Authoring a Tech Book: My Writing Experience
Over the past few years, I’ve been asked several times about my experience co-authoring the Android Security Cookbook. While I’ve always been candid in sharing insights, these conversations have largely taken place in private forums, like Slack or the pub. Now, with some downtime between roles, I’ve decided to put my thoughts into a more permanent form.
I was driven to research and share how to make more secure apps because I felt it was an area that wasn’t adequately covered at the time. Writing a book was particularly daunting for me due to my dyslexia, but it stands as one of my proudest achievements. Becoming a published author in such a competitive field is no small feat. In this article, I’ll walk through the benefits and challenges I faced during the process, offering insights for anyone curious about embarking on a similar journey. Of course, this is based on my experience from over 10 years ago, so some of the pain points may have evolved since then.
How did I become an author?
I was first approached by Packt publishing to serve as a technical reviewer for an upcoming Android security book. They had come across my GitHub profile and saw that my experience aligned well with the project. At the time, Keith Makan had already written the first couple of chapters, focusing on introducing readers to Android app reverse engineering.
The goal of the book was to guide readers through practical recipes, arming them with the tools to identify and prevent Android security attacks. Given my background working for a security startup called via forensics (renamed to NowSecure), the project sounded like an ideal fit for me.
While reviewing the first defence-focused chapter Protecting Applications I felt it didn’t quite align with the perspective of a developer. After providing detailed feedback and suggesting larger-than-usual rewrites, I somewhat naively offered to rewrite the chapter myself to better align with a developer-centric approach.
I’m passionate about arming developers with the tools to harden their apps especially when I’ve seen first-hand the lack of priority given to security. I saw you’re primarily a breaker of things :P in the pen testing/hacking sense and from what I’ve reviewed so far of the book it’s clear you know your stuff. I’m the other side of the coin; a developer/hardener and felt I could add my perspective and experience.
Extract from the email I sent to Keith ^
To my surprise, both the publisher and Keith agreed. Keith and I negotiated a split of the royalties based roughly on % of the book I was going to write. Boom! I formally joined the project to write chapters on Protecting Applications, Secure Networking, and Encryption and Device Administration Policies—which make up Chapters 5, 7, and 9, approximately a third of the book.
The Writing Process
For each chapter, my role involved researching and writing defence strategies and migration guides, along with sample code, based on the attack recipes Keith had already written. All content had to adhere to the Packt Word template, which added a layer of structure but also constraints. I enjoyed the research side of things, these were areas I had some knowledge already but writing it in book format forced me to go deeper to allow me to explain it better.
Once a chapter was completed, I would send it to the editor, who would forward it to technical reviewers. From what I gathered, most reviewers were volunteers looking for recognition in the book and a free copy—similar to how I started as a reviewer. Keith and I would also review each other’s chapters ensuring the links/prompts between the chapters make sense. Towards the end of the process, all chapters underwent a thorough review by paid technical editors, who often made significant grammatical and structural revisions.
The feedback from reviewers was returned in separate Word documents with tracked changes enabled. The lack of a collaborative platform made it incredibly tedious to consolidate all the feedback into a single document. Each reviewer’s feedback had to be manually incorporated, often with overlapping comments on the same issues, which wasted time and effort.
I was keen on us using Google Docs as it allowed multiple collaborators and a single document to streamline this process and reduce duplicated feedback. However, this was not possible I think due to external printing constraints. Essentially Packt required everything to remain in the Word document format and were not open to deviation from their established process. I’m sure 10 years on they use a more efficient process.
Show me the money
I don’t have a precise record of how many hours/days I spent writing the book. I began the first chapter in early September 2013, working roughly two days a week. Fridays were typically spent writing as part of the 20% learning time that via Forensics allowed, with additional hours during evenings and weekends. By early November, I had completed the initial drafts and naively thought the bulk of the work was behind me. However, the real challenge was just beginning—the review and editing phase. This stage took far longer than I had anticipated, with the time needed for revisions and feedback feeling never-ending.
Regarding payment, it’s typical to receive both a royalty advance and royalties. The advance is essentially a prepayment of future royalties, so once it’s paid out, you’ll only receive further royalties once your book earns enough to cover the advance. For the Android Security Cookbook, the advance was split across milestones as follows:
- 15% on acceptance of the first 50% of draft chapters
- 15% on acceptance of the remaining draft chapters
- 20% on acceptance of the final draft
- 50% upon publication
As of September 2024, the total earnings from the book as a co-author (with the lowest royalty share) are less than what I’d make in a week as an Android contractor. After the first five years, royalties dwindled to less than £10 per year. While I could have boosted sales with a revised edition, that never materialized.
Writing a book is an incredible accomplishment, but it’s not something you should do for financial gain. The time you’ll invest in drafting, revising, and responding to feedback is immense—likely far more than you initially expected. Ultimately, it’s about the journey, the learning, and the opportunity to share your knowledge with the community.
Content rights / Copyright
All the people who have asked me about the book were concerned with copyright more so that the money as it’s generally known the actual writing doesn’t generate a sizeable income. They often were already writing blog articles and we’re looking to reuse and formalise these into a book.
I found there wasn’t much room for negotiation with the publisher. I naively asked to retain the copyright for my work, but they outright refused. However, I did manage to negotiate a few key points. For instance, I successfully removed the clause that would have given Packt first refusal for my next three books—something I found quite unreasonable. To be fair Packt removed this without issue.
Additionally, I increased the percentage of the book content I could share on my blog from 5% to 10% as I intended to use some of the content to promote the book, but naturally, the publisher was keen on limiting how much I could give away for free.
If the content is already published on a blog or in an open-source library, this can create complications. For example, with the Android Security Cookbook, we encountered issues with including open-source Gists that I’d already written for a security talk. The publisher was hesitant about having these examples available on GitHub, so instead, they had to be hosted in a zip file on the publisher’s website, accessible only through user login. Which unfortunately increased the friction for readers.
Post publishing
After the book was published, I found Packt’s post-publishing marketing and support to be lacking compared to what I’ve seen with friends’ books. I had to prompt them to issue a press release, and when it finally came out, it was just a copy-paste of the book’s back cover. This was compounded by the fact it was released on a Friday at the end of December 2013, right before the Christmas break. I expected a more intentional launch rather than the feeling the publisher moved on to the next book in their pipeline.
Another minor disappointment was the limited number (2) of free books provided to authors. In contrast, friends who co-authored a book with Wiley received boxes of books. I would have appreciated having more copies to give away at events where I spoke.
But despite these challenges, I was still stoked to hold the printed book in my hands and be able to give a copy to my parents. That moment made all the effort and hurdles worth it.
Support and Thanks
Firstly, a big thanks goes to Keith Makan for agreeing to bring me on board and Packt even though a couple of the items noted here are negative I am very grateful for the opportunity.
I’m also grateful to via Forensics for allowing me to use one day a week (aka 20% time) for September/October to dedicate to researching and writing the book. My heartfelt thanks to the reviewers and editors for their meticulous attention to detail. And of course, I couldn’t have done it without my family—thank you for the time, space, and support in making this achievement possible.
Would I do it again?
Writing a book is a labour of love. While it can be quite challenging to balance with a full-time job and family commitments, the end result was worthwhile. I’m confident that writing the book has had a positive impact on my career, distinguished me from others and boosted my confidence.
Benefits:
- Deeper knowledge of how to secure Android apps that I was able to apply in my day job and use for conference talks
- Increased chance of conference talk acceptance.
- Indirectly helped get jobs/contracts
- Positively impacted salary negotiations
Pain Points:
- The significant amount of time required to complete the book.
- Frustrating editing and review workflow.
I’ve been offered the opportunity to write additional books with Packt, but the topics didn’t closely align with my interests or professional experience. If I were to write another book, I’d likely consider self-publishing through a platform like Leanpub. While I haven’t used it personally, I’m drawn to their author-focused approach, offering 80% royalties. Alternatively, I’d approach No Starch Press, as they have a strong reputation and provide clear guidelines for submitting book proposals.
Thanks for reading! Let me know if you found this useful, have any questions or want to share your own experiences being an author I’d be keen to hear them.
Thanks to Dori Cussen and Andy Barber for reviewing this article!