Hi dear friend!
Today we’ll cover an important topic - git ignoring files.
And how it improves our app security.
We’ll do it like nobody else - with real issues and use-cases.
You’ll learn:
Why
.gitignoreexists (the truth)Common security issues it causes
Why not to generate it with AI
Patterns for file management
What to include and exclude
How to test Git Ignoring
Impact of syntax errors
Best practices I use
You’ll also get:
Cheat sheet to master file patterns
Cheat sheet on what to include and exclude
Git commands for debugging git ignoring
GPT prompt to remove fluff from your
.gitignore
Bonus: my clear and secure .gitignore from an app with over 5M users
Believe me, there are things you really need to know!
What is the .gitignore
Most devs think of this file as protection from accidentally pushing Android Studio-generated code to a shared Git repository.
And they’re right, but that’s only half the story.
The .gitignore file also adds an extra layer of security to our applications.
Some real industry stories (fails)
If you’ve been building software for a while, I bet you’ve heard stories like:
A company employee abused their cloud services for $60k
An open-source project creator got a $15k bill from Firebase
Someone stole an app
And there are many other fails that happen simply because someone messed up their .gitignore configuration.
Common Issues
Each project is different, so I might miss some issues.
But here’re some common problems found in production applications:
Codebase pollution with IDE-specific files
Missing IDE code style and license files
Uploaded local Gradle properties
Uploaded generated files in multi-module projects
Uploaded build outputs like
.apk/.aabUploaded reports (issues, code style, test coverage, etc.)
Leaked service configuration files (
.json)Leaked keystore files and signing configurations
Leaked API keys and security tokens
Multiple
.gitignorefiles that conflict with each other and don’t work
Most devs are uploading secrets to GitHub and don’t even realize it.
Default Android Studio .gitignore
When we start a new project, Android Studio includes this file for us
Here’s what it generates in the latest Android Studio:
*.iml
.gradle
/local.properties
/.idea/caches
/.idea/libraries
/.idea/modules.xml
/.idea/workspace.xml
/.idea/navEditor.xml
/.idea/assetWizardSettings.xml
.DS_Store
/build
/captures
.externalNativeBuild
.cxx
local.propertiesIgnores some Android Studio files and caches
Ignores Gradle cache and settings
Ignores macOS system files
Ignores build outputs
Ignores screenshot files
Ignores some native NDK code
Ignores local SDK path
Looks solid? (NO)
What’s wrong with it
If you try to make your initial commit, you’ll notice that a lot of junk gets uploaded to a repository.
If you use AI agents or some external services, it can look even worse.
The only files that should be uploaded are: .gitignore, code style files (missed), and copyright files (missed).
Once you start developing your app, things get even worse:
It doesn’t handle multi-module projects
Service configurations can be leaked
Keystores and signing properties can be leaked
etc…
You might think, “I’ll include them later.”
But trust me - you probably won’t.
Generating .gitignore using AI or third party tools
If you try searching for better solutions, you basically have three options:
Online generators like gitignore.io
AI tools: GPT, Claude, GitHub Copilot, etc.
YouTube tutorials
Sounds good? Not really.
They all tend to:
Miss important files
Upload unnecessary files
Ignore security and modularity
Include outdated or irrelevant tools
Overcomplicate things with bad syntax
For example, here’s a .gitignore for Android Appgenerated from gitignore.io:
### AndroidStudio ###
# Built application files
*.apk
*.ap_
*.aab
# Files for the ART/Dalvik VM
*.dex
# Java class files
*.class
# Generated files
bin/
gen/
out/
# Gradle files
.gradle
.gradle/
build/
# Signing files
.signing/
# Local configuration file (sdk path, etc)
local.properties
# Proguard folder generated by Eclipse
proguard/
# Log Files
*.log
# Android Studio
/*/build/
/*/local.properties
/*/out
/*/*/build
/*/*/production
captures/
.navigation/
*.ipr
*~
*.swp
# Keystore files
*.jks
*.keystore
# Google Services (e.g. APIs or Firebase)
# google-services.json
# Android Patch
gen-external-apklibs
# External native build folder generated in Android Studio 2.2 and later
.externalNativeBuild
# NDK
obj/
# IntelliJ IDEA
*.iml
*.iws
/out/
# User-specific configurations
.idea/caches/
.idea/libraries/
.idea/shelf/
.idea/workspace.xml
.idea/tasks.xml
.idea/.name
.idea/compiler.xml
.idea/copyright/profiles_settings.xml
.idea/encodings.xml
.idea/misc.xml
.idea/modules.xml
.idea/scopes/scope_settings.xml
.idea/dictionaries
.idea/vcs.xml
.idea/jsLibraryMappings.xml
.idea/datasources.xml
.idea/dataSources.ids
.idea/sqlDataSources.xml
.idea/dynamic.xml
.idea/uiDesigner.xml
.idea/assetWizardSettings.xml
.idea/gradle.xml
.idea/jarRepositories.xml
.idea/navEditor.xml
# Legacy Eclipse project files
.classpath
.project
.cproject
.settings/
# Mobile Tools for Java (J2ME)
.mtj.tmp/
# Package Files #
*.war
*.ear
# virtual machine crash logs
hs_err_pid*
## Plugin-specific files:
# mpeltonen/sbt-idea plugin
.idea_modules/
# JIRA plugin
atlassian-ide-plugin.xml
# Mongo Explorer plugin
.idea/mongoSettings.xml
# Crashlytics plugin (for Android Studio and IntelliJ)
com_crashlytics_export_strings.xml
crashlytics.properties
crashlytics-build.properties
fabric.properties
### AndroidStudio Patch ###
!/gradle/wrapper/gradle-wrapper.jarDoesn’t look great, yeah?
Don’t complicate
Generated .gitignore files are messy, confusing, and often miss important configs.
That’s why I recommend creating it from scratch.
By the end of 5 minutes, you’ll know exactly how to build it yourself.
(keep reading)
Patterns
To create a clean .gitignore file - patterns are key.
They allow you to have clear, concise syntax and avoid duplications.
Here’s a cheat sheet of essential patterns you need to master to create an elegant configuration file:
Pattern | Description | Example |
|---|---|---|
| Matches all files with a given extension |
|
| Ignores an exact file | Ignores |
| Ignores a specific directory |
|
| Ignores a specific hidden directory (dot → hidden) | . |
| Recursive ignore for a directory |
|
| Excludes a file from being ignored |
|
| Used for notes |
|
Cheat sheet for Git Ignoring
Next, we’ll look at what should go in an Android Application .gitignore config.
Here’s a checklist of all essential files and folders:
Category | 📂 Folder or 📄 File | Why Ignore It |
|---|---|---|
🏗️ Build Outputs | 📂 | Generated and compiled files, reports, and outputs |
⚙️ Gradle System Files | 📂 | Contains local Gradle caches and dependency data |
🧩 IDE / Android Studio | 📂 | Contains local workspace settings |
🧾 Logs & Reports | 📄 | Temporary build/test logs |
⚙️ Native Code / NDK | 📂 📂 | Auto-generated when building native (C/C++) code |
🧭 Local Configs | 📄 | Stores SDK paths, signing keys, or API keys |
🔑 Signing configurations | 📄 📄 | Contains signing keys |
🔒 External Services configurations | 📄 *.json | Configuration files. |
🧪 Test Data | 📂 | Contains screenshots from Android instrumented tests. |
💾 OS-specific files | 📄 📄 | Hiden OS metadata files. |
Any other files or folders in your .gitignore?
99% of the time, you can safely delete them.
Double-checking properties with GPT
Never delete configs without double-checking first.
Here’s an efficient GPT prompt you can use:
In an Android project, is it safe to remove [CONFIG_OR_FILE_NAME] from .gitignore?
Explain briefly what it does, if it should be committed, and what could happen if I remove it.
Here’s my config file: (paste your existing config file)
IMPORTANT: Don’t forget to include your current config file into prompt.
This helps GPT spot duplicate configs caused by bad syntax or patterns.
Cheat sheet what NOT to ignore in Git
Some IDE files and project configs should always be included in your repository.
Folder | Purpose | Why Commit |
|---|---|---|
| Stores copyright profiles used for automatically adding headers to new files | Ensures license/copyright headers are uniform |
| Stores IDE code style rules | Ensures everyone on the team formats code the same way |
Config file that I use
As I mentioned earlier, if you master the basic knowledge about git ignoring - your configuration file will be concise and clear.
Here’s the config file I use for apps with millions of users and hundreds of modules.
# Android Studio \ IDE files
.idea/
*.iml
#Include IDE copyright and code style
!.idea/copyright
!/.idea/codeStyles
# Gradle files
#(for multi-module projects)
**/build/
.gradle/
# Log/Crash files
*.log
# Local configuration files
*.properties
# Configurations files
#(only for open-source projects)
*.json
# Keystores
*.jks
*.keystore
#Screenshots
captures/
#NDK generated files
obj/
.cxx/
.externalNativeBuild
# Mac OS files
.DS_StoreYou should notice the amount of fluff that I’ve removed, compare to the examples generated using GPT of gitignore.io.
Will missing the file break the app?
Nope. Even if your .gitignore has syntax errors or references missing files, the app won’t break. It just silently ignores invalid patterns.
Relax - no panic!
Next, we’ll see how to test and debug git ignoring.
Testing and debugging Git Ignoring
Here’s one more cool thing about git ignoring - you can test it.
These two Git commands help you double-check for syntax issues and ensure sensitive files won’t be uploaded:
1 .Check which files are ignored
git status --ignoredThis command shows all the files Git is currently ignoring in your project
The output highlights all ignored files and directories:
2. Test a specific file or directory
git check-ignore -v <file_path>This command is even more interesting.
It shows which .gitignore pattern matches the specified file or directory.
Here’s an output example:
The output shows that the pattern in line 14 matches the given file.
Now, I can open the config file and find the pattern.
Don’t mess up your .gitignore - unless you want a surprise “email from HR”! 😅
If this was useful, drop me a message. 📩
Catch you later! 👋