Tuesday, March 2, 2010

Mixing it up with Android and Google App Engine

In my opinion, Google has solved the mobile development puzzle when it comes to networking and security. A handset only application is fine, but a secure networked application is much more fun.

I've been theorizing a "Send to Friend" feature for Todo Q for a little while. I have more than one user (ok, just one) who wanted the ability to send tasks to their spouse and/or kids. (we too are an all droid family)

I really liked this customer's idea, but had trouble deciding how to implement the feature. A few of the ways to implement:
  1. a "break-it-up-over-SMS" idea
  2. some kind of email kludge
  3. shared calendar with auto import
  4. or some kind of server-based solution
The "break-it-up-over-SMS" idea was workable, but looked ugly and cluttered the users SMS inbox. Maybe there is a way to send it to an application "port", but it wasn't documented well enough to figure out and you still had the multiple message issue. The email kludge was also possible, but I didn't like that solution really even though Mailinator would have made it easy. The shared calendar solution would get most of it, but Todo Q carries location data and mangling that into the google calendar would have resulted in ugly calendar entries. When I 1st wrote Todo Q, it didn't have its own database and just piggybacked on the google calendar. I didn't really want to go back that direction, so it fell to the server-based solution.

The server-based solution was a bit daunting due to security concerns. Was I going to have to write a whole security framework just to support this feature? Seemed like more trouble than it might be worth. I had written a couple of applications on Google App Engine (GAE) before and knew I wanted to use it again for this feature due to the minimal cost and maximum scalability. Amazon EC2 was another option, but the cost is just too high for a micro-isv like me. (I do have experience with EC2 costs)

Turns out that others, such as Gast Studios, have already been down this road with Android and GAE. Todo Q supports only 2.0 devices and higher, so my solution was a little easier than the Gast solution. His post at stackoverflow.com had all the details necessary to implement the security feature. Instead of inventing my own security, Todo Q could use the google account associated with the device. No username & password prompting, credential caching or anything nasty was involved. The final solution uses the device AccountManager to get the "authorization token" and perform an HttpGet to appengine which returns a cookie that identifies the user. Subsequent requests to app engine will automatically use this cookie and be authenticated as the app engine user. Once again Google let me focus on my application and not build another framework.

Todo Q for 1.1.0 has support for "Send to Friend" and is available for $1.99 from the android market.

Follow me on twitter here.