State of the Costco Android App

How likely the app is to crash or freeze on real devices in production.

39 critical-severity defects across the codebase — Kotlin !! force-unwraps, unsafe as casts, unguarded getActivity() calls, list-index access without bounds checks. 96 memory-leak risk patterns additionally — Handler.postDelayed without cleanup, WebViews not destroyed, untracked coroutine Jobs. Concentration in MainWebViewFragment, FindAStoreFragment, MainActivity, WarehouseOffersFragment.

Each unhandled crash is a transaction lost during peak shopping hours. Sustained Crash-Free-Users decline cuts Play Store ranking, drives 1-star reviews, and erodes member trust. Memory leaks compound during long sessions and during the holiday shopping push.

Stability strike-team — 2 senior engineers × 4 weeks fixing the top-20 by realized Crashlytics impact. Target: +2 percentage points crash-free-users within 1–2 release cycles.

Resistance to data theft, fraud, abuse, and tampering.

Strong baseline: HTTPS-only enforced, AES-256-GCM AndroidKeystore for tokens, biometric auth, R8 obfuscation, backup disabled, NowSecure scans in CI. Gaps: WebView lockdown incomplete (setAllowFileAccess(false) not set; addJavascriptInterface + dynamic loadUrl("javascript:…") in offers screen), no Play Integrity API, no FLAG_SECURE on payment / DMC screens, no data extraction rules file, certificate pinning import found but use needs verification.

WebView and dynamic JS-injection patterns are the typical entry points pen-testers find first. A successful exploit could exfiltrate session data or hijack payment flows. Lack of Play Integrity removes a key signal against fraud rings.

Two-week WebView lockdown sweep + Play Integrity adoption + FLAG_SECURE on payment screens. Verify cert-pin activation. Address ahead of the next NowSecure scan.

Adherence to privacy law (GDPR / CCPA / PIPEDA) and Play Store policies.

~38 third-party SDKs shipping data off-device — Adobe Marketing Cloud (11 modules), Firebase, NokNok FIDO2, ThreatMetrix fingerprinting, Mastercard ClickToPay, Lucidworks, Contentstack. OneTrust integrated for consent. Email persisted unencrypted in DataStore; lat/lng cached on device. ACCESS_BACKGROUND_LOCATION used for warehouse geofencing — Play Store-sensitive permission. No SDK manifest or data-flow document.

Background-location reviews block releases when policy refreshes. CCPA / PIPEDA exposure if consent flow does not gate analytics. Data Subject Access Requests (DSARs) become engineering emergencies without a documented PII map.

Verify Firebase Consent Mode v2 and Adobe consent flags gate analytics correctly. Encrypt cached email via the existing KeyStoreManager. Publish an SDK manifest + privacy disclosure update.

How fast the app feels — startup, scrolling, memory.

20+ dependencies eagerly initialized in CostcoApplication. Dual image libraries (Coil + Glide) and dual networking stacks (Volley + Retrofit/OkHttp) ship together. No baseline profile, no Macrobenchmark in CI. 8 runBlocking calls in production code (NewOnboardingViewModel alone has 8). 96 memory leak risk patterns trend memory upward in long sessions.

Slow cold start translates directly to lower engagement and retention. Play Vitals "slow start" + "slow rendering" flags reduce store visibility. OOM crashes on memory-constrained Android devices (still ~30% of the market) are unaddressed.

Defer non-critical Application init paths via androidx.startup.Initializer. Generate a baseline profile for Home → PDP → Cart and ship it. Remove duplicate stacks (Glide and Volley).

How well the app serves users in different languages and regions.

Currently English + French (incl. Canadian variants en-rCA, fr-rCA). 693 locale resource directories total, 439 strings in main module. No RTL-locale resources. No LocaleManager.setApplicationLocales (Android 13 per-app language). No pseudo-locales in debug. Currency / date / plural formatters not consistently used (NumberFormat, DateTimeFormatter, getQuantityString).

Future Costco market expansion (Mexico, UK, Australia, Iceland, Sweden, Spain, Korea, Japan, Taiwan) means locale-specific bugs surface in production at scale. RTL-blind layouts will fail Hebrew / Arabic markets if those become targets.

Add pseudo-locales (en_XA, ar_XB) in debug builds. Audit string concatenation of currency / dates / counts. Plan a one-week RTL audit pass when expansion targets firm up.

How much of the code is verified by automated tests.

~170 unit tests + ~80 instrumentation tests; modern stack (MockK 1.14.9, Turbine 1.2.1, kotlinx-coroutines-test 1.10.2, Compose UI Test, Karumi Shot screenshots, Hilt-testing). JaCoCo threshold 40.81% (low for a retail-scale app). Hilt-testing pinned at 2.28-alpha while Hilt 2.56 in main — version drift. MainCoroutineRule duplicated in 7 modules. JUnit 4 + 5 both present. No Macrobenchmark, no Firebase Test Lab in CI.

40% coverage means ~60% of changes don't run through any test gate. Test/runtime version drift can produce subtle DI bugs that pass tests but break in production.

Stair-step JaCoCo threshold to 60–70% over two quarters; consolidate MainCoroutineRule into a shared/testfixtures module; bump Hilt-testing to 2.56; pilot Macrobenchmark.

How fast the team can ship features safely.

56 modules buildable in parallel (good for incremental builds). No build-logic / convention plugins — each module's gradle file is independent and prone to drift. Azure Pipelines CI with NowSecure scans. No Detekt / Ktlint baseline at the repo root. No CODEOWNERS — reviews are unrouted. JaCoCo 40% threshold doesn't actively gate. Hardcoded Maps API keys in committed gradle.properties create onboarding friction.

Reviews take longer than necessary; regressions slip through; new engineers spend their first week chasing setup issues instead of shipping.

Add convention plugins; CODEOWNERS at the repo root mapping modules to teams; Detekt + Ktlint with baselines; Codecov / SonarCloud per-PR coverage diffs.

Visibility into production behavior — logs, metrics, alerts, dashboards.

Firebase Crashlytics + Firebase Performance + Firebase Analytics integrated. Adobe Analytics + Adobe Target + Adobe Campaign (full marketing cloud). Timber + custom FirebaseRemoteLogger + ConsoleLoggerImpl. No clear PII scrubbing in release Timber tree. 8+ runBlocking sites are potential ANR sources without instrumentation. No defined error budget or rollback triggers.

Without consent-aware analytics, GDPR / CCPA risk. Without PII scrubbing, leaked logs become compliance issues. Without an error budget, the team can't make data-driven release decisions.

Add ReleaseLoggerTree with PII scrubbing patterns; verify Firebase Consent Mode v2; instrument repository latency to feed Performance dashboards; define a quarterly error budget.