Posted by Petra Cross, Engineer, Google Wallet and Jose Ugia, Google Developer Relations Engineer
Today more than ever, consumers expect to be able to digitize their physical wallet, from payments and loyalty to tickets and IDs. At Google I/O we announced Google Wallet, which allows users to do exactly that. Consumers can securely store and manage their payment and loyalty cards, board a flight, access a gym and much more, all with just their Android phone.
For Android developers, who manage their own digital passes, Google Wallet offers a fast and secure entry point, especially when quick access is needed. Google Wallet will be quickly accessible from the device lock screen on Pixel devices and from the pulldown shade. Your users will be able to quickly access their passes when they need them – all in one place.
Integrating with Google Wallet became even easier and more flexible. We’ve summarized the news of what you can expect as an Android developer.
New Android SDK
The existing Android SDK supports saving three types of passes: offers, loyalty cards, and gift cards. You asked us to add support for other pass types, and we’ve heard you. Today, we are announcing a new, more extensible API and Android SDK that, in addition to tickets, boarding passes, transit tickets, and additional pass types, includes support for the new generic pass, which lets your users store any pass or card to Google Wallet. The Android SDK lets you create passes using JSON or JSON Web Token as a payload without a backend integration.
Using the Android SDK is straightforward. First, you create a payload with information about the pass. You can either build it directly in your Android app, or retrieve it from your backend stack. Then, you call the savePasses or savePassesJwt method in the “PayClient” to add the pass to Google Wallet.
Here is how you define and save a sample generic pass object:
Once your app calls savePassesJwt, the process guides your users through the flow of adding a pass to Google Wallet, and allows them to preview the pass before confirming the save operation.
Developer documentation, samples and codelabs
You can find the new Wallet API documentation on developers.google.com/wallet. We customized our developer guides for each pass type to make all the information easily accessible for your specific needs. You will also find plenty of code samples demonstrating how to check for availability of the Google Wallet API on the Android device, how to handle errors, and how to add the “Add to Google Wallet” button to your app.
Don’t forget to play with our interactive passes visual demo, which lets you fill in the fields and create your own custom pass prototype without writing a single line of code. The tool also generates code samples that you can use to build this pass’ data structures which we call “classes” and “objects”.
We’re really excited to build a great digital wallet experience with you, and can’t wait to see how you use the Google Wallet API to enrich your customer experience. Take a look at our hands-on workshop “Digitize any wallet object with the Google Wallet API” to see a full integration tutorial on Android.
Posted by Ankita Tripathi, Community Manager (Dev Library)
Witnessing a plethora of open-source enthusiasts in the developer ecosystem in recent years gave birth to the idea of Google’s Dev Library. The inception of the platform happened in June 2021 with the only objective of giving visibility to developers who have been creating and building projects relentlessly using Google technologies. But why the Dev Library?
Why Dev Library?
Open-source communities are currently at a boom. The past 3 years have seen a surge of folks constantly building in public, talking about open-source contributions, digging into opportunities, and carving out a valuable portfolio for themselves. The idea behind the Dev Library as a whole was also to capture these open-source projects and leverage them for the benefit of other developers.
This platform acted as a gold mine for projects created using Google technologies (Android, Angular, Flutter, Firebase, Machine Learning, Google Assistant, Google Cloud).
With the platform, we also catered to the burning issue – creating a central place for the huge number of projects and articles scattered across various platforms. Therefore, the Dev Library became a one-source platform for all the open source projects and articles for Google technologies.
How can you use the Dev Library?
“It is a library full of quality projects and articles.”
External developers cannot construe Dev Library as the first platform for blog posts or projects, but the vision is bigger than being a mere platform for the display of content. It envisages the growth of developers along with tech content creation. The uniqueness of the platform lies in the curation of its submissions. Unlike other platforms, you don’t get your submitted work on the site by just clicking ‘Submit’. Behind the scenes, Dev Library has internal Google engineers for each product area who:
thoroughly assess each submission,
check for relevancy, freshness, and quality,
approve the ones that pass the check, and reject the others with a note.
It is a painstaking process, and Dev Library requires a 4-6 week turnaround time to complete the entire curation procedure and get your work on the site.
What we aim to do with the platform:
Provide visibility: Developers create open-source projects and write articles on platforms to bring visibility to their work and attract more contributions. Dev Library’s intention is to continue to provide this amplification for the efforts and time spent by external contributors.
Kickstart a beginner’s open-source contribution journey: The biggest challenge for a beginner to start applying their learnings to build Android or Flutter applications is ‘Where do I start my contributions from’? While we see an open-source placard unfurled everywhere, beginners still struggle to find their right place. With the Dev Library, you get a stack of quality projects hand-picked for you keeping the freshness of the tech and content quality intact. For example, Tomas Trajan, a Dev Library contributor created an Angular material starter project where they have ‘good first issues’ to start your contributions with.
Recognition: Your selection of the content on the Dev Library acts as recognition to the tiring hours you’ve put in to build a running open-source project and explain it well. Dev Library also delivers hero content in their monthly newsletter, features top contributors, and is in the process to gamify the developer efforts. As an example, one of our contributors created a Weather application using Android and added a badge ‘Part of Dev Library’.
Keeping developers in mind, we’ve updated features on the platform as follows:
Added a new product category; Google Assistant – All Google Assistant and Smart home projects now have a designated category on the Dev Library.
Integrated a new way to make submissions across product areas via the Advocu form.
Introduced a special section to submit Cloud Champion articles on Google Cloud.
Included displays on each Author page indicating the expertise of individual contributors
Upcoming: An expertise filter to help you segment out content based on Beginner, Intermediate, or Expert levels.
To submit your idea or suggestion, refer to this form, and put down your suggestions.
Dev Library as a platform is more about the contributors who lie on the cusp of creation and consumption of the available content. Here are some contributors who have utilized the platform their way. Here’s how the Dev Library has helped along their journey:
Roaa Khaddam: Roaa is a Senior Flutter Mobile Developer and Co-Founder at MultiCaret Inc.
How has the Dev Library helped you?
“It gave me the opportunity to share what I created with an incredible community and look at the projects my fellow Flutter mates have created. It acts as a great learning resource.”
“I used to discover new open source libraries and helpful articles for Android development in many places and it took me longer than necessary. But the Dev Library allows me to explore these useful resources in one place.”
Kevin Kreuzer: Kevin is an Angular developer and contributes to the community in various ways.
How has the Dev Library helped you?
“Dev Library is a great tool to find excellent Angular articles or open source projects. Dev Library offers a great filtering function and therefore makes it much easier to find the right open source library for your use case.”
What started as a platform to highlight and showcase some open-source projects has grown into a product where developers can share their learnings, inspire others, and contribute to the ecosystem at large.
Do you have an Open Source learning or project in the form of a blog or GitHub repo you’d like to share? Please submit it to the Dev Library platform. We’d love to add you to our ever growing list of developer contributors!
Posted by Tanvi Somani, Program Manager – Regional Lead, Google Developer Student Clubs, Google Developer Relations India
Android Study Jams, hosted by Google Developer Student Clubs (GDSC) chapters across the globe and in India, leverage peer-to-peer teaching to train a new generation of student Android developers. The program aims to help student developers build their careers and put them on a solid path towards earning an Associate Android Developers Certification. Three students from the GDSC community in India, Amsavarthan Lv, Rishi Balamurugan, and Sanjay S. went the extra kilometer to earn their certifications.
Meet the newly certified Android developers
“From childhood onward, I was inspired by my brother to learn to program. He’s also a certified Android developer,” says Amsavarthan Lv, the GDSC Lead at the Chennai Institute of Technology and a full-stack web and mobile developer. “I used to be amazed by seeing the code and information on his output screen. Over time, I started exploring tech, and I chose my career as a full-stack web and mobile developer.”
Rishi Balamurugan’s father introduced him to coding, and he eventually built an application for his dad’s company. A member of GDSC Shiv Nadar University from Bangalore, Rishi was the facilitator for the Android Study Jams on his campus.
Sanjay S. mused he didn’t like technology at first, but a friend introduced him to Android with Java through an online course, which changed the course of his career. Now, he’s a pre-final-year engineering student, specializing in Android and full-stack development, at Sri Ramakrishna Engineering College – Coimbatore Tamil Nadu.
(Pictured from left to right) Amsavarthan Lv, Rishi Balamurugan, and Sanjay S. each recently earned a certification in Android Development.
Leveling up Android development skills
These three newly certified Android developers completed the program with comprehensive Android development skills and the confidence and preparation to build a career in Android development.
“As an Android developer, I have taken several webinars and workshops through GDSC and other campus programs,” Amsavarthan says. “The course and the content provided in Android Study Jams was a piece of cake for getting started as an Android developer. It had everything from creating basic layouts to implementing a local database.”
“After learning the fundamentals, I heard about this certification and started to prepare,” says Sanjay. “I thought this would help me stand out in my career and boost my confidence.”
After receiving mentorship from the Google Play team on Google Play and Play Academy, the students built simple applications and learned what’s involved to deploy to the Google Play Store.
YouTube Thumbnail Search App: A solution for users who just want to browse thumbnails and not play the videos shown in the YouTube search list, the application leverages LiveData and ViewModel to handle the UI Logic.
SimplDo: This application keeps track of your todo list, with options to add, check, update, and delete items. List items are displayed using Recycler view and stored using View Model and Live Data; Jetpack navigation is used to handle navigation between the fragments and pass data.
Alert’em: An emergency alerter with local helpline numbers, this app’s “Emergency Alerting System” sends an SMS containing the recent call log of the user to their emergency contacts. It uses a flexible constraint layout and a Jetpack Navigation to switch between different screens.
Building confidence and career readiness
Over 65.5 thousand developers participated in 800+ Android Study Jams in India and emerged with new skills from the Android Basics in Kotlin Course and Appscale academy sessions. Program facilitators could earn Google Developer Profile badges and become Android Educators.
“Android Study Jams helped me to try out new libraries such as Jetpack, DataStore, and WorkManager and showed me how to work in a step-by-step manner,” says Sanjay. “It was organized in such a way that even a beginner can start learning Android easily.”
Amsavarthan, Rishi, and Sanjay took the initiative to gain the skills to pursue employment as full-time Android developers after graduation, and as the program continues, more Android Study Jams participants will be on their way to bright futures.
How to join a Google Developer Student Club and lead or attend an Android Study Jam:
If you’re a university student interested in opportunities to learn about Google developer products, including Android Study Jams, sign up for a Google Developer Student Club near you here.
Want to make a similar impact on your campus? Sign up to become a Google Developer Student Clubs Lead here.
Posted by Rodrigo Akira Hirooka, Regional Lead, Latin America
Getting acquainted with Android career options
Cecilia Castillo loves mobile development. She’s confident that she’d be happy focusing on it for the rest of her career. Cecilia’s career in mobile development began when her friend Adrian Catalan (Director of the Innovation Lab at Galileo University), launched a Google Developer Groups (GDG) chapter in Guatemala and began to teach Android courses.
Up until that point, Cecilia had used technologies like ASPX and Ruby on Rails – and was no stranger to technical concepts, having studied computer science at Galileo University in Guatemala and earned a Master’s degree in information technology, but she was also itching to learn something new in a supportive environment. That’s when she attended a locally organized GDG event. “I got more involved in GDG meetups and helped organize them, and I learned how to code in Android.”
“Mobile experiences are often the first interaction people have with a product or service. An experience on mobile can determine whether someone will love it or hate it, and I think that is a big responsibility and a privilege.”
2013: a pivotal year of community leadership
In time, she found the GDG community helped her feel a sense of camaraderie in the LATAM tech community and in 2013, Cecilia decided to attend Google I/O. She found it “life-changing,” she says, and loved being able to share her enthusiasm for mobile development with more people from all over the world.
That very year, Cecilia began helping plan International Women’s Day back home in Guatemala and helped run the first International Women’s Day (IWD) event there. “It was the start of something exciting. I was always passionate about creating spaces where other women could share their experiences, their talents, and everything technical they were learning,” she says.
She says IWD events make it possible for her to meet women from all over the world who are doing interesting work in technology. In addition, Cecilia says International Women’s Day events and GDG groups create momentum around the idea that women are tech experts and leaders.
Inspiring other female leaders and improving the local programs
Cecilia says she and her planning team try to make their IWD event bigger and better every year, making sure to invite a combination of new speakers and women with more experience who have been giving talks and working in tech for a while.
The Innovation Lab at Galileo University now supports the two-day virtual event, which occurred on March 11-12 this year. This year’s event included student-focused programming to encourage prospective developers to pursue tech careers or apply tech to their interests. Around 70 speakers participated, some from different countries in Latin America and others from Guatemala.
Cecilia says the university has played an important role in helping the GDG chapter achieve its goal of more visibility and reaching a broader audience. Furthermore, Cecilia recognized that Evelyn Cruz, lead of the Engineering Education Group at Galileo University, has been instrumental during the planning process.
Looking ahead to new opportunities
“I think it is important to create moments and spaces where we can celebrate and spotlight all the amazing things women are doing,” says Cecilia. “By being part of a bigger network like GDG, we also get to know and learn from talented women from all over Latin America and the world.
“The GDG community offers a very diverse group of people, and I think this diversity of countries, companies, and expertise adds value for anyone who is involved in these communities.”
Developing those initial Android skills has paid off, as Castillo now serves as a co-organizer for Google Developer Group (GDG) in Guatemala, holds a position as a Women Techmakers ambassador, and works as a Senior Mobile Engineer at PayPal. In this role she works on both Android and iOS platforms and she’s now giving back to the community in so many ways.
For Women’s History Month, we’re celebrating a few of our Google Developer Experts. Meet Annyce Davis, Android GDE and Vice President of Engineering at Meetup.
When Annyce Davis first started learning about Android development, she was fascinated by the ability to create applications for a device that she carried around in her purse. “The ecosystem was young, and it was full of opportunities and challenges,” she says. “I could finally show my friends and family what I worked on every day!”
She says the fact that Android developers support multiple form factors and devices makes Android development fun and challenging. “Something that works on one type of Android device doesn’t necessarily work on another,” she says. “Being able to have the patience to work through the nuances makes it a challenging career.”
In the course of her career, Annyce has had the opportunity to develop Android applications across multiple form factors and in various contexts. She has designed applications for Android TV and tablets focused on video streaming. At another point in her career, she was designing for low-end devices with limited internet connectivity. “In each of the circumstances, I’m able to use specific aspects of the Android platform to get the job done,” she says. “I love that I get to develop applications used by millions of people around the world. I also appreciate being a part of the constant evolution of the Android ecosystem.”
She has taught thousands of people about Android development through blog posts, Meetup events, and conference talks. In her current professional role as the Vice President of Engineering at Meetup, Annyce says Android gives organizations flexibility, numerous resources, and community support. “As Android has evolved, it’s becoming easier to learn and develop for,” she says. “Additionally, the community support is unmatched. You have numerous resources that you can avail yourself of to get help when needed.”
When Annyce reflects upon her career, she says she wishes she had been braver about asking questions. She advises other women developers to be confident about asking for help or information and to be unafraid to make mistakes. “I experienced the most growth in my career when I was willing to put myself out there and just ask,” she says. “Being vulnerable and reaching out to others helped me to accelerate my growth. Grow your network and don’t be afraid to ask for help.”
The Google Developers Experts program is a global network of highly experienced technology experts, influencers, and thought leaders who actively support developers, companies, and tech communities by speaking at events and publishing content.
Posted by Vikrant Rana, Product Manager and Badi Azad, Group Product Manager, Google
At Google, we constantly strive to provide safer ways for users to sign in and share their Google account data with third-party applications. In the spirit of that work, we will be rolling out a set of protections against phishing and app impersonation attacks during OAuth interactions.
The Google sign-in and authorization flows are powered by the Google OAuth platform and over the years we have developed and supported a number of ways for app developers to integrate with supported OAuth flows. With the goal of keeping users safer online, we will end support for two legacy flows and will require developers to migrate to alternative implementation methods that offer greater protections.
To ensure a smooth transition and avoid any service interruption we will give ample time to implement and meet the compliance dates which are specified below. We will share further updates on this rollout via email so please make sure your support email address is up to date in project settings on the Google API console.
The Loopback IP address flow is vulnerable to a man-in-the-middle attack in which a malicious app, accessing the same loopback interface on some operating systems, may intercept the OAuth response and gain access to the authorization code. We intend to remove this threat vector by disallowing this flow for iOS, Android and Chrome app OAuth client types. Existing clients will be able to migrate to more secure implementation methods. New clients will be unable to use this flow starting on March 14, 2022.
Determine if your app is using the Loopback IP address flow
You can inspect your app code or the outgoing network call (in case your app is using an OAuth library) to determine whether the Google OAuth authorization request your app is making uses one of the following values for the “redirect_uri” parameter.
redirect_uri=http://127.0.0.1:port or http://[::1]:port or
Migrate to an alternative flow
If your app is using the Loopback IP address method you need to migrate to another method which is more secure by default. Please consider the following alternative methods for migration.
OAuth out-of-band (OOB) is a legacy flow developed to support native clients which, unlike web apps, do not have a redirect URI to accept the credentials after a user approves an OAuth consent request. The OOB flow poses a remote phishing risk and clients must migrate to an alternative method to protect against this vulnerability. New clients will be unable to use this flow starting on Feb 28, 2022.
You can inspect your app code or the outgoing network call (in case your app is using an OAuth library) to determine whether the Google OAuth authorization request your app is making uses one of the following values for the “redirect_uri” parameter.
redirect_uri=urn:ietf:wg:oauth:2.0:oob or urn:ietf:wg:oauth:2.0:oob:auto or oob
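One way to run both checks described above (loopback and OOB) over captured authorization requests or source lines, as an added example that is not part of the original post. The sample lines, client IDs and function names are constructed for illustration; the loopback test uses Python's `ipaddress` module, so it generalizes beyond the two literal forms listed to any loopback IP literal over plain `http`.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# OOB redirect_uri values exactly as listed in the post.
OOB_VALUES = {"urn:ietf:wg:oauth:2.0:oob", "urn:ietf:wg:oauth:2.0:oob:auto", "oob"}

# Finds redirect_uri=<value> in a query string or a line of source code.
# The value ends at '&', whitespace, a quote character or '#'.
REDIRECT_PARAM = re.compile(r"redirect_uri=([^&\s\"'#]+)")


def classify_redirect_uri(raw):
    """Return 'oob', 'loopback' or 'other' for one redirect_uri value."""
    value = unquote(raw).strip()
    if value.lower() in OOB_VALUES:
        return "oob"
    try:
        parts = urlsplit(value)
    except ValueError:
        return "other"  # malformed URL, e.g. an unterminated IPv6 bracket
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return "other"
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return "other"  # a hostname rather than an IP literal
    return "loopback" if host.is_loopback else "other"


def audit_lines(lines):
    """Return (line number, decoded redirect_uri, category) for flagged values."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in REDIRECT_PARAM.finditer(line):
            category = classify_redirect_uri(match.group(1))
            if category != "other":
                findings.append((lineno, unquote(match.group(1)), category))
    return findings


# Constructed sample input: three captured requests and one line of app code.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SAMPLE_LINES = [
    "GET " + AUTH_ENDPOINT + "?client_id=EXAMPLE-1.apps.googleusercontent.com"
    "&redirect_uri=http%3A%2F%2F127.0.0.1%3A51004%2Fcallback&response_type=code",
    "GET " + AUTH_ENDPOINT + "?client_id=EXAMPLE-2.apps.googleusercontent.com"
    "&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code",
    "GET " + AUTH_ENDPOINT + "?client_id=EXAMPLE-3.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth2%2Fcallback&response_type=code",
    'String url = base + "&redirect_uri=http://[::1]:8080";',
]

if __name__ == "__main__":
    for lineno, value, category in audit_lines(SAMPLE_LINES):
        print(f"line {lineno}: {category:8s} {value}")
```
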
Migrate to an alternative flow
If your app is using the OOB method you need to migrate to another method which is more secure by default. Please consider the following alternative methods for migration.
A user-facing warning message may be displayed for non-compliant requests one month before the aforementioned OAuth methods are due to be blocked. The message will convey to the users that the app may be blocked soon while displaying the support email that you have registered in the OAuth consent screen in Google API Console.
[Sample user-facing warning]
The developers can acknowledge the user-facing warning message and suppress it by passing a query parameter in the authorization call as shown below.
A recent study by 451 Research showed that for merchants with over 50% of sales occurring online, 69% of them used multiple PSPs. We first demonstrated with the aforementioned samples how you can implement a consistent interface to multiple PSPs, streamlining your codebase while also providing more flexibility for the future. We’ve now taken this one step further and brought this unified PSP interface to the Firebase platform, by way of a Firebase Extension for Google Pay, making it easier than ever to integrate Google Pay with one or more PSPs.
Google Pay Firebase Extension
Firebase Extensions are open source pre-packaged bundles of code that developers can easily pull into their apps, and are designed to increase productivity, and provide extended functionality to your apps without the need to research, write, or debug code on your own. Following this line, the Google Pay Firebase Extension brings the unified PSP interface to developers’ Firebase apps.
With the Google Pay Firebase Extension installed, you can pass a payment token from the Google Pay API to your Cloud Firestore database. The extension will listen for a request written to the path defined during installation, and then send the request to the PSP’s API. It will then write the response back to the same Firestore node.
Like all Firebase Extensions, the Google Pay Firebase Extension is entirely open source, so you can modify the code yourself to change the functionality as you see fit, or even contribute your changes back via pull requests – the sky’s the limit.
Furthermore, as the extension is backed by the aforementioned PSP samples project, the same set of PSPs are supported. Want to see your favorite PSP supported? Head on over to the PSP samples project which contains instructions for adding it.
Summing it up
Whether you’re new to Google Pay or Firebase, or an existing user of either, the new Google Pay extension is designed to save you even more time and effort when integrating Google Pay and any number of Payment Service Providers with your application.
Welcome to #IamaGDE – a series of spotlights presenting Google Developer Experts (GDEs) from across the globe. Discover their stories, passions, and highlights of their community work.
Gaston Saillen started coding for fun, making apps for his friends. About seven years ago, he began working full-time as an Android developer for startups. He built a bunch of apps—and then someone gave him an idea for an app that has had a broad social impact in his local community. Now, he is a senior Android developer at Distillery.
Meet Gaston Saillen, Google Developer Expert in Android and Firebase.
Building the Uh-LaLa! app
After seven years of building apps for startups, Gaston visited a local food delivery truck to pick up dinner, and the server asked him, “Why don’t you do a food delivery app for the town, since you are an Android developer? We don’t have any food delivery apps here, but in the big city, there are tons of them.”
The food truck proprietor added that he was new in town and needed a tool to boost his sales. Gaston was up for the challenge and created a straightforward delivery app for local Cordoba restaurants he named Uh-Lala! Restaurants configure the app themselves, and there’s no app fee. “My plan was to deliver this service to this community and start making some progress on the technology that they use for delivery,” says Gaston. “And after that, a lot of other food delivery services started using the app.”
The base app is built similarly to food delivery apps for bigger companies. Gaston built it for Cordoba restaurants first, after several months of development, and it’s still the only food delivery app in town. When he released the app, it immediately got traction, with people placing orders. His friends joined, and the app expanded. “I’ve made a lot of apps as an Android engineer, but this is the first time I’ve made one that had such an impact on my community.”
He had to figure out how to deliver real-time notifications that food was ready for delivery. “That was a little tough at first, but then I got to know more about all the backend functions and everything, and that opened up a lot of new features.”
He also had to educate two groups of users: Restaurant owners need to know how to input their data into the app, and customers had to change their habit of using their phones for calls instead of apps.
Gaston says seeing people using the app is rewarding because he feels like he’s helping his community. “All of a sudden, nearby towns started using Uh-LaLa!, and I didn’t expect it to grow that big, and it helped those communities.”
During the COVID-19 pandemic, many restaurants struggled to maintain their sales numbers. A local pub owner ran a promotion through Instagram to use the Uh-Lala! App for ten percent off, and their sales returned to pre-COVID levels. “That is a success story. They were really happy about the app.”
Becoming a GDE
Gaston has been a GDE for seven years. When he was working on his last startup, he found himself regularly answering questions about Android development and Firebase on StackOverflow and creating developer content in the form of blog posts and YouTube videos. When he learned about the GDE program, it seemed like a perfect way to continue to contribute his Android development knowledge to an even broader developer community. Once he was selected, he continued writing blog posts and making videos—and now, they reach a broader audience.
“I created a course on Udemy that I keep updated, and I’m still writing the blog posts,” he says. “We also started the GDG here in Cordoba, and we try to have a new talk every month.”
Gaston enjoys the GDE community and sharing his ideas about Firebase and Android with other developers. He and several fellow Firebase developers started a WhatsApp group to chat about Firebase. “I enjoy being a Google Developer Expert because I can meet members of the community that do the same things that I do. It’s a really nice way to keep improving my skills and meet other people who also contribute and make videos and blogs about what I love: Android.”
The Android platform provides developers with state-of-the-art tools to build apps for users. Firebase allows developers to accelerate and scale app development without managing infrastructure; release apps and monitor their performance and stability; and boost engagement with analytics, A/B testing, and messaging campaigns.
Gaston looks forward to developing Uh-La-La further and building more apps, like a coworking space reservation app that would show users the hours and locations of nearby coworking spaces and allow them to reserve a space at a certain time. He is also busy as an Android developer with Distillery.
Gaston’s advice to future developers
“Keep moving forward. Any adversity that you will be having in your career will be part of your learning, so the more that you find problems and solve them, the more that you will learn and progress in your career.”
Posted by Stephen McDonald, Developer Relations Engineer, Google Pay
Easily connect Google Pay with your preferred payment processor
Adding Google Pay as a payment method to your website or Android application provides a secure and fast checkout option for your users. To enable Google Pay, you will first need a Payment Service Provider (PSP). For the integration this means understanding how your payments processing stack works with Google Pay APIs.
End-to-end PSP samples
A recent study by 451 Research showed that for merchants with over 50% of sales occurring online, 69% of merchants used multiple PSPs. With these new samples, we demonstrate how you can implement an entirely consistent interface to multiple PSPs, streamlining your codebase while also providing more flexibility for the future.
Lastly, we’ve also added support to both the Web and Android Google Pay sample applications, making it easy to demonstrate the new PSP samples. Simply run the PSP samples project, and configure the Web or Android samples to send their cart information and Google Pay token to the PSP samples app, which will then send the relevant data to the PSP’s API and return the PSP’s response back.
To start with, we’ve included support for 6 popular PSPs: Adyen, Braintree, Checkout.com, Cybersource, Square, and Stripe. But that’s just the beginning. If you’re involved with a PSP that isn’t yet included, we’ve made adding new PSPs to the open source project as simple as possible. Just head on over to the GitHub repository which contains instructions on contributing your preferred PSP to the project.
Launching Google Pay for your website
When you’ve completed your testing, submit your website integration in the Google Pay Business Console. You will need to provide your website’s URL and screenshots to complete the submission.
Summing it up
Integrating Google Pay into your website is a great way to increase conversions and to improve the purchasing experience for your customers, and with these new open source samples, the process is even easier.
What do you think? Follow us on Twitter for the latest updates @GooglePayDevs
Do you have any questions? Let us know in the comments below or tweet using #AskGooglePayDevs.
Posted by Vikrant Rana, Product Manager, and Badi Azad, Group Product Manager
Google Identity strives to be the best stewards for Google Account users who entrust us to protect their data. At the same time, we want to help our developer community build apps that give users amazing experiences. Together, Google and developers can provide users three important ways to manage sharing their data:
Give users control in deciding who has access to their account data
Make it easier and safer for users to share their Google Account data with your app when they choose to do so
Make it clear to users the specific data they are sharing with apps
What we are doing today
In service of that stewardship, today we are announcing an OAuth consent experience that simplifies how users can share data with apps. This experience also improves the consent conversion for apps that use incremental authorization, which requests only one scope. Users can now easily share this kind of request with a single tap.
[Screenshots: previous consent screen and new consent screen]
A quick recap
Let’s summarize a few past improvements so you have a full picture of the work we have been doing on the OAuth consent flow.
In mid-2019, we significantly overhauled the consent screen to give users fine-grained control over the account data they chose to share with a given app. In that flow, when an app requested access to multiple Google resources, the user would see one screen for each scope.
In July 2021, we consolidated these multiple-permission requests into a single screen, while still allowing granular data sharing control for users. Our change today represents a continuation of improvements on that experience.
The Identity team will continue to gather feedback and further enhance the overall user experience around Google Identity Services and sharing account data.
What do developers need to do?
There is no change you need to make to your app. However, we recommend using incremental authorization and requesting only one resource at the time your app needs it. We believe that doing this will make your account data request more relevant to the user and therefore improve the consent conversion. Read more about incremental authorization in our developer guides.
If your app requires multiple resources at once, make sure it can handle partial consent gracefully and reduce its functionality appropriately as per the OAuth 2.0 policy.
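One way to handle partial consent, as an added example that is not code from the original post: compare the scopes requested with the `scope` value in the token response and enable only the features whose scopes were all granted. The feature names are hypothetical and the scope URIs are sample values.

```javascript
// Added example. Feature names are hypothetical; scope URIs are sample values.
const CAL = "https://www.googleapis.com/auth/calendar.readonly";
const DRIVE = "https://www.googleapis.com/auth/drive.file";
const CONTACTS = "https://www.googleapis.com/auth/contacts.readonly";

// Which scopes each app feature needs before it may be switched on.
const FEATURE_SCOPES = {
  calendarSync: [CAL],
  driveExport: [DRIVE],
  inviteContacts: [CAL, CONTACTS],
};

// RFC 6749 section 3.3: "scope" is a space-delimited list of case-sensitive strings.
function parseScopes(scopeString) {
  return new Set(String(scopeString).split(" ").filter(Boolean));
}

// Decide per feature from what was actually granted, never from what was requested.
function resolveFeatures(requestedScopes, tokenResponse) {
  // RFC 6749 section 5.1: "scope" may be omitted only when it equals the request.
  const granted = tokenResponse.scope === undefined
    ? new Set(requestedScopes)
    : parseScopes(tokenResponse.scope);
  const denied = requestedScopes.filter((s) => !granted.has(s));
  const enabled = [];
  const disabled = {};
  for (const [feature, needs] of Object.entries(FEATURE_SCOPES)) {
    const missing = needs.filter((s) => !granted.has(s));
    if (missing.length === 0) enabled.push(feature);
    else disabled[feature] = missing; // ask for these later, when the feature is used
  }
  return { enabled, disabled, denied };
}

// Constructed token response: the user declined the contacts permission.
const SAMPLE_TOKEN_RESPONSE = {
  access_token: "constructed-token",
  scope: `${DRIVE} ${CAL}`,
};
const sampleResult = resolveFeatures([CAL, DRIVE, CONTACTS], SAMPLE_TOKEN_RESPONSE);
console.log(sampleResult);
```

The `disabled` map lists the scopes still missing for each feature, which is what an incremental authorization request would ask for when the user first opens that feature.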
Posted by Badi Azad, Group Product Manager (@badiazad)
The Google Identity team is continually working to improve Google Account security and create a safer and more secure experience for our users. As part of that work, we recently introduced a new secure browser policy prohibiting Google OAuth requests in embedded browser libraries commonly referred to as embedded webviews. All embedded webviews will be blocked starting on September 30, 2021.
Embedded webview libraries are problematic because they allow a nefarious developer to intercept and alter communications between Google and its users by acting as a “man in the middle.” An application embedding a webview can modify or intercept network requests, insert custom scripts that can potentially record every keystroke entered in a login form, access session cookies, or alter the content of the webpage. These libraries also allow the removal of key elements of a browser that hold user trust, such as the guarantee that the response originates from Google’s servers, display of the website domain, and the ability to inspect the security of a connection. Additionally the OAuth 2.0 for Native Apps guidelines from IETF require that native apps must not use embedded user-agents such as webviews to perform authorization requests.
Embedded webviews not only affect account security, they could affect usability of your application. The sandboxed storage environment of an embedded webview disconnects a user from the single sign-on features they expect from Google. A full-featured web browser supports multiple tools to help a logged-out user quickly sign in to their account, including password managers and Web Authentication libraries. Google’s users also expect multiple-step login processes, including two-step verification and child account authorizations, to function seamlessly when a login flow involves multiple devices, when switching to another app on the device, or when communicating with peripherals such as a security key.
Developers must register an appropriate OAuth client for each platform (Desktop, Android, iOS, etc.) on which your app will run, in compliance with Google’s OAuth 2.0 Policies. You can verify the OAuth client ID used by your installed application is the most appropriate choice for your platform by visiting the Google API Console’s Credentials page. A “Web application” client type in use by an Android application is an example of mismatched use. Reference our OAuth 2.0 for Mobile & Desktop Apps guide to properly integrate the appropriate client for your app’s platform.
Applications that open all links and URLs inside an embedded webview should follow the instructions below for Android, iOS, macOS, and captive portals:
Embedded webviews implementing or extending Android WebView do not comply with Google’s secure browser policy for its OAuth 2.0 Authorization Endpoint. Apps should allow general, third-party links to be handled by the default behaviors of the operating system, enabling a user’s preferred routing to their chosen default web browser or another developer’s preferred routing to its installed app through Android App Links. Apps may alternatively open general links to third-party sites in Android Custom Tabs.
Embedded webviews implementing or extending WKWebView, or the deprecated UIWebView, do not comply with Google’s secure browser policy for its OAuth 2.0 Authorization Endpoint. Apps should allow general, third-party links to be handled by the default behaviors of the operating system, enabling a user’s preferred routing to their chosen default web browser or another developer’s preferred routing to its installed app through Universal Links. Apps may alternatively open general links to third-party sites in SFSafariViewController.
If your computer network intercepts network requests, redirecting to a web portal supporting authorization with a Google Account, your web content could be displayed in an embedded webview controlled by a captive network assistant. You should provide potential viewers instructions on how to access your network using their default web browser. For more information reference the Google Account Help article Sign in to a Wi-Fi network with your Google Account.
If you’re a developer that currently uses an embedded webview for Google OAuth 2.0 authorization flows, be aware that embedded webviews will be blocked as of September 30, 2021. To verify whether the authorization flow launched by your application is affected by these changes, test your application for compatibility and compliance with the policies outlined in this post.
You can add a query parameter to your authorization request URI to test for potential impact to your application before September 30, 2021. The following steps describe how to adjust your current requests to Google’s OAuth 2.0 Authorization Endpoint to include an additional query parameter for testing purposes.
Go to where you send requests to Google’s OAuth 2.0 Authorization Endpoint. Example URI: https://accounts.google.com/o/oauth2/v2/auth
Add the disallow_webview parameter with a value of true to the query component of the URI. Example: disallow_webview=true
An implementation affected by the planned changes will see a disallowed_useragent error when loading Google’s OAuth 2.0 Authorization Endpoint, with the disallow_webview=true query string, in an embedded webview instead of the authorization flows currently displayed. If you do not see an error message while testing the effect of the new embedded webview policies, your app’s implementation might not be impacted by this announcement.
Note: A website’s ability to request authorization from a Google Account may be impacted due to another developer’s decision to use an embedded webview in their app. For example, if a messaging or news application opens links to your site in an embedded webview, the features available on your site, including Google OAuth 2.0 authorization flows, may be impacted. If your site or app is impacted by the implementation choice of another developer please contact that developer directly.
Developers may acknowledge the upcoming enforcement and suppress the warning message by passing a specific query parameter to the authorization request URI. The following steps explain how to adjust your authorization requests to include the acknowledgement parameter:
Go to where you send requests to Google’s OAuth 2.0 Authorization Endpoint. Example URI: https://accounts.google.com/o/oauth2/v2/auth
Add an ack_webview_shutdown parameter with a value of the enforcement date: 2021-09-30. Example: ack_webview_shutdown=2021-09-30
A successful request to Google’s OAuth 2.0 Authorization Endpoint including the acknowledgement query parameter and enforcement date will suppress the warning message in non-compliant authorization requests. All non-compliant authorization requests will display a disallowed_useragent error when loading Google’s OAuth 2.0 Authorization Endpoint after the enforcement date.
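The two parameter changes described above (the disallow_webview test flag and the ack_webview_shutdown acknowledgement), as an added example that is not code from the original post. The endpoint, parameter names and date are taken from the post; the function names, client_id and redirect_uri are placeholders.

```javascript
// Added example. The endpoint, parameter names and date come from the post above.
const GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const ENFORCEMENT_DATE = "2021-09-30";

// Set one query parameter on an authorization request URI, leaving the rest intact.
function setAuthParam(authUri, name, value) {
  const url = new URL(authUri);
  // Exact origin + path match, so look-alike hosts are rejected.
  if (url.origin + url.pathname !== GOOGLE_AUTH_ENDPOINT) {
    throw new Error("not a Google OAuth 2.0 authorization request: " + url.origin);
  }
  url.searchParams.set(name, value); // set() replaces an existing value: no duplicates
  return url.toString();
}

// Testing step: ask the endpoint to apply the embedded-webview policy now.
function withWebviewTestFlag(authUri) {
  return setAuthParam(authUri, "disallow_webview", "true");
}

// Acknowledgement step: ack_webview_shutdown carries the enforcement date.
function withShutdownAck(authUri) {
  return setAuthParam(authUri, "ack_webview_shutdown", ENFORCEMENT_DATE);
}

// Constructed request; client_id and redirect_uri are placeholders.
const SAMPLE_AUTH_URI = GOOGLE_AUTH_ENDPOINT +
  "?client_id=PLACEHOLDER_CLIENT_ID&response_type=code&scope=openid%20email" +
  "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&disallow_webview=false";

console.log(withWebviewTestFlag(SAMPLE_AUTH_URI));
console.log(withShutdownAck(SAMPLE_AUTH_URI));
```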
Posted by Brian Shen, Program Manager, Google Developers
Google Developer Groups are one of the largest community networks of developers in the world. Every group has an organizer that helps curate events based on the interests of their local developer community.
As we continue to explore how different Google Developer Groups build their communities, we interviewed Hebe He, an organizer of Google Developer Group Guangzhou in China. Learn more about how she is building the developer scene in China, thinking up new events for her community, and more below.
Hebe He, an organizer of Google Developer Group Guangzhou in China.
Tell us about yourself.
I am Hebe from China and I’m a native of Guangzhou. I’m the organizer of GDG Guangzhou, as well as an ambassador for Women Techmakers (WTM). I work at one of China’s new electric-vehicle brands, where I’m responsible for the intelligent business operation of the Internet of Vehicles. I’m relatively outgoing and active, so I really like to deal with different people, whether it’s at work or in other activities.
How did you learn about Google Developer Groups?
In 2014, I participated in GDG Guangzhou DevFest for the first time by coincidence and met the founder of GDG Guangzhou. Afterward, I joined the founder’s company and volunteered at many GDG programs. In 2017, I officially became an organizer after the existing organizers recognized my ability and desire to contribute more to the GDG Guangzhou community.
Tell us more about Guangzhou and the developer community there.
Our community members are talented, passionate, and amazing. I see all kinds of possibilities in them. They’re always excited for every event we hold, keep a fanatical attitude toward Google’s technological innovation, and are particularly interested in Android, Kotlin, and Flutter.
What are events like in your community?
We highly value feedback from event participants, who are interested in a wide range of topics. For this reason, we generally use 15% of every event to cover non-technical topics, such as entrepreneurship, business management, and careers. For more comprehensive activities, such as DevFest, we increase the amount of non-technical content to roughly 30%.
What is your Google Developer Group focused on right now?
We devote most of our energy to improving the quality of activities. We try to add more elements to the event to strengthen the interaction of participants in hopes of improving the feedback mechanism and gaining more valuable suggestions for future event optimization. We also try to improve the quality of guests and themes, and pay more attention to event details, such as event announcements, registration, and check-in.
What’s your favorite community memory from a Google Developer Group event?
The memory that touches me the most is the construction of WTM Guangzhou. From the first event with only 80 developers to the audience of more than 500 people in recent years, it represents the recognition of, and support for, our events. There are many people who come to participate every year; some are actively encouraging their friends to participate and others are even urging us to hold events. They feel honored to be invited to our events and their enthusiasm endured during the pandemic.
What’s next for you and your Google Developer Group?
There’s still lots of room to grow in our community. We hope that we can continue to develop a Google Developer Group that reflects the best of Guangzhou. We also hope to find better ways to accumulate the experience shared by speakers and the value of community users.