Android developing & OAuth by Zongren Liu [email protected]

Post on 14-Jul-2015


TRANSCRIPT

Page 1: Android dev o_auth

Android developing & OAuth

by Zongren Liu, [email protected]

Page 2: Android dev o_auth

Let's first begin with:

What is Android?

Update History

Main Products

System Structure

Android dev

Page 3: Android dev o_auth

What is Android?

A mobile operating system initially developed by Android Inc., purchased by Google in 2005.

Based upon a modified version of the Linux kernel.

A participant in the Open Handset Alliance (OHA).

Unit sales for Android OS smartphones ranked first among all smartphone OS handsets sold in the U.S. in the second quarter of 2010, at 33%.

(OHA is a business alliance of firms developing open standards for mobile devices; members include Google, HTC, Dell, Intel, Motorola and so on)

Page 4: Android dev o_auth

Update history

April 30, 2009: 1.5 (Cupcake), based on Linux kernel 2.6.27

September 15, 2009: 1.6 (Donut), based on Linux kernel 2.6.29

October 26, 2009: 2.0/2.1 (Eclair), based on Linux kernel 2.6.29

May 20, 2010: 2.2 (Froyo), based on Linux kernel 2.6.32

Scheduled for Q4 2010 launch: Gingerbread, based on Linux kernel 2.6.33 or .34

Page 5: Android dev o_auth

Android OS usage share

Data collected during the two weeks ending on October 1, 2010. Other: 0.1% of devices running obsolete versions.

Page 6: Android dev o_auth

Main products

Phone: HTC Magic, Nexus One, Lenovo LePhone, Motorola Droid / Milestone, Sony Ericsson X10

Internet terminal (Web TV): Sony WebTV Internet Terminal INT-W250

Tablet: Archos 7 (Archos 7 8GB Home Tablet with Android, Black, $189.95)

Page 7: Android dev o_auth

System structure

Page 8: Android dev o_auth

System structure ——Linux kernel

Android is based on the Linux kernel, but it is not GNU/Linux.

GNU/Linux includes: Cairo, X11, ALSA, FFmpeg, GTK, Pango, glibc

In Android: Bionic replaces glibc, Skia replaces Cairo, OpenCORE replaces FFmpeg

Page 9: Android dev o_auth

System structure ——Libraries

System C library - a BSD-derived implementation of the standard C system library (libc), tuned for embedded Linux-based devices

Media Libraries - based on PacketVideo's OpenCORE; the libraries support playback and recording of many popular audio and video formats, as well as static image files, including MPEG4, H.264, MP3, AAC, AMR, JPG, and PNG

Surface Manager - manages access to the display subsystem and seamlessly composites 2D and 3D graphic layers from multiple applications

LibWebCore - a modern web browser engine which powers both the Android browser and an embeddable web view

SGL - the underlying 2D graphics engine

3D libraries - an implementation based on OpenGL ES 1.0 APIs; the libraries use either hardware 3D acceleration (where available) or the included, highly optimized 3D software rasterizer

FreeType - bitmap and vector font rendering

SQLite - a powerful and lightweight relational database engine available to all applications

Page 10: Android dev o_auth

System structure ——Runtime

Android Runtime:

Core Libraries

Dalvik Virtual Machine

Dalvik Virtual Machine (DVM): Dalvik is the virtual machine on Android. Before execution, Android applications are converted into the compact .dex format.

Page 11: Android dev o_auth

JVM vs. DVM

                        Dalvik virtual machine       Java virtual machine
File type               dex                          jar, jad
Based on                register                     heap & stack
Machine instructions    instructions are larger      needs more instructions

Page 12: Android dev o_auth

Introduction to developing

Developing environment

Essential tools

Project structure

"Hello Android"

Android Development Flow

Important concepts

Page 13: Android dev o_auth

Developing environment

Developing in Eclipse, with ADT (recommended):

It gives you access to other Android development tools from inside the Eclipse IDE. For example, ADT lets you access the many capabilities of the DDMS tool: take screenshots, manage port-forwarding, set breakpoints, and view thread and process information directly from Eclipse.

It provides a New Project Wizard, which helps you quickly create and set up all of the basic files you'll need for a new Android application.

It automates and simplifies the process of building your Android application.

It provides an Android code editor that helps you write valid XML for your Android manifest and resource files.

It will even export your project into a signed APK, which can be distributed to users.

Developing in other IDEs

Page 14: Android dev o_auth
Page 15: Android dev o_auth

Developing with ADT, you need the following essential tools:

Android SDK - there are SDKs for three platforms (Windows, Linux, Mac OS)

ADT Plugin for Eclipse - you need to install the plugin in Eclipse (must be version 3.4 or 3.5)

Virtual Machine - with the AVD Manager tool in the SDK package, you can install the virtual machine (an AVD, Android Virtual Device)

Page 16: Android dev o_auth

The structure of Android project

Once you complete the New Project Wizard, ADT creates the following folders and files in your new project:

src/ Includes your stub Activity Java file. All other Java files for your application go here.

<Android Version>/ (e.g., Android 1.1/) Includes the android.jar file that your application will build against. This is determined by the build target that you have chosen in the New Project Wizard.

gen/ Contains the Java files generated by ADT, such as your R.java file and interfaces created from AIDL files. (R.java is created automatically and should not be modified manually.)

assets/ Empty. You can use it to store raw asset files.

res/ A folder for your application resources, such as drawable files, layout files, string values, etc.

AndroidManifest.xml The Android Manifest for your project. See The AndroidManifest.xml File.

default.properties Contains project settings, such as the build target. This file is integral to the project; as such, it should be maintained in a source revision control system. It should never be edited manually.

Page 17: Android dev o_auth

For example, files you can edit or modify:

src - source files

res - the layout files and values file

AndroidManifest.xml

Files you should never modify by hand:

R.java - resource file (changes automatically when the .xml changes)

default.properties - can be edited through the project properties

Page 18: Android dev o_auth

"Hello Android"

SayHello.java:

package com.hello;

import android.app.Activity;
import android.os.Bundle;
import android.widget.TextView;

public class SayHello extends Activity {
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Inflate res/layout/main.xml; its ids are exposed through the generated R class
        setContentView(R.layout.main);
        TextView myTextView = (TextView) findViewById(R.id.myTextView);
        myTextView.setText("Hello Android");
    }
}

main.xml:

<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical"
    android:layout_width="fill_parent"
    android:layout_height="fill_parent">
    <TextView
        android:layout_width="fill_parent"
        android:layout_height="wrap_content"
        android:text="@string/hello" />
    <TextView
        android:id="@+id/myTextView"
        android:layout_width="fill_parent"
        android:layout_height="wrap_content" />
</LinearLayout>

Page 19: Android dev o_auth

The result

Page 20: Android dev o_auth

From "Hello Android", we know that in Android development:

the XML files in the layout folder control the UI (in addition, AndroidManifest.xml controls the UI too);

the source code controls how the program runs;

the source code accesses the items in the UI through R.java, which is created automatically.

Page 21: Android dev o_auth

Android Development Flow

Page 22: Android dev o_auth

Important concepts in Android dev ——Activity

From Android dev reference: An activity is a single, focused thing that the user can do. Almost all activities interact with the user, so the Activity class takes care of creating a window for you in which you can place your UI with setContentView(View). While activities are often presented to the user as full-screen windows, they can also be used in other ways: as floating windows (via a theme with windowIsFloating set) or embedded inside of another activity (using ActivityGroup).

The Activity class is an important part of an application's overall lifecycle, and the way activities are launched and put together is a fundamental part of the platform's application model.

Page 23: Android dev o_auth

Activity Lifecycle

Page 24: Android dev o_auth

Important concepts in Android dev ——Intent

From Android dev reference: An intent is an abstract description of an operation to be performed. It can be used with startActivity to launch an Activity, broadcastIntent to send it to any interested BroadcastReceiver components, and startService(Intent) or bindService(Intent, ServiceConnection, int) to communicate with a background Service.

An Intent provides a facility for performing late runtime binding between the code in different applications. Its most significant use is in the launching of activities, where it can be thought of as the glue between activities.

Page 25: Android dev o_auth

Android is not only Android

Page 26: Android dev o_auth

OAuth

Open Authorization

Page 27: Android dev o_auth

What is OAuth

an open standard for authorization;

allows users to share their private resources (e.g. photos, videos) stored on one site with another site without having to hand out their credentials (e.g. ID, password);

a service that is complementary to, but distinct from, OpenID.

Page 28: Android dev o_auth

OAuth and OpenID

OAuth is not an OpenID extension and, at the specification level, shares only a few things with OpenID: some common authors and the fact that both are open specifications in the realm of authentication and access control. 'Why is OAuth not an OpenID extension?' is probably the most frequently asked question in the group. The answer is simple: OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired. This does not mean you cannot use the two together. OAuth is about getting users to grant access, while OpenID is about making sure the users are really who they say they are.

Page 29: Android dev o_auth

Protocol Workflow

Page 30: Android dev o_auth

Example——background

Jane is back from her Scotland vacation. She spent 2 weeks on the island of Islay sampling Scotch. When she gets back home, Jane wants to share some of her vacation photos with her friends. Jane uses Faji, a photo sharing site, for sharing journey photos. She signs into her faji.com account, and uploads two photos which she marks private.

Page 31: Android dev o_auth

Example——step1

Jane wants to also share them with her grandmother. She doesn’t want to share her rare bottle of Scotch with anyone. But grandma doesn’t have an internet connection so Jane plans to order prints and have them mailed to grandma. Being a responsible person, Jane uses Beppa, an environmentally friendly photo printing service.

Using OAuth terminology, Jane is the User and Faji the Service Provider. The 2 photos Jane uploaded are the Protected Resources.

Page 32: Android dev o_auth

Example——step2

Jane visits beppa.com and begins to order prints. Beppa supports importing images from many photo sharing sites, including Faji. Jane selects the photos source and clicks Continue.

Page 33: Android dev o_auth

Example——step3

Page 34: Android dev o_auth

Example——step3

Page 35: Android dev o_auth

Example——step4

While Jane waits, Beppa uses the authorized Request Token and exchanges it for an Access Token. Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources, in this case Jane's photos. In the first request, Beppa exchanges the Request Token for an Access Token, and in the second request (this can be multiple requests: one for a list of photos, and a few more to get each photo) it gets the photos.

Page 36: Android dev o_auth

Example——step4

faji.com

beppa.com

Page 37: Android dev o_auth

Example——last step

Page 38: Android dev o_auth

Is OAuth 2.0 Bad for the Web?

One of the most visible uses of OAuth is Twitter, which decided to make it mandatory across its APIs as of this month (September 2010) and consequently killed its support for basic authentication. Michael Calore explains: "Twitter's move mirrors a broader trend on the social web, where basic authentication is being ditched for the more secure OAuth when services and applications connect users' accounts." Many web sites, such as iCodeBlog, provided tutorials to help developers quickly update their applications. And, even though OAuth 2.0 is still a draft, it is already supported by Facebook, which is to date the largest implementation of the OAuth protocol and a key stakeholder in the specification.

Page 39: Android dev o_auth

Is OAuth 2.0 Bad for the Web?

It looks as though, for once, the industry has developed a broad consensus to solve an important problem.

Yet Eran Hammer-Lahav published some criticisms of the latest direction of the specification, which dropped signatures and cryptography in favor of "bearer tokens". However, by Eran's own admission, "Cryptography is unforgiving". Developers can easily make mistakes in the steps they take to encrypt or sign a message, and it is generally unforgiving.

Page 40: Android dev o_auth

Is OAuth 2.0 Bad for the Web?

The argument of the supporters of this model is as follows: since most services use a cookie-based authentication system, it would not be more secure to use additional mechanisms, because an attacker would always target the weakest point. Actually, Eran's concerns are not about OAuth today, but about the impact that this specification will have in five years, when an inherently more secure protocol will be needed.

First, the argument will again be: since OAuth 2.0 is the weakest point, there is no need to implement stronger security mechanisms. Second, the reason why OAuth would work in today's environment is that all the APIs are fairly significant to the clients, and most of the API endpoints are declared statically in the client's code or configuration and are thoroughly tested before the application is released. So overall, there is little risk that the token will be sent to an unfriendly destination.

Page 41: Android dev o_auth

Is OAuth 2.0 Bad for the Web?

Subbu Allamaraju, author of the RESTful Web Services Cookbook, explained in a private note that:

"If a client application sends a request to an erroneous address ("mail.exmple.org" instead of "mail.example.org"), the rogue server at "mail.exmple.com" now has the client access token and can access its mail. Of course, in the case of browsers, the browser developer is responsible for not leaking cookies by implementing the same origin policy. OAuth 2.0 client developers will share the same responsibility."
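Added example, not part of the slides: the OAuth 1.0a HMAC-SHA1 signing that Beppa's photo requests in step 4 rely on, and the property the bearer-token debate above turns on. The token secret stays on the client, and the signature is bound to the method, URL and parameters, so a request signed for faji.com does not verify if it lands at a different host. Credentials, hosts and parameter values are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials: Beppa (consumer) holds an access token issued by Faji.
CONSUMER_KEY, CONSUMER_SECRET = "beppa-key", "beppa-secret"
ACCESS_TOKEN, TOKEN_SECRET = "jane-access-token", "jane-token-secret"

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved characters kept)."""
    return quote(str(value), safe="")

def signature_base_string(method, url, params):
    """METHOD&URL&PARAMS: parameters are encoded, sorted by key then value, joined with &."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, token_secret):
    """HMAC-SHA1 keyed with consumer secret & token secret; the secrets themselves never travel."""
    key = f"{pct(CONSUMER_SECRET)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def build_signed_request(method, url, query, timestamp, nonce):
    """Client side (Beppa): attach the oauth_* parameters and sign the whole request."""
    params = dict(query, oauth_consumer_key=CONSUMER_KEY, oauth_token=ACCESS_TOKEN,
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(timestamp),
                  oauth_nonce=nonce, oauth_version="1.0")
    params["oauth_signature"] = sign(method, url, params, TOKEN_SECRET)
    return {"method": method, "url": url, "params": params}

def verify_request(req, token_secrets):
    """Server side (Faji): recompute the signature over the request as actually received.
    Any change to method, URL or a parameter, or an unknown token, makes it fail."""
    params = dict(req["params"])
    presented = params.pop("oauth_signature", "")
    secret = token_secrets.get(params.get("oauth_token"))
    if secret is None:
        return False
    expected = sign(req["method"], req["url"], params, secret)
    return hmac.compare_digest(presented.encode(), expected.encode())

if __name__ == "__main__":
    req = build_signed_request("GET", "https://faji.com/photos", {"album": "islay"}, 1285900000, "n1")
    print(verify_request(req, {ACCESS_TOKEN: TOKEN_SECRET}))  # True: verified at faji.com
```

A production verifier must additionally reject stale oauth_timestamp values and reused oauth_nonce values, which is what stops a captured signed request from being replayed against the same URL.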

Page 42: Android dev o_auth

Thank you :D

[email protected]