Scanning Android APK Files

Our ideal scan target is a post-build, production like artifact. When we perform an evaluation, we traverse the contents of the artifact searching for known extensions Eg .jar. Once we come across a known extension, we fingerprint that file and examine the contents of the file Eg .class. It is the collection of this information that then allows us to identify the component/library in use and the ability to provide any metadata we have on that component.

However, in the case of Android, it must be treated differently. We do not support scanning a .apk directly due to the minification performed via the dalvik byte code process. For this reason, scanning prior to the assembling of the .apk is required.

Check out this article for more information on How Your Android Code Compiles to Deliver .APK Package File - .

See below for options on scanning Android applications, which can be referenced when interacting with development teams.

To scan your android packages, the easiest integration is at build time. If you are building with Maven, you can simply use the Sonatype maven plugin, which is downloaded when invoked. A sample command of the required arguments below would be sufficient:

mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=test -Dclm.serverUrl=http://localhost:8070

In this example, we are executing the Sonatype maven plugin and running the evaluate goal, which will scan the dependencies and build artifacts of your project. The additional parameters -Dclm.applicationId and -Dclm.serverUrl are also required, which provides the IQ Server URL and Application ID. These can be provided by your IQ Server administration team.

If you are not building with Maven, but are using a build tool that handles Maven commands (Eg Gradle) the best best alternative is to execute the Maven copy dependencies command:

Mvn dependency:copy-dependencies

This will copy the dependencies of your project to a separate directory. This directory can then be scanned via the CLI or compressed into a zip file and scanned via the UI.

If you are not using maven or not using a build tool that handles maven commands, the next option is to manually or automatically (depending on the build tool) copy the dependencies of your project to a separate folder and follow the directions above for scanning it via the CLI or UI.

We have a sample build.gradle that defines a build task that calls out to the CLI to do a scan during the gradle build - see attached.

Additional references:

Have more questions? Submit a request


Article is closed for comments.