Protect your code from Gemini in Android Studio

The Studio Bot is great, but be sure you are not sharing proprietary code unintentionally

Katie Barnett
ProAndroidDev


Image credit: https://android-developers.googleblog.com/2023/09/studio-bot-expands-to-international-markets.html

Update: Since writing this, I have been told that the .aiexclude file usage will soon change, so instead of an empty file to exclude all files, the .aiexclude file should just contain an *. I have updated the details below.

If you are using Android Studio Jellyfish or later, you may see Gemini in Android Studio (formerly Studio Bot). You can ask it many different types of questions right in your IDE. The tool is very smart and can use your project code in the IDE to improve the responses it gives you, as well as to provide smart auto-complete. While this is a helpful feature, if you are working on a proprietary or (commercially or otherwise) sensitive codebase, you may not want to share your code with Google. Google is clear about how the data is used in their Privacy Policy and Data and Privacy documentation, but even if you personally are happy with these controls, many organisations have stricter policies for their intellectual property (e.g. code).

You can control the sharing of your code right within the settings of Android Studio. You can choose to allow all project code, allow specific projects, or not use any project code.

This is from Koala Canary 2; the current version may look different.

You can then make the decision to only allow specific projects by selecting the "Ask to decide per project" option and checking the associated checkbox for only the specific ones you are happy to allow.

And whilst you may be aware of the risks in sharing sensitive code and have made a conscious decision, anyone else who also uses your codebase within Android Studio may not be, and may inadvertently have the "Use context from your project to improve responses" setting set to true. You still need to protect your codebase, and it can be tedious constantly verifying settings with a large team of developers, so the best thing is to ensure the code is protected right from your source control.

Excluding code from Gemini Studio Bot

All you need to do to exclude an entire directory is place a file named .aiexclude at the top level of the directory (note the preceding period). This has the same grammar and semantics as .gitignore files, so to exclude all files and subfolders recursively it just needs to contain an * (comments starting with # can also be added).

Then all files within the directory and all subfolders will have the block applied.

This will block everything. I added some comments so other developers (and my future self) will remember what it is for and know not to remove it.

Check this file into your source control (git etc.) and it will be picked up by all your developers and will apply this setting (undercover — it won’t actually change the Android Studio setting in the settings screen, but you’ll see the Gemini icon change in the bottom right — see below) when they attempt to use the Gemini Studio Bot. Developers will still be able to use it as a tool to ask questions about general concepts but the code will not be sent to the AI to provide context on the answers. In theory they could delete this file before using Gemini but that is a deliberate decision to share the code (equivalent to uploading the code to a public repository for example).

If you want a little more control over what you are excluding (for example, when only part of your code should be protected), you can treat this .aiexclude file just like a .gitignore file with the same rules. You can simply place the file with an * at the top of the directory you want to protect, or you can add file names or extensions with wildcards to the file for more fine-grained control.
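Because the protection depends on the file staying in source control with its * rule intact, a check like the one below can run in CI to catch a deleted or weakened .aiexclude at review time. This is an added example, not code from the original article; the function name and exit codes are hypothetical, and treating a ! line as a failure is a conservative assumption based on the .gitignore grammar described above.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a directory is
# fully excluded from Gemini context by its .aiexclude file.

# aiexclude_blocks_all DIR   (hypothetical helper)
#   0 = DIR/.aiexclude exists and contains a bare "*" rule
#   1 = file is missing
#   2 = file exists but has no bare "*" rule (only partial exclusions)
#   3 = file contains a "!" line; in .gitignore grammar that re-includes
#       files, so it is rejected here (conservative assumption)
aiexclude_blocks_all() {
    file="$1/.aiexclude"
    [ -f "$file" ] || return 1
    has_star=1
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop Windows line endings and surrounding whitespace.
        line=$(printf '%s' "$line" | tr -d '\r' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$line" in
            ''|'#'*) continue ;;      # blank line or comment
            '!'*)    return 3 ;;      # negation rule: needs human review
            '*')     has_star=0 ;;    # the block-everything rule
        esac
    done < "$file"
    [ "$has_star" -eq 0 ] || return 2
    return 0
}

# Demo on a constructed sample directory (sample content is made up).
demo=$(mktemp -d)
printf '# Keep this file: blocks Gemini project context\n*\n' > "$demo/.aiexclude"
aiexclude_blocks_all "$demo" && echo "demo: all files blocked"
rm -rf "$demo"
```

In a pipeline, call the function with the repository root (and any other directory that must stay excluded) and fail the job on a non-zero return.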

Testing

You might ask, how did I verify (beyond trusting the official documentation) that this would work?

To test this I enabled Use context from your project to improve responses and the Enable AI-based inline code completions option and started modifying a sample app. As expected Gemini Studio Bot helpfully suggested what I might be typing.

Don’t worry, this is not proprietary code! Just my test project for random experiments.

When I added the .aiexclude file and tried the same test the code completion was not supplied indicating this had been turned off.

Autocomplete was useful, but only where I know it doesn’t violate my organisation’s policies.

You can also verify the setting at the bottom right corner of Android Studio; the AI Code Completion info will tell you whether it is available or not:

Left: enabled. Right: not enabled.
Clicking on the icon will also allow you to access the settings. On newer versions of Android Studio the message may also be “Completion inactive: file is blocked by .aiexclude”.

Even with the .aiexclude file provided I was still able to ask Gemini general questions not relating to the specific codebase.

Now that these great tools are out there to help speed up development we need to make sure we use them the right way. Hopefully the other generative AI creators will use a similar (or ideally the same!) method of preventing context ingestion so that we can still use these great tools without worrying about compromising intellectual property.
