Enhancing Application Audits — Ilia Zadiabin
A Flutter Developer’s Perspective
Our expert today is Ilia Zadiabin, a mobile developer specializing in Flutter and Dart. In less than five years, Ilia has built an impressive career, having worked in various industries, from FinTech to EdTech to e-commerce. Ilia excels in cross-platform development with a focus on Flutter/Dart, setting up CI/CD pipelines, implementing user analytics, and creating comprehensive documentation. His versatile background includes working in diverse team sizes, from startups to large corporations. Today, we are talking with Ilia about application audits in cross-platform software development.
1. Ilia, could you start by telling our readers a bit about yourself? I already know that you have extensive experience in mobile development. How did your professional journey begin? What inspired your specialization in Flutter?
I’m a mobile software developer specializing in creating financial services, online banks, and e-commerce apps for iOS and Android. My passion for mobile development was ignited after a successful hackathon victory, which inspired me to continue expanding my solution into a startup. This is how Slai was born – an EdTech startup transforming language learning through speaking sessions with an AI tutor (a competitor to such apps as Duolingo and Falou). Back in 2021, LLMs were not widely adopted by the general public, so you could say we pioneered the market with our AI solution.
We used Android/Kotlin to make the app’s first version in the early days of Slai. Later, I discovered the cross-platform solution Flutter. Nowadays, Flutter is a significant part of the mobile development industry, but back then, it was a spanking-new technology. I was amazed by how fast and convenient this framework was, especially when used for both mobile platforms. I suggested that we switch to Flutter, and with it, the team finished the next release significantly faster than expected.
There was also another advantage of Flutter that became obvious right away. Before Slai, I had extensive experience in conducting app audits, especially during the onboarding process. Flutter, being a cross-platform development framework, dramatically sped up and streamlined this process. With Flutter and my suggestions, the team was able to progress faster with the development. And that was how my relationship with Flutter began.
2. So, the topic of our conversation today is application audit. What kind of procedure is it? What makes such an audit an essential part of the software development process, and what key components should it include to ensure application quality?
You can see an application audit as a stage of the software development process – like a security review or a compliance check, only broader. It also involves various teams – from development to QA to security to compliance – to identify weaknesses and potential risks that can impact your app. It is a process of holistic evaluation of an application – its codebase quality, architecture, security, and performance.
First of all, an application audit helps ensure that the app meets the required standards and best practices, which is a critical moment if you want to maintain high quality and performance. Second, it detects security vulnerabilities that could be exploited by malicious actors; through this process, we protect our users’ data and maintain trust. Last but not least, it highlights areas that can be optimized, helping enhance the app’s speed, responsiveness, and overall UX.
The key components of an effective application audit include:
- Analyzing the team’s code review process. It’s important to evaluate the code for adherence to best practices, readability, and maintainability. This step often includes static code analysis to detect potential bugs and vulnerabilities.
- Assessing the architecture of your app, making sure it is scalable, modular, and follows the design principles you need it to.
- Identifying bottlenecks and areas for improvement by measuring how the app behaves under varying conditions. E.g., using it with a slow or no internet connection or repeatedly pressing interface elements like checkboxes and buttons to check if the app reacts as it should to multiple requests.
- Searching for vulnerabilities in the code that could lead to data breaches. This includes checking for secure keys in the app and moving them to CI/CD.
- Gathering data on app usage and performance to inform further improvements. This includes setting up services like Crashlytics or Sentry.
As you have certainly gathered from my description above, data collection is an essential component of application audits if we want to understand how our app performs in real-world scenarios. However, this brings us to an important consideration – user privacy and data protection.
3. You mentioned data collection. Considering the growing concern for privacy and data protection, how do you balance the need for thorough data collection in audits with user privacy and security requirements? Can you share with our readers some effective strategies for protecting sensitive information during audits you have employed yourself?
Generally, we can opt out of looking into user data when conducting an audit. The only place where we may encounter collected data is when reviewing how analytics is gathered. The important part of the audit is to ensure that:
- Data is collected where needed to calculate important app metrics (retention, user journey, session time, etc.).
- Data is transferred securely.
- The amount of data collected is minimal.
Here are some effective strategies I’ve employed myself when I developed a privacy-focused logging system:
- Collect only the data that is absolutely necessary for the audit. The more user-related data you have, the higher the privacy risks are, so you should avoid gathering excessive or irrelevant information.
- Ensure that all the data you collect is anonymized. You can do it by stripping personally identifiable information from the datasets or using established analytics services that handle anonymization.
- Use strong encryption to protect data both within the database and in transit. This way, data will remain unreadable even if intercepted or accessed without authorization.
- Make sure your data collection practices comply with regulations like GDPR. This implies, first of all, obtaining user consent where necessary and providing users with options to opt out of data collection. This is a crucial point, so you had better implement the necessary options first thing, before you collect a lot of data that you won’t be able to work with later.
- Perform regular security audits and penetration tests to detect and address any vulnerabilities in your data handling processes.
4. Ilia, you have just mentioned a privacy-focused logging system you created. Could you elaborate on what such systems are and what it takes to design a user-centric error monitoring system that maintains high privacy standards?
Yes, that was a special logging system implemented in a personal finance app. The request from the users and business was to be able to pinpoint bugs as quickly as possible without bothering the clientele. The important detail was that the app targeted only a small number of customers, approximately 100 users. With that in mind, I implemented a thorough system that recorded every step a particular user made without tracking their personal data.
For example, it recorded their journey through the app and what they clicked. Privacy mattered too: this info stayed on the user’s device until they decided to report a bug. Alongside the bug report, they sent a comprehensive trace. This trace not only contained their actions but also the app’s state and info.
With such a system, every time I received a bug report, I could locate the precise problem almost immediately. I could just replicate the user’s journey and reproduce the bug myself.
Mind you, this system is not suitable for every app: logging such an enormous amount of data for thousands of users would be unreasonably expensive. But in my case, due to the nature of our application, we had only a handful of users.
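As an added illustration of the on-device journey log described above (example code, not the interviewee's), written in Dart since the app was built with Flutter; the PII field names, the scrubbing regexes, and the buffer size are assumptions:

```dart
// Added example (not the interviewee's code): an on-device journey log.
// Events are redacted before they are stored, kept in a bounded ring
// buffer, and exported only when the user files a bug report.
import 'dart:convert';

class JourneyLog {
  JourneyLog({this.capacity = 500});
  final int capacity;
  final List<Map<String, Object>> _events = [];
  // Field names treated as PII and replaced wholesale (assumed for this
  // example); free-text values are scrubbed of e-mails and long digit runs.
  static const _piiKeys = {'email', 'phone', 'name', 'iban', 'card'};
  static final _emailRe = RegExp(r'[\w.+-]+@[\w-]+\.[\w.]+');
  static final _digitsRe = RegExp(r'\d{8,}');
  static String _scrub(String v) =>
      v.replaceAll(_emailRe, '<email>').replaceAll(_digitsRe, '<digits>');

  void record(String screen, String action,
      [Map<String, String> data = const {}]) {
    final clean = <String, String>{
      for (final e in data.entries)
        e.key: _piiKeys.contains(e.key.toLowerCase())
            ? '<redacted>'
            : _scrub(e.value),
    };
    _events.add({
      'at': DateTime.now().toUtc().toIso8601String(),
      'screen': screen,
      'action': action,
      'data': clean,
    });
    if (_events.length > capacity) _events.removeAt(0); // drop the oldest
  }

  // Called only from the "report a bug" flow: bundles the trace with the
  // current app state, then clears the device-side buffer.
  String exportForBugReport(Map<String, Object> appState) {
    final report = {'state': appState, 'trace': List.of(_events)};
    _events.clear();
    return jsonEncode(report);
  }
}

void main() {
  final log = JourneyLog(capacity: 3); // constructed sample session
  log.record('AccountsScreen', 'tap', {'button': 'transfer', 'email': 'a@b.com'});
  log.record('TransferScreen', 'input', {'note': 'pay 12345678901 to x@y.org'});
  log.record('TransferScreen', 'tap', {'button': 'confirm'});
  log.record('ResultScreen', 'view'); // pushes the first event out of the buffer
  print(log.exportForBugReport({'version': '1.4.2', 'route': '/result'}));
}
```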
5. When you talked about the Slai project, you said that you managed to improve user satisfaction and retention using user analytics. Can you tell us more about user analytics and its role in application audits?
In Slai, I increased satisfaction by identifying the main problems with the user journey. For instance, I found that the number of users who completed the sign-up phase dropped significantly. This indicated that our sign-up page was non-intuitive, so I rebranded it.
Analytics is crucial to check during an audit. As a developer, you must be able to detect issues with your data and quickly solve them. And if you are, say, a product manager, then you need this data to pivot the business in the right direction.
Additionally, you would need a proper architecture in place, one that would make it easy to expand and add analytics throughout the app. If you don’t, you’ll be challenged to set up new analytics events every time.
Usually, analytics is implemented via popular third-party services with a reputation for storing data properly – like Google Analytics, Amplitude, or Mixpanel. And should you opt for an in-house analytics solution (rare, but feasible), the audit would have to thoroughly check the security of such a decision.
6. Going back to testing and quality assurance, could you share some efficient strategies you employed in mobile development? What tools and techniques for seamless deployment and comprehensive testing can you recommend?
No developer I know loves to write comprehensive tests, so we need to ensure that adding a new test doesn’t take too much time and repetitive actions. I always recommend setting up a simple CI/CD, even if you are a small startup. Setting up a pipeline might be tedious at the beginning, but once it’s working, it’s infinitely easier to add more layers to it.
The most important benefits would be:
- Your code is always tested.
- Developers can focus on what matters.
- No mistakes during deployment to the stores.
- The QA team can get their special app version immediately.
Here are the tools you can use to set up such a pipeline:
- Codemagic for the easiest setup, as it’s designed for mobile development.
- GitLab is especially feasible if you already manage your code there.
- GitHub also has options for meticulous fine-tuning of your automation process.
For the distribution, you can use Firebase App Distribution, a functionality of a backend-as-a-service for mobile apps called Firebase. For the QA team, along with a tailored app version, they can use BrowserStack – a service to test your app on numerous devices.
7. You have rich experience developing cross-platform applications. What challenges have you faced during audits for different OSs? What measures can you recommend to developers to ensure consistent quality across various platforms?
Cross-platform solutions are a game changer for testing costs. Generally, the same functionality doesn’t need to be thoroughly tested twice on iOS and Android because they essentially utilize the same code. However, there are circumstances where you need to double-check the implementation on both systems. These tend to involve the devices themselves. You need to pay attention to the following functionalities:
- If your app uses the camera as a scanner, then you need to check it for all platforms.
- The same goes for voice recording features, geolocation, accessing the device’s memory, push notifications (especially these), biometrics authentication support, etc. Generally, any part of cross-platform code which accesses the native system capabilities.
- Not critical, but sometimes the expected behavior can vary in keyboard, scroll, and native alert dialogs.
- You must be careful when connecting third-party services such as analytics, bug trackers, and push notifications services because they usually require different configurations for each platform.
8. And the final question we usually ask our guest experts: which emerging trends or technologies in auditing and quality control do you foresee becoming essential in this area shortly?
Just a few years ago, the industry didn’t have many easy-to-set-up automation processes like CI/CD with a few clicks, seamless deployment, and AI suggestions.
I believe there are fresh technologies that are going to grow even more in the foreseeable future:
- AI suggestions in every step of auditing and quality assurance. Even now, these are available in Sentry, the service for monitoring errors. It has an AI that suggests what part of the code might be the problem and even the ways to solve it. Of course, it’s not always right, but it looks promising.
- AI suggestions in CI/CD may be really helpful in identifying weak spots in terms of security. For example, Zapier, a tool for creating automation, allows you to write your request in human language, and the AI will interpret your text into a configured pipeline.
- Quality control can be tested using AI. Even now, Google Play uses AI in some areas to test applications alongside human review. Such tests can be written much faster using human language to automate manual QA.
- Static code analysis helps with development and quality control. However, in the current industry, static analyzers are implemented without AI. Modern analyzers are usually open-source, but some are paid products, such as DCM and SonarQube. I believe, in the future, these solutions will use AI to analyze code.
- Using AI can cause security concerns for companies since such a black box can have uncontrolled exposure to their data. Thus, some services offer in-house AIs so that you don’t send any data to a third party. That opens an opportunity to audit in-house AIs for particular companies.