Saturday, July 19, 2025

Essential Android Interview Questions and Answers to Jumpstart Your Preparation

 1- Jetpack Compose Interview Questions and Answers

Advanced Jetpack Compose Interview Questions and Answers

 Q: What is the Slot API in Jetpack Compose?

 A: The Slot API allows developers to pass Composables as parameters, enabling content injection.

 It's commonly used in custom UI components like Scaffold, AlertDialog, or your own Composable functions.


 Q: Explain Skippable vs Restartable Composables.

 A: Restartable: Composables that can be re-invoked during recomposition.

 Skippable: If Compose determines that inputs haven't changed, it can skip recomposing them to improve performance.


 Q: How does Jetpack Compose handle recomposition behind the scenes?

 A: Compose uses a snapshot system that tracks state reads during composition. When state changes, Compose only re-executes affected Composables (based on changed state).


 Q: What is LaunchedEffect and when should you use it?

 A: LaunchedEffect runs suspend functions in a composable-safe coroutine scope. It is keyed, so when the key changes, the block cancels and restarts. Useful for one-time effects or when inputs change.


 Q: How does rememberCoroutineScope() differ from LaunchedEffect?

 A: rememberCoroutineScope() provides a scoped CoroutineScope that survives recomposition, giving you manual control. LaunchedEffect is lifecycle-aware and tied to composition changes.


 Q: What is derivedStateOf and when should it be used?

 A: derivedStateOf creates a derived state from other state objects, recomputing only when inputs change. Ideal for expensive computations that depend on observable state.


 Q: How do you implement a performant LazyColumn with dynamic content?

 A: Use the key parameter to prevent unnecessary recompositions.

 Use itemsIndexed() or items() with unique keys.

 Avoid state inside each row unless necessary.

 Use rememberLazyListState() for scroll handling and performance tracking.


 Q: How do you integrate Jetpack Compose with legacy View-based code?

 A: Use ComposeView in XML layout.

 Use AndroidView() to embed Views inside Compose.

 Share ViewModels and data layers to bridge both systems.


 Q: What is Modifier.composed {} and why is it needed?

 A: Modifier.composed {} is used to create custom Modifiers with internal state or side effects.

 It allows access to remember and recomposition-aware logic inside a Modifier.


 Q: How do you measure and layout custom Composables manually?

 A: Use Layout { measurables, constraints -> ... } to measure and place children manually, enabling complex UI designs like custom flow layouts, staggered grids, etc.


 Q: What is the difference between Material2 and Material3 in Compose?

 A: Material3 (aka Material You) is the new design system with dynamic theming, more flexible color systems, and newer components.

 Material3 APIs are backward-compatible with Material2 in Compose but require setup with new theming.


 Q: How do you test side effects and navigation in Compose?

 A: Use ComposeTestRule.setContent {} for Composable testing.

 Test NavController behavior using TestNavHostController.

 Use assertIsDisplayed(), performClick(), etc. from compose.ui.test.


 Q: What are the best practices to avoid recomposition performance issues?

 A: Use remember, rememberUpdatedState

 Stable classes / data structures

 Keys in Lazy layouts

 derivedStateOf

 snapshotFlow to observe state efficiently


 Q: How do you implement Compose in Clean Architecture / Modular App?

 A: UI Layer: Compose only

 ViewModel: Use StateFlow / UiState

 Domain Layer: Pure Kotlin logic

 Navigation and state hoisting should be delegated from Composables to ViewModels or UseCases.


 Q: What's the use of SideEffect, DisposableEffect, and rememberUpdatedState?

 A: SideEffect: Executes after every successful recomposition. Use for non-composable side effects like analytics logging.

 DisposableEffect: Manages lifecycle and cleanup like observers or callbacks.

 rememberUpdatedState: Keeps the latest lambda across recompositions without restarting effects.


 Q: How do you handle authentication flows with Compose + Navigation?

 A: Use NavController and authentication state (e.g., isLoggedIn) from ViewModel.

 Conditionally navigate to authenticated vs unauthenticated routes using navigation graph changes or conditional Composables.


 Q: How does Compose manage state hoisting and why is it important?

 A: State hoisting is the practice of moving state ownership to a higher-level Composable.

 Makes Composables stateless, testable, and reusable.


 Q: Explain Compose's snapshot system.

 A: Compose uses a snapshot system that tracks reads/writes of state.

It batches changes and triggers recomposition only when relevant state is modified.


 Q: How do you debug recomposition issues?

 A: Use log statements in Composables

 Use Android Studio Composition Tracing and Layout Inspector

 Annotate Composables with @Stable, @Immutable for optimization


 Q: Can you explain why a Composable is recomposing unnecessarily and how to fix it?

 A: Common reasons:

 - Mutable state in wrong scope

 - Lack of key in LazyColumn

 - Recreating lambda in parameters

 - Unstable data types

 Fix: Hoist state, use remember, use stable classes


Android Security Interview Questions:

Q: What is Android sandboxing?

A: Android runs each app in its own sandbox to isolate data and processes, enforced by the Linux kernel.

Q: How does Android protect app data by default?

A: By storing data in internal storage, which is private to the app and inaccessible to others unless rooted.

Q: What is the purpose of android:exported?

A: It determines whether a component is accessible to other apps. Required from Android 12 for components with intent filters.

Q: What is ProGuard or R8 and how do they help?

A: They obfuscate the code, making reverse engineering harder by renaming classes and methods.

Q: What is the difference between install-time and runtime permissions?

A: Install-time permissions are granted when the app is installed, while runtime permissions are requested during app usage.

Q: What’s the risk of using external storage?

A: External storage is readable by other apps with storage permissions, risking data leakage.

Q: Why is enabling JavaScript in WebView risky?

A: It can expose the app to XSS or remote code execution if untrusted content is loaded.

Q: What is android:allowBackup and why is it risky?

A: If set to true, app data can be backed up and restored, potentially leaking sensitive data.

Q: What is an implicit vs explicit intent?

A: Explicit intents target a specific component; implicit ones allow other apps to handle them, which can lead to hijacking.

Q: What is Network Security Configuration?

A: An XML configuration that controls network security policies like HTTPS enforcement and certificate pinning.

Q: How do you securely store user credentials?

A: Use Android Keystore to store encryption keys, and EncryptedSharedPreferences or SQLCipher for data.

Q: What is Android Keystore?

A: A system component that securely generates and stores cryptographic keys in a hardware-backed environment.

Q: How do you prevent sensitive data from being logged?

A: Avoid logging sensitive information and remove logs in release builds using ProGuard rules.

Q: What is Tapjacking and how to prevent it?

A: A UI deception attack. Prevent it by setting WindowManager.LayoutParams.FLAG_SECURE on sensitive screens.

Q: How can you protect your app from reverse engineering?

A: Obfuscate code, avoid hardcoded secrets, use native code for sensitive logic, and detect rooting.

Q: What is Certificate Pinning?

A: Ensures the app communicates only with a specified server certificate, preventing MITM attacks.

Q: How do you restrict access to ContentProviders?

A: Set android:exported to false and define permissions for external access.

Q: What is SELinux and how does it secure Android?

A: SELinux applies mandatory access control policies that restrict apps even at the system level.

Q: What is Android Verified Boot?

A: It ensures the device boots using verified system images, protecting against boot-level malware.

Q: What are SafetyNet and the Play Integrity API?

A: APIs to verify device and app integrity, detect rooting, and prevent tampering or abuse.

Q: What is dynamic code loading and why is it risky?

A: Loading external code at runtime can introduce malicious code. Use only trusted sources and HTTPS.

Q: How to detect if a device is rooted?

A: Check for the su binary, root apps, test-keys, and use SafetyNet or Play Integrity API.

Q: How to secure API keys in an app?

A: Do not hardcode. Use NDK with Keystore or store keys server-side and use short-lived tokens.

Q: How to protect a payment feature in an app?

A: Use HTTPS, certificate pinning, validate inputs, store encrypted data, and use integrity APIs.

Q: User reports data theft. What steps do you take?

A: Check logs, validate secure storage and network handling, and verify app/device integrity.