her rare bottle of Scotch with anyone. But grandma doesn’t have an internet connection so Jane plans to order prints and have them mailed to grandma. Being a responsible person, Jane uses Beppa, an environmentally friendly photo printing service. Using OAuth terminology, Jane is the User and Faji the Service Provider. The 2 photos Jane uploaded are the Protected Resources.
  • 31. Example——step2 Jane visits beppa.com and begins to order prints. Beppa supports importing images from many photo sharing sites, including Faji. Jane selects the photos source and clicks Continue.
  • 32. Example——step3
  • 33. Example——step3
  • 34. Example——step4 While Jane waits, Beppa uses the authorized Request Token and exchanges it for an Access Token. Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources, in this case Jane’s photos. In the first request, Beppa exchanges the Request Token for an Access Token and in the second (can be multiple requests, one for a list of photos, and a few more to get each photo) request gets the photos.
  • 35. Example——step4 faji.com beppa.com
  • 36. Example——last step
  • 37. Is OAuth 2.0 Bad for the Web? One of the most visible utilization of OAuth is Twitter which decided to make it mandatory across its APIs as of this month (September 2010) and consequently killed its support for basic authentication. Michael Calore explains:Twitter’s move mirrors a broader trend on the social web, where basic authentication is being ditched for the more secure OAuth when services and applications connect user’s accounts. Many web sites, such as iCodeBlog, provided tutorials to help developers quickly update their application. And, even though OAuth 2.0 is still a draft, it is already supported by Facebook which is to date the largest implementation of the OAuth protocol and a key stakeholder of the specification.
  • 38. Is OAuth 2.0 Bad for the Web? It looks that for once the industry has developed a broad consensus to solve an important problem. Yet, Eran Hammer-Lahav, published some criticisms about the latest direction of the specification which dropped signatures and cryptography in favor of "bearer tokens". However, to Eran's own admission,"Cryptography is unforgiving". Developers can easily make mistakes in the steps they take to encrypt or sign a message and it is generally unforgiving.
  • 39. Is OAuth 2.0 Bad for the Web? The argument of the supporters of this model is as follows: since most services use a cookie-based authentication system, it would not be more secure to use additional mechanisms since an attacker would always target the weakest point. Actually, Eran's concerns are not about OAuth today, but the impact that this specification will have in five years when inherently more secure protocol will be needed. First, the argument will again be, since OAuth 2.0 is the weakest point, there is no need to implement stronger security mechanisms. Second, the reason why OAuth would work in today's environment is because all the APIs are fairly significant to the clients and most of the API endpoints are declared statically in the clients code or configuration while being thoroughly tested before the application is released. So overall, there is little risk that the token will be sent to an unfriendly destination.
  • 40. Is OAuth 2.0 Bad for the Web? "If a client application sends a request to an erroneous address ("mail.exmple.org" instead of "mail.example.org"), the rogue server at "mail.exmple.com" now has the client access token and can access its mail. Of course, in the case of browsers, the browser developer is responsible for not leaking cookies by implementing the same origin policy. OAuth 2.0 client developers will share the same responsibility." Subbu Allamaraju, author of the RESTful Web Services Cookbook, explained in a private note that:
  • 41. Thank you :D lzongren@gmail.com

×