Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Three ways to use AI on Android: The Good, the ...

Marcel
April 28, 2024
Programming
1
190

Three ways to use AI on Android: The Good, the Bad and the Ugly

Session at Android Makers 2024:

Artificial Intelligence is revolutionizing the world, more and more apps are integrating AI, but are we doing it the right way?

In this talk, I will explore practical strategies for using AI responsibly in your Android apps. We will start with the “Ugly”, by showcasing a basic implementation and exploring the consequences. We will move forwards by improving our strategy but exposing the “Bad” pitfalls and leaks we could face. To finish, I will walk you through the “Good” strategy to craft secure prompts, leakproof API keys, and build robust architectures for cost-optimized AI integration in your Android apps.

Check my latest app at https://namewith.ai

Marcel

April 28, 2024
Tweet

More Decks by Marcel

See All by Marcel
Abstracting the map
marxallski
1
99

Other Decks in Programming

See All in Programming
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
100
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
CSC509 Lecture 11
javiergs
PRO
0
180
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
230
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
290
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
920
距離関数を極める! / SESSIONS 2024
gam0022
0
280
ActiveSupport::Notifications supporting instrumentation of Rails apps with OpenTelemetry
ymtdzzz
1
230
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
330
Click-free releases & the making of a CLI app
oheyadam
2
120
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.8k

Featured

See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
BBQ
matthewcrist
85
9.3k
Embracing the Ebb and Flow
colly
84
4.5k
Unsuck your backbone
ammeep
668
57k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Designing the Hi-DPI Web
ddemaree
280
34k
Into the Great Unknown - MozCon
thekraken
32
1.5k
GitHub's CSS Performance
jonrohan
1030
460k
Git: the NoSQL Database
bkeepers
PRO
427
64k

Transcript

  1. Three ways to use AI on Android Marcel Pintó Biescas

    - Android Dev and Indie-Maker The Good, the Bad and the Ugly
  2. None

  3. What is Generative AI then?

  4. What is Generative AI then? Generative AI

  5. What is Generative AI then? Generative AI Foundation Models Not

    limited to language tasks (image recognition, sound processing, etc…)

  6. What is Generative AI then? Generative AI Foundation Models Large

    Language Models (LLM) Not limited to language tasks (image recognition, sound processing, etc…) GPT 3.5 / 4, LLaMa, Mistral, etc…

  7. What is Generative AI then? Generative AI Foundation Models Large

    Language Models (LLM) ChatGPT Gemini … Not limited to language tasks (image recognition, sound processing, etc…) GPT 3.5 / 4, LLaMa, Mistral, etc… User interface, chatbots

  8. Let’s use AI!

  9. Peak of Inflated Expectations Innovation Trigger Trough of Disillusionment Plateau

    of Productivity Slope of Enlightenm ent Let’s use AI! Time Expectations

  10. I have an idea!

  11. Hey, how are you? I have an idea!

  12. • Share text with the app Hey, how are you?

    I have an idea!

  13. • Share text with the app • Create a reply

    Hey, how are you? I have an idea!

  14. • Share text with the app • Create a reply

    • Copy to clipboard Hey, how are you? I have an idea!

  15. • Share text with the app • Create a reply

    • Copy to clipboard • I will make millions! Hey, how are you? I have an idea!

  16. Let’s check the docs Using Gemini SDK

  17. Let’s check the docs 1. Get the API Key (easy!)

    Using Gemini SDK

  18. Let’s check the docs 1. Get the API Key (easy!)

    2. Secure API key Using Gemini SDK

  19. Let’s check the docs 1. Get the API Key (easy!)

    2. Secure API key Hardcode Key Using Gemini SDK

  20. Let’s check the docs 1. Get the API Key (easy!)

    2. Secure API key Hardcode Key Using Gemini SDK 3. Create Client

  21. Let’s check the docs 1. Get the API Key (easy!)

    2. Secure API key Hardcode Key Using Gemini SDK 3. Create Client 4. Generate response

  22. @Composable fun ShareScreen(sourceText: String) { val context = LocalContext.current val

    clipboardManager = remember { context.getSystemService<ClipboardManager>()!! } val gemini = remember { GenerativeModel( modelName = "gemini-pro", apiKey = BuildConfig.apiKey ) } var result by remember { mutableStateOf("") } LaunchedEffect(Unit) { try { val prompt = "Create a funny reply for the given text: $sourceText"

  23. } val gemini = remember { GenerativeModel( modelName = "gemini-pro",

    apiKey = BuildConfig.apiKey ) } var result by remember { mutableStateOf("") } LaunchedEffect(Unit) { try { val prompt = "Create a funny reply for the given text: $sourceText" result = gemini.generateContent(prompt).text!! clipboardManager.setPrimaryClip( ClipData.newPlainText("result", result) ) } catch (e: Exception) { result = "Something went wrong" e.printStackTrace() } } // ... }

  24. } val gemini = remember { GenerativeModel( modelName = "gemini-pro",

    apiKey = BuildConfig.apiKey ) } var result by remember { mutableStateOf("") } LaunchedEffect(Unit) { try { val prompt = "Create a funny reply for the given text: $sourceText" result = gemini.generateContent(prompt).text!! clipboardManager.setPrimaryClip( ClipData.newPlainText("result", result) ) } catch (e: Exception) { result = "Something went wrong" e.printStackTrace() } } // ... }

  25. } val gemini = remember { GenerativeModel( modelName = "gemini-pro",

    apiKey = BuildConfig.apiKey ) } var result by remember { mutableStateOf("") } LaunchedEffect(Unit) { try { val prompt = "Create a funny reply for the given text: $sourceText" result = gemini.generateContent(prompt).text!! clipboardManager.setPrimaryClip( ClipData.newPlainText("result", result) ) } catch (e: Exception) { result = "Something went wrong" e.printStackTrace() } } // ... }

  26. MVP is ready! 1. Share any text with the app

    2. Generate an answer 3. Copy to the clipboard 4. Reply!

  27. MVP is ready! 1. Share any text with the app

    2. Generate an answer 3. Copy to the clipboard 4. Reply!

  28. Let’s Ship it!

  29. None

  30. Next day… 15/04 16/04 17/04 18/04

  31. Next day… 15/04 16/04 17/04 18/04 $0.5 $1.2 $1200

  32. What happened?

  33. What happened? API Key was stolen!

  34. What happened? • Download APK API Key was stolen!

  35. What happened? • Download APK • Use Android Studio (or

    others) API Key was stolen!

  36. What happened? • Download APK • Use Android Studio (or

    others) • Analyse the APK • Key is right there! API Key was stolen!

  37. THE BAD

  38. Let’s improve this!

  39. Let’s improve this! Obfuscation

  40. Let’s improve this! Obfuscation • R8 & ProGuard

  41. Let’s improve this! Obfuscation • R8 & ProGuard • Base64

    or custom logic

  42. Let’s improve this! Obfuscation • R8 & ProGuard • Base64

    or custom logic • Native code

  43. Let’s improve this! Obfuscation • R8 & ProGuard • Base64

    or custom logic • Native code • DexGuard

  44. Let’s improve this! Obfuscation Encryption

  45. Let’s improve this! Obfuscation Encryption Remote

  46. Let’s Ship it!

  47. Next day… 17/04 18/04 19/04 20/04

  48. Next day… 17/04 18/04 19/04 20/04 $1200 $0.1 $1800

  49. THE BAD

  50. THE BAD THE UGLY

  51. What happened?

  52. What happened? API Key was stolen! again…

  53. What happened? API Key was stolen! again… Get Public Key

    Get Encrypted Key Locally decrypt API Key

  54. Let’s improve this! Obfuscation Encryption Remote

  55. Let’s improve this! Authentication Obfuscation Encryption Remote

  56. Flow

  57. Flow 1. Encrypt API Key

  58. Flow 1. Encrypt API Key 2. Obfuscate public key in

    code

  59. Flow 1. Encrypt API Key 2. Obfuscate public key in

    code 3. Authenticate app/user

  60. Flow 1. Encrypt API Key 2. Obfuscate public key in

    code 3. Authenticate app/user 4. Return encrypted API Key

  61. Flow 1. Encrypt API Key 2. Obfuscate public key in

    code 3. Authenticate app/user 4. Return encrypted API Key 5. Decrypt with Public Key

  62. A way to do it R8 / ProGuard Jetpack security-crypto

    Firebase Authentication Firebase Remote Config or Firestore

  63. There is still an issue…

  64. There is still an issue…

  65. There is still an issue…

  66. There is still an issue…

  67. Let’s use App Check

  68. None
  69. None

  70. There is a better way! Proxy

  71. There is a better way! Firebase Functions

  72. Firebase.appCheck.installAppCheckProviderFactory( PlayIntegrityAppCheckProviderFactory.getInstance(), ) private suspend fun generateResponse(content: String): String {

    val result = Firebase.functions .getHttpsCallable("generate") .call(mapOf("content" to content)) .await() return result.data as String }

  73. Firebase.appCheck.installAppCheckProviderFactory( PlayIntegrityAppCheckProviderFactory.getInstance(), ) private suspend fun generateResponse(content: String): String {

    val result = Firebase.functions .getHttpsCallable("generate") .call(mapOf("content" to content)) .await() return result.data as String }

  74. rateResponse(content: String): String { e.functions e("generate") tent" to content)) s

    String

  75. rateResponse(content: String): String { e.functions e("generate") tent" to content)) s

    String @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  76. rateResponse(content: String): String { e.functions e("generate") tent" to content)) s

    String @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  77. rateResponse(content: String): String { e.functions e("generate") tent" to content)) s

    String @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  78. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  79. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  80. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  81. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  82. @https_fn.on_call(enforce_app_check=True) def generate(req: https_fn.CallableRequest) -> https_fn.Response: """Given a text, generate

    a response""" if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsErrorCode.UNAUTHENTICATED, message="User not found.", ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsErrorCode.INVALID_ARGUMENT, message="Missing content", ) return generate_response(content)

  83. private suspend fun generateResponse(content: String): String { val result =

    Firebase.functions .getHttpsCallable("generate") .call(mapOf("content" to content)) .await() return result.data as String } @https_fn.on_call(enforce_app_check=T def generate(req: https_fn.CallableRe """Given a text, generate a respo if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsEr message="User not found." ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsEr message="Missing content" ) return generate_response(content)

  84. private suspend fun generateResponse(content: String): String { val result =

    Firebase.functions .getHttpsCallable("generate") .call(mapOf("content" to content)) .await() return result.data as String } @https_fn.on_call(enforce_app_check=T def generate(req: https_fn.CallableRe """Given a text, generate a respo if req.auth is None: raise https_fn.HttpsError( code=https_fn.FunctionsEr message="User not found." ) content = req.data.get("content") if not content: raise https_fn. HttpsError( code=https_fn.FunctionsEr message="Missing content" ) return generate_response(content)

  85. Let’s Ship it!

  86. Next day… 20/04 21/04 22/04 23/04 24/04 25/04

  87. Next day… 20/04 21/04 22/04 23/04 24/04 25/04

  88. THE BAD THE UGLY

  89. THE GOOD THE BAD THE UGLY

  90. THE GOOD THE UGLY THE BAD

  91. THE GOOD THE UGLY THE BAD As Proxy

  92. THE GOOD THE UGLY THE BAD

  93. THE GOOD THE UGLY THE BAD • Key never in

    the client • Avoids unauthorised usage • Change prompts easily • Server side logic

  94. THE GOOD THE UGLY THE BAD • Key never in

    the client • Avoids unauthorised usage • Change prompts easily • Server side logic • Increased time • More costly • Hard to implement streaming AI response

  95. THE GOOD THE UGLY THE BAD • Key never in

    the client • Avoids unauthorised usage • Change prompts easily • Server side logic • Increased time • More costly • Hard to implement streaming AI response • Super easy to implement • Direct communication • Easy to hack • Hard to update API Key

  96. THE GOOD THE UGLY THE BAD • Key never in

    the client • Avoids unauthorised usage • Change prompts easily • Server side logic • Increased time • More costly • Hard to implement streaming AI response • Super easy to implement • Direct communication • Easy to hack • Hard to update API Key • Direct communication • Fairly secure (for starting) • Easy to update API Key • Increase of cost • Slightly complex to implement • Harder to hack but possible

  97. Some recommendations…

  98. Some recommendations… • Always use App Check or similar mechanism

  99. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control

  100. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service

  101. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service • Prefer Proxy-server to local keys

  102. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service • Prefer Proxy-server to local keys • Do not store unencrypted key in device storage

  103. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service • Prefer Proxy-server to local keys • Do not store unencrypted key in device storage • Import encrypted keys into secure hardware (e.g KeyStore)

  104. Some recommendations… • Always use App Check or similar mechanism

    • Do not store the key in Version control • Use key management service • Prefer Proxy-server to local keys • Do not store unencrypted key in device storage • Import encrypted keys into secure hardware (e.g KeyStore) • Set hard-limits to your API when possible.

  105. Security last words THE GOOD THE UGLY THE BAD "There's

    no silver bullet"

  106. Security last words THE GOOD THE UGLY THE BAD HARD

    NOT so EASY EASY "There's no silver bullet"

  107. Thank you Follow me: @marxallski Latest app: https://namewith.ai