Web vs. Native Mobile Apps: How to Choose the Right Approach (Cloud Next '19)


My name's Sean Ginevan. I work on a team here at Google called Android Enterprise. Our team is responsible for the business-to-business success of the Android platform. So if you're an IT organization like an HSBC or a Walmart or an SAP, you're often interacting with folks on our team, who are working with partners that help you deploy those devices, to help you build applications for those devices. Jon and myself work with large enterprise ISVs as well, folks like Salesforce, SAP, Manhattan Associates, ServiceNow, folks like that. But we find ourselves being brought into a lot of conversations. It feels like right now we're at this interesting transition point where IT is being asked to do more kind of brand things. And as an example, Jon and I were in a conversation with a large retailer, and they said, "Hey, we really want to go and optimize our consumer experience," and I told them, "You know, well, hey, you should probably be thinking about building for the web, for a lot of different reasons that we'll talk about today." And then they said, "Fantastic, and then we'll use that for all of our store associates." Whoa, wait, wait, not so fast. Let's talk about what you want to do for this project, what that means for, you know, running mobile devices in the warehouse, and figure out which technologies are gonna be appropriate for you. And that's what we want to get out of today's presentation.

So let's talk a little bit about an overview of what we want to get out of today's presentation. What we really are gonna talk about is an overview of web technologies as they apply specifically to Android; we'll touch a little bit on other mobile platforms in the market as well. We'll also talk about how to think about building app experiences, so what are some of the design and development considerations you want to think about when building out web experiences specifically for mobile. And we'll talk about some considerations on trade-offs as you think about, on a project-by-project basis, should I be building for the web or building for native.

Um, this is not designed to be a deep presentation about building for the web. It's not designed to be a presentation on how to implement service workers or provide code-level implementation for PWA or for native. We're also not going to cover things like grey areas. There's a lot of initiatives around how do I make apps more discoverable, how do I make them surface in search, things like instant apps on Play. We're not going to talk about that as well, because I only have 50 minutes to get through the content. Thank you for fixing the clicker.

So we'll start, kind of to frame out this morning's presentation, with a little bit of a story. How many of you here in the room traveled from outside of San Francisco and needed a hotel in order to be able to attend Next? So most of you, about two-thirds. So when you went through that experience, the likelihood, this is data from a talk McKinsey did back in 2018. They looked at some data around how people in the travel sector were actually looking through their purchase journeys, and what they found was that 63% of those journeys, so from "hey, I'm thinking about traveling to Aruba" to actually getting my plane tickets purchased, came from a mix of both mobile and cross-device journeys. So what that meant is I likely am on the train on my phone going, "Gosh, it would be really great to go to Aruba," and then maybe I go through and I do some research. I pick that session up on my desktop, I do a little bit more research, I start to narrow down the hotels. Google doesn't pay me enough, so the 5-star hotels get thrown out immediately. And I go back and forth until I eventually go and make a purchasing decision. What they also found was that 31% of those journeys came to search. So it's not that I went directly to travel.com or whatever website you choose, Google Flights as an example, or Google Maps, to go buy a hotel. I went and used search to go through and look for things like "cheap flights to Aruba", "which hotels are best in Aruba", and I used that as a catalyst to starting my purchase journey. 26% of those purchases came from the mobile web. So that meant that somebody in this sort of cross-device journey was going through and finishing that actual purchase on their phone. And this is really important, because it means that we really need to be optimizing

our experiences for a mix of different devices. We don't necessarily know, from the brand perspective, which particular modality a person's gonna be using when they actually go and enter into my site. And that is also likely true for employee apps. We're seeing a lot of employees use a mix of mobile devices and laptops to actually get their work done, and so it's really important, as we think about what tools we'll be enabling our employees with, that we'd be enabling for both.

Now, the web has changed a lot. Web pages used to be super static. They used to load everything at once, and for whatever reason, back in the 90s, I think mainly as developers we're like, "Oh my gosh, if I add one more thing it'll be that much better. Look, there's a blink tag, and I figured out how animations work, so let's make things scroll for inexplicable reasons," and sort of overloaded the sites. This is actually an example from Stack Overflow that they did for April Fool's. They actually redesigned the entire site circa 1990.

So the good news is that, at least in the desktop web, things have changed a lot. We're making sites much more interactive. You can actually now run Windows 2000 in a browser. I don't know why you'd do that, but it's a really great example of WebAssembly. The challenge is that the mobile web has traditionally been lackluster. A lot of brands, many organizations, use the mobile web as a placeholder, a static placeholder, to advertise the mobile app they've built, and basically there's a link that says "visit us on the App Store" or "visit us on Google Play", or sometimes they're not particularly good at this game, so they just say "visit us on the App Store", and it really infuriates us Android users. And the challenge there is that we know these patterns of development behavior don't work.

The Google+ team, before we wound down Google+, actually did an experiment, and they added an advertisement for the Google+ app to plus.google.com. So when you went on your mobile phone to plus.google.com, you saw this ad that's up here on the screen that says "get the app", and what they found in that survey was that 69% of users abandoned the site entirely. They neither went to the mobile website nor did they actually go through and download the application. Say what you will about Google+ as a platform, I think this is indicative of a broader user behavior. The activation energy to download an application, particularly as a consumer who's not really attached to your brand, is high. I have to go to Play, I have to click install, I have to wait, then I have to sign up for an account, and if I've never heard of your brand before, why am I gonna go through all of that work? And so it's really important, I believe, to be thinking about at least having much of my experience optimized for the mobile web. It doesn't necessarily mean abandon your mobile application. Spotify has actually gone through this journey, where they've said, "Hey, we want to allow users to discover music." So if anybody has been to BottleRock Napa Valley or other music festivals, likely you get a custom Spotify playlist that, you know, it's designed to get you excited about the bands you're gonna go see. And it used to be you click that link and it says, "Hi, go download the Spotify app," and if your answer is "What's Spotify?", you probably just abandon that experience entirely. And so they've really seen a high degree of conversion since opening Spotify up to the web, of people who are actually finding out about the service through these other brand interactions, like music festivals, like news articles, and the like.

So we know that building for the mobile web is important. So if we're gonna build a better mobile web, what are some of the things that we're absolutely gonna want to consider? One is around making our web experiences engaging. That starts with UX and really optimizing

around the variety of form factors and screens that the web presents, right? Not everything's a phone, not everything's a tablet. Foldables are gonna make this even more confusing, because it'll be both in my pocket. And so we really want to make sure that we're making a really dynamic UX experience. We want to make our sites engaging through things potentially like hardware integrations, we'll talk about hardware in a minute; through push notifications, so being able to go through and re-engage our users that come to our site: "Hey, I saw you liked this pair of black slacks, they're now 10% off," or "we now have them back in stock," which happens to me. And then credentials, being able to go through and actually, if the user has saved credentials, being able to reuse those credentials, or even potentially being able to single sign-on through credential stores like Google.

Another consideration is making the web installable. So if I, as a user, have visited your brand and I'm really showing a high degree of engagement, how do I get them to come back? Now, one option may be, "Hey, go download my mobile app, it really seems like you like me." Another way is just to say, "Hey, I'm gonna add this web experience to your home screen," and this experience might not be everything that you want to do for your mobile experience, but you're sort of bringing that user into the experience, transitioning them through: hey, I'm gonna add this to the home screen, maybe with this even more engagement I keep them there, or maybe I bring them onto my mobile app. And so, in addition, for those of you that are enterprise developers, you can take web experiences and surface them through managed Google Play. Managed Google Play is a version of the Play Store that's available for enterprises who want to distribute internal applications out to their employees, and so you can create basically your own private Play Store that distributes native apps, and now you can distribute web apps as well.

We want to make sites reliable. For all the talk about 5G, connectivity is not perfect. I read a stat recently that roughly half of all connections on the web are still coming from 3G devices or 3G networks. So we really need to be thinking about performance optimization, which I guess falls more in the fast bucket, but also, hey, I'm going from London to Paris and I go through a tunnel, I get back online, and I go through a tunnel again, and I go back online, and I'm in a tunnel again. This happened to Jon and I recently, because we were both in France visiting customers, and I was not particularly active on those websites that didn't know how to optimize for offline.

And then finally, fast. So we really want to make sure we're optimizing performance. We know that low-bandwidth, high-latency connections are still out there, and we want to make sure that we're optimizing for those, and we'll talk about some of that in a minute.

One way to enable these reliable experiences is through service workers. So if you think about the old way of doing the web, the old way is I would basically have a server out there somewhere on the internet, my browser would go and pop up, and it would download everything at once. That was fine, but as sites became more complex and more interactive, it became really, really tricky to go through and do everything at once. And so the idea of service workers is that you can build out a client-side proxy in JavaScript and have a little agent inside the browser that's separate from the DOM and separate from the main thread, that can do work on your behalf. Some

of that work are things like notification APIs, that we'll talk about in a minute; push APIs, which allow you to go in and get push messages to go and do other things; background synchronization, so you can go through and start to go and paint the page and load additional things in the background as the user starts to figure out where they want to go.

When we think about the web, though, it's great to have a bunch of technical tools that are at our disposal, but one thing that I often coach people about is you really want to build out your UX to be dynamic. One way to do that is to use a lot of the design patterns that are already in Material. You can use things like responsive grids and breakpoints to change the UI as the screen size changes. Um, Twitter, with Twitter Lite, has done an excellent job of this, where as you go and expand the screen, not only am I changing the horizontal width of what's being displayed, but as I go from smartphone to tablet and out to desktop, I'm actually uncovering additional functionality and additional content, because I now have the additional screen real estate to do so. So you can see on the right-hand side, as the browser pane goes and expands, Twitter actually goes into "hey, here's who you should follow, here's trends in San Francisco," in addition to the Twitter feed for Google Next '19.

These, um, design patterns are not only relevant for the mobile web; these design patterns are highly relevant for native apps as well. Many of you are aware that Android native apps can run on Chromebooks, and certainly, if you're designing for Chromebooks, you need to be more responsive, things like window resizing, maximizing, and whatnot. It's not particularly awesome to be on your Chromebook and go, "Cool, a phone app," and it just looks exactly like a phone app. And you want to be designing for both. One final thing about the web is you can also design those apps and run those apps in full-screen, so you can actually have your

applications, your web applications, run almost as if they were like a native app.

Another way to think about dynamic workflows is through hardware integration. So obviously cellular and Wi-Fi, those are gonna be your base connectivity mechanisms that are allowing you to go and get content into the browser. But there's a lot of other hardware capabilities that come with building out for PWA, things like GPS: hey, I want to go through and find what store locations are near me, or where something is in the mall, I can pop up my location and provide some interactivity back to the user. Or potentially even things like the camera for object recognition, or microphone for voice search. You have a lot of these hardware capabilities at your disposal whether you're building for the web or building for native. Jon will talk about in a minute that this is not, obviously, the totality of hardware that's available on Android, and so you'll need to be thinking about the level of hardware interactivity you have when deciding which tools you want to build for your projects.

Um, push notifications are a really great way to actually engage with your users and actually get them to re-engage with your website. Um, one of the pieces of guidance I give is, please don't go, as soon as I hit the site, and say, "Hi, I'd like to subscribe you to push notifications," because, one, that's obnoxious, and two, I have not really shown a ton of brand loyalty to you yet. Like, you haven't necessarily earned the right to go through and start sending me a bunch of additional notifications. But if I've, and Lancôme has actually done this on their site, shown a high degree of interest in things, I'm actually navigating through the site, I'm engaging with a lot of different content, I can go and not only ask for push notification but, more importantly, emphasize what I'm gonna get from subscribing to those push notifications. So as an example, I can emphasize, in the case of Lancôme, that, hey, let me tell you what some of the best deals are, let me tell you about new products we're gonna bring out for the season, and I'll bring that content to you right away.

One of the things about push notifications is, in Android, when you subscribe to push notifications, Android will wake you up in the background and actually surface that push notification. In desktop, the browser actually needs to be open, the browser needs to be resident in memory, for those push notifications to work. So the reliability of those push notifications may change depending on whether or not you're designing on desktop versus web.

Credential management also comes up quite a bit from customers, and the good news is that there's really great APIs for the web to handle things like credential management. So you can actually go through and say, hey, surface out to the user, "I know you're signing in locally, you're not clicking 'sign in with Google', you're actually using local account credentials to Acme Inc. Do you want to save these credentials?" And credential management allows you to save those into the browser, and in cases like Chrome, you can actually save those credentials across devices. So I can hop between my Android device, my Chromebook, my Windows desktop, why I would use that I don't know, but I can go through and have those credentials be stored across devices, not just across sessions. And you can decide whether or not you want to store the entire set of credentials, so username and password, or just autofill username and have the user type in a password. Those decisions are up to you.

Um, the next is to create an installable experience. Starbucks has done this with their, I would start with the word native, with their web-based application for doing things like checking in Starbucks rewards or going through and ordering lattes from the local Starbucks. What the add-to-homescreen prompt allows me to do is do just that, add that PWA experience to my home screen. That allows the webpage to install much like a native app, and with things like an app menu in the app settings tray in Android. It adds, obviously, you know, home screen icons and the like. But again, you really want to be triggering this prompt at a meaningful moment for the user. I don't necessarily want to install the Starbucks experience the first time I go to starbucks.com. I might want to install the Starbucks experience when I've successfully ordered something, or I'm checking my account, or at least I've logged in and saved credentials, because the likelihood that I'll want to come back to that is much higher. I mentioned managed Google Play. You can also surface PWAs for your brand into Google Play itself, so if you're entirely

on the web, you can actually publish these web experiences both for employees as well as for the consumer Play Store.

When you're distributing these applications through managed Play, you can decide who you want these applications to go to in your install base. So you can decide, hey, this is a financial workflow app, don't publish it to the entire company, only publish it out to the people in finance. And you don't have to be a G Suite customer to do that. There are tools out there where you can federate managed Google Play to your existing Active Directory or other LDAP data store, so you don't have to go and create a G Suite domain or create Gmail accounts for every user inside of your organization. And as you go and create the app store listings for your users, you can decide how you want that application to render. Do you want it to render like a website, and so show things like the toolbar and the address bar? Do you want it to be more of a minimal experience, so users can differentiate when they're in a native app versus when they're in the web? Or do you want to just have it be a full-screen experience and feel much more like a native application? You can publish these applications out via a few different mechanisms. Certainly you could publish through the Play Console, but a couple of new mechanisms we've recently introduced are custom publishing APIs, which allow you to basically script a lot of application management to managed Play, as well as the managed Play iframes, so for those of you that have a mobility management system, you can now control Play directly from your EMM.

Who here has seen this screen before? Now, I love when I go offline, because it means I get to go and play the dinosaur game and, like, figure out, you know, whether or not I can beat my high score, and from this animation I'm not particularly good at it. But the point here is that, as much as I might love this level of interactivity, it's not necessarily great for your brand experience. It's not gonna help me continue to research hotels, it's not gonna help me figure out whether or not I want to go purchase something. So as designers and developers, we really want to try and limit the

amount of offline messages that we give out to the end user, and potentially even have quite a bit of workflow available even while that user is offline.

So one thing you can do, and this is both a performance benefit as well as an offline benefit, is cache certain parts of your site locally into the browser. That allows the user to have some degree of interactivity and continue to browse inside of your web app without necessarily having to be online. More importantly, and this is super useful in workflow-based applications, so imagine if you're an airline: I don't necessarily need to be online to go get my boarding pass, or to go look up my trip itinerary, or know what gate, I guess gates change, but the idea here is that I can surface the last known information about my flight without having to necessarily be online. That's super useful for traveling internationally, by the way.

But certainly also you want to allow users to continue to use the site and alert them when they're offline. So pop open, say, "Hey, you're offline right now." This is an example from trivago: "You're offline right now, I'm gonna go and display what I can, and you can reconnect." Or maybe use this to go and start a workflow, cache it in the background, and resume it when the user comes back online.

And we know that, in addition to offline support, performance is absolutely critical. This is a recent study from Accenture and Google looking at users in Asia-Pacific. Fifty-three percent of mobile visits were likely to be abandoned if load times were greater than three seconds. A twenty percent drop in conversions was found for every second of delay in a mobile web site. So in other words, if you don't have really fast sites, people won't actually go through your experience and they won't buy stuff.

So we want to go through and make sure that we use caching for speed and reliability: speed up the load time for returning visitors, ensuring a consistent experience, and also, again, lay that foundation for offline experience. We also want to use things like lazy loading. Lazy loading allows you to go through and start to render the first parts of the page, but also work in the background to go through and load things that don't necessarily need to be up there in front of the user in order for that first piece of interactivity. This is actually an example from Tinder, where they were going through and looking at how their site was built, and they found they were loading a lot of images from places like Facebook and other places, and the user hadn't logged in yet. So what's the point of preloading all this content if the user hasn't logged in and hasn't created a Tinder account? So you can go through and say, "Hey, log in or create account," and be in the background loading all these images, so the user has a fast experience once they've gotten through that first gate.

Performance budgets are another way to do this. You can go through and set milestones to make sure that technical debt doesn't increase in your site and you don't go and degrade the experience as new features get implemented over time. Just some milestones that you might think about, these are actually from web.dev, and given the Accenture data I might say three seconds instead of five for time to interactive. You can also look at things like the size of the code that you're having, so you can optimize that. But the milestones that you really should be thinking about are first contentful paint, which is basically when data starts to be displayed into the browser, and then time to interactive: how quickly are you loading that site in order for the user to have a meaningful interaction. Be using testing and validation tools. We have things like Lighthouse and webpage calculate from Google that can help you go through and optimize. But don't just optimize once. This isn't like the rotisserie oven where you set it and forget it. You actually have to be doing this as you go and re-release the site, or you can end up with performance degradations. I'm gonna skip that slide, because that's not a particularly useful slide.

So let's talk about this from a case study perspective. PWA is great, it clearly offers a lot of benefit, but what does it look like from an end-to-end experience? So this is actually the trivago app again, just continuing with our theme of travel, and you can see here, when I go to trivago, I'm coming back as a user, it says, "Hey, would you want us to go and add this to the homescreen?" So I can add trivago and come back to it. I type in San Francisco, I start to get my wildly overpriced hotels here in the city, because there's, like, Next and two other conferences going on right now. And all of a sudden I've experienced a connectivity disruption, which you can see here in the middle pane. So as I go through that connectivity disruption, I can still go through and browse the site, look at some amount of data that's been cached in the background, and then when I reach that limit of what's been cached onto the device, I go through and get a notification: "Hey, you're offline, do you want to, you know, reconnect and continue browsing?" And obviously, when I restore the connection, I can go out there and buy my hotel.

trivago has also done a really good job of optimizing their web experience for native and mobile, so you can see that I'm getting a very similar look and feel whether I'm using this on my Android device or whether I'm using this on my Chromebook. So they know, and I think they understand, this idea of multi-modality interaction, and the fact that I'm likely gonna go to trivago once, look at some stuff, go to trivago again, look at some stuff, and the devices that I do that with are gonna vary, so let's make sure there's a consistent experience across them.

In the trivago case, they've seen a ton of benefit in migrating a lot of their functionality to the web. They've so far launched across 33 languages in 55 countries, but more importantly, they saw a 97 percent increase in click-outs to hotel offers when they actually went and optimized for the web experience. So rather than telling the user, "Hey, go download something, go through lots of additional steps in order to get into trivago," they're actually seeing people go through a really elegant flow, and the users are then buying at the end of that purchase. By

going offline, and while the dataset is relatively small in the case study, they still saw a 60 to 70 percent improvement in return visits to the site when there's been connectivity disruptions. So because they're providing a really interactive experience even when the user's offline, the user's willing to come back or persist through the connectivity disruption in order to go through and engage with that brand.

So we're set, right? We're all in for the web. Jon's actually gonna go and talk a little bit about some of the challenges we've seen with customers, particularly as they think about enterprise app workflows, and why don't I turn the stage over to you to talk about native.

Thank you. Hey, thanks Sean. So before we get started here: when Sean first asked me to do this talk with him, the first thought in my mind was, this is a horrible idea. The web versus native almost never goes well. There's always a Twitter or something that comes up from it, so apologies in advance. I'm gonna be as objective as possible. You know, a lot of people ask my advice, and again, that's why we're doing this, is because people ask us so often, you know, what do we build for? And obviously the decision to build for mobile or web really depends on what you're doing, and I never just say, oh, just because I work on Android, you know, you should always build for Android, or you should always build for native. So I would never say that. So I just want to preamble, you know, this section of the talk.

So with that said, my name is Jon Markoff. I lead developer relations for Android Enterprise. And, you know, as Sean mentioned, the web has a lot of benefits and a lot of great things. If you're building native apps, and especially in the enterprise space, there's a few other things you might want to take into account. So if your app is going to store a lot of information locally, web browsers, especially in mobile, have a lot more restrictions on how much storage and data you can save offline. Chrome,

for example, you can save up to 6% of the free space on the device, whereas something like Safari, you only get 50 megabytes total. So if your app is for workers in a warehouse, or delivering packages, or something like that, where you're not gonna have connectivity all the time and you need to download a lot of different things, especially if you are a service provider or, you know, someone at a cable company fixing, and you need videos to be able to understand and see different situations, where you just need to have a lot of space on the device. So if you're downloading videos, you know, a lot of local content for offline, the web might be a bit challenging there for you, especially if your device is lower powered and doesn't really come with a lot of storage. So if you could only have, like, 4 gigs of free space, you're gonna have not too much with even Chrome in this case.

So as Sean mentioned, you know, the web does give you a lot of available hardware, but there's a few things that are different. So for example, NFC and attestation are two really large ones that are missing from the web. You do have the ability to use biometrics, so you can authenticate on the web, but if you want to do more hardware-backed keys, Android Keystore, or crypto, you'll need to have a native app to access those features. And again, this is kind of just an overview of all the different web browsers and the features that they support.

So let's talk about native app security. If you store files on the local filesystem, like, who can access them? You know, ideally only, you know, your user and the person using the device. But what happens if the device is stolen? What if the device is compromised in some way? How do you ensure that your data is actually stored properly, especially in offline mode? With the web, you don't really have any options of how to change this data, because unless you do some sort of, like, JavaScript crypto, which would not really be able to take advantage of the trusted execution environment on Android.

So for data at rest, so if you want to actually store files and you want to encrypt them on the device, you can use the Android Keystore with the native app to ensure that your keys are never leaked and will never come off the device. Your application cannot even get the key material once it's created. As of Android Oreo, we added sensitive data protection. What this means is your key, you as a user, you must be using a phone that's been unlocked, so the key won't be available to the application if the device isn't unlocked. And to add to this even more, they also support biometric authentication. So when you're creating keys with the Android Keystore, you can actually set flags to say always require authentication, have a timeout on the authentication, and require sensitive data protection. So you could actually have it require a user to be present for any time the key's even accessed, so depending on the level of data that you're working on here.

With key attestation, you can also ensure that your keys haven't been compromised and that they never left the device.

What about data in transit? What if I'm sending data, what if I'm calling really sensitive services, and I need to make sure that someone hasn't injected a bad certificate? You can use OCSP, which is the Online Certificate Status Protocol, which is built into Android as of Nougat, which is Android 7, and that allows you to add checks to actually ensure that you can talk to your certificate authority and make sure that this certificate is valid and it is what it says it is. One other thing you can do as well is TLD verification, so that's the top-level domains, and making sure that someone hasn't created a fake one or someone hasn't tried to compromise the device.

Protected Confirmation. We launched Titan keys on Pixel devices and we just announced that we're taking that to more.

Devices As of yesterday with. Cloud and on. Android and protected. Conformation allows you to verify. That. The. Transaction, you're trying to accomplish, is. Being executed by our actual person, on the device so similar to a be key if you want to login if you have a. Corporate laptop, it. Basically. Makes sure that you, are actually. Present so someone's not emulating. Or stimulating your application, and in a you. Know Android studio or, other. Tools and it. Provides the fact that you're there because if, someone packets sniffs your, services they can try to bake calls and replay calls. But with built-in hardware in the device you can't fake that. Safety. Net. One, other thing that you can't enforce when you're building just a pure web app on mobile is how. Do I know if my device has been routed how I know how do I know if I'm actually on a real Android device at all. Because. You, know you can rip apks from. The web you can rip them off your phone and try to run them you can deconstruct them and figure, out like how can i how, can i try to compromise this app how can I try to replay and run run, this app without doing that safety. Net allows you to validate that you are actually. On an, actual device and it's a CTS compliant, device that means that. Google. Knows about it and it's a device that meets the test specifications, of what we have so somebody. Just didn't build a random open-source version of Android just to try, to compromise and run your app. As. An. Example. Here's. What safety looks like after, you call it I'm not gonna jump into the code here but just, as an example like the two last fields. In this JSON signature. Blob that come back our basic integrity, which means has. This device been rooted at all and CTS. Profile match which means that it's actually a device. And. In. More detail safety. Net has, a few steps that it takes and this is to ensure that, you. Actually. Know. 
That you've won you you know that the call is happening you know what user is using is. Actually calling the service and then. Ensuring from, Google that I actually, have a real response. From. Safety net so, to. Jump through these really quick, the. First thing we're gonna do is you're gonna generate a nonce which is a one-time use token and. That. Should be tied to whatever user is logged. In for your application, in that way and this, is something you save and make sure on your back-end yourself, that. You know is only used once and you know it's tied to the correct person. In, Android, you would call safety, net you, call the API to. Attest that this device has not, been routed in to reach. Out to Google to say hey you. Know do you know about this devices have been routed what's going on here. You're. Gonna get back the, JSON web signature that I showed you earlier that has a. Key. Is a. Signature. And all the different fields that you might want to look at time stamps apk you.

Know Is this compromised, or not and you. Need to send this back to your server and, check. All these fields to make sure hey does this make sense you. Know I just sent this it was a time make sense does the signature make sense and you, reach out to Google to ask one last time hey by the way, yeah. You know did you just a real response does the signature match if. Yes, that's, great you're fine if not then you, know that you can disable that user on your back-end as well so that means that you know that this user has been using a compromised device and you. Can block them from accessing any. Any services after that. You. Know one other thing as well that you, know you have some, device management with. Chrome and web. Browsers on mobile but. You have much more control over this with third-party tools like MMS, which, allow you to inject, settings, into your application, so. If you're, building for the, web you would have to build in all the different features so if I wanted to have a configurable, application. Where. I have, different settings based on different user types. You. Actually have to build that india-rubber application, or what. You can do is if you're, using like a commercial EMM. You. Can inject, settings by, a managed config which. Will configure, each user's device from an admin console so you don't actually have to write custom code to, handle the different situations, that make sense. Android. Doctor. If everyone knows there is a concept, of a work profile, so. If your. Enterprise. Or company supports. Bringing. Your own device to work you, can install a work profile which is a separate, container, on the device that allows you to. Basically. Separate your work and personal life it's it, maintains. Privacy, and, it'll. Actually allows you to now you can turn it off at night if you want to to not be getting pings and working emails and everything like that all the time and, then. 
On the corporate side if your company actually hands you a phone or device, this. Device has a lot more features that you can get pull logs as deep inspection, and. It has full admin visibility, on everything that's going on on it so, in these kinds of cases you. Know with, a lot more enterprises, are using you, they use both but for some of the really. Specific. Use. Cases we're talking about with especially custom hardware. You, probably have a company, on device so. Here's here's, some information on we don't to go through all these things but if. You're building for work profile your application.

Automatically. Kind of has to handle a few situations and, scenarios and, this. Is important because you. Know it's it allows you to, run your app in a limited privileged container which. It might not necessarily be, aware of so a few, things here not. Really gonna go over them in super detail but your. App might not act like it usually does there's, gonna be features like the camera might not exist you might not be able to share things you might not be able to save. Files like you don't really do and. You and you can't handle notifications, in the same way they work a little bit differently in the word profile. So. I mentioned badge configurations, earlier just. To kind of go through with that flow. Looks like. When. You're building Android application, you're going, to define, like. How it's configurable so let's say I'm a email client well. You're probably gonna have an email address server, and depending. On that server type you might have port and a bunch of other information, so. You generated, a little XML file which defines hey I'm expecting, an email address is just a string I'm expecting. A port which is an int and maybe you know an. Address, which is a string as well and what, that does is play. Automatically, knows and reads that. So. That gets ejected into Google Play which. Talks, to an EMM which says okay, this, app has these settings to configure so when, they're adding from the EMM perspective, or your admin is adding a new phone or device, they. Would. Be able to set those fields automatically, so you just start your phone up and oh look I know this is John this is email address this is this so I open the app and it just works already I don't have to I don't, have to go like try to figure out my email settings are for example. And. Then yeah so. That's. The native side of things we. Do have more resources a couple, things I didn't mention from. A design. Perspective and I mentioned that there's. 
You know all the different browsers and the challenges there obviously, also there's a lot of different Android devices a lot different Android versions, we. Launched jetpack two years ago at Google i/o which is a.

More Holistic support. Library, for Android and that allows you to more. Easily handle, backward compatibility. Yeah. So I think that's it I think we can I'll. Pass it back to Sean and then we'll open it up for questions. So. So, hopefully this gives you a high-level overview of, building. For, enterprise, I think, what we often coach, folks on and John brought this up at, the beginning of the presentation like this is not a religious, war, at. The end of the day what you're building for it needs to depend on the projects that you're actually building inside of your organization there. Are lots of cases where building. For the web is a really simple way to get, basic, work flows into the hands of your users it's, certainly, from a brand at a b2c, perspective, an absolutely. Critical way to. Be engaging with your customers, but it's not necessarily, the right technology. Depending. On what types of workflows you're, building out I'm for your enterprise, so. As John mentioned we have a ton of tools out, there whether you're building trying to understand how to build out enterprise, apps use, some of the tools that John I mentioned, definitely. Encourage you to go to those.
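The server-side half of the SafetyNet flow described in the talk (a one-time nonce tied to the logged-in user, then a check of the returned fields), as an added Python example that is not from the talk or from any Google library. `NonceStore`, `check_attestation_payload`, the package name and the two-minute freshness window are assumptions; the payload field names are those of the SafetyNet attestation response; verifying the JWS signature and certificate chain is assumed to have happened before this function is called.

```python
import base64, json, secrets, time

EXPECTED_PACKAGE = "com.example.app"   # assumption: placeholder package name
MAX_AGE_MS = 2 * 60 * 1000             # assumption: accept responses up to 2 minutes old

class NonceStore:
    """Server-side record of nonces: each is bound to one user and usable once."""
    def __init__(self):
        self._pending = {}             # nonce bytes -> user id
    def issue(self, user):
        nonce = secrets.token_bytes(24)
        self._pending[nonce] = user
        return nonce
    def consume(self, user, nonce):
        # pop() removes the nonce, so a replayed response fails the second time
        return self._pending.pop(nonce, None) == user

def _b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_attestation_payload(jws, user, store, now_ms=None):
    """Return the list of failed checks (empty list means the payload is acceptable).
    Assumes the JWS signature and certificate chain were already verified."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        _header, payload_b64, _sig = jws.split(".")
        payload = json.loads(_b64url(payload_b64))
        # the payload carries the nonce base64-encoded
        nonce = base64.b64decode(payload.get("nonce", ""), validate=True)
    except (ValueError, AttributeError, TypeError):
        return ["malformed"]
    failures = []
    if not store.consume(user, nonce):
        failures.append("nonce")
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > MAX_AGE_MS:
        failures.append("timestamp")
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        failures.append("package")
    for verdict in ("basicIntegrity", "ctsProfileMatch"):
        if payload.get(verdict) is not True:
            failures.append(verdict)
    return failures

def make_sample_jws(nonce, now_ms, **overrides):
    """Constructed, unsigned sample token for exercising the checks offline."""
    payload = {"nonce": base64.b64encode(nonce).decode(), "timestampMs": now_ms,
               "apkPackageName": EXPECTED_PACKAGE, "basicIntegrity": True,
               "ctsProfileMatch": True, **overrides}
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256"}), enc(payload), "c2ln"])
```

A non-empty result is the point at which the back end would refuse the request or disable the account, as the talk describes.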

2019-04-15 14:39
