Visit GitHub Repo

Security showcase

Sample application was suspended from GooglePlay because it again: violates the deceptive device settings changes policy. Even when I already fixed first violation.
It's again because of usage of BIND_DEVICE_ADMIN for API 19. Since I have been actively working on version 3 of the KeystoreCompat library, I will solve this violation alongside with releasing that new library version



Branch Status
master Build Status
developV2 Build Status
developV3 Build Status

This is sample application pointing some security related practices on Android device.
SecurityShowcase architecture is MVVM based on Google's architecture component.
Complete server-side endpoint implementation for this project is available on GitHub KoTiNode.

Android keystore

Android keystore basics

SecurityShowcase application contains example of using standard Android Security with the Keystore. All Android Keystore related stuff is bundled in KeystoreCompat library (available in this source code).

KeystoreCompat library should help to prevent pain when starting work with keystore from the official documentation or StackOverflow discussion. The main point of this library is to provide the same services for all backward (...Compat) supported API versions (19+). The backward support is something, what all available libraries and blog posts lacks!

[KeystoreCompat documentation](./android-keystore-compat/
KeystoreCompat variant Readme JCenter
KeystoreCompat default (K+) KeystoreCompat Download
KeystoreCompat L+ KeystoreCompat-elPlus Download
KeystoreCompat M+ KeystoreCompat-emPlus Download

KeystoreCompat princip


Encrypted Realm

For sample implementation of the Realm persistence encryption look at DB Showcase repository.
Related article describing this encryption is available on Medium Encrypted Realm & Android Keystore

Rooted device detection

Very lightweight but powerful solution is using RootBear library which is also used by KeystoreCompat library.
Another solution is to use robust google solution SafetyNet (used for example by AndroidPay solution). SafetyNet is complex online/offline device checking solution, but it requires Google Play Services dependency.

Json Web Token

SecurityShowcase backend/client is using Json Web Token (JWT) to wrap all authentization payload. JWT RFC 7519 is in fact base64 string (easy to transfer in header) containing lot of information and is readable by anyone. JWT is signed by the server, so server can verify JWT (returning from the client) to be not malformed.

How does the process works?


  • client/app sends credentials (username/password) and requests authentication token (JWT)
  • server creates JWT (based on correct credentials) and sign this token with the secret. JWT also contains additional information related to authentized user.
  • client/app obtain proper JWT containing all information about the user and will store this token for the future use.


  • client/app bundle JWT to header of any secured request
  • server verify obtained JWT against original secret (to be not malformed) and then use any information (token validity, users role, users id ...) in the token to authorize user for current operation.


Showcase contains sample implementation of communication with the graphql endpoint (besides the REST).

Apollo client

Official Apollo Android doc

Graph schema

schema.json definition file is not composed manually, but is always completely downloaded from the server. Before download just ensure you have already installed apollo-codegen. If not install it by using npm install apollo-codegen
Generate schema.json using this command apollo-codegen download-schema --output schema.json


GraphiQL console allows to try call query manually, let's try it here:

Login GraphiQL

About GraphQl on the web

02/2017 Using Apollo client for Android 0.1.0
04/2017 Using Apollo client for Android 0.3.0

SecurityShowcase gradle notes

Switch keystore-compat-dependency local/maven To use keystore compat directly from local sources uncomment keystore.compat.dependency.type=local in

Build sample app

  • ./gradlew assembleRostiRelease

Dependency diagnostic

  • ./gradlew dependencyReport --configuration compile
  • ./gradlew dependencyInsighty --configuration compile --dependency
  • ./gradlew dependencyInsighty --configuration compile --dependency org.jetbrains.kotlin:kotlin-stdlib

Become Pro in Android by watching videos