Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Three ways to use AI on Android: The Good, the Bad and the Ugly

Marcel
April 28, 2024
Programming
0
110

Three ways to use AI on Android: The Good, the Bad and the Ugly

Session at Android Makers 2024:

Artificial Intelligence is revolutionizing the world, more and more apps are integrating AI, but are we doing it the right way?

In this talk, I will explore practical strategies for using AI responsibly in your Android apps. We will start with the “Ugly”, by showcasing a basic implementation and exploring the consequences. We will move forwards by improving our strategy but exposing the “Bad” pitfalls and leaks we could face. To finish, I will walk you through the “Good” strategy to craft secure prompts, leakproof API keys, and build robust architectures for cost-optimized AI integration in your Android apps.

Check my latest app at https://namewith.ai

Marcel

April 28, 2024
Tweet

More Decks by Marcel

See All by Marcel
Abstracting the map
marxallski
1
94

Other Decks in Programming

See All in Programming
株式会社ゼネテック
genetec
0
110
Fragment Composition of GraphQL
quramy
14
1.6k
禅の心を手に入れよ
eltociear
2
450
チーム立ち上げにAWSを活用したらClaudeさんに褒められた話
mkdev10
3
210
TypeScriptコードの漸進的改善 / Progressive Improvement of TypeScript Code
medley
1
320
How to improve maintainability and readability of your automated tests? ( #scrumniigata )
teyamagu
PRO
1
110
Exploring Type-Informed Lint Rules in Rust based TypeScript Linters
unvalley
3
510
2 週間で Twitter Bot を作ってみた
contour_gara
0
830
Timeline エディター拡張入門
yucchiy
0
420
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
370
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
1.1k
ts-morphを使ってコードリプレイスとASTへのハードルを下げる!
nyawach
3
240

Featured

See All Featured
How to name files
jennybc
65
93k
Making the Leap to Tech Lead
cromwellryan
125
8.5k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
323
20k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
26
2.3k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
358
22k
Building Adaptive Systems
keathley
32
1.9k
Visualization
eitanlees
137
14k
A Philosophy of Restraint
colly
197
16k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
245
20k
Documentation Writing (for coders)
carmenintech
60
4k

Transcript

  1. Three ways to use AI on Android Marcel Pintó Biescas

    - Android Dev and Indie-Maker The Good, the Bad and the Ugly
  2. None

  3. What is Generative AI then?

  4. What is Generative AI then? Generative AI

  5. What is Generative AI then? Generative AI Foundation Models Not

    limited to language tasks (image recognition, sound processing, etc…)

  6. What is Generative AI then? Generative AI Foundation Models Large

    Language Models (LLM) Not limited to language tasks (image recognition, sound processing, etc…) GPT 3.5 / 4, LLaMa, Mistral, etc…

  7. What is Generative AI then? Generative AI Foundation Models Large

    Language Models (LLM) ChatGPT Gemini … Not limited to language tasks (image recognition, sound processing, etc…) GPT 3.5 / 4, LLaMa, Mistral, etc… User interface, chatbots

  8. Let’s use AI!

  9. Peak of Inflated Expectations Innovation Trigger Trough of Disillusionment Plateau

    of Productivity Slope of Enlightenm ent Let’s use AI! Time Expectations

  10. I have an idea!

  11. Hey, how are you? I have an idea!

  12. • Share text with the app Hey, how are you?

    I have an idea!

  13. • Share text with the app • Create a reply

    Hey, how are you? I have an idea!

  14. • Share text with the app • Create a reply

    • Copy to clipboard Hey, how are you? I have an idea!

  15. • Share text with the app • Create a reply

    • Copy to clipboard • I will make millions! Hey, how are you? I have an idea!

  16. Let’s check the docs Using Gemini SDK

  17. Let’s check the docs 1. Get the API Key (easy!)

    Using Gemini SDK

  18. Let’s check the docs 1. Get the API Key (easy!)

    2. Secure API key Using Gemini SDK

  19. Let’s check the docs 1. Get the API Key (easy!)

    2. Secure API key Hardcode Key Using Gemini SDK

  20. Let’s check the docs 1. Get the API Key (easy!)

    2. Secure API key Hardcode Key Using Gemini SDK 3. Create Client

  21. Let’s check the docs 1. Get the API Key (easy!)

    2. Secure API key Hardcode Key Using Gemini SDK 3. Create Client 4. Generate response

  22. @Composable fun ShareScreen(sourceText: String) { val context = LocalContext.current val

    clipboardManager = remember { context.getSystemService<ClipboardManager>()!! } val gemini = remember { GenerativeModel( modelName = "gemini-pro", apiKey = BuildConfig.apiKey ) } var result by remember { mutableStateOf("") } LaunchedEffect(Unit) { try { val prompt = "Create a funny reply for the given text: $sourceText"

  23. } val gemini = remember { GenerativeModel( modelName = "gemini-pro",

    apiKey = BuildConfig.apiKey ) } var result by remember { mutableStateOf("") } LaunchedEffect(Unit) { try { val prompt = "Create a funny reply for the given text: $sourceText" result = gemini.generateContent(prompt).text!! clipboardManager.setPrimaryClip( ClipData.newPlainText("result", result) ) } catch (e: Exception) { result = "Something went wrong" e.printStackTrace() } } // ... }

  24. } val gemini = remember { GenerativeModel( modelName = "gemini-pro",

    apiKey = BuildConfig.apiKey ) } var result by remember { mutableStateOf("") } LaunchedEffect(Unit) { try { val prompt = "Create a funny reply for the given text: $sourceText" result = gemini.generateContent(prompt).text!! clipboardManager.setPrimaryClip( ClipData.newPlainText("result", result) ) } catch (e: Exception) { result = "Something went wrong" e.printStackTrace() } } // ... }

  25. } val gemini = remember { GenerativeModel( modelName = "gemini-pro",

    apiKey = BuildConfig.apiKey ) } var result by remember { mutableStateOf("") } LaunchedEffect(Unit) { try { val prompt = "Create a funny reply for the given text: $sourceText" result = gemini.generateContent(prompt).text!! clipboardManager.setPrimaryClip( ClipData.newPlainText("result", result) ) } catch (e: Exception) { result = "Something went wrong" e.printStackTrace() } } // ... }

  26. MVP is ready! 1. Share any text with the app

    2. Generate an answer 3. Copy to the clipboard 4. Reply!

  27. MVP is ready! 1. Share any text with the app

    2. Generate an answer 3. Copy to the clipboard 4. Reply!

  28. Let’s Ship it!

  29. None

  30. Next day… 15/04 16/04 17/04 18/04

  31. Next day… 15/04 16/04 17/04 18/04 $0.5 $1.2 $1200

  32. What happened?

  33. What happened? API Key was stolen!

  34. What happened? • Download APK API Key was stolen!

  35. What happened? • Download APK • Use Android Studio (or

    others) API Key was stolen!

  36. What happened? • Download APK • Use Android Studio (or

    others) • Analyse the APK • Key is right there! API Key was stolen!

  37. THE BAD

  38. Let’s improve this!

  39. Let’s improve this! Obfuscation

  40. Let’s improve this! Obfuscation • R8 & ProGuard

  41. Let’s improve this! Obfuscation • R8 & ProGuard • Base64

    or custom logic

  42. Let’s improve this! Obfuscation • R8 & ProGuard • Base64

    or custom logic • Native code

  43. Let’s improve this! Obfuscation • R8 & ProGuard • Base64

    or custom logic • Native code • DexGuard

  44. Let’s improve this! Obfuscation Encryption

  45. Let’s improve this! Obfuscation Encryption Remote

  46. Let’s Ship it!

  47. Next day… 17/04 18/04 19/04 20/04

  48. Next day… 17/04 18/04 19/04 20/04 $1200 $0.1 $1800

  49. THE BAD

  50. THE BAD THE UGLY

  51. What happened?

  52. What happened? API Key was stolen! again…

  53. What happened? API Key was stolen! again… Get Public Key

    Get Encrypted Key Locally decrypt API Key

  54. Let’s improve this! Obfuscation Encryption Remote

  55. Let’s improve this! Authentication Obfuscation Encryption Remote

  56. Flow

  57. Flow 1. Encrypt API Key

  58. Flow 1. Encrypt API Key 2. Obfuscate public key in

    code

  59. Flow 1. Encrypt API Key 2. Obfuscate public key in

    code 3. Authenticate app/user

  60. Flow 1. Encrypt API Key 2. Obfuscate public key in

    code 3. Authenticate app/user 4. Return encrypted API Key

  61. Flow 1. Encrypt API Key 2. Obfuscate public key in

    code 3. Authenticate app/user 4. Return encrypted API Key 5. Decrypt with Public Key

  62. A way to do it R8 / ProGuard Jetpack security-crypto

    Firebase Authentication Firebase Remote Config or Firestore

  63. There is still an issue…

  64. There is still an issue…

  65. There is still an issue…

  66. There is still an issue…

  67. Let’s use App Check

  68. None
  69. None

  70. There is a better way! Proxy

  71. There is a better way! Firebase Functions

  72. Firebase.appCheck.installAppCheckProviderFactory( PlayIntegrityAppCheckProviderFactory.getInstance(), ) private suspend fun generateResponse(content: String): String {

    val result = Firebase.functions .getHttpsCallable("generate") .call(mapOf("content" to content)) .await() return result.data as String }

  73. Firebase.appCheck.installAppCheckProviderFactory( PlayIntegrityAppCheckProviderFactory.getInstance(), ) private suspend fun generateResponse(content: String): String {

    val result = Firebase.functions .getHttpsCallable("generate") .call(mapOf("content" to content)) .await() return result.data as String }

  74. rateResponse(content: String): String { e.functions e("generate") tent" to content)) s

    String

  75. rateResponse(content: String): String { e.functions e("generate") tent" to content)) s

    String @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  76. rateResponse(content: String): String { e.functions e("generate") tent" to content)) s

    String @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  77. rateResponse(content: String): String { e.functions e("generate") tent" to content)) s

    String @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  78. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  79. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  80. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  81. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  82. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  83. private suspend fun generateResponse(content: String): String { val result =

    Firebase.functions .getHttpsCallable("generate") .call(mapOf("content" to content)) .await() return result.data as String } @https_fn.on_call(enforce_app_check=T def generate(req: https_fn.CallableRe """Given a text, generate a respo if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsEr message="User not found." ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsEr message="Missing content" ) return generate_response(content)

  84. private suspend fun generateResponse(content: String): String { val result =

    Firebase.functions .getHttpsCallable("generate") .call(mapOf("content" to content)) .await() return result.data as String } @https_fn.on_call(enforce_app_check=T def generate(req: https_fn.CallableRe """Given a text, generate a respo if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsEr message="User not found." ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsEr message="Missing content" ) return generate_response(content)

  85. Let’s Ship it!

  86. Next day… 20/04 21/04 22/04 23/04 24/04 25/04

  87. Next day… 20/04 21/04 22/04 23/04 24/04 25/04

  88. THE BAD THE UGLY

  89. THE GOOD THE BAD THE UGLY

  90. THE GOOD THE UGLY THE BAD

  91. THE GOOD THE UGLY THE BAD As Proxy

  92. THE GOOD THE UGLY THE BAD

  93. THE GOOD THE UGLY THE BAD • Key never in

    the client • Avoids unauthorised usage • Change prompts easily • Server side logic

  94. THE GOOD THE UGLY THE BAD • Key never in

    the client • Avoids unauthorised usage • Change prompts easily • Server side logic • Increased time • More costly • Hard to implement streaming AI response

  95. THE GOOD THE UGLY THE BAD • Key never in

    the client • Avoids unauthorised usage • Change prompts easily • Server side logic • Increased time • More costly • Hard to implement streaming AI response • Super easy to implement • Direct communication • Easy to hack • Hard to update API Key

  96. THE GOOD THE UGLY THE BAD • Key never in

    the client • Avoids unauthorised usage • Change prompts easily • Server side logic • Increased time • More costly • Hard to implement streaming AI response • Super easy to implement • Direct communication • Easy to hack • Hard to update API Key • Direct communication • Fairly secure (for starting) • Easy to update API Key • Increase of cost • Slightly complex to implement • Harder to hack but possible

  97. Some recommendations…

  98. Some recommendations… • Always use App Check or similar mechanism

  99. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control

  100. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service

  101. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service • Prefer Proxy-server to local keys

  102. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service • Prefer Proxy-server to local keys • Do not store unencrypted key in device storage

  103. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service • Prefer Proxy-server to local keys • Do not store unencrypted key in device storage • Import encrypted keys into secure hardware (e.g KeyStore)

  104. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service • Prefer Proxy-server to local keys • Do not store unencrypted key in device storage • Import encrypted keys into secure hardware (e.g KeyStore) • Set hard-limits to your API when possible.

  105. Security last words THE GOOD THE UGLY THE BAD "There's

    no silver bullet"

  106. Security last words THE GOOD THE UGLY THE BAD HARD

    NOT so EASY EASY "There's no silver bullet"

  107. Thank you Follow me: @marxallski Latest app: https://namewith.ai