About the Android developing and Oauth.

1. Android developing & OAuth
by Zongren Liu
lzongren@gmail.com

2. Let's frist begin with
• What is Andorid?
• Update History
• Main Products
• System Structure
• Android dev

3. What is Android?
• A mobile operating system initially developed by Android
Inc.
• Purchased by Google in 2005.
• Based upon a modified version of the Linux kernel.
• A participant in the Open Handset Alliance(OHA).
• Unit sales for Android OS smartphones ranked first among
all smartphone OS handsets sold in the U.S. in the second
quarter of 2010, at 33%.
(OHA is a business alliance firms for developing open
standards for mobile devices, include Google, HTC, Dell, Intel,
Motorola and so on)

4. Update history
April 30 2009
1.5 (Cupcake)Based
on Linux Kernel 2.6.27
September 15
2009
1.6 (Donut)Based on
Linux Kernel 2.6.29
October 26 2009
2.0/2.1 (Eclair)Based
on Linux Kernel 2.6.29
May 20 2010
2.2 (Froyo)Based on
Linux Kernel 2.6.32
Scheduled for Q4
2010 launch
GingerbreadBased on
Linux Kernel 2.6.33 or .
34Scheduled for Q4
2010 launch

5. Android OS usage share
Data collected during two weeks ending on
October 1, 2010
Other: 0.1% of devices running obsolete versions

6. Main products
Phone:
• HTC Magic
• Nexus One
• Lenovo LePhone
• Motorola Droid Milestone
• Sony Ericsson X10
Internet terminal(Web TV):
• Sony WebTV Internet
Terminal INT-W250
Tablet:
• Archos 7
Archos 7 8GB Home Tablet with
Android (Black)
$189.95

7. System structure

8. System structure
——Linux kernel
Android is based on Linux kernel, but is not
Linux/GNU.
GNU/Linux includes:
Cairo 、 X11 、 Alsa 、 FFmpeg 、 GTK 、 Pango 、 Glibc
In Android:
o bionic replaces Glibc
o skia replaces Cairo
o opencore replaces FFmpeg

9. System structure
——Libraries
• System C library - a BSD-derived implementation of the standard C system library (libc),
tuned for embedded Linux-based devices
• Media Libraries - based on PacketVideo's OpenCORE; the libraries support playback
and recording of many popular audio and video formats, as well as static image files,
including MPEG4, H.264, MP3, AAC, AMR, JPG, and PNG
• Surface Manager - manages access to the display subsystem and seamlessly
composites 2D and 3D graphic layers from multiple applications
• LibWebCore - a modern web browser engine which powers both the Android browser and
an embeddable web view
• SGL - the underlying 2D graphics engine
• 3D libraries - an implementation based on OpenGL ES 1.0 APIs; the libraries use either
hardware 3D acceleration (where available) or the included, highly optimized 3D software
rasterizer
• FreeType - bitmap and vector font rendering
• SQLite - a powerful and lightweight relational database engine available to all applications

10. System structure
——Runtime
Android Runtime:
• Core Libraries
• Dalvik Virtual
Machine
Dalvik Virtual Machine(DVM)
Dalvik is the virtual Machine on Android.Before
execution, Android applications are converted into the
compact .dex format.

11. JVM ? DVM
Dalvik virtual
Machine
Java virtual
Machine
File Type dex jar 、 jad
Based register heap & stack
Needs
machine
instuructions are
larger
needs more
insturctions

12. Introduce to developing
• Developing
environment
• Essential tools
• Project structure
• "Hello Android"
• Android Development
Flow
• Important concepts

13. Developing environment
• Developing In Eclipse, with ADT——recommended
• It gives you access to other Android development tools from inside the
Eclipse IDE. For example, ADT lets you access the many capabilities of the
DDMS tool: take screenshots, manage port-forwarding, set breakpoints,
and view thread and process information directly from Eclipse.
• It provides a New Project Wizard, which helps you quickly create and set
up all of the basic files you'll need for a new Android application.
• It automates and simplifies the process of building your Android application.
• It provides an Android code editor that helps you write valid XML for your
Android manifest and resource files.
• It will even export your project into a signed APK, which can be distributed
to users.
• Developing In Other IDEs

15. Developing with ADT, you need:
Essential tools:
• Android SDK
there are SDKs for three
platforms(Windows, Linux, MAC
OS)
• ADT Plugin for Eclipse
need to install the plugin in
Eclipse(must be 3.4 or 3.5)
• Virtual Machine
with the tool AVD Manager in
SDK package, you can install the
Virtual Machine

16. The structure of Android project
Once you complete the New Project Wizard, ADT creates the following folders and files in your
new project:
• src/
Includes your stub Activity Java file. All other Java files for your application go here.
• <Android Version>/ (e.g., Android 1.1/)
Includes the android.jar file that your application will build against. This is determined by
the build target that you have chosen in the New Project Wizard.
• gen/
Ccontains the Java files generated by ADT, such as your R.java file and interfaces
created from AIDL files.(R.java is auto created, should not be modified manually)
• assets/
Empty. You can use it to store raw asset files.
• res/
A folder for your application resources, such as drawable files, layout files, string
values, etc.
• AndroidManifest.xml
The Android Manifest for your project. See The AndroidManifest.xml File.
• default.properties
Contains project settings, such as the build target. This files is integral to the project, as
such,it should be maintained in a Source Revision Control system. It should never be edited
manually.

17. For example
Files you can edit or modify:
• src - source files
• res - the layout files and
values file
• AndroidManifest.xml
Files you can never modify:
• R.java - resource
file(auto change when
.xml changes)
• default.properties - can
be edit through project
property

18. "Hello Android"
package com.hello;
import android.app.Activity;
import android.os.Bundle;
import android.widget.TextView;
public class SayHello extends Activity {
/** Called when the activity is first
created. */
@Override
public void onCreate(Bundle
savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
TextView myTextView =
(TextView)findViewById(R.id.myTextView);
myTextView.setText("Hello Android");
}
}
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout
xmlns:android="http://schemas.android.co
m/apk/res/android"
android:orientation="vertical"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
>
<TextView
android:layout_width="fill_parent"
android:layout_height="wrap_content"
android:text="@string/hello"
/>
<TextView
android:id="@+id/myTextView"
android:layout_width="fill_parent"
android:layout_height="wrap_content"
/>
</LinearLayout>
SayHello.java main.xml

19. The result

20. From "Hello Android", we know:
In Android development,
• the xml files in layout folder controls the UI
(in addition, AndroidManifest.xml controls
the UI too)
• the source code controls the program
running
• source code use the items in UI through the
R.java, it is auto created

21. Android
Develop
-ment
Flow

22. Important concepts in Android dev
——Activity
From Android dev reference:
An activity is a single, focused thing that the user can do.
Almost all activities interact with the user, so the Activity class
takes care of creating a window for you in which you can place
your UI with setContentView(View). While activities are often
presented to the user as full-screen windows, they can also be
used in other ways: as floating windows (via a theme with
windowIsFloating set) or embedded inside of another activity
(using ActivityGroup).
The Activity class is an important part of an application's
overall lifecycle, and the way activities are launched and put
together is a fundamental part of the platform's application
model.

23. Activity
Lifecycle

24. Important concepts in Android dev
——Intent
From Android dev reference:
An intent is an abstract description of an operation to be
performed. It can be used with startActivity to launch an
Activity, broadcastIntent to send it to any interested
BroadcastReceiver components, and startService(Intent) or
bindService(Intent, ServiceConnection, int) to communicate
with a background Service.
An Intent provides a facility for performing late runtime
binding between the code in different applications. Its most
significant use is in the launching of activities, where it can be
thought of as the glue between activities.

25. Android is not only Android

26. OAuth
Open Authorization

27. What is OAuth
• open standard for
authorization;
• allows users to share their
private resources (e.g.
photos, videos) stored on
one site with another site
without having to hand out
their credentials(e.g. ID,
PSW);
• a service that is
complementary to, but
distinct from, OpenID;

28. OAuth and OpenID
OAuth is not an OpenID extension and at the
specification level, shares only few things with OpenID –
some common authors and the fact both are open
specification in the realm of authentication and access
control. ‘Why OAuth is not an OpenID extension?’ is probably
the most frequently asked question in the group. The answer
is simple, OAuth attempts to provide a standard way for
developers to offer their services via an api without forcing
their users to expose their passwords (and other credentials).
If OAuth depended on OpenID, only OpenID services would
be able to use it, and while OpenID is great, there are many
applications where it is not suitable or desired. Which doesn’t
mean to say you cannot use the two together. OAuth talks
about getting users to grant access while OpenID talks about
making sure the users are really who they say they are.

29. Protocol Workflow

30. Example——background
Jane is back from her Scotland
vacation. She spent 2 weeks on
the island of Islay sampling Scotch.
When she gets back home, Jane
wants to share some of her
vacation photos with her friends.
Jane uses Faji, a photo sharing
site, for sharing journey photos.
She signs into her faji.com
account, and uploads two photos
which she marks private.

31. Example——step1
Jane wants to also share them
with her grandmother. She doesn’t
want to share her rare bottle of
Scotch with anyone. But grandma
doesn’t have an internet
connection so Jane plans to order
prints and have them mailed to
grandma. Being a responsible
person, Jane uses Beppa, an
environmentally friendly photo
printing service.
Using OAuth terminology, Jane is the User
and Faji the Service Provider. The 2 photos
Jane uploaded are the Protected Resources.

32. Example——step2
Jane visits beppa.com and
begins to order prints.
Beppa supports importing
images from many photo
sharing sites, including
Faji. Jane selects the
photos source and clicks
Continue.

33. Example——step3

34. Example——step3

35. Example——step4
While Jane waits, Beppa uses the
authorized Request Token and
exchanges it for an Access Token.
Request Tokens are only good for
obtaining User approval, while
Access Tokens are used to access
Protected Resources, in this case
Jane’s photos. In the first request,
Beppa exchanges the Request
Token for an Access Token and in
the second (can be multiple
requests, one for a list of photos,
and a few more to get each photo)
request gets the photos.

36. Example——step4
faji.com
beppa.com

37. Example——last step

38. Is OAuth 2.0 Bad for the Web?
One of the most visible utilization of OAuth is Twitter which
decided to make it mandatory across its APIs as of this month
(September 2010) and consequently killed its support for basic
authentication.
Michael Calore explains:Twitter’s move mirrors a broader
trend on the social web, where basic authentication is being
ditched for the more secure OAuth when services and
applications connect user’s accounts.
Many web sites, such as iCodeBlog, provided tutorials to
help developers quickly update their application. And, even
though OAuth 2.0 is still a draft, it is already supported by
Facebook which is to date the largest implementation of the
OAuth protocol and a key stakeholder of the specification.

39. Is OAuth 2.0 Bad for the Web?
It looks that for once the industry has developed a broad
consensus to solve an important problem.
Yet, Eran Hammer-Lahav, published some criticisms about
the latest direction of the specification which dropped
signatures and cryptography in favor of "bearer tokens".
However, to Eran's own admission,"Cryptography is
unforgiving". Developers can easily make mistakes in the
steps they take to encrypt or sign a message and it is
generally unforgiving.

40. Is OAuth 2.0 Bad for the Web?
The argument of the supporters of this model is as follows: since most
services use a cookie-based authentication system, it would not be more
secure to use additional mechanisms since an attacker would always
target the weakest point.
Actually, Eran's concerns are not about OAuth today, but the impact
that this specification will have in five years when inherently more secure
protocol will be needed.
• First, the argument will again be, since OAuth 2.0 is the weakest
point, there is no need to implement stronger security mechanisms.
• Second, the reason why OAuth would work in today's environment is
because all the APIs are fairly significant to the clients and most of
the API endpoints are declared statically in the clients code or
configuration while being thoroughly tested before the application is
released.
• So overall, there is little risk that the token will be sent to an
unfriendly destination.

41. Is OAuth 2.0 Bad for the Web?
"If a client application sends a request to an
erroneous address ("mail.exmple.org" instead of
"mail.example.org"), the rogue server at
"mail.exmple.com" now has the client access
token and can access its mail. Of course, in the
case of browsers, the browser developer is
responsible for not leaking cookies by
implementing the same origin policy. OAuth 2.0
client developers will share the same
responsibility."
Subbu Allamaraju, author of the RESTful Web Services
Cookbook, explained in a private note that:

42. Thank you :D
lzongren@gmail.com