This document is for customer licensed Veracode SAST. Last check and update 11-Jan-2018.
See thefor instructions for other platforms.
Veracode supports the scanning of Java applications compiled for Android. In addition, we support these other mobile frameworks:
Other cross-platform development frameworks are not supported.
Supported Android JREs and Compilers
|Java||Android||Android API Level 8-26 (Android 2.2 – 8)|
Veracode supports scanning Android applications written in Java and packaged as an Android Package (APK).
The Veracode Platform can analyze Android application code with or without debug symbols. Providing debug builds of Android application code allows the Veracode Platform to provide source file and line number information about the location of flaws found.
Supported Android Frameworks
Veracode supports and provides high quality results for Android applications using the following frameworks.
|AWS Mobile SDK for Android||2.2.4|
|Parse Android SDK||1.9.4|
Compilation Guidance for Debug Builds
- If you use Android Studio to develop your project:
- Select a debug build variant from the Build Variants menu. Verify all submodules are also set to Debug.
- Use the APK created with the naming standard of <app_name>-<productFlavor>-debug.apk.
- To build with Android Studio on the command-line interface, call gradlew with the assembleDebug flag.
- With the standard javac compiler on the commandline, add the -g option to get debug symbols, for example:
javac -g foo.java
- If you are using ant to build the project, the debug property in the javac task(s) needs to be turned on, for example:
<javac debug="on"> ... set of classes </javac>
- If you are developing the project with Eclipse, go to
and select the “Java Compiler” properties. Under “Classfile Generation”, select the following:
- Add variable attributes to generated class files
- Add line number attributes to generated class files
- Add source file name to generated class files
- For a successful scan, the Android application cannot be obfuscated.