
Quick Wins (Android)

Generated 2026-05-07 · Costco Android

Top 10 quick wins (android)

Each row is a sub-1-day fix that reduces immediate risk. Copy-paste the After block; verify locally; ship.

Total quick wins: 10
Estimated total effort: ~1.5 days (spread across the team)
Severity reduction: 4 HIGH+ findings closed

QW-A-01 · Rename `test-progaurd-rules.pro` typo · MEDIUM · 30 min

Filename typo (progaurd → proguard) shows up in every grep and confuses new engineers.

Before
Costco/test-progaurd-rules.pro
After
Costco/test-proguard-rules.pro
# Update Costco/build.gradle reference too:
#   testProguardFile 'test-proguard-rules.pro'
QW-A-02 · Move Maps API key out of committed gradle.properties · HIGH · 1 hour

A hardcoded Google Maps API key in a committed file is a poor-hygiene flag in any audit.

Before
# gradle.properties (committed)
MAPS_API_KEY=AIzaSy...
After
# local.properties (gitignored; Android Studio already keeps sdk.dir here, so it is never committed)
MAPS_API_KEY=AIzaSy...

// Costco/build.gradle (inside android { defaultConfig { ... } })
def localProps = new Properties()
def localPropsFile = rootProject.file("local.properties")
if (localPropsFile.exists()) localPropsFile.withInputStream { localProps.load(it) }
// Prefer the file, fall back to a CI env var, and fail loudly rather than compiling "null" into BuildConfig
def mapsKey = localProps.getProperty("MAPS_API_KEY") ?: System.getenv("MAPS_API_KEY")
if (!mapsKey) throw new GradleException("MAPS_API_KEY missing from local.properties / environment")
buildConfigField "String", "MAPS_API_KEY", "\"${mapsKey}\""
// BuildConfig still embeds the key in the APK; restrict it to this package name + signing-cert
// SHA-1 in the Google Cloud console so a copied key is useless elsewhere.
QW-A-03 · Move staging hosts out of production AndroidManifest · HIGH · 1 hour

The staging hosts www-vqa2.costco.ca and www-vqa3.costco.ca appear in production intent filters; they should ship in debug builds only.

Before
<!-- Costco/src/main/AndroidManifest.xml -->
<intent-filter android:autoVerify="true">
    <data android:host="www-vqa2.costco.ca" />
    <data android:host="www-vqa3.costco.ca" />
    ...
</intent-filter>
After
<!-- Costco/src/debug/AndroidManifest.xml -->
<!-- The manifest merger adds intent-filters, it never merges them: this filter must sit inside the
     same <activity> as the production one and carry its own action/category/scheme to match -->
<activity android:name="PLACEHOLDER_SAME_ACTIVITY_AS_SRC_MAIN">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https" />
        <data android:host="www-vqa2.costco.ca" />
        <data android:host="www-vqa3.costco.ca" />
    </intent-filter>
</activity>
<!-- Production manifest only contains real costco.com / costco.ca hosts -->
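The local check behind QW-A-03, as an added example that is not part of this report: a Python script that parses a production AndroidManifest.xml and lists every intent-filter host outside a production allowlist, noting whether the host sits on an autoVerify filter (where Android's app-link verification will fail for a host that serves no assetlinks.json). The allowlist regex (www.costco.com / www.costco.ca only), the sample manifest and the `.MainActivity` name in it are constructed assumptions.

```python
"""Flag non-production hosts in an AndroidManifest.xml's intent filters (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: the only hosts allowed in the production manifest are the real costco.com / costco.ca
# sites; everything else (www-vqa2, www-vqa3, ...) is treated as staging.
PROD_HOST_RE = re.compile(r"^(www\.)?costco\.(com|ca)$")


def staging_hosts(manifest_xml: str) -> list[tuple[str, str, bool]]:
    """Return (activity, host, auto_verify) for every intent-filter host outside the allowlist.

    Hosts are read from <data android:host=...> inside each activity's <intent-filter>; only
    attributes are namespaced in a manifest, element tags are not.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        name = activity.get(ANDROID + "name", "?")
        for flt in activity.findall("intent-filter"):
            auto_verify = flt.get(ANDROID + "autoVerify") == "true"
            for data in flt.findall("data"):
                host = data.get(ANDROID + "host")
                if host and not PROD_HOST_RE.match(host):
                    findings.append((name, host, auto_verify))
    return findings


# Constructed sample: a trimmed src/main manifest shaped like the finding above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https" />
        <data android:host="www.costco.ca" />
        <data android:host="www-vqa2.costco.ca" />
        <data android:host="www-vqa3.costco.ca" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for activity, host, verified in staging_hosts(SAMPLE_MANIFEST):
        print(f"{activity}: staging host {host} (autoVerify={verified})")
```

Point it at Costco/src/main/AndroidManifest.xml in CI and fail the build when the list is non-empty; a debug-only manifest never passes through it.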
QW-A-04 · Replace Handler() with Handler(Looper.getMainLooper()) · HIGH · 30 min

The no-arg Handler() constructor is deprecated since API 30 because it implicitly binds to whichever Looper the calling thread has.

Before
// MainActivity.java:1864
new Handler().postDelayed(() -> {
    // ... 3 second delay
}, 3000);
After
// MainActivity.java:1864
new Handler(Looper.getMainLooper()).postDelayed(() -> {
    // ... 3 second delay
}, 3000);
QW-A-05 · Stop swallowing exception in CostcoApplication · HIGH · 30 min

Empty catch block in CostcoApplication.java:219 hides initialization failures.

Before
// CostcoApplication.java:219
try {
    // ... initialization
} catch (Exception e) {
}
After
// CostcoApplication.java:219
try {
    // ... initialization
} catch (Exception e) {
    Timber.e(e, "App init failed");
    FirebaseCrashlytics.getInstance().recordException(e);
}
QW-A-06 · Add ABI splits / App Bundle for size · MEDIUM · 2 hours

Single universal APK ships every architecture and language; users download megabytes they don't need.

Before
// Costco/build.gradle (no splits configured)
android { ... }
After
// Costco/build.gradle: only takes effect when publishing an .aab (./gradlew :Costco:bundleRelease);
// a universal assembleRelease APK ignores this block
android {
    bundle {
        language { enableSplit = true }
        density  { enableSplit = true }
        abi      { enableSplit = true }
    }
}
QW-A-07 · Generate Lint baseline + commit · LOW · 1 hour

Without a baseline, lint findings are background noise; with one, only findings not already in the baseline surface, which makes them actionable.

Before
# No baseline today
After
// In Costco/build.gradle (declare this first: lint only writes a baseline when one is configured)
android {
    lint { baseline = file("lint-baseline.xml") }
}

# First run creates Costco/lint-baseline.xml and fails the task by design so the creation is
# noticed; the second run passes and from now on only reports findings not in the baseline
./gradlew :Costco:lintDebug
./gradlew :Costco:lintDebug
git add Costco/lint-baseline.xml
git commit -m "chore(lint): freeze baseline"
QW-A-08 · Add Detekt + Ktlint with default rulesets · MEDIUM · 30 min

No Detekt / Ktlint configuration found at repo root.

Before
# Detekt + Ktlint not configured
After
// Root build.gradle.kts
plugins {
    // `apply false` here: the plugins are applied per module below
    id("io.gitlab.arturbosch.detekt") version "1.23.6" apply false
    id("com.diffplug.spotless") version "6.25.0" apply false
}
subprojects {
    apply(plugin = "io.gitlab.arturbosch.detekt")
    apply(plugin = "com.diffplug.spotless")
    // Type-safe accessors such as spotless { } are not available inside subprojects { } in the
    // Kotlin DSL, so configure the extension by type
    configure<com.diffplug.gradle.spotless.SpotlessExtension> {
        kotlin { ktlint() }
    }
}
QW-A-09 · Add CODEOWNERS · LOW · 15 min

Reviews are unrouted; with CODEOWNERS, GitHub/Azure auto-requests the right team.

Before
# No CODEOWNERS
After
# .github/CODEOWNERS
# Last matching pattern wins, so the catch-all stays first and the more specific paths below override it
* @costco-android/maintainers
/feature/account/        @costco-android/account-team
/feature/dmc/            @costco-android/dmc-team
/feature/warehouse/      @costco-android/warehouse-team
/shared/sdui/            @costco-android/platform
/shared/auth/            @costco-android/security
QW-A-10 · Strip Timber.Tree on release builds · MEDIUM · 10 min

Without a release tree filter, log strings (potentially PII) ship to logcat in release builds.

Before
// CostcoApplication.kt
Timber.plant(Timber.DebugTree())
After
// CostcoApplication.kt
if (BuildConfig.DEBUG) {
    Timber.plant(Timber.DebugTree())
} else {
    // ReleaseTree is a custom Timber.Tree subclass: isLoggable() returns false for VERBOSE/DEBUG/INFO
    // so nothing below WARN reaches logcat, and log() forwards errors to Crashlytics
    Timber.plant(ReleaseTree())
}
Costco Android · Code Review Report · Generated 2026-05-07 · 626 machine-curated findings