Google Dropping an Android Wear API and OAuth 1.0

Google is making some changes to Android Wear and Google under the hood, and developers need to take heed. The company has deprecated an API for Android Wear and plans to fully retire OAuth 1.0 in the near future. Replacements for these outgoing tools are already in place, so if your apps aren't up to date, it's time to make them compliant.

First up, Google has deprecated the BIND_LISTENER intent filter API for Android Wear. Google says this API has a number of limitations. When first introduced, the API allowed apps to listen to changes such as message arrivals and peer connections. It kicked on any time these events occurred, even if the app only needed to check one type of change. Phones with a large number of apps installed using the API forced a bunch of services to start up, which could clog device memory and cause other operations to shut down. Google realized this is not ideal and decided a new API was needed.

Google provided that API in Google Play Services 8.3, which it released earlier this year. Play Services 8.3 has a new, fine-grained intent filter that gives developers the power to select exactly which events can wake their app. The API supports multiple events. Google warns developers to include at least one event, or their service will never be called. There is a master tool (AndroidManifest. XML for CAPABILITY_CHANGED) that will allow services to wake any time, but Google suggests it be used sparingly.

"In general, you should only use a listener in AndroidManifest.xml for events that must launch your service," explained Wayne Piekarski, Developer Advocate, Android Wear, in a blog post. "For example, if your watch app needs to send an interactive message or data to the phone. You should try to limit the number of wake-ups of your service by using filters."

In order to call attention to the change, Google is flagging the old API in Android Studio 2.1. Developers who compile their Play Services 8.2-compliant apps with the newest version of Studio will see errors. Google says exiting apps installed on end-user devices will not be affected.

More information is available in documentation here.

Second on the docket today: OAuth 1.0 (2LO). Google said several years ago that it planned to move away from OAuth 1.0 as OAuth 2.0 became common. Arguably, OAuth 2.0 is more secure than OAuth 1.x and is less complex for developers to use. Whereas Twitter depends on OAuth 2.0 for application-only Authentication, it still depends on OAuth 1.0a for user-based authentication. OAuth 1.0 (3LO) was shut down a year ago and Google plans to shut down OAuth 1.0 (2LO) on October 20, 2016. Google says developers should use OAuth 2.0 service accounts to migrate to the new standard.

Developers who don't move to OAuth 2.0 before October 20 will no longer be able to connect with Google services, including the ability to sign in. Google says it is critical that developers migrate to OAuth 2.0 to ensure their services aren't interrupted and end users aren't locked out of their apps.

"With this step, we continue to move away from legacy authentication/authorization protocols, focusing our support on modern open standards that enhance the security of Google accounts and that are generally easier for developers to integrate with," said Vartika Agarwal, Technical Program Manager, Identity & Authentication.

Google suggests developers who have technical questions reach out publicly in its forums.

Be sure to read the next Wearable article: Apple Warns Developers To Update Watch Apps