1- Jetpack Compose Interview Questions and Answers
Advanced Jetpack Compose Interview Questions and Answers
Q: What is the Slot API in Jetpack Compose?
A: The Slot API allows developers to pass Composables as parameters, enabling content injection. It's commonly used in custom UI components like Scaffold, AlertDialog, or your own Composable functions.
Q: Explain Skippable vs Restartable Composables.
A: Restartable: Composables that can be re-invoked during recomposition.
Skippable: If Compose determines that inputs haven't changed, it can skip recomposing them to improve performance.
Q: How does Jetpack Compose handle recomposition behind the scenes?
A: Compose uses a snapshot system that tracks state reads during composition. When state changes, Compose only re-executes affected Composables (based on changed state).
Q: What is LaunchedEffect and when should you use it?
A: LaunchedEffect runs suspend functions in a composable-safe coroutine scope. It is keyed, so when the key changes, the block cancels and restarts. Useful for one-time effects or when inputs change.
Q: How does rememberCoroutineScope() differ from LaunchedEffect?
A: rememberCoroutineScope() provides a scoped CoroutineScope that survives recomposition, giving you manual control. LaunchedEffect is lifecycle-aware and tied to composition changes.
Q: What is derivedStateOf and when should it be used?
A: derivedStateOf creates a derived state from other state objects, recomputing only when inputs change. Ideal for expensive computations that depend on observable state.
Q: How do you implement a performant LazyColumn with dynamic content?
A: Use the key parameter to prevent unnecessary recompositions.
Use itemsIndexed() or items() with unique keys.
Avoid state inside each row unless necessary.
Use rememberLazyListState() for scroll handling and performance tracking.
Q: How do you integrate Jetpack Compose with legacy View-based code?
A: Use ComposeView in XML layout.
Use AndroidView() to embed Views inside Compose.
Share ViewModels and data layers to bridge both systems.
Q: What is Modifier.composed {} and why is it needed?
A: Modifier.composed {} is used to create custom Modifiers with internal state or side effects.
Allows access to remember and recomposition-aware logic inside a Modifier.
Q: How do you measure and layout custom Composables manually?
A: Use Layout { measurables, constraints -> ... } to measure and place children manually, enabling complex UI designs like custom flow layouts, staggered grids, etc.
Q: What is the difference between Material2 and Material3 in Compose?
A: Material3 (aka Material You) is the new design system with dynamic theming, more flexible color systems, and newer components.
Material3 APIs are backward-compatible with Material2 in Compose but require setup with new theming.
Q: How do you test side effects and navigation in Compose?
A: Use ComposeTestRule.setContent {} for Composable testing.
Test NavController behavior using TestNavHostController.
Use assertIsDisplayed(), performClick(), etc. from compose.ui.test.
Q: What are the best practices to avoid recomposition performance issues?
A: Use remember, rememberUpdatedState
Stable classes / data structures
Keys in Lazy layouts
derivedStateOf
snapshotFlow to observe state efficiently
Q: How do you implement Compose in Clean Architecture / Modular App?
A: UI Layer: Compose only
ViewModel: Use StateFlow / UiState
Domain Layer: Pure Kotlin logic
Navigation and state hoisting should be delegated from Composables to ViewModels or UseCases.
Q: What's the use of SideEffect, DisposableEffect, and rememberUpdatedState?
A: SideEffect: Executes after every successful recomposition. Use for non-composable side effects like analytics logging.
DisposableEffect: Manages lifecycle and cleanup like observers or callbacks.
rememberUpdatedState: Keeps the latest lambda across recompositions without restarting effects.
Q: How do you handle authentication flows with Compose + Navigation?
A: Use NavController and authentication state (e.g., isLoggedIn) from ViewModel.
Conditionally navigate to authenticated vs unauthenticated routes using navigation graph changes or conditional Composables.
Q: How does Compose manage state hoisting and why is it important?
A: State hoisting is the practice of moving state ownership to a higher-level Composable.
Makes Composables stateless, testable, and reusable.
Q: Explain Compose's snapshot system.
A: Compose uses a snapshot system that tracks reads/writes of state.
It batches changes and triggers recomposition only when relevant state is modified.
Q: How do you debug recomposition issues?
A: Use log statements in Composables
Use Android Studio Composition Tracing and Layout Inspector
Annotate Composables with @Stable, @Immutable for optimization
Q: Can you explain why a Composable is recomposing unnecessarily and how to fix it?
A: Common reasons:
- Mutable state in wrong scope
- Lack of key in LazyColumn
- Recreating lambda in parameters
- Unstable data types
Fix: Hoist state, use remember, use stable classes
Android Security Interview Questions:
Q: What is Android sandboxing?
A: Android runs each app in its own sandbox to isolate data and processes, enforced by the Linux kernel.
Q: How does Android protect app data by default?
A: By storing data in internal storage, which is private to the app and inaccessible to others unless rooted.
Q: What is the purpose of android:exported?
A: It determines whether a component is accessible to other apps. Required from Android 12 for components with intent filters.
Q: What is ProGuard or R8 and how do they help?
A: They obfuscate the code, making reverse engineering harder by renaming classes and methods.
Q: What is the difference between install-time and runtime permissions?
A: Install-time permissions are granted when the app is installed, while runtime permissions are requested during app usage.
Q: What’s the risk of using external storage?
A: External storage is readable by other apps with storage permissions, risking data leakage.
Q: Why is enabling JavaScript in WebView risky?
A: It can expose the app to XSS or remote code execution if untrusted content is loaded.
Q: What is android:allowBackup and why is it risky?
A: If set to true, app data can be backed up and restored, potentially leaking sensitive data.
Q: What is an implicit vs explicit intent?
A: Explicit intents target a specific component; implicit ones allow other apps to handle them, which can lead to hijacking.
Q: What is Network Security Configuration?
A: An XML configuration that controls network security policies like HTTPS enforcement and certificate pinning.
Q: How do you securely store user credentials?
A: Use Android Keystore to store encryption keys, and EncryptedSharedPreferences or SQLCipher for data.
Q: What is Android Keystore?
A: A system component that securely generates and stores cryptographic keys in a hardware-backed environment.
Q: How do you prevent sensitive data from being logged?
A: Avoid logging sensitive information and remove logs in release builds using ProGuard rules.
Q: What is Tapjacking and how to prevent it?
A: A UI deception attack. Prevent it by setting WindowManager.LayoutParams.FLAG_SECURE on sensitive screens.
Q: How can you protect your app from reverse engineering?
A: Obfuscate code, avoid hardcoded secrets, use native code for sensitive logic, and detect rooting.
Q: What is Certificate Pinning?
A: Ensures the app communicates only with a specified server certificate, preventing MITM attacks.
Q: How do you restrict access to ContentProviders?
A: Set android:exported to false and define permissions for external access.
Q: What is SELinux and how does it secure Android?
A: SELinux applies mandatory access control policies that restrict apps even at the system level.
Q: What is Android Verified Boot?
A: It ensures the device boots using verified system images, protecting against boot-level malware.
Q: What are SafetyNet and the Play Integrity API?
A: APIs to verify device and app integrity, detect rooting, and prevent tampering or abuse.
Q: What is dynamic code loading and why is it risky?
A: Loading external code at runtime can introduce malicious code. Use only trusted sources and HTTPS.
Q: How to detect if a device is rooted?
A: Check for su binary, root apps, test-keys, and use SafetyNet or Play Integrity API.
Q: How to secure API keys in an app?
A: Do not hardcode. Use NDK with Keystore or store keys server-side and use short-lived tokens.
Q: How to protect a payment feature in an app?
A: Use HTTPS, certificate pinning, validate inputs, store encrypted data, and use integrity APIs.
Q: User reports data theft. What steps do you take?
A: Check logs, validate secure storage and network handling, and verify app/device integrity.