KC-2.0.2 (Jan 8, 2018)
Jan 10, 2017
Jan 8, 2018
Michal (kotomisak)
Michal (kotomisak)
Source code
APK file

Show card

Security showcase

Branch Status

This is sample application pointing some security related practices on Android device.
SecurityShowcase architecture is MVVM based on Google's architecture component.
Complete server-side endpoint implementation for this project is available on GitHub KoTiNode.

Android keystore

Android keystore basics

SecurityShowcase application contains example of using standard Android Security with the Keystore. All Android Keystore related stuff is bundled in KeystoreCompat library (available in this source code).

KeystoreCompat library should help to prevent pain when starting work with keystore from the official documentation or StackOverflow discussion. The main point of this library is to provide the same services for all backward (...Compat) supported API versions (19+). The backward support is something, what all available libraries and blog posts lacks!

KeystoreCompat variant Readme JCenter
KeystoreCompat default (K+) KeystoreCompat
KeystoreCompat L+ KeystoreCompat-elPlus
KeystoreCompat M+ KeystoreCompat-emPlus

Encrypted Realm

For sample implementation of the Realm persistence encryption look at DB Showcase repository.
Related article describing this encryption is available on Medium Encrypted Realm & Android Keystore

Rooted device detection

Very lightweight but powerful solution is using RootBear library which is also used by KeystoreCompat library.
Another solution is to use robust google solution SafetyNet (used for example by AndroidPay solution). SafetyNet is complex online/offline device checking solution, but it requires Google Play Services dependency.

Json Web Token

SecurityShowcase backend/client is using Json Web Token (JWT) to wrap all authentization payload. JWT RFC 7519 is in fact base64 string (easy to transfer in header) containing lot of information and is readable by anyone. JWT is signed by the server, so server can verify JWT (returning from the client) to be not malformed.

How does the process works?


  • client/app sends credentials (username/password) and requests authentication token (JWT)
  • server creates JWT (based on correct credentials) and sign this token with the secret. JWT also contains additional information related to authentized user.
  • client/app obtain proper JWT containing all information about the user and will store this token for the future use.


  • client/app bundle JWT to header of any secured request
  • server verify obtained JWT against original secret (to be not malformed) and then use any information (token validity, users role, users id ...) in the token to authorize user for current operation.


Showcase contains sample implementation of communication with the graphql endpoint (besides the REST).

Apollo client

Official Apollo Android doc

Graph schema

schema.json definition file is not composed manually, but is always completely downloaded from the server. Before download just ensure you have already installed apollo-codegen. If not install it by using npm install apollo-codegen
Generate schema.json using this command apollo-codegen download-schema --output schema.json


GraphiQL console allows to try call query manually, let's try it here:

Login GraphiQL

About GraphQl on the web

02/2017 Using Apollo client for Android 0.1.0
04/2017 Using Apollo client for Android 0.3.0

SecurityShowcase gradle notes

Build sample app

  • ./gradlew assembleRostiRelease

Dependency diagnostic

  • ./gradlew dependencyReport --configuration compile
  • ./gradlew dependencyInsighty --configuration compile --dependency
  • ./gradlew dependencyInsighty --configuration compile --dependency org.jetbrains.kotlin:kotlin-stdlib