Skip to main content

Android packaging

Your Android applications must meet specific packaging and compilation requirements before you can submit them for scanning.

See Supported languages and platforms for instructions for other platforms.

You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) agent-based scanning. For SCA agent-based scan requirements, see Using Veracode SCA with programming languages.

Veracode supports the scanning of Java and Kotlin applications compiled for Android. Veracode also supports these mobile frameworks:

If you are using any of these frameworks, follow the instructions on the respective pages and do not follow the guidance for native Android apps.

Veracode does not support other cross-platform development frameworks.

Supported Android JREs and compilers

LanguagePlatformSupported versions
Java and KotlinAndroidAndroid 2.2–14 (API Levels 8–34), including Jetpack
Veracode supports scanning Android applications written in Java and Kotlin and packaged as an Android Package (APK) or Android App Bundle (AAB).

Veracode can analyze Android apps without debug symbols, but the results do not provide details about the finding location, such as the source files and code line numbers. Veracode recommends that you always provide a variant with debug symbols for analysis.

For a successful scan, you cannot obfuscate the Android application.

Supported Android frameworks

Veracode supports and provides high-quality results for Android applications using these frameworks.

FrameworkSupported versions
AWS Mobile SDK for Android2.2.4
Parse Android SDK1.9.4

Compilation guidance for Debug builds

Android Studio IDE

  1. Select a debug build variant from the Build Variants menu.
  2. Verify that you set all submodules to Debug.
  3. Name the APK using this format: {app_name}-{productFlavor}-debug.apk

Apache Ant

Enable the debug property in the javac tasks, for example:

<javac debug="on"> ... set of classes </javac>


Go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, select these options:

  • Add variable attributes to generated class files
  • Add line number attributes to generated class files
  • Add source file name to generated class files


Use gradlew with the assembleDebug option.

If you want to include Software Composition Analysis (SCA) findings in your Static Analysis, you must also include the dependencies. This is the default behavior. If you had opted out of sharing dependencies, you must remove the dependenciesInfo section from the build.gradle file.


With the standard javac compiler, on the command line, add the -g option to obtain debug symbols, for example:

javac -g