Android - Code Review Process
This page explains what Q2 reviews during the merge request approval process and what remains the responsibility of the partner or financial institution.
Review Scope
Q2's code review focuses exclusively on security, safety, and user experience protection. Our goal is to ensure that your module does not introduce risks that could harm end users or the financial institution.
What Q2 Reviews
Q2 reviews your code for the following concerns:
Security Vulnerabilities
- Code that could expose sensitive user data
- Improper handling of authentication tokens or credentials
- Insecure network communications
- Weak cryptographic implementations
- SQL injection, XSS, or other injection vulnerabilities
- Improper data storage (storing sensitive data insecurely)
- Security misconfigurations
Privacy and Data Protection
- Unauthorized data collection
- Data leakage to third parties
- Improper handling of personally identifiable information (PII)
- Violations of user consent and privacy policies
- Unnecessary permissions requests
Stability and User Experience Issues
- Code that could cause application crashes or freezes
- Memory leaks or resource exhaustion
- Infinite loops or deadlocks
- Blocking operations on the main thread that cause UI freezes
- Poor error handling that leads to crashes
- Code that could corrupt user data
Compliance and Platform Issues
- Violations of Android platform guidelines
- Deprecated APIs that could cause compatibility issues
- Code that bypasses platform security features
- Improper use of Q2 Mobile SDK APIs
- Missing or inadequate ProGuard/R8 consumer rules
Malicious or Harmful Behavior
- Code that attempts to access unauthorized system resources
- Malware or malicious functionality
- Backdoors or hidden functionality
- Code that could harm device functionality
What Q2 Does NOT Review
The following aspects of your code are your responsibility and are not part of Q2's review process:
Code Quality and Maintainability
- Whether your code is well-organized or clean
- Use of design patterns or architectural approaches
- Code readability or documentation quality
- Naming conventions for classes, methods, or variables
- Code duplication or refactoring opportunities
- Technical debt
Development Best Practices
- Whether you follow SOLID principles
- Dependency injection patterns
- Use of modern Kotlin features vs Java
- Code style preferences (beyond basic security concerns)
- Comment quality or documentation coverage
- Unit test coverage or testing strategies
Business Logic Correctness
- Whether your module's business logic is correct
- Whether your implementation matches your requirements
- Edge cases in your business rules
- Accuracy of calculations or data transformations
- Correctness of your module's feature implementation
Performance Optimization
- Whether your code is optimally performant (unless it causes severe user experience issues)
- Algorithm efficiency choices
- Database query optimization
- Caching strategies
- Memory usage optimization (unless it causes leaks)
You are fully responsible for:
- Writing maintainable, high-quality code
- Following software engineering best practices
- Testing your module thoroughly
- Ensuring your business logic is correct
- Optimizing performance for your use cases
- Providing adequate documentation for future maintenance
- Managing technical debt
Q2's review is a security and safety checkpoint, not a comprehensive code quality audit.
Review Process
1. Initial Review
When you submit a merge request and support ticket:
- Q2 assigns a reviewer to your merge request
- The reviewer examines your code focusing on the security and safety concerns listed above
- Review typically completes within a few business days (varies based on change complexity)
2. Feedback and Iteration
If issues are identified:
Q2 will provide:
- Specific security or safety concerns found
- Explanation of the risk or issue
- Suggestions for remediation (when applicable)
- Links to relevant documentation or guidelines
You should:
- Address all security and safety concerns raised
- Make necessary code changes in your feature branch
- Test the changes locally with DevApp
- Push updates to the same feature branch (MR auto-updates)
- Notify Q2 via the support ticket that updates are ready for re-review
This cycle repeats until all security and safety concerns are resolved.
3. Approval
Once Q2 determines your code meets security and safety standards:
- The merge request is approved
- Your code is merged to the
masterbranch - The CI pipeline generates a test artifact
- The workflow proceeds to the test build phase
Common Review Issues
Here are common issues that may be flagged during review:
Missing or Inadequate ProGuard Rules
Issue: Consumer rules are missing, incomplete, or use overly broad keep-all rules.
Why it matters: Incorrect ProGuard rules can cause crashes in production builds or increase app size unnecessarily.
How to fix:
- Test your consumer rules locally with minify enabled
- Be specific - avoid keep-all rules like
-keep class ** { *; } - See Consumer ProGuard Rules
Hardcoded Credentials or API Keys
Issue: API keys, passwords, or other credentials are hardcoded in the source code.
Why it matters: Exposed credentials create security vulnerabilities and can be exploited.
How to fix:
- Use the module
data {}configuration in settings.json for API endpoints and keys - Never commit credentials to source control
- Use Android Keystore for sensitive data when appropriate
Insecure Network Communication
Issue: Using HTTP instead of HTTPS, or improperly implementing certificate pinning.
Why it matters: Unencrypted communications can expose user data to interception.
How to fix:
- Always use HTTPS for network requests
- Implement certificate pinning correctly if required
- Use OkHttp or other secure networking libraries properly
Improper Data Storage
Issue: Storing sensitive data in SharedPreferences, plain text files, or other insecure locations.
Why it matters: User data could be accessed by malicious apps or through device compromise.
How to fix:
- Use Android Keystore for sensitive data
- Encrypt data before storing when necessary
- Follow Q2's data security guidelines
Main Thread Blocking Operations
Issue: Network requests, database queries, or heavy computations on the main thread.
Why it matters: Causes UI freezes and poor user experience, potential ANR (Application Not Responding) errors.
How to fix:
- Use coroutines, RxJava, or background threads for long-running operations
- Keep main thread operations lightweight
- For MethodModule, leverage the background threading it provides
Excessive Permissions
Issue: Requesting Android permissions that aren't necessary for module functionality.
Why it matters: Violates user privacy and increases security risk.
How to fix:
- Only request permissions that are essential
- Document why each permission is needed
- Use runtime permission checks appropriately
Poor Error Handling
Issue: Catching all exceptions without handling them, or letting exceptions crash the app.
Why it matters: Can lead to app crashes or undefined behavior that impacts users.
How to fix:
- Handle exceptions appropriately for your use case
- Log errors for debugging but don't expose sensitive information
- Fail gracefully when possible
- Don't silently swallow exceptions that indicate real problems
Tips for Faster Review
- Test locally with minify enabled - Catch ProGuard issues before review
- Follow security best practices - Avoid common security pitfalls
- Provide clear MR descriptions - Help reviewers understand your changes quickly
- Include module data configuration changes - Prevent configuration-related issues
- Respond promptly to feedback - Keep the review cycle moving
- Ask questions early - Use general support tickets if you're unsure about security requirements
Questions During Review
If you have questions about feedback received during review:
- Reply directly in the merge request with your questions
- Update your support ticket with clarifying questions
- For general security questions, create a new support ticket
Q2 reviewers will clarify concerns and provide guidance to help you address issues.
Additional Resources
- Development Workflow - Complete workflow from development to production
- Local Development - Day-to-day development practices
- Submitting Support Tickets - How to submit tickets and MRs
- Consumer ProGuard Rules - ProGuard rules guide
- Module Debugging - Debugging tools and techniques
If you have questions about the code review process or need clarification on security requirements, contact Q2 support through q2developer.com.