Security Code Review of Android applications

You are developing mobile applications and you have read the OWASP Mobile - Top Ten Mobile Risks. You may be wondering what security tools can help you face the growing complexity of your Android applications. Well, there are plenty! In this article, I will present two free static analysis tools which scan your code directly from your IDE.

Android Lint

What is it?

Android Lint is a static code analyzer provided in the official IDE Android Studio.

What will it find?

The list of checks is quite long, but the number security checks are low. There are still critical checks that justified running this tool regularly.

Installation

None! As mention previously, it is included in the official IDE Android Studio. However, if you want to keep only the security related checks, you can use this "security only" profile.

Demonstration

FindBugs + Find Security Bugs plugin

What is it?

FindBugs is a popular static analysis engine which is widely used in the Java community. Find Security Bugs is a plugin for this tool to bring security rules to the analysis.

What will it find?

The main focus of the security plugin FindSecBugs is to mark weaknesses such insecure communication, cryptography missuses and sensible sections of the application.

Installation

The installation and configuration of FindBugs can be done with few clicks. If you are still using Eclipse (previously official IDE), an equivalent plugin is also available in the Eclipse Marketplace.

Demonstration

Here is a short demonstration that showcases the FindBugs integration in Android Studio.


(Note : An old version of Find Security Bugs is used)

What is next?

Unfortunately, the client mobile application is only the tip of the iceberg. Your application back-end also requires special attention. The number one risk of the OWASP Top Ten Mobile Risk is Weak Server Side Controls after all.

Another great initiative would be to integrate both tools, Android Lint and FindBugs, in your continuous integration environment.

Upcoming presentation at BlackHat USA 2015

I will be presenting the security plugin for FindBugs at Black Hat arsenal. I will give demonstrations of the integration on IntelliJ and on SonarQube. If you have used the tool already, don't hesitate to come give me your feedback in person.
If you are doing Android development, don't miss QARK which will be presented during the same period.




That's it! If you have ideas for new security rules that would apply to Android, don't hesitate to open a ticket on Github.

References

OWASP: Source Code Analysis Tools: List of static code analysis tools
NIST: Source Code Security Analyzers: Another great list of tools classified by language.
Android Lint: Official documentation of Lint
Find Security Bugs: Github website for the FindBugs security plugin
Mobile Security Wiki: A well organized list of resources including tools for Android.