Skip to content

Feature/android release hardening#97

Open
Jerryvic911 wants to merge 2 commits into
ericmt-98:mainfrom
Jerryvic911:feature/android-release-hardening
Open

Feature/android release hardening#97
Jerryvic911 wants to merge 2 commits into
ericmt-98:mainfrom
Jerryvic911:feature/android-release-hardening

Conversation

@Jerryvic911
Copy link
Copy Markdown

@Jerryvic911 Jerryvic911 commented May 27, 2026
edited
Loading

Closes #89

Changes

Signing

  • Configured release signing via keystore.properties (gitignored — never committed)
  • Added keystore.properties.example as a template for teammates
  • Release build now produces app-release.apk (signed) instead of app-release-unsigned.apk

R8 / Minification

  • Enabled minifyEnabled true and shrinkResources true in release build
  • Switched from proguard-android.txt to proguard-android-optimize.txt
  • Added full ProGuard keep rules for Capacitor core, MLKit barcode scanning,
    secure storage, geolocation, status bar and app plugins

Network Security

  • Added network_security_config.xml — HTTPS only, no cleartext in production
  • Debug builds allow user-installed CAs for local proxy tools (Charles/Proxyman)
  • Set android:usesCleartextTraffic="false" in AndroidManifest
  • Removed allowMixedContent: true from capacitor.config.ts

Backup Hardening

  • Added backup_rules.xml (Android 6–11) — excludes all sharedpref, database, file, external and root domains
  • Added data_extraction_rules.xml (Android 12+) — same exclusions for cloud backup and device transfer
  • Wired both in AndroidManifest alongside existing allowBackup="false"

Versioning

  • Aligned versionName to "1.0.0" in build.gradle
  • Aligned version to "1.0.0" in package.json
  • versionCode strategy: increment by 1 per Play Store upload

Build

  • Increased Gradle daemon heap from 1536m to 2048m to prevent OOM crash on full clean builds
  • Enabled android.enableR8.fullMode=true in gradle.properties

Acceptance Criteria

  • Signed release build generates reproducibly
  • Versioning supports clean upgrades
  • Production build uses HTTPS and no local endpoints
  • Secrets/JWT/keypairs are not backed up insecurely
  • Store readiness checklist is complete

Test Notes

  • Built with ./gradlew clean assembleRelease
  • Verified with apksigner verify --verbose app-release.apk
  • v2 scheme verified: true (required for Android 7+)

@Jerryvic911
feat(android): release hardening, signing and store readiness (ericmt…
d4071e2 
…-98#89)

- Enable R8/minification and shrinkResources in release build
- Configure release signing via keystore.properties (gitignored)
- Add network_security_config.xml — HTTPS only, no cleartext
- Add backup_rules.xml and data_extraction_rules.xml — exclude all sensitive data
- Wire networkSecurityConfig and dataExtractionRules in AndroidManifest
- Remove allowMixedContent from capacitor.config.ts
- Align versionName to 1.0.0 across build.gradle and package.json
- Add proguard rules for Capacitor, MLKit and all plugins
- Enable R8 full mode in gradle.properties
@Jerryvic911
fix(android): increase Gradle daemon heap to 2048m to prevent OOM crash
8c4c203
@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented May 27, 2026

@Jerryvic911 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Android release hardening, signing and store readiness

1 participant

@Jerryvic911