Android packaging
Your Android applications must meet specific packaging and compilation requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) agent-based scanning. For SCA agent-based scan requirements, see Using Veracode SCA with programming languages.
Veracode supports the scanning of Java and Kotlin applications compiled for Android. Veracode also supports these mobile frameworks:
- .NET MAUI
- Appcelerator Titanium
- Apache Cordova/Adobe PhoneGap
- Dart and Flutter
- Ionic
- React Native
- Xamarin
If you are using any of these frameworks, follow the instructions on the respective pages and do not follow the guidance for native Android apps.
Veracode does not support other cross-platform development frameworks.
Supported Android JREs and compilers
| Language | Platform | Supported versions |
|---|---|---|
| Java and Kotlin | Android | Android 2.2–14 (API Levels 8–34), including Jetpack |
| Veracode supports scanning Android applications written in Java and Kotlin and packaged as an Android Package (APK) or Android App Bundle (AAB). |
Veracode can analyze Android apps without debug symbols, but the results do not provide details about the finding location, such as the source files and code line numbers.
Veracode recommends that you always provide a variant with debug symbols for analysis.
For a successful scan, you cannot obfuscate the Android application.
Supported Android frameworks
Veracode supports and provides high-quality results for Android applications using these frameworks.
| Framework | Supported versions |
|---|---|
| AWS Mobile SDK for Android | 2.2.4 |
| Parse Android SDK | 1.9.4 |
| ExoPlayer | 2.x |
Compilation guidance for Debug builds
Android Studio IDE
- Select a debug build variant from the Build Variants menu.
- Verify that you set all submodules to Debug.
- Name the APK using this format:
{app_name}-{productFlavor}-debug.apk
Apache Ant
Enable the debug property in the javac tasks, for example:
<javac debug="on"> ... set of classes </javac>
Eclipse
Go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, select these options:
- Add variable attributes to generated class files
- Add line number attributes to generated class files
- Add source file name to generated class files
Gradle
Use gradlew with the assembleDebug option.
If you want to include Software Composition Analysis (SCA) findings in your Static Analysis, you must also include the dependencies. This is the default behavior. If you had opted out of sharing dependencies, you must remove the dependenciesInfo section from the build.gradle file.
javac
With the standard javac compiler, on the command line, add the -g option to obtain debug symbols, for example:
javac -g foo.java