1. Android developing & OAuth
by Zongren Liu
lzongren@gmail.com

2. Let's frist begin with
What is Andorid?
Update History
Main Products
System Structure
Android dev

3. What is Android?
A mobile operating system initially developed by Android
Inc.
Purchased by Google in 2005.
Based upon a modified version of the Linux kernel.
A participant in the Open Handset Alliance(OHA).
Unit sales for Android OS smartphones ranked first among
all smartphone OS handsets sold in the U.S. in the second
quarter of 2010, at 33%.
(OHA is a business alliance firms for developing open
standards for mobile devices, include Google, HTC, Dell, Intel,
Motorola and so on)

4. Update history
April 30 2009
1.5 (Cupcake)Based
on Linux Kernel 2.6.27
September 15
2009
1.6 (Donut)Based on
Linux Kernel 2.6.29
October 26 2009
2.0/2.1 (Eclair)Based
on Linux Kernel 2.6.29
May 20 2010
2.2 (Froyo)Based on
Linux Kernel 2.6.32
Scheduled for
Q4 2010 launch
GingerbreadBased on
Linux Kernel 2.6.33 or
.34Scheduled for Q4
2010 launch

5. Android OS usage share
Data collected during two weeks ending on October 1, 2010
Other: 0.1% of devices running obsolete versions

6. Main products
Phone:
HTC Magic
Nexus One
Lenovo LePhone
Motorola Droid Milestone
Sony Ericsson X10
Internet terminal(Web TV):
Sony WebTV Internet
Terminal INT-W250
Tablet:
Archos 7
Archos 7 8GB Home Tablet with
Android (Black)
$189.95

7. System structure

8. System structure
——Linux kernel
Android is based on Linux kernel, but is not
Linux/GNU.
GNU/Linux includes:
Cairo、X11、Alsa、FFmpeg、GTK、Pango、Glibc
In Android:
bionic replaces Glibc
skia replaces Cairo
opencore replaces FFmpeg

9. System structure
——Libraries
System C library - a BSD-derived implementation of the standard C system library
(libc), tuned for embedded Linux-based devices
Media Libraries - based on PacketVideo's OpenCORE; the libraries support playback
and recording of many popular audio and video formats, as well as static image files,
including MPEG4, H.264, MP3, AAC, AMR, JPG, and PNG
Surface Manager - manages access to the display subsystem and seamlessly
composites 2D and 3D graphic layers from multiple applications
LibWebCore - a modern web browser engine which powers both the Android browser
and an embeddable web view
SGL - the underlying 2D graphics engine
3D libraries - an implementation based on OpenGL ES 1.0 APIs; the libraries use either
hardware 3D acceleration (where available) or the included, highly optimized 3D software
rasterizer
FreeType - bitmap and vector font rendering
SQLite - a powerful and lightweight relational database engine available to all
applications

10. System structure
——Runtime
Android Runtime:
Core Libraries
Dalvik Virtual
Machine
Dalvik Virtual Machine(DVM)
Dalvik is the virtual Machine on Android.Before
execution, Android applications are converted into the
compact .dex format.

11. JVM ? DVM
Dalvik virtual
Machine
Java virtual
Machine
File Type dex jar、jad
Based register heap & stack
Needs
machine
instuructions
are larger
needs more
insturctions

12. Introduce to developing
Developing environment
Essential tools
Project structure
"Hello Android"
Android Development
Flow
Important concepts

13. Developing environment
Developing In Eclipse, with ADT——recommended
It gives you access to other Android development tools from inside the Eclipse IDE.
For example, ADT lets you access the many capabilities of the DDMS tool: take
screenshots, manage port-forwarding, set breakpoints, and view thread and process
information directly from Eclipse.
It provides a New Project Wizard, which helps you quickly create and set up all of
the basic files you'll need for a new Android application.
It automates and simplifies the process of building your Android application.
It provides an Android code editor that helps you write valid XML for your Android
manifest and resource files.
It will even export your project into a signed APK, which can be distributed to users.
Developing In Other IDEs

15. Developing with ADT, you need:
Essential tools:
Android SDK
there are SDKs for three
platforms(Windows, Linux, MAC
OS)
ADT Plugin for Eclipse
need to install the plugin in
Eclipse(must be 3.4 or 3.5)
Virtual Machine
with the tool AVD Manager in
SDK package, you can install the
Virtual Machine

16. The structure of Android project
Once you complete the New Project Wizard, ADT creates the following folders and
files in your new project:
src/
Includes your stub Activity Java file. All other Java files for your application go here.
<Android Version>/ (e.g., Android 1.1/)
Includes the android.jar file that your application will build against. This is determined by the
build target that you have chosen in the New Project Wizard.
gen/
Ccontains the Java files generated by ADT, such as your R.java file and interfaces created
from AIDL files.(R.java is auto created, should not be modified manually)
assets/
Empty. You can use it to store raw asset files.
res/
A folder for your application resources, such as drawable files, layout files, string values, etc.
AndroidManifest.xml
The Android Manifest for your project. See The AndroidManifest.xml File.
default.properties
Contains project settings, such as the build target. This files is integral to the project, as such,it
should be maintained in a Source Revision Control system. It should never be edited manually.

17. For example
Files you can edit or
modify:
src - source files
res - the layout files and
values file
AndroidManifest.xml
Files you can never modify:
R.java - resource file
(auto change when .xml
changes)
default.properties - can
be edit through project
property

18. "Hello Android"
package com.hello;
import android.app.Activity;
import android.os.Bundle;
import android.widget.TextView;
public class SayHello extends Activity {
/** Called when the activity is first
created. */
@Override
public void onCreate(Bundle
savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
TextView myTextView = (TextView)
findViewById(R.id.myTextView);
myTextView.setText("Hello Android");
}
}
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http:
//schemas.android.com/apk/res/android"
android:orientation="vertical"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
>
<TextView
android:layout_width="fill_parent"
android:layout_height="wrap_content"
android:text="@string/hello"
/>
<TextView
android:id="@+id/myTextView"
android:layout_width="fill_parent"
android:layout_height="wrap_content"
/>
</LinearLayout>
SayHello.java main.xml

19. The result

20. From "Hello Android", we know:
In Android development,
the xml files in layout folder controls the UI (in
addition, AndroidManifest.xml controls the UI too)
the source code controls the program running
source code use the items in UI through the R.
java, it is auto created

21. Android
Develop
-ment
Flow

22. Important concepts in Android dev
——Activity
From Android dev reference:
An activity is a single, focused thing that the user can do.
Almost all activities interact with the user, so the Activity class takes
care of creating a window for you in which you can place your UI with
setContentView(View). While activities are often presented to the user
as full-screen windows, they can also be used in other ways: as
floating windows (via a theme with windowIsFloating set) or
embedded inside of another activity (using ActivityGroup).
The Activity class is an important part of an application's overall
lifecycle, and the way activities are launched and put together is a
fundamental part of the platform's application model.

23. Activity
Lifecycle

24. Important concepts in Android dev
——Intent
From Android dev reference:
An intent is an abstract description of an operation to be
performed. It can be used with startActivity to launch an Activity,
broadcastIntent to send it to any interested BroadcastReceiver
components, and startService(Intent) or bindService(Intent,
ServiceConnection, int) to communicate with a background
Service.
An Intent provides a facility for performing late runtime
binding between the code in different applications. Its most
significant use is in the launching of activities, where it can be
thought of as the glue between activities.

25. Android is not only Android

26. OAuth
Open Authorization

27. What is OAuth
open standard for
authorization;
allows users to share their
private resources (e.g.
photos, videos) stored on
one site with another site
without having to hand out
their credentials(e.g. ID,
PSW);
a service that is
complementary to, but
distinct from, OpenID;

28. OAuth and OpenID
OAuth is not an OpenID extension and at the specification level,
shares only few things with OpenID – some common authors and the
fact both are open specification in the realm of authentication and
access control. ‘Why OAuth is not an OpenID extension?’ is probably
the most frequently asked question in the group. The answer is simple,
OAuth attempts to provide a standard way for developers to offer their
services via an api without forcing their users to expose their passwords
(and other credentials). If OAuth depended on OpenID, only OpenID
services would be able to use it, and while OpenID is great, there are
many applications where it is not suitable or desired. Which doesn’t
mean to say you cannot use the two together. OAuth talks about getting
users to grant access while OpenID talks about making sure the users
are really who they say they are.

29. Protocol Workflow

30. Example——background
Jane is back from her Scotland
vacation. She spent 2 weeks on
the island of Islay sampling
Scotch. When she gets back
home, Jane wants to share some
of her vacation photos with her
friends. Jane uses Faji, a photo
sharing site, for sharing journey
photos. She signs into her faji.com
account, and uploads two photos
which she marks private.

31. Example——step1
Jane wants to also share them
with her grandmother. She
doesn’t want to share her rare
bottle of Scotch with anyone. But
grandma doesn’t have an
internet connection so Jane
plans to order prints and have
them mailed to grandma. Being a
responsible person, Jane uses
Beppa, an environmentally
friendly photo printing service.
Using OAuth terminology, Jane is the User
and Faji the Service Provider. The 2 photos
Jane uploaded are the Protected Resources.

32. Example——step2
Jane visits beppa.com
and begins to order prints.
Beppa supports importing
images from many photo
sharing sites, including
Faji. Jane selects the
photos source and clicks
Continue.

33. Example——step3

34. Example——step3

35. Example——step4
While Jane waits, Beppa uses the
authorized Request Token and
exchanges it for an Access Token.
Request Tokens are only good for
obtaining User approval, while
Access Tokens are used to
access Protected Resources, in
this case Jane’s photos. In the first
request, Beppa exchanges the
Request Token for an Access
Token and in the second (can be
multiple requests, one for a list of
photos, and a few more to get
each photo) request gets the
photos.

36. Example——step4
faji.com
beppa.com

37. Example——last step

38. Is OAuth 2.0 Bad for the Web?
One of the most visible utilization of OAuth is Twitter which
decided to make it mandatory across its APIs as of this month
(September 2010) and consequently killed its support for basic
authentication.
Michael Calore explains:Twitter’s move mirrors a broader
trend on the social web, where basic authentication is being
ditched for the more secure OAuth when services and
applications connect user’s accounts.
Many web sites, such as iCodeBlog, provided tutorials to
help developers quickly update their application. And, even
though OAuth 2.0 is still a draft, it is already supported by
Facebook which is to date the largest implementation of the
OAuth protocol and a key stakeholder of the specification.

39. Is OAuth 2.0 Bad for the Web?
It looks that for once the industry has developed a broad
consensus to solve an important problem.
Yet, Eran Hammer-Lahav, published some criticisms
about the latest direction of the specification which dropped
signatures and cryptography in favor of "bearer tokens".
However, to Eran's own admission,"Cryptography is
unforgiving". Developers can easily make mistakes in the
steps they take to encrypt or sign a message and it is
generally unforgiving.

40. Is OAuth 2.0 Bad for the Web?
The argument of the supporters of this model is as follows: since
most services use a cookie-based authentication system, it would not
be more secure to use additional mechanisms since an attacker would
always target the weakest point.
Actually, Eran's concerns are not about OAuth today, but the impact
that this specification will have in five years when inherently more
secure protocol will be needed.
First, the argument will again be, since OAuth 2.0 is the weakest
point, there is no need to implement stronger security
mechanisms.
Second, the reason why OAuth would work in today's environment
is because all the APIs are fairly significant to the clients and most
of the API endpoints are declared statically in the clients code or
configuration while being thoroughly tested before the application
is released.
So overall, there is little risk that the token will be sent to an
unfriendly destination.

41. Is OAuth 2.0 Bad for the Web?
"If a client application sends a request to an
erroneous address ("mail.exmple.org" instead
of "mail.example.org"), the rogue server at
"mail.exmple.com" now has the client access
token and can access its mail. Of course, in the
case of browsers, the browser developer is
responsible for not leaking cookies by
implementing the same origin policy. OAuth 2.0
client developers will share the same
responsibility."
Subbu Allamaraju, author of the RESTful Web Services
Cookbook, explained in a private note that:

42. Thank you :D
lzongren@gmail.com