Anti-patterns are recurring solutions to recurring problems that produce negative consequences. They appear repeatedly across mobile codebases because they are natural: they are what a developer writes when following the path of least resistance without the benefit of architectural discipline.
| 1 | Overview | 2 | Critical Anti-Patterns |
| 3 | High-Severity Anti-Patterns | 4 | Medium-Severity Anti-Patterns |
| 5 | Anti-Patterns to Avoid | 6 | References |
Anti-patterns are categorised by severity: Critical (produce security vulnerabilities, data loss, or production crashes), High (produce significant technical debt and degraded quality), and Medium (reduce maintainability and team velocity without immediate production impact). Critical anti-patterns are blocking code review findings — no PR that introduces a critical anti-pattern is merged.
Symptom: Session tokens, API keys, or passwords stored in SharedPreferences, UserDefaults, or a plaintext SQLite column.
Root Cause: Developer unaware of platform secure storage APIs. Speed priority over security.
Consequence: Any party with filesystem access (rooted/jailbroken device, backup extraction, physical access) reads the credential.
Correct approach: Android Keystore + EncryptedSharedPreferences. iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly.
⚠ Plaintext Credential Storage —
sharedPrefs.putString("token", accessToken)on Android orUserDefaults.standard.set(accessToken, forKey: "token")on iOS. P1 security finding. Blocking code review gate.
CORRECT:EncryptedSharedPreferences.create(...)on Android.KeychainSwift().set(accessToken, forKey: "token")with appropriate accessibility attribute on iOS.
Symptom: ViewModel contains Retrofit or URLSession import. apiService.getAccount() called directly from ViewModel.
Root Cause: Architect specified clean architecture verbally but did not enforce it through static analysis or code review.
Consequence: Business logic mixed with network I/O. ViewModel untestable without mocking the entire network stack. Security audit cannot identify the data layer boundary.
Correct approach: Network calls are in Repository implementations only. ViewModel calls Use Cases. Use Cases call Repository interfaces.
⚠ Network Call in ViewModel —
viewModelScope.launch { val account = apiService.getAccount(id) ... }in a ViewModel class.
CORRECT:viewModelScope.launch { val result = getAccountUseCase(id); _state.update { it.copy(account = result.getOrNull()) } }. The Use Case handles the Repository call.
Symptom: OAuth authorization URL contains response_type=token. Access token appears in the redirect URL fragment.
Root Cause: OAuth Implicit Flow was the recommended mobile pattern before 2017. Many tutorials still reference it.
Consequence: Access token transmitted in URL fragment is visible in server logs, browser history, and referrer headers. Attack surface for token interception.
Correct approach: OAuth 2.0 Authorization Code + PKCE. response_type=code. Access token received only in the token endpoint response body.
⚠ God ViewModel — ViewModel with 600+ lines handling networking, navigation, business logic, analytics, error handling, and UI state. Impossible to test, constant merge conflicts for large teams.
CORRECT: Maximum 200 lines. Business logic in Use Cases. Navigation events in a dedicated NavigationEvent sealed class. Analytics in a separate event observer. Each concern in its own class.⚠ Mutable State Exposed from ViewModel —
val accounts: MutableList<Account>as a public property. Any class can add, remove, or reorder accounts.
CORRECT: Expose only immutable state.val uiState: StateFlow<AccountsUiState>. Internal mutable state isprivate val _uiState: MutableStateFlow<AccountsUiState>.⚠ Hardcoded Strings for Configuration — API base URL, feature flags, or environment identifiers hardcoded as string literals in source code. Different teams maintain different source files for different environments.
CORRECT: Android BuildConfig fields injected from Gradle build variants. iOS xcconfig files with environment-specific values. CI injects values from encrypted secrets at build time.⚠ Synchronous Network on Background Thread in Loop — Fetching 500 records by making 500 sequential API calls in a for loop on a background thread. Each call adds 200ms on 4G — 100 seconds total.
CORRECT: Batch endpoint returns all 500 records in a single API call. If a batch endpoint is not available, concurrent requests usingasync/awaitwithwithContext(Dispatchers.IO).
⚠ Context Passed as Use Case Parameter —
GetUserUseCase(context: Context)— the domain layer has a dependency on the Android platform.
CORRECT: Domain layer imports no Android classes. Values that require Context (resources, file paths) are resolved at the Repository or data layer and passed as primitive types to the domain.⚠ Magic Numbers in Domain Logic —
if (account.balance > 50000) { applyPremiumTier() }— business threshold embedded as a literal in source code.
CORRECT: Named constants in the domain model:const val PREMIUM_TIER_THRESHOLD = 50_000. Document the business rule in a comment. Ideally, fetch the threshold from configuration to enable adjustment without a release.
Session tokens or API keys written to SharedPreferences or UserDefaults, readable on any rooted or jailbroken device. A P1 finding that exposes every user's session.
Android Keystore + EncryptedSharedPreferences; iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly. Hardware-backed, device-bound, never embedded in the binary.
apiService.get() invoked directly from a ViewModel, collapsing the data layer into presentation. Untestable without mocking the network stack and a standing security-boundary violation.
ViewModel → Use Case → Repository interface → data source. Each layer is independently testable and the network boundary stays in the data layer.