Developer Best Practices
In this category we want to collect some best-practice hints for the developers of the apps we host. Let's start with some useful links:
- Keeping your signing keys safe: Signing your app is an essential part of your app's security. Unfortunately, „key loss“ happens more often than we'd expect. So here are some hints on How to keep your key safe and what measures to take for the event of loss?
- Key Rotation: Speaking of signing: what if you need to "upgrade" your "very old key" as it used an algorithm now considered weak, or your app shall be transferred to another developer? Since Android 9, you can use Signing Key Rotation. Resulting APKs are supported by IzzyOnDroid. If your app was set up with reproducible builds at F-Droid, this will not work there as key rotation is not supported with their setup.
- Build variants: You have your app at Google Play, use some proprietary libs there, but now want to provide a „fully F/LOSS variant“ – but keep your app at Google Play the way it is? Build flavors have you covered there.
- Per-ABI-APKs: Your app got too big? If the cause is native libraries (`*.so` files), consider per-ABI split APKs.
- Analytics: You think you cannot do without some analytics? Please, at least choose a framework/library that is not proprietary. Some candidates are listed under acceptable analytics. Also make sure to configure them opt-in (you respect the privacy of the people using your app, don't you?) to get clear consent – and to avoid the `Tracking` anti-feature.
- Metadata (app description, graphics): You want to control how your app is presented? Great! We recommend setting up Fastlane structures in your app's repo for that. Our Fastlane Documentation can help you with guidance there. To have your donation links shown, take a look at GitHub's FUNDING.yml, which can be used in your Codeberg or GitLab repo as well (and will be picked up by IzzyOnDroid as well as by F-Droid).
- APK library scan: You want to scan your apps yourself to see if "something might have slipped in"? A very good idea! You might wish to check the article Identify modules in apps to learn how you can use our scanner for yourself.
- Licensing: Not sure what license to use for your new app? The SPDX license list might help with that. Or check the recommendations at Codeberg.
More hints can be found in the „sub pages“ of this category.