00:10
hi everyone thank you for coming to this
00:12
session my name is Nicola today we're
00:14
going to talk about I have no idea what
00:16
my app is doing so first mandatory slide
00:20
about me so I work as Android engineer
00:25
at Yelp Yap is an American company we
00:29
are based in San Francisco although I
00:30
work for the German office in Hamburg I
00:33
love to call myself a community lover
00:35
I run a couple of communities in Italy
00:37
and in Germany and those are my passions
00:40
but today this torque is not endorsed by
00:43
my company this is stuff that I love to
00:45
talk about so it's not yet related so I
00:50
have no idea what my app is doing the
00:54
title is catchy and I would love to say
00:58
that this is not a classical technical
01:01
session we can call it like maybe 50
01:03
percent technical at 50 percent
01:05
inspirational I want to raise awareness
01:07
I want to tell a little bit about my
01:10
experience onboarding big code bases and
01:13
actually understanding what my Android
01:16
application was doing and giving that
01:19
I'm from Italy I think we're gonna use
01:23
some metaphors to make sure that the
01:24
concepts are easy to understand and now
01:27
we're gonna talk about something that we
01:29
as Italian I really enjoy there is food
01:32
so whenever I go around especially
01:35
Germany I really enjoy to get like pizza
01:38
and try like what are a cultural thing
01:42
that Pizza actually is but you know I
01:45
always want to know like what what's
01:48
inside methods I want to get mine get to
01:50
know my pizza I really like I don't like
01:53
a white bits or stuff like that
01:54
so I really want to get to know what I'm
01:57
working on I really want to get to know
01:58
my my codebase so how do you actually
02:03
start so how do you start eating a pizza
02:05
how do you start onboarding on code
02:08
bases they are not aware of so if you
02:10
are like if you're lucky you maybe start
02:12
a project from scratch so you set up the
02:15
create everything but in the majority of
02:17
the cases you just on board on code
02:18
bases that you're not the first author
02:20
so you need first to understand exactly
02:22
what their app is doing so they start
02:25
first one byte at a time
02:27
you can't expect to learn I've like got
02:30
the entire code base immediately
02:32
it takes time obviously try to start
02:36
with small changes especially if you're
02:37
a junior like try 225 there are like
02:39
sections of the code base there you can
02:41
touch try to change them and see how
02:44
your changes impact that and then
02:47
another source of that is really useful
02:50
from boarding is get in touch with you
02:52
with tests tests if they're good written
02:55
they tend to be a relief informative
02:57
part of the code base and they can tell
03:00
you a lot about what the app is supposed
03:02
to do one thing I learned the hard way
03:05
is you can't eat everything
03:07
also with pizzas so don't expect to read
03:10
the old code base that's probably like
03:13
sounds obvious maybe but when I was
03:15
junior and my first job the first thing
03:18
that I did is like I will spend some
03:21
days reading everything just because I
03:23
want to know what's going on and that
03:24
took me a lot of time I was kinda
03:27
useless so I would say try to understand
03:31
your module boundaries like you will end
03:33
up working on some modules try to
03:35
understand what's the size of the module
03:38
and now that module interacts with the
03:40
core of the app that should be enough to
03:43
make you in a good position where you
03:45
can actually start working another
03:50
suggestion for onboarding big code bases
03:54
is pay attention to tag depth
03:57
specifically if if the code base that
03:59
you're bored and here I want to mention
04:01
that like I mean the app I'm working on
04:04
is like two million lines of code so
04:06
when you start working with that don't
04:09
try to change the code style like it can
04:12
be really painful especially if you have
04:14
something like this like hey look this
04:16
file is still using rax Java one I'm
04:18
aborting why can't I just convert it to
04:20
extra two in the meanwhile you might end
04:23
up with something like this like get
04:25
reverting your last two hours of work
04:27
just because if that file is incorrect
04:30
Java one maybe someone else at this add
04:32
that same idea in the past and another
04:35
learning when I wasn't waiting bit code
04:38
base code bases is never trust
04:41
appearances so if you're from German you
04:45
probably know this brand and like frozen
04:49
pizzas this is pizza for me it looks
04:53
pretty great on the picture over there I
04:56
don't know if you ever tried this one I
04:58
think there are like not more than three
05:01
mushrooms on top so never trust what the
05:04
outside of your code tells you so for
05:08
example if you end up having a
05:09
functionary something like this is
05:10
available or return false that's trivial
05:12
maybe the results are comment on top
05:14
always return false and when I was like
05:19
onboarding my first project I said like
05:20
oh you know what I'm gonna read
05:22
everything I'm gonna add Java doc
05:24
comments on every function so it's like
05:27
the commutation that's also going to be
05:29
cool then it happens that someone else
05:33
decided that the module started to be
05:34
available and they never updated a
05:36
comment and then you go there you get
05:38
blame and you realize that you are the
05:41
guy that wrote the comment so never
05:43
trust comments they're a great source of
05:45
documentation but always stick to their
05:48
code because that's real logical so I
05:52
assume now you embody your project you
05:54
are working at a company since like one
05:56
month two months now you want to make
05:59
sure that the code that you work with
06:02
and the food that you eat
06:04
sugar-free you want to make sure there
06:07
are no extra stuff added on top you want
06:10
to make sure that you're going bug free
06:12
so to detect unintended behavior of your
06:15
application there are a lot of points
06:17
that you can start investigating to see
06:19
if the app is behaving in a way that you
06:21
don't really expect one of these is
06:25
using a proxy so if you're not familiar
06:28
with proxies proxies are tools that
06:32
allows you to inspect the network and
06:34
see what what your application is
06:37
actually doing under the hood I
06:38
generally love to use charts I know it's
06:41
paid but the subscription subscription
06:44
is not that crazy pricy so that's
06:46
probably worth the cost I'm not working
06:49
for charts anyway you can see all the
06:52
requests the application is firing
06:55
unfortunately it's not they're really
06:57
easy to configure I mean it requires
06:59
some configuration on the emulator and
07:01
on your computer I need to look like
07:03
something like this you will have like
07:05
all the requests the application fired
07:08
and you can inspect the body and see
07:10
like all the communication between
07:12
Europe and the back end is opening if
07:14
you don't want to pay for chars and you
07:17
don't want to like especially if like a
07:20
backing engineer needs to use that you
07:21
don't want to set up charts in their
07:23
computer you can use another tool it's
07:26
called checker it's open source it's
07:29
indeed up this digital proxy but works
07:31
on RL layer it's basically an oak HTTP
07:34
interceptor and it works on device
07:37
without any sort of configuration
07:38
it's just library there you plug in and
07:40
again it's useful to catch on internet
07:43
behavior so let's let's say for example
07:45
they are implementing like a list and
07:47
you have paging and you realize that
07:50
your application is calling them from
07:51
twice for whatever reason we have a bug
07:54
in your erect Java configuration that's
07:57
really useful and it's also useful to
07:59
build awareness so the UI of the library
08:03
it's something like this these are tests
08:05
so let's simulate some HTTP activity and
08:08
you will have this like sort of personal
08:11
education you can click and see all the
08:14
or the network requested so this allows
08:18
like for example a product manager or a
08:20
designer to get sort of an idea of what
08:22
is going on like when you click on the
08:24
button network is being invoked so I
08:28
know it's still tacky but product
08:30
managers and designers if they're not
08:32
like if tips I'm a little bit of tech
08:34
background they might understand that
08:36
and I find it useful so this is like a
08:38
fork of another library it's called
08:40
Chuck that unfortunately it's not
08:42
maintained anymore so if you use a que
08:44
HTTP especially if you use a HTTP for
08:46
that's comparable so think about that it
08:50
solved a lot of problem for us another
08:53
place where you can look to check
08:54
exactly what your app is going on or
08:56
what your final app is going on is the
08:58
manifest so not just the manifest you're
09:01
right but emerge manifest so the actual
09:04
manifest that will end up in your apk so
09:08
if you're not aware of these the
09:10
manifest on Android follows a two-step
09:12
merge process so first all the manifests
09:14
from all of your libraries and all of
09:16
your modules are collected they're
09:18
merged and then all the manifests from
09:20
all of your source sets are collected as
09:22
well and they're merged specifically
09:25
there is the tab on the bottom of the
09:29
manifest that is called merged manifest
09:31
that allows you to show what's the
09:33
difference between the manifest they
09:34
actually wrote and the manifest that
09:37
will end up in your apk and a lot of
09:39
times you have libraries there are
09:42
pulling in permissions or whatsoever and
09:47
you have no idea why at the end of the
09:49
story you have that extra permission
09:51
with the merge manifest you can have
09:53
like colors and for every color you see
09:56
which library is pulling in that
09:58
specific section of the manifest and
10:01
then the last thing that I want to
10:03
mention it's enforce conventions so make
10:08
sure you spend some time setting up your
10:10
static analysis on your CI system we
10:13
will talk about that for like we could
10:15
give give appropriate talk about this
10:17
I'm just mentioning it my policy here is
10:20
always break to build like John
10:22
trust warnings like don't use warnings
10:24
just break and make sure that people are
10:26
fixing whatever convention you want to
10:29
enforce also think about sharing your
10:33
pre-commit talks another Android
10:35
community is not such a thing about like
10:39
sharing a comic books across projects or
10:41
I mean everyone has a different approach
10:44
to do that I would love to mention
10:45
pre-commit comm is a tool that allows to
10:48
have like a configuration file in your
10:50
app oh and Tay and explains which
10:53
recommitted should be applied and this
10:55
is a nice way to share per commit across
10:58
people working on the same project so
11:01
now you're boarded your your project and
11:05
you also know where to find problems
11:07
from your codebase that might have
11:09
unintended behavior but what happens
11:12
when you're not preparing your own food
11:14
we are getting food from someone else
11:17
and you need to pay attention to the
11:21
place where you get your order or you
11:23
need to pay attention to the like your
11:25
dependencies like other code that ends
11:29
up in your application and there is out
11:31
so if you are developing Android apps
11:33
nowadays you probably know that you
11:35
can't really do it without external
11:38
dependencies I don't know if you know
11:39
this meme but when I got out from
11:41
university I like I think a follow one
11:43
course on Android development and they
11:45
told me yeah you need to use a sequel
11:47
light open helper and all that stuff
11:51
that's not the reality
11:53
like the realities that use the stuff
11:55
there is over here external libraries
11:57
you can't really you can really live
11:59
without and just to give you an idea
12:01
that's you're not supposed to read it
12:03
but that's the amount of code they need
12:05
to make a network all without using any
12:09
external library without like using only
12:11
the code that the Android SDK is
12:13
providing you and if you start adding
12:16
like cuddling and some proper
12:20
passing library and okay HTTP on top you
12:23
would see that your code shrinks and
12:25
shrinks and it's just like way more
12:27
maintainable and you will end up with
12:30
like three lines to make the same
12:32
network hole so you can't really live
12:34
without external dependencies so given
12:37
that you anyway need to get your food
12:40
outside I think it's really important
12:42
where do you get them from like not all
12:46
the restaurants are the same
12:49
specifically the restaurants in the
12:52
context of Android development are the
12:54
maven repository so the places where you
12:57
get your dependencies from there are
12:59
several I'm pretty sure you're familiar
13:01
with them let's like refresh them there
13:03
is the Google maven repo J Center Bob in
13:07
central you can also specify other
13:09
Marvin dependent Marvin repository using
13:12
the URL like in this way I want to
13:16
mention jetpack it's a really famous
13:18
service that gets github repository
13:22
builds them and post them and also you
13:25
can have your own local repository
13:28
called Marvin local so the order of this
13:33
repository is extremely important and
13:36
why we would see later so when you when
13:41
you go ordering food like I don't know
13:44
if you if you like sushi but I love to
13:47
choose okay I never go to the restaurant
13:49
and I say like you know what give me the
13:51
best you have and I mean maybe you do it
13:55
but in terms of dependencies that's not
13:58
always great in terms of dependencies
13:60
that means avoid dynamic dependencies so
14:03
them will end up making your build less
14:07
reproducible and dynamic dependencies
14:09
are stuff that looks like this so JP is
14:12
to see the dependency is uramaki plus
14:15
that means like give me the bus here my
14:16
Kiev out there also this is a dynamic
14:19
dependency this is like 2+2 0 plus and I
14:23
want to mention one thing about this
14:25
because there's no developers that are
14:26
using it here you would think like okay
14:29
and I stick to todaro but that's like
14:33
the patch version I don't really care
14:35
about that do you really believe that
14:37
all the Android developers and all the
14:39
trauma developers out there really
14:40
follow semantic versioning there are a
14:43
lot of libraries that in the 20.1 they
14:46
introduced breaking changes so pay
14:50
attention to these and also if you do
14:51
stuff like this one there you can do
14:53
that in Gradle that's not so dynamic
14:56
dependency so think about when you do
14:59
that because you never know what you're
15:00
gonna end up having so this is one thing
15:03
in Gradle that you can use and it's
15:06
called version lock and I know it's not
15:09
that much use but I find it really
15:11
useful so in your dependencies block you
15:14
can still say hey you know what
15:15
I always want the best uramaki in the
15:18
configurations block inside the
15:20
isolation the resolution strategy block
15:22
you can activate dependency locking so
15:25
if you do these and you call the
15:28
dependency task with the - - right -
15:32
locks this will happen so you will have
15:35
a great folder with a dependency lock
15:39
file inside and this file will contain
15:43
the resolved version of all of your
15:46
dependency not only they wander you
15:49
define but all the transitive
15:50
dependencies your built is fetching and
15:55
for example here we can see that Aramaki
15:57
is at version 3.14 well this subsequent
16:00
builds of Gradle will keep on using
16:03
those fixed locked versions you can
16:07
always obviously update them so if you
16:09
run again we - - update - locks and a
16:12
pattern those versions will be checked
16:15
if there are new versions released and
16:16
we will be updated you can also do like
16:19
asterisk asterisk and update everything
16:21
there it's really useful especially if
16:23
you want to like have a CIE task that
16:27
every like every week runs that there is
16:30
this file that you can commit and see
16:32
actually what is going on and before
16:33
updating the locks you can actually run
16:35
your test and make sure that your build
16:37
is still working fine
16:39
so let's talk about favorite restaurant
16:44
I'm really picky and I know where is the
16:47
best sushi that I can get in Amberg so
16:50
you can actually restrict dependencies
16:52
to specific repository so you can say
16:56
for example the uramaki you want it from
16:58
that repository only so here it comes
17:02
the thing that I mentioned before the
17:05
order of your repository is important
17:07
because they get queried top to bottom
17:09
and you can specify rules to prevent
17:12
resolution of specific dependencies
17:15
inside specific repositories for example
17:18
inside your repositories block you can
17:20
say that you have a repository there is
17:22
your internal repo like repo sushi JP
17:24
Marvin - and these will include the
17:27
group JP sushi so those dependencies
17:30
will be fetched only there and you can
17:33
say that inside J Center for example you
17:36
want to exclude group by rejects for
17:40
example JP sushi so this allows you to
17:44
make sure that your internal company
17:47
dependency are not fetched by external
17:49
repository it's also really flexible
17:52
because there are a lot of function that
17:54
you can use with regex and you can
17:58
specify like all of your configuration
18:01
what about if you want to make sure that
18:04
you eat gluten-free so what I mention
18:09
here is like maybe the sushi that you're
18:12
eating is gluten-free but there might be
18:15
ingredients inside there are not so pay
18:18
attention to transitive dependencies
18:20
like the band insists they are pulled in
18:23
by others so on Gradle you can define
18:26
constrain constraints for your
18:28
dependencies and what is also cool or at
18:32
least useful is you can leave a because
18:34
message and we will see how and the last
18:39
thing that I want to mention is pay
18:41
extreme attention to a version
18:42
resolution and there are some tricky
18:46
scenarios that could happen
18:48
so let's say that for your project you
18:51
need kaiten sushi version 100 you can
18:56
define constraints and you can say that
18:60
if California will ever be needed you
19:04
want version 301 and if sashimi will
19:08
you need version 4200 so the fact that
19:13
those two are inside the constraints
19:14
block means that those are not
19:17
necessarily dependency but if they will
19:19
end up being inside your dependency tree
19:22
you specify which version you want you
19:24
can also leave a because message for
19:26
example California 300 at gluten I
19:29
didn't wanted that and sashimi 42 is
19:33
just the best ever what's the what
19:36
happens if another dependency in your
19:38
tree pulls in sashimi 43 there is a
19:42
highest version the highest version will
19:44
win you can say force equal true - mm
19:48
force that specific version because
19:50
maybe you really want the version 32 you
19:54
can actually force the version also at
19:56
the implementation level like I really I
19:58
need this dependency and I really want
20:01
this version and if you really need
20:03
fine-grained control all over all of
20:05
your dependencies you can still specify
20:08
these transitive equal faults I think
20:11
you will probably never need these but
20:13
just to tell you what it does this
20:15
basically blocks transitive dependency
20:17
resolution so you will need to specify
20:19
all the dependency manually otherwise
20:22
your build will never succeed so a
20:26
couple of words related to a version
20:28
resolution so if you have kaiten sushi
20:31
100 you can run the dependencies task to
20:36
see the dependency tree and kaiten sushi
20:39
imports - dependency California and
20:41
sashimi and those are the versions
20:43
what happens if sashimi pulls in also
20:46
California 302 you will see inside a
20:50
graph that the highest version will win
20:54
California 301 will not be used the 302
20:57
will be used when telling you this
20:59
because you might end up end up in a
21:01
situation when those two libraries ends
21:05
up having guava guava 27.1 and one meets
21:09
the Android and the other needs the JRE
21:13
first do you guys know which person will
21:17
win know the theory because it's Gradle
21:27
used a compare function from string so
21:31
those are string and like
21:33
lexicographically highest string will
21:36
win so what I wanted to say here is like
21:40
I saw there are libraries that are using
21:41
text inside the version pay attention to
21:44
that then I think from one of the
21:48
upcoming version of grill there will be
21:50
support for variants that allows that
21:54
this notion of Android and JRE not
21:56
inside the version but inside the
21:57
artifact that will prevent scenarios
21:59
like this just make sure that versions
22:02
are resolved using string dot compare
22:05
what about the quality of the food that
22:08
you get what about L checks you want to
22:11
make sure that the quality of the fish
22:12
is the best so unfortunately the current
22:15
status of the dependency environment on
22:18
Java and Android it's not the best
22:21
dependencies are really hard to verify
22:23
so when you when you publish artifacts
22:26
on maven central Orange a center Jerry
22:29
published also md5 or sha-1 artifacts
22:35
and those are checked if they are there
22:36
but the problem is that like the GPG
22:39
signatures are ignored so i don't know
22:42
if you have experienced publishing
22:43
libraries but you know that you need to
22:45
have a GPT key and sign your artifacts
22:47
re wise you will not be able to publish
22:48
those signature are basically completely
22:51
ignored we will see how so this is a
22:55
not in Central and there are those ASC
22:58
file there are actually the signature of
23:01
the artifacts basically I don't know
23:04
what's the percentage of people are
23:05
actually looking at that file by your
23:07
build system is ignoring them there is
23:10
actually like ticket on the Apache issue
23:15
tracker and the problem here is that
23:19
there is no easy way to relate a
23:22
developer to a GPG key so I will need a
23:25
way to say like hey I am Nicola that's
23:28
my library and that's my GPG public key
23:30
you can use it to verify my artifact so
23:32
you can be sure that I am the developer
23:34
that actually uploaded their artifact
23:37
ideally the file could be extended with
23:41
those sort of information
23:44
unfortunately Android developers are not
23:47
I mean really interested in these kind
23:50
of things but they can be risky so this
23:52
ticket is open since a while and there
23:53
is not much movement so I don't expect
23:56
major solutions coming out over here but
23:59
my purpose is to raise awareness and let
24:02
you know that stuff can go really bad
24:04
and they can go really bad and they can
24:07
lead to a scenario there is this one so
24:10
there were like a blog post I think one
24:13
year ago it was called like a confusing
24:16
dependency so here call it confusing
24:19
order and what's the problem here the
24:22
problem is that what do you see on
24:24
github is not necessarily what's inside
24:26
your build so what you see on get up
24:28
when you open the source code of a
24:29
library is not necessarily what your app
24:31
will actually use tax is really
24:34
important to understand because you
24:36
might end up in kind of an attack that
24:39
is called xbi cross build an injection
24:42
and you will have code in your build
24:44
that you don't expect and might have
24:47
malicious side-effects so malicious
24:49
packages got uploaded for timber and
24:51
android audio recorder on J Center and
24:54
undried developers just started using it
24:57
the promise that the real package for
25:00
example for timber or
25:02
Android audio recorder was not on J
25:04
Center so Jason had a free spot for that
25:08
artifact and stuff got uploaded on J
25:12
Center and yeah developers starting
25:15
starting to use it that's the link to
25:18
the original blog post they really
25:19
invite you to read if you're interested
25:20
in to these kind of things and the code
25:23
looked something like this
25:24
that's the Android audio recorder
25:26
library and in the constructor
25:29
the library was just like saving a
25:32
stuffed activity and that was trivial
25:34
like this was the code there was
25:35
available on github but if you get the
25:38
dependency from JSON T if you open the
25:40
jar you will see that the code is doing
25:42
that plus starting a thread and the
25:46
thread was doing stuff like trying to
25:51
resolve making like DNS resolution
25:54
requests and inside the DNS resolution
25:56
they were like adding model and device
25:59
of the device inside a hostname so that
26:03
data was sent on the network somewhere
26:06
you might not even notice this stuff it
26:09
will just happen and you are starting to
26:11
distribute this to all of our users and
26:14
what was the problem the problem was
26:16
Android audio recorded wasn't it back
26:21
it's a great tool but there was at the
26:24
bottom so your Gradle build whenever you
26:27
request Android audio recorder 0 300 it
26:31
will start to ask Google it do you have
26:33
it they don't have it will go to J
26:36
Center just until used to don't have
26:38
this dependency so ideally you would
26:40
have asked jetpack to get it but someone
26:45
else uploaded stuff on J Center there at
26:47
that same dependency so if you comment
26:51
out jetpack the builds will succeed and
26:54
that's a big problem
26:57
there were like post-mortem from Jay
27:01
Fogg and J Center God it's interesting
27:07
it's not super much detailed but I
27:10
really invite you to take a look there
27:12
is like overview of what actually
27:14
happened of course of events and
27:17
unfortunately yeah the description is
27:19
short but what is long is the list of
27:22
all the packages that got uploaded and
27:25
the reason how they managed to upload it
27:27
it's it's so stupid like they just use
27:31
take Wharton there was a free username
27:34
so yeah that's the scope of my talk I
27:40
wanted to raise awareness about this
27:42
this kind of attack actually are not new
27:46
there are famous also in other
27:47
environment specifically there is this
27:49
blog post I'm a visiting credit card
27:52
numbers and password from your site is
27:54
how this is related to node so it's
27:57
extremely interesting I invite you to
27:59
read it and I think one or two weeks ago
28:05
the way these are a blog post want to
28:07
take over the Java code system all you
28:09
need is a man-in-the-middle so about
28:12
this one a couple of other words so this
28:16
kind of attack happens if you fetch our
28:19
dependencies using HTTP rather than HTTP
28:23
this could happen based on how you set
28:25
up your Gradle like if you have a maven
28:28
repository and then you write an HTTP
28:31
URL you will just use plain HTTP to get
28:35
dependencies and if you happen to be in
28:38
a man-in-the-middle attack someone else
28:40
might answer instead of the maven repo
28:43
and provide you dependencies and now you
28:45
will say like yeah ok come on how often
28:48
it will happen there will be a
28:49
man-in-the-middle attack but if you just
28:52
like have an access point and you create
28:55
network and you call it Starbucks and
28:58
you go in the center
28:59
Alexanderplatz and you see down there
29:03
people will get connected and especially
29:06
if you start building Android stuff and
29:09
you connect to that network without
29:11
password and you fetch those
29:14
dependencies they get cached in your
29:16
local cache so you will reuse it also
29:18
when you go back to your office so pay
29:21
attention to this and the last thing
29:24
that I want just tool that I want to
29:25
mention is this dependency check so
29:30
these two doesn't really solve the
29:32
problem that I mentioned but it's useful
29:34
to check if some of your dependency
29:38
contains security flaws or
29:40
vulnerabilities so there is this from a
29:44
wasp and there is this list of all the
29:47
vulnerabilities known so this tool will
29:50
check your Gradle build and will check
29:52
if you're using one of these dependency
29:54
I will tell you hey you are using this
29:55
old version of this library that
29:58
contains women really is like just
30:00
update but these will not prevent you
30:03
from situation like what you think you
30:06
might use you're using HTTP 4 we
30:10
reversing that by you're actually using
30:12
a version there is okgd before with some
30:15
sugar added on top that's pretty easy
30:18
it's just a greater plugin you enable
30:20
leap like that and you have an extra
30:23
task there is dependency check analyze
30:25
it will take some time because it has to
30:27
download the list of all the
30:29
vulnerabilities and checks your stuff at
30:32
least I think the first build is a bit
30:33
longer but it's kind of useful to anyway
30:37
make sure that your app is secure and
30:39
you have good quality code inside so to
30:43
wrap up oh you got some insights and you
30:47
learn something new - like how to avoid
30:49
big projects or like get to know your
30:52
pizza make sure like you're able to like
30:56
and you go sugar-free and most important
30:60
you watch out where you get your food
31:01
from and where you get your dependencies
31:03
from and with these I'm done Thanks
