9

I'm wondering if anyone has some recommendations for Android source code review which is Java based. For example, reviewing an Android app for security issues. Bonus for being F/OSS.

Fortify seems to be a good option but out of my price range. :)

AviD
  • 72,138
  • 22
  • 136
  • 218
Lizbeth
  • 757
  • 6
  • 14

4 Answers4

7

Try LAPSE+, Yasca, CodePro AnalytiX, Klocwork Solo, and the Teachable Static Analysis Workbench.

Be sure to check out The Denim Group's blog post on Using static analysis to review file access in android apps, which includes some tools written in Perl.

When Angry Birds Attack Android Edition is the latest blog post from TEAM JOCK, who presented on this research during this video at Shmoocon with a talk entitled [PDF - TEAM JOCH vs. Android: The Ultimate Showdown - PDF].

Nils also presented on Building android sandcastles in android’s sandbox at a recent BlackHat.

ENISA has done a more formal job at modeling the risks to smartphone platforms with their Smartphones: Information security risks, opportunities and recommendations for users paper. Cigital has at least one blog post on Moving to Mobile - New Threats which also covers threat-modeling topics.

atdre
  • 18,885
  • 6
  • 58
  • 107
  • 1
    If the tools you mention don't have a model of the Android libraries, and knowledge of common Android vulnerabilities, I don't think they're going to be very useful. LAPSE+, Yasca, CodePro, Teachable Static Analysis look like generic Java analyzers, so I'm very skeptical they'll be good for this purpose. In contrast, Klocwork advertises its use for Android security, though I haven't tried it myself. Have you actually tried any of these tools on Android applications yourself? – D.W. May 29 '11 at 21:59
  • 1
    @D.W.: Yes, I agree with you and no I have not yet used them on Android apps. However, if the Android apps use common Java EE components on both the server and client-side, then it would make sense that some of these tools would work in some scenarios. Better would be Appscan Source Edition with the ability to detect missing sinks in order to write custom rules. – atdre May 30 '11 at 01:15
2

For static analysis of source code I found this tool useful especially for Android. It is a free tool called OpenGrok ,which can index a source repository. It supports multiple languages so it has been useful for analysis of Androids Java and native code. AndroidXRef also hosts an index that can be used for analysis of multiple versions of Android. Hope this helps.

MCW
  • 2,572
  • 1
  • 15
  • 26
dudebrobro
  • 673
  • 3
  • 7
2

Here are two free online tools that check for certain specific issues with Android applications:

  • Comdroid checks for vulnerabilities related to the use of Intents. See this presentation for description of those vulnerabilities, and other pitfalls.

  • Stowaway checks for overprivilege: i.e., it checks to see if the application requests permissions that its code doesn't seem to use.

Keep in mind that these are research tools. Moreover, they focus only on a very specific set of vulnerabilities. They are not a general-purpose static analysis tool, and are not substitute for a general-purpose security static analysis tool for Android (like Fortify); they are better thought of as a supplement for other tools available to you.

D.W.
  • 98,420
  • 30
  • 267
  • 572
1

Sorry if this is too basic, but I wanted to make sure the easy options are covered.

I just added static analysis with FindBugs and PMD (free) to my Eclipse workflow. I didn't go with Klockwork Solo yet because of the price, but I plan to use the 30 day trial before releasing my next app.

ProjectJourneyman
  • 111
  • 2