Veracode Compilation Instructions for Android

This document applies to customer-licensed Veracode SAST. Last checked and updated 11-Jan-2018.

See the master compilation guidelines for instructions for other platforms.

Veracode supports the scanning of Java applications compiled for Android. In addition, we support these other mobile frameworks:

  • Appcelerator Titanium
  • Apache Cordova/Adobe PhoneGap
  • Xamarin

Other cross-platform development frameworks are not supported.

Required Files

Supported Android JREs and Compilers

Language   Platform   Version
Java       Android    Android API Level 8-26 (Android 2.2 – 8)

Veracode supports scanning Android applications written in Java and packaged as an Android Package (APK).

The Veracode Platform can analyze Android application code with or without debug symbols. Providing debug builds of Android application code allows the Veracode Platform to provide source file and line number information about the location of flaws found.

Supported Android Frameworks

Veracode supports and provides high-quality results for Android applications using the following frameworks.

Framework                    Supported Version(s)
AWS Mobile SDK for Android   2.2.4
Parse Android SDK            1.9.4

Compilation Guidance for Debug Builds

  1. If you use Android Studio to develop your project:
    • Select a debug build variant from the Build Variants menu. Verify all submodules are also set to Debug.
    • Use the APK created with the naming standard of <app_name>-<productFlavor>-debug.apk.
  2. To build an Android Studio project from the command line, run gradlew with the assembleDebug task.
  3. With the standard javac compiler on the command line, add the -g option to get debug symbols, for example:
    javac -g foo.java
  4. If you are using ant to build the project, the debug property in the javac task(s) needs to be turned on, for example:
    <javac debug="on"> ... set of classes </javac>
  5. If you are developing the project with Eclipse, go to Project > Properties and select the “Java Compiler” properties. Under “Classfile Generation”, select the following:
    • Add variable attributes to generated class files
    • Add line number attributes to generated class files
    • Add source file name to generated class files
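
To confirm that a javac, ant or Eclipse build (steps 3 to 5) really carries debug information before it is packaged, the following added example, which is not Veracode code, parses a compiled .class file and reports which debug attributes it contains. The attribute names SourceFile, LineNumberTable and LocalVariableTable come from the JVM class file format and correspond to the three Eclipse options above; the function name is hypothetical.

```python
import io
import struct

# Bytes following the tag for each fixed-size constant-pool entry (JVM class file format).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Class-file attributes that carry source file name, line numbers and local variables.
DEBUG_ATTRS = {"SourceFile", "LineNumberTable", "LocalVariableTable"}

def debug_attributes(class_bytes):
    """Return which of DEBUG_ATTRS are present in one compiled .class file."""
    f = io.BytesIO(class_bytes)
    def take(fmt):                             # read big-endian field(s) and advance
        vals = struct.unpack(">" + fmt, f.read(struct.calcsize(">" + fmt)))
        return vals if len(vals) > 1 else vals[0]
    if take("I") != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    take("HH")                                 # minor, major version
    utf8, count, i = {}, take("H"), 1
    while i < count:
        tag = take("B")
        if tag == 1:                           # CONSTANT_Utf8 holds attribute names
            utf8[i] = f.read(take("H")).decode("utf-8", "replace")
        else:
            f.seek(CP_SIZES[tag], 1)
        i += 2 if tag in (5, 6) else 1         # long/double occupy two slots
    take("HHH")                                # access flags, this_class, super_class
    f.seek(2 * take("H"), 1)                   # interfaces
    found = set()
    def attributes():
        for _ in range(take("H")):
            name_index, length = take("HI")
            end = f.tell() + length
            found.add(utf8.get(name_index))
            if utf8.get(name_index) == "Code": # debug tables nest inside Code
                take("HH")                     # max_stack, max_locals
                f.seek(take("I"), 1)           # bytecode
                f.seek(8 * take("H"), 1)       # exception table
                attributes()
            f.seek(end)
    for _ in range(2):                         # fields, then methods
        for _ in range(take("H")):
            take("HHH")                        # access flags, name, descriptor
            attributes()
    attributes()                               # class-level attributes (SourceFile)
    return found & DEBUG_ATTRS
```

Call debug_attributes() on the bytes of each .class file in the build output and compare the result with DEBUG_ATTRS. A javac build without -g normally yields only SourceFile and LineNumberTable; LocalVariableTable appears once -g is used.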

Packaging Guidance

  • For a successful scan, the Android application cannot be obfuscated.