Android Packaging

Your Android applications must meet specific packaging and compilation requirements before you can submit them for scanning.

See Supported Languages and Platforms for instructions for other platforms.

You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) agent-based scanning. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.

Veracode supports the scanning of Java and Kotlin applications compiled for Android. Veracode also supports these mobile frameworks:

• Appcelerator Titanium
• Apache Cordova/Adobe PhoneGap
• React Native
• Xamarin

Veracode does not support other cross-platform development frameworks.

Supported Android JREs and Compilers

Language	Platform	Supported Versions
Jetpack	Android	All stable releases through January 2022
Java and Kotlin	Android	Android 2.2–13 (API Levels 8–33)
		NOTE Initial support for Android 12 (API Level 31), Android 13 (API Level 33).

Veracode supports scanning Android applications written in Java and Kotlin and packaged as an Android Package (APK) or Android App Bundle (AAB).

Veracode can analyze Android application code with or without debug symbols. When you provide debug builds of Android application code, Veracode can provide source file and line number information about the location of findings.

For a successful scan, you cannot obfuscate the Android application.

Supported Android Frameworks

Veracode supports and provides high-quality results for Android applications using these frameworks.

Framework	Supported Versions
AWS Mobile SDK for Android	2.2.4
Parse Android SDK	1.9.4
ExoPlayer	2.x

Compilation Guidance for Debug Builds

1. If you use Android Studio to develop your project:

   • Select a debug build variant from the Build Variants menu. Verify that you set all submodules to Debug.
   • Name the APK using this format: <app_name>-<productFlavor>-debug.apk

2. To build with Android Studio on the command-line interface, use gradlew with the assembleDebug option.

3. With the standard javac compiler, on the command line, add the -g option to obtain debug symbols, for example:

   javac -g foo.java

4. If you are using ant to build the project, you must enable the debug property in the javac tasks, for example:

   <javac debug="on"> ... set of classes </javac>

5. If you are developing the project with Eclipse, go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, select these options:

   • Add variable attributes to generated class files
   • Add line number attributes to generated class files
   • Add source file name to generated class files

6. If you want to include Software Composition Analysis (SCA) findings in your Static Analysis, you must also include the dependencies. This is the default behavior. If you had opted out of sharing dependencies, you must remove the dependenciesInfo section from the build.gradle file.