Android Performance Optimization & Security Checklist for Production Apps
Building high-performance Android apps requires attention to both speed and security. This checklist covers essential techniques for Kotlin/Jetpack Compose developers.
Performance Optimization Tips
1. LazyColumn Key Lambda
Always provide a key lambda in LazyColumn to help Compose reuse composables efficiently:
    LazyColumn {
        items(items, key = { it.id }) { item ->
            ItemRow(item)
        }
    }
2. Remember State
Cache expensive computations with remember:
    // Key remember on input so the cached value is recomputed when input changes
    val expensiveValue = remember(input) {
        calculateExpensiveValue(input)
    }
3. Derived State Of
Use derivedStateOf to avoid unnecessary recompositions:
    // items and query must be read from State objects for the derived value to update
    val filteredItems = remember {
        derivedStateOf { items.filter { it.matches(query) } }
    }
4. @Stable Annotation
Mark data classes as @Stable to help Compose skip recompositions:
    @Stable
    data class User(val id: Int, val name: String)
5. collectAsStateWithLifecycle
Collect Flow emissions respecting lifecycle to avoid memory leaks:
    val state = viewModel.uiState.collectAsStateWithLifecycle()
6. Dispatchers.IO for Network/Disk
Offload I/O operations to the correct dispatcher:
    viewModelScope.launch(Dispatchers.IO) {
        val data = fetchFromNetwork()
    }
7. Baseline Profiles
Generate baseline profiles during app installation for faster app startup and runtime performance:
    android {
        baselineProfile {
            enable = true
        }
    }
8. Image Sizing
Always size images appropriately to reduce memory consumption:
    Image(
        painter = painterResource(R.drawable.my_image),
        contentDescription = "Description",
        modifier = Modifier.size(64.dp)
    )
Security Checklist
1. EncryptedSharedPreferences
Never store sensitive data in plain text. Use EncryptedSharedPreferences:
    val encryptedSharedPreferences = EncryptedSharedPreferences.create(
        context,
        "secret_shared_prefs",
        MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
2. HTTPS Only
Enforce HTTPS connections and reject HTTP:
    <!-- network_security_config.xml -->
    <network-security-config>
        <domain-config cleartextTrafficPermitted="false">
            <domain includeSubdomains="true">api.example.com</domain>
        </domain-config>
    </network-security-config>
3. Certificate Pinning
Pin certificates to prevent man-in-the-middle attacks:
    val certificatePinner = CertificatePinner.Builder()
        .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        .build()
    val httpClient = OkHttpClient.Builder()
        .certificatePinner(certificatePinner)
        .build()
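The following is an added example, not code from the original post. It shows how a pin string of the form used in the placeholder above is derived from a public key, and why shipping a backup pin matters when the server key is rotated. The keys are generated on the spot as constructed stand-ins for real certificate keys, and spkiPin, chainIsPinned and newKey are names chosen for this example.

```kotlin
import java.security.KeyPairGenerator
import java.security.MessageDigest
import java.security.PublicKey
import java.util.Base64

// Pin format: "sha256/" + Base64(SHA-256(SubjectPublicKeyInfo DER)).
// PublicKey.getEncoded() returns the X.509 SubjectPublicKeyInfo encoding.
fun spkiPin(key: PublicKey): String {
    val digest = MessageDigest.getInstance("SHA-256").digest(key.encoded)
    return "sha256/" + Base64.getEncoder().encodeToString(digest)
}

// Pinning succeeds when at least one key in the presented chain matches a pin.
fun chainIsPinned(chainKeys: List<PublicKey>, pins: Set<String>): Boolean =
    chainKeys.any { spkiPin(it) in pins }

// Constructed sample key standing in for the key inside a real certificate.
fun newKey(): PublicKey =
    KeyPairGenerator.getInstance("EC").apply { initialize(256) }.generateKeyPair().public

fun main() {
    val currentKey = newKey()  // key in the certificate served today
    val backupKey = newKey()   // key held in reserve for the next certificate
    val unknownKey = newKey()  // key the app was never told about

    // Ship both pins: the live key and the backup key.
    val pins = setOf(spkiPin(currentKey), spkiPin(backupKey))
    pins.forEach { println("pin: $it") }

    println("current key accepted:  ${chainIsPinned(listOf(currentKey), pins)}")
    println("backup key accepted:   ${chainIsPinned(listOf(backupKey), pins)}")
    println("unknown key rejected:  ${!chainIsPinned(listOf(unknownKey), pins)}")

    // With only the current pin shipped, a rotation to the backup key fails
    // in every installed copy of the app until users update.
    val singlePin = setOf(spkiPin(currentKey))
    println("rotation, single pin:  ${chainIsPinned(listOf(backupKey), singlePin)}")
}
```

For a real X509Certificate, OkHttp's CertificatePinner.pin(certificate) returns the same string, and several pins for one host can be passed to a single add(...) call.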
4. API Key Management
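Never hardcode API keys in source. Inject them at build time through BuildConfig, or keep them on the server and use secure server-side validation. A BuildConfig value is still compiled into the APK and can be read back out of it, so BuildConfig keeps a key out of version control but does not keep it secret from someone holding the app: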
    // In build.gradle:
    // buildTypes {
    //     release {
    //         buildConfigField "String", "API_KEY", "\"${System.getenv('API_KEY')}\""
    //     }
    // }
    val apiKey = BuildConfig.API_KEY
5. R8 Obfuscation
Enable R8/ProGuard to obfuscate release builds:
    android {
        buildTypes {
            release {
                minifyEnabled true
                shrinkResources true
                proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
            }
        }
    }
6. Input Validation
Always validate user input to prevent injection attacks:
    fun validateEmail(email: String): Boolean {
        return email.matches(Regex("^[A-Za-z0-9+_.-]+@(.+)$"))
    }

    fun sanitizeInput(input: String): String {
        return input.trim().replace(Regex("[^A-Za-z0-9]"), "")
    }
7. Minimal Permissions
Request only necessary permissions and use runtime permissions for Android 6.0+:
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
Summary
Apply these patterns systematically across your Android codebase to ensure both performance and security in production. Test thoroughly and monitor metrics like startup time, memory usage, and crash rates.